Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
598
Views
0
Helpful
6
Replies

replacing 2631 router with a 3750 switch - routing vlans

nmcfadye
Level 1
Level 1

‎06-16-2005 06:29 AM - edited ‎03-02-2019 11:07 PM

I currently have a 2621 router (with firewall feature set) configured with virtual interfaces to connect (using vlan trunking) with my switch which has 3 vlans, vlan2(students), vlan3 (faculty), vlan4(research).

Current access-lists on the router allow vlan3 to connect to vlan2, and vlan2 is restricted from accessing vlan3 and vlan4

The router can no longer handle the traffic for vlan3 accessing vlan2.

I have a 3750(std) switch which I want to use to improve the connectivity between vlan3 and vlan2. I effectively want to replace the router with switch to handle the inter vlan traffic, however at the same time I would like to keep using the router firewall features for traffic between our LAN and the outside

In addition the backup server on vlan2 needs to access a server on vlan3 to do backups at night.

It appears that I need to create a vlan-map with access-lists to do this.

Is there some way of obtaining the functionality of have the switch handle the inter vlan traffic while at the same time keep the router in place as a firewall.

thanks

Neil

Labels:
0 Helpful
6 Replies 6

alfredshum
Level 1
Level 1

‎06-16-2005 11:19 PM

Try this:

Outside network---Router---3750---hosts/access switches

Routing between VLANs is done on 3750. You can create a new VLAN for the subnet between 3750 and router, or a L3 interface on 3750 and a 30-bit subnet. For traffic destined to outside network, 3750 should have a default route to the Router (if outside network is Internet) or specific static routes for outside network.

You should have static routes on router for the VLANs 2, 3 and 4 using 3750 as next hop. And again a default route or static routes for outside network.

Then use VACL or ACL to limit traffic for VLAN 2 on 3750.

For the backup between servers, if both servers have spare NIC, I'd suggest you to create a standalone subnet using the new NIC and do the backup on this standalone subnet. Anyway just a suggestion...

0 Helpful

nmcfadye
Level 1
Level 1
In response to alfredshum

‎06-17-2005 07:35 AM

Currently my router is doing all the routing and I have access-lists for each virtual interface to control traffic between the subnets and from the outside. Can I simply apply some of these same access-lists to the vlans on the switch?

0 Helpful

johansens
Level 4
Level 4
In response to nmcfadye

‎06-17-2005 01:20 PM

As long as you don't need dynamic access-list (ie FW-feature) and only use static ACL's, you can apply these directly to the 3750.. there are some pitfalls some times (because of it beeing compiled and put in hardware).

If you have log-statments, the ACl will be processed in software, and if you have deny statements and you don't put a "no ip unreachables" on the VLAN-interface as well, the deny's will be punted to software..

Don't be too surprised if you don't see everything in the counters on the access-lists as well.

And you can't mix L2 and L3 ACL's.. :)

It's like this: Everything that doesn't run in hardware is bad for the 3750 and 3550's. They are very powerful layer3 switches if you use them correctly, but when stuff needs to run in software, you can't expect the same performance.

And.. don't have more than 8 routed interfaces/SVI's.

0 Helpful

nmcfadye
Level 1
Level 1
In response to johansens

‎06-20-2005 10:51 AM

I notice in the 3750 config guide

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00802c1048.html#wp1441334

shows an example to allow internal hosts to make connections to internet hosts by making an access list with the keyword "established", the example given shows this being applied to an port interface not a vlan interface.

Is that considered a dynamic access-list?

Can that keyword be used for a vacl?

Although I do not want vlan2 accessing vlan3 and vlan4, there are http, dhcp, mail servers on vlan2 that vlan3 and vlan4 need to access. vlan3 and vlan4 also have to ssh and sftp to vlan2.

Is is a pvlan a better solution for the server access?

0 Helpful

nmcfadye
Level 1
Level 1
In response to alfredshum

‎06-20-2005 11:26 AM

with regard to the L3 interface with a 30 bit mask to connect to the 2621 does the choice of the ip address matter as long as the static routes match up?

for example let say I choose

192.168.10.1/30 for the 3750 interface

and 192.168.10.2/30 for the router interface

What does it matter if you use a L3 interface with a 30bit mask or a new vlan?

When would you choose one versus the other?

0 Helpful

alfredshum
Level 1
Level 1
In response to nmcfadye

‎06-20-2005 08:22 PM

my own common practice is to use L3/routed ports for point-to-point connection between L3 devices.

For inter-vlan routing between say server subnets and user subnets, or multi-point connection between L3 devices, I'll use VLANs and SVIs.

Using 30-bit mask is just because I don't want to waste a class-C addressing space on a point-to-point L3/routed port.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents