
4948E-F VRF's SVI's and dot1q

ranaya0324
Level 1

Hello,

I have been tasked with creating a DMZ from scratch.  I am a bit of a network newb, so please forgive my ignorance. I am to connect two Cisco 4948E-F switches to two CheckPoint firewalls.  I will be using two 10g uplink ports from each switch to cross connect to each FW – though they will only be 1g as the FW’s don’t have 10g ports. I will create a dot1q trunk for each connection going from the switches to the FW’s. I will also create a port-channel between the two switches. 3 VRF’s will be created – web, app and db. 3 SVI’s will be created for each VRF. My questions are:

1. I planned on creating sub-interfaces for each VRF, but it doesn’t appear that the 4948E-F supports sub-interfaces. How do I direct traffic coming from the FW through the trunk to a particular VRF?

2. How do I get the traffic from one VRF to pass through the FW to travel back down to the other VRF’s? I would think the routing would all happen within the switch since all SVI’s live on those switches.

These are my initial questions and I’m hoping this starts a thread that I can continue to use and ask questions.

Thanks in advance to all you senior network engineers in helping me keep my job.

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Ron,

You can associate SVIs to VRFs, so you can easily map a Vlan permitted on the trunk to the FW to a VRF if you associate the corresponding SVI to the VRF (Layer 3 concept).

ip vrf DATA
 rd 100:1
!
interface vlan X
 ip vrf forwarding DATA
 ! you need to reconfigure the ip address after having put the interface in a VRF
 ip address z.k.x.f 255.255.255.w

where X is a vlan permitted on the trunk to the FW.

About the physical connections:

each switch needs to be connected to the other switch with a bundle etherchannel carrying all Vlans of interest and needs only one link to a single FW.

This is because typically the FW boxes are deployed in pair in an Active/Standby configuration ( easier to deal with) so you don't need to cross-connect each switch with both FW boxes.

How to deal with routing between VRFs is a question of choices:

you can give the FW the duty to perform inter VRF routing in a controlled way

or you can have a special configuration on the switch to perform inter VRF communication

I would suggest having the FW perform inter-VRF routing; this is safer, and communication is performed under FW control.

inter-VRF communication on the switch requires the use of BGP protocol and of route-targets defined under each VRF.

However, also for less complexity, I would go with inter-VRF communication performed on the FW box.

Hope to help

Giuseppe
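To put the answer above in context, here is an added configuration example for one of the two 4948E-F switches (this is not configuration from the thread's author or from Cisco documentation). It maps one VLAN per zone to its own VRF, trunks those VLANs to both firewalls, bundles the inter-switch links, and gives each VRF a static default route toward the firewall so that all inter-zone traffic is forced through firewall policy. VRF names, VLAN numbers, interface numbers, and the 10.1.x.0/24 addresses are constructed for illustration; the firewall is assumed to hold .1 in each VLAN on its own sub-interfaces, and some IOS versions also need `switchport trunk encapsulation dot1q` before `switchport mode trunk`.

```cisco
! Added example (not from the original thread): one 4948E-F mapping three
! VLANs to three VRFs, trunking them to the firewalls, and sending each VRF's
! off-subnet traffic back to the firewall. VLAN numbers, VRF names, interface
! numbers and 10.1.x.0/24 addresses are constructed for illustration.
!
! One VLAN per security zone; the same 802.1Q tag is what the firewall sees.
vlan 10
 name WEB
vlan 20
 name APP
vlan 30
 name DB
!
! Each VRF is a separate routing table. The switch has no route from one VRF
! to another, so inter-zone traffic can only leave via the firewall.
ip vrf WEB
 rd 100:10
ip vrf APP
 rd 100:20
ip vrf DB
 rd 100:30
!
! Ether-channel between the two switches carries all three zone VLANs.
interface range GigabitEthernet1/1 - 2
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! Uplinks to the firewalls: dot1q trunks restricted to the zone VLANs. The
! firewall terminates each tag on its own sub-interface, so the switch needs
! no sub-interfaces; the tag itself selects the VRF via the SVI below.
interface TenGigabitEthernet1/49
 description to-FW1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface TenGigabitEthernet1/50
 description to-FW2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! SVIs: 'ip vrf forwarding' comes before the address, because applying it
! removes any address already configured on the interface.
interface Vlan10
 ip vrf forwarding WEB
 ip address 10.1.10.2 255.255.255.0
interface Vlan20
 ip vrf forwarding APP
 ip address 10.1.20.2 255.255.255.0
interface Vlan30
 ip vrf forwarding DB
 ip address 10.1.30.2 255.255.255.0
!
! Per-VRF default routes toward the firewall's address in that VLAN (.1 here,
! assumed). Because each VRF knows only its own connected subnet plus this
! default, a packet from WEB to APP is handed to the firewall, which applies
! its rules and, if permitted, routes it back down the trunk tagged VLAN 20.
ip route vrf WEB 0.0.0.0 0.0.0.0 10.1.10.1
ip route vrf APP 0.0.0.0 0.0.0.0 10.1.20.1
ip route vrf DB  0.0.0.0 0.0.0.0 10.1.30.1
```

The second switch gets the same VLANs, VRFs, trunks and routes with its own SVI addresses (for example .3 in each subnet). To confirm the separation, `show ip route vrf WEB` should list only 10.1.10.0/24 as connected plus the default; if a route to 10.1.20.0/24 ever appears there, traffic is bypassing the firewall. `show ip vrf interfaces` confirms which SVI sits in which VRF.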

Thank you, Giuseppe!  That is excellent information.  Your post now brings up additional questions - which is exactly what I was hoping for....

So, I should have mentioned the FW's are in an Active/Active configuration.  I think I would want to cross connect the switches to the FW's for redundancy/high-availability.  I did plan on creating an ether-channel between the switches, but this is where my question lies.  Since this is my DMZ, wouldn't I need the routed traffic to pass through the FW, so I can configure the appropriate access-list rules to prohibit cross VLAN communications?  This is not a very complex network, so there are no routing protocols on the FW's.  All routes are static and there are probably less than 12 total.

Again, thanks for the help