Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
776
Views
1
Helpful
8
Replies

Move SVI up the network stack

Go to solution
tmessick01
Level 1
Level 1

‎11-07-2023 02:26 PM

Hello!  I'm banging my head against a puzzle, and I'm curious if anyone else has attempted a similar configuration before (or if it's possible).  

I am trying to find a way to migrate VLAN 96 in this example to the Palo Alto firewall as a subinterface.  This is intended as a means to segment the network for better visibility and security.

The issue I'm having is that because Vlan 96 is an SVI on the 3850 switch, I can't figure out how to move it up the network stack to the Catalyst 6840 (functioning as the network core) to then move it to the firewall.  The Cat 6840 and Cat 3850 are connected via an L3/routed link, whereas the Cat2960x edge switch is connected to the Cat3850 with an l2/trunk link, allowing the proper VLAN.

I have a number of other Cat2960x switches also trunked to the same 3850, and other 3850 switches fulfilling a l3 role in other sections of the network (hub/spoke topology with the 6840 at the center).

Any thoughts?  I'm happy to post sanitized configuration samples if that's helpful.

Labels:
Preview file
48 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎11-08-2023 07:55 PM

Am I correct in understanding that essentially you want the Palo Alto to become the default gateway for devices in vlan 96?

Thank you for including the diagram which clarifies some things that might not be so very clear in the description in your post. If I understand the diagram correctly there is vlan 96 on the 2960 switch. The 2960 switch carries vlan 96 on a trunk to the 3850 switch. There is an SVI on the 3850 which provides routing services for vlan 96. There is a routed link between the 3850 and the 6840 and the 6840 connects to the Palo Alto.

In that architecture there is not any way that the Palo Alto can be the default gateway for vlan 96. If you want Palo Alto to bwe the gateway for vlan 96 then you must change the link between 3850 and 6840 from a routed link to be a trunk. And that has impacts on the other vlans.

HTH

Rick

View solution in original post

0 Helpful
8 Replies 8

Go to solution
marce1000
VIP
VIP

‎11-07-2023 11:19 PM

 

 - Generally speaking you can't move SVI's , the only thing you can do is delete it on the 3850 and then define it on the firewall ,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
DanielP211
VIP
VIP

‎11-07-2023 11:32 PM

Hello!

There are multiple way to "strech" the L2 if you have routed underlay. You could do vpls or vxlan to stretch it from the 3850 to 6840. 

BR

****Kindly rate all useful posts*****
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎11-08-2023 06:03 AM

can you more elaborate 

Thanks A Lot
MHM

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎11-08-2023 07:55 PM

Am I correct in understanding that essentially you want the Palo Alto to become the default gateway for devices in vlan 96?

Thank you for including the diagram which clarifies some things that might not be so very clear in the description in your post. If I understand the diagram correctly there is vlan 96 on the 2960 switch. The 2960 switch carries vlan 96 on a trunk to the 3850 switch. There is an SVI on the 3850 which provides routing services for vlan 96. There is a routed link between the 3850 and the 6840 and the 6840 connects to the Palo Alto.

In that architecture there is not any way that the Palo Alto can be the default gateway for vlan 96. If you want Palo Alto to bwe the gateway for vlan 96 then you must change the link between 3850 and 6840 from a routed link to be a trunk. And that has impacts on the other vlans.

HTH

Rick
0 Helpful

Go to solution
tmessick01
Level 1
Level 1
In response to Richard Burts

‎11-09-2023 06:35 AM

Thanks Richard!  You are absolutely correct with your interpretation.  I've got a test stack and will try out some possibilities for getting the the 6840<->3850 link reconfigured as a trunk link.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Richard Burts

‎11-09-2023 06:38 AM

He dont need to make connect as trunk' what he need is only add new link for vlan 96 in 6800 and make another one to FW.

This make 6800 as Bridge and host in vlan 96 will have gw in FW.

Thanks A Lot
MHM

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎11-09-2023 09:47 AM

In my response I said that there is no way for the firewall to be the default gateway for vlan 96. And in practical terms I believe it to be correct. But your point is valid that if he provisions separate physical links between 6800 and the 3850 and between the 6800 and the firewall those that links could be used for vlan 96 and the firewall could be the gateway.

HTH

Rick

Go to solution
MHM Cisco World
VIP
VIP
In response to Richard Burts

‎11-09-2023 11:32 PM

Yes it valid.
other vlans will have GW in 6800 and only vlan96 will have FW as GW.
but to be honest I dont like this solution it can lead to asymetric traffic 
so 100% your solution is better IF he can make link as L2 trunk.

Thanks A Lot
MHM

0 Helpful
Customers Also Viewed These Support Documents