Internet Edge layer 3 switch

sam saeed
Level 1

I was tasked to turn up a new site with a layer 3 3750G switch as the internet edge. It's a fiber 1GB connection from the provider. The current setup has a SonicWall firewall as the edge, but since the connection from the ISP is fiber it will not work on the SonicWall because it doesn't have an SFP port. I am installing a 3750G as the internet edge so it can go ISP->FIBER->3750G->Ethernet->SonicWall. I was under the impression that switches aren't the best edge devices since the TCAM tables are smaller, but I was told by my superior that since it's not a BGP connection it wouldn't be affected. This is the first time I am turning up a site with a different interface subnet and routed subnet, so I take it it'll be a great learning experience.

These are the specs from the provider:

Interface subnet
NETWORK: 14.214.X.244/30
GATEWAY: 14.214.X.245
IP: 14.214.X.246
SUBNET MASK: 255.255.255.252

Routed subnet
NETWORK: 14.214.X.48/29
GATEWAY: 14.214.X.49
USABLE IPs: 14.214.X.50 - 14.214.X.54
SUBNET MASK: 255.255.255.248

I was thinking of configuring the switch like this:

! ip routing is off by default on a 3750; the SVIs below only route once it is on
ip routing
!
int vlan 20
 ip address 14.214.X.246 255.255.255.252
 no shut
!
int g0/48
 description *Outside Interface to ISP*
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 no shut
!
int vlan 25
 ip address 14.214.X.50 255.255.255.248
 no shut
!
int g0/1
 description *Usable IPs 14.214.X.50-14.214.X.54*
 switchport mode access
 switchport access vlan 25
 spanning-tree portfast
 no shut
!
! Default route to the gateway of the interface subnet
ip route 0.0.0.0 0.0.0.0 14.214.X.245

The only part that's confusing me is that the interface subnet has a default gateway and then so does the routed subnet. From the SonicWall I assume all they will need to configure is a default route to the ROUTED SUBNET's default gateway 14.214.X.49, right? Or to the interface subnet's DEFAULT GATEWAY of 14.214.X.245?

So I think my config should work as is please advise if something doesn't look right.

Thanks!

Accepted Solution

Jon Marshall
Hall of Fame

David

I wouldn't do it like that.

Basically you just need the 3750 as a L2 switch not L3 and create a single vlan but no SVI for that vlan.

Put the ports connecting to the ISP and the SonicWall into the same vlan and then use the /30 IP on your firewall and use the other range for NAT.

Jon

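The L2 design Jon describes, written out as an added example (this is not configuration from the thread or from Cisco): one VLAN carries both the ISP-facing port and the SonicWall-facing port, no SVI holds an address, and the firewall's WAN interface takes 14.214.X.246/30 with 14.214.X.245 as its gateway while the /29 stays free for NAT on the firewall. The port numbers (g0/48 toward the ISP, g0/1 toward the firewall, g0/2-47 unused) follow the original post and are assumptions about the chassis; the VLAN number and name are also assumptions.

```ios
! Added example: 3750G as a pure L2 pass-through between the ISP fiber
! handoff and the SonicWall. Port numbers and VLAN id are assumptions.
no ip routing
!
vlan 20
 name ISP-HANDOFF
!
! Fiber SFP port toward the ISP
interface GigabitEthernet0/48
 description *Outside: ISP fiber handoff*
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
 no shutdown
!
! Copper port toward the SonicWall WAN interface, which holds
! 14.214.X.246/30 with default gateway 14.214.X.245
interface GigabitEthernet0/1
 description *To SonicWall WAN 14.214.X.246/30*
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
! No SVI carries an address, so the switch has no IP and is not
! reachable from the Internet. Keep the default Vlan1 SVI unaddressed
! and down rather than relying on it being empty.
interface Vlan1
 no ip address
 shutdown
!
! Every unused port stays shut so nothing else can be patched into the
! outside VLAN.
interface range GigabitEthernet0/2 - 47
 shutdown
```

With this layout the usable /29 addresses 14.214.X.50-54 are configured as NAT addresses on the SonicWall, as Jon says; the ISP routes the /29 toward 14.214.X.246, so no device on the switch needs to answer for them. The trade-off Jon raises later in the thread applies: the switch has no management address at all.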

8 Replies

Jon Marshall
Hall of Fame

I am assuming the SonicWall behaves like an ASA, i.e. for the /29 range you don't need to assign an IP from that range to any interface to be able to use those IPs with NAT.

If it can't then you could do what you are proposing although you don't need SVIs, you can use L3 routed ports, but I would go the other way if possible because then you have all the IPs in that range free to use.

If you route on the 3750 then you have to use two of those IPs for the firewall to 3750 connection.

Jon

-Jon

I originally figured I could get away with having the switch act like a switch and just act as a pass-through, which would be exactly how you said, placing it all in the same VLAN. But the techs on the other side wanted the switch interfaces to get configured for the internet IP address. I assume the SonicWall behaves like an ASA as well. I won't be working on the firewall; I am just setting up the Cisco device. I requested specifics to make sure the NAT POOL is getting configured on their SonicWall and did not get a response back, so I've been doing a lot of assuming. So I just whipped up a quick config to have something to work off of.

Configuring the switch with the internet IP addresses wasn't making sense to me since, as you mentioned, I would have to waste two routable IP addresses on the switch interface and SonicWall outside interface.

Thanks for getting back.

If they are insistent on using the IPs on the 3750 then use L3 routed ports and the default route for the firewall would be the L3 interface IP it connects to.

Perhaps they want to be able to manage it but like you say it would be using up two of the routable IPs.

Jon

Yes, glad you mentioned the default route from the SonicWall I almost forgot. That was the one thing that was confusing me. So you are saying if I configure the switch to be managed. Then the default route from the SonicWall will point to the ip address of the L3 Switch interface it is directly connected to. Right? And not to the default Gateway that the ISP provided for the routable subnet. Right?

Yes to your question because the switch is now routing so -

3750 default route next hop is ISP and SonicWall default route next hop is 3750 L3 interface IP it connects to.

You could still manage it at L2 but it is a bit messy, i.e. you could make the SonicWall's outside interface a trunk so you can also have a management vlan on the switch.

Or some people run a separate cable to a spare interface on the firewall or to their internal switch infrastructure.

Really not keen on connecting to your internal infrastructure direct myself.

So there are multiple ways of doing it with both L2 and L3 on the 3750 and it's just what you need for your requirements.

Jon
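The L3 alternative Jon describes in this reply and earlier (routed ports instead of SVIs, 3750 default route to the ISP, SonicWall default route to the 3750 interface it connects to), as an added example that is not configuration from the thread or from Cisco. Port numbers follow the original post. Giving the switch's inside port 14.214.X.49 is an assumption: it is the address the ISP lists as GATEWAY for the routed subnet, so with it the firewall's next hop is both "the 3750 L3 interface IP" and "the ISP-provided gateway" at once; the firewall then takes .50 and .51-.54 remain for NAT. The management ACL and the assumption that an RSA key and a local user already exist for SSH are mine as well.

```ios
! Added example: 3750G routing between the ISP /30 and the routed /29
! using L3 routed ports. Port numbers follow the post; .49 on the
! inside port is an assumption.
ip routing
!
! Outside: /30 interface subnet toward the ISP
interface GigabitEthernet0/48
 description *Outside to ISP, gateway 14.214.X.245*
 no switchport
 ip address 14.214.X.246 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 no shutdown
!
! Inside: routed /29. Switch holds .49, SonicWall WAN holds .50 with
! its default route pointing at .49; .51-.54 stay free for NAT.
interface GigabitEthernet0/1
 description *Inside to SonicWall WAN 14.214.X.50/29*
 no switchport
 ip address 14.214.X.49 255.255.255.248
 no ip redirects
 no ip proxy-arp
 no shutdown
!
! Switch default route: next hop is the ISP gateway on the /30
ip route 0.0.0.0 0.0.0.0 14.214.X.245
!
! The switch now holds public addresses, so close unused services and
! allow management only from the firewall side of the /29.
no ip http server
no ip http secure-server
ip access-list standard MGMT-IN
 permit 14.214.X.48 0.0.0.7
 deny   any log
line vty 0 15
 access-class MGMT-IN in
 transport input ssh
!
! Unused ports stay down
interface range GigabitEthernet0/2 - 47
 shutdown
```

On the firewall side the only routing entry needed is a default route to 14.214.X.49, the switch's inside port. If the inside port were given a different address from the /29 (the original draft used .50 on the switch), the firewall's default route must still point at whatever address the switch actually holds on that link, not at the ISP's listed .49, which is the point Jon makes above.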

Thanks dude! You are always helpful.

Jon Marshall
Hall of Fame

David

Appreciate you have marked this answer as correct but just wanted to add something.

What you were proposing was fine although as I say using L3 routed ports instead of SVIs would be the way to go.

That is the way you would set it up if you had a router instead of a L3 switch.

However, if you follow my suggestion that switch is effectively unmanaged because it has no IP, even for management.

Whereas with your way it would be manageable albeit you have used two of the IPs from the spare range.

Depends on what you need really.

Jon
