08-06-2018 10:58 AM - edited 03-05-2019 10:50 AM
Hi folks,
The client has two Sonicwalls on the same subnet which were connected to a switch (Cisco 3550). Now that switch has been replaced with a Cisco 2911 router: one Ethernet port to the provider, one Ethernet port to the main Sonicwall, and all is working fine. They need the second Sonicwall to be connected to the third and last Ethernet port on this router, but on the same subnet. The router doesn't accept the same subnet, and rightly so. They cannot change the IPs and subnets on their firewalls.
Can IP VRF help in this situation?
Best Regards,
Masood
08-08-2018 10:21 AM
I am not particularly expert on Sonicwall, but based on what I do know and on the diagram that you posted I am assuming that the Sonicwalls are operating as a failover pair. Can you provide any information about the IP addressing configured on the Sonicwalls? If they are a failover pair I am assuming that the Sonicwall expects to be able to communicate directly with its peer (ARP for the peer address and communicate directly) and may want to try to track reachability of the peer interface (perhaps some type of heartbeat). Since VRF is designed to keep things separated, my guess is that VRF is not an appropriate solution.
I agree that the suggestion about using a switch module is the optimum solution. But if that is not feasible then I would suggest that you use Integrated Routing and Bridging. IRB will allow you to put both physical interfaces into a bridge group and to bridge between the interfaces. It will allow you to put an IP address onto the BVI virtual interface. This should allow both Sonicwall units to communicate with each other and with the router, to monitor each other's reachability, and to fail over, while it allows the router to communicate directly with both Sonicwall units.
HTH
Rick
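The IRB setup Rick describes, written out as an added IOS configuration example (not posted in this thread): both Sonicwall-facing ports join one bridge group, so the two firewalls see each other at layer 2, and the router's own address on that segment lives on the BVI. The port numbers and ISP next hop follow the earlier sample config; the BVI address 192.168.1.254 is an assumption and must be a free address on the firewalls' subnet.

```cisco
! Enable Integrated Routing and Bridging and create bridge group 1.
! "bridge 1 route ip" is required: with IRB on, a bridge group only
! bridges until you explicitly allow IP to be routed through its BVI.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Upstream link stays a normal routed interface in the global table
interface GigabitEthernet0/0
 description Link to ISP
 ip address 10.10.10.1 255.255.255.252
!
! Both firewall-facing ports carry no IP address of their own;
! they are layer-2 members of bridge group 1
interface GigabitEthernet0/1
 description Link to Sonicwall 1
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/2
 description Link to Sonicwall 2
 no ip address
 bridge-group 1
!
! One IP address for the whole bridged segment (assumed value);
! this is what both Sonicwalls use as their next hop toward the router
interface BVI1
 ip address 192.168.1.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
```

After applying it, "show bridge 1 verbose" should list both GigabitEthernet ports as forwarding members and "show ip interface brief" should show BVI1 up with the configured address.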
08-06-2018 11:10 AM
Hello,
Indeed, VRFs would work:
! Two VRFs: each one has its own routing table, so the same
! 192.168.1.0/24 can exist once in each without conflicting
ip vrf RED
 rd 1:1
!
ip vrf GREEN
 rd 2:2
!
interface GigabitEthernet0/0
 ip vrf forwarding RED
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip vrf forwarding GREEN
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
08-06-2018 11:13 AM
Thank you!
If this solves my issue then that would be great.
Thank you. I will test the solution tonight.
best Regards,
Masood
08-06-2018 11:26 AM
Hi,
Would machines connected to Sonicwall 1 talk to machines connected to Sonicwall 2 using these RED and GREEN VRFs?
best Regards,
Masood
08-06-2018 11:34 AM
I'm afraid I did not follow your response.
Best Regards,
Masood
08-06-2018 11:33 AM
It depends... you would have to do some sort of route leaking. Can you provide a schematic drawing of what your topology should look like?
I'll have to lab this...will get back with you...
08-06-2018 12:07 PM
I am not sure you have the right module on the 2911, but wouldn't it be easier to connect the 2 Sonicwall devices into the 2911 using two L2 ports and create a vlan interface with one IP address?
Regards,
08-06-2018 12:15 PM
Hi,
I do not have a switching module in this router. That is the problem. I am also waiting on a Cisco 3750G L3 switch, but it will be here next week. Meanwhile, I need to get these working using the VRF config for now. Pressure. I have not been involved in any of the previous configurations and IP assignment. I was just pulled into this.
I hope the vrf example you sent me will do the trick!?
Best Regards,
Masood
08-06-2018 12:23 PM
Unfortunately, I do not have my GNS3 lab PC with me here; otherwise I would have lab-tested this VRF solution before adding it to the router.
I was wondering if I need an IP route or default gateway statement under each vrf?
Best Regards,
Masood
08-06-2018 12:58 PM
Hello,
Below is a sample config:
ip vrf GREEN
 rd 2:2
!
ip vrf RED
 rd 1:1
!
! DHCP is VRF-aware: exclude each router interface address from its own pool
ip dhcp excluded-address vrf RED 192.168.1.1
ip dhcp excluded-address vrf GREEN 192.168.1.2
!
ip dhcp pool RED
 vrf RED
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
ip dhcp pool GREEN
 vrf GREEN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.2
!
! Upstream link stays in the global routing table
interface GigabitEthernet0/0
 description Link to ISP
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip vrf forwarding RED
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip vrf forwarding GREEN
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
! Global default route, plus a default in each VRF whose next hop is
! resolved in the global table (static route leaking from VRF to global)
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip route vrf GREEN 0.0.0.0 0.0.0.0 10.10.10.2 global
ip route vrf RED 0.0.0.0 0.0.0.0 10.10.10.2 global