L2 link and remote office

pcromwell
Level 3

I have a topology as shown below in which a remote office is now going to connect via a Layer 2 link as opposed to previously having had its own internet link. The head office firewall will now monitor all the traffic entering and leaving the 192.168.1.0 LAN.

This LAN 192.168.1.0 has a default gateway of 192.168.1.1 which is currently set on the remote office router gig 0/0. I want to move this default gateway onto a Layer 3 interface on the firewall. However, as the router has only got L3 interfaces, I am not sure how I can move the DG from the router to the firewall. As you can see, the L2 link between head office and remote has a transit network to get traffic across.

Is there a way I can avoid changing the hardware and move the DG onto the L3 interface of the firewall?

[Image: 4D and HH Topology.jpg]


Seb Rupik
VIP Alumni

Hi there,

Before you change too much of your topology, have you considered implementing NetFlow on the remote office router? This will give you great insight into the traffic streams involving the 192.168.1.0/24 subnet.

cheers,

Seb.

Thanks Seb, it is a good suggestion, but for this network I need to get the default gateway configured on the firewall.

Joseph W. Doherty
Hall of Fame

If the office router supports bridging, you would be able to pass L2 traffic.

What would that look like in terms of IP addressing? I had considered that, but it would mean taking the IP address off gig 0/0 and bridging it to int fa0/1/0, which has an IP address of 192.168.2.2. How would the LAN 192.168.1.0 find the default gateway at the firewall?

You ask a couple of interesting questions. Here are my answers:

1) what would it look like in terms of IP addressing? 

Network 192.168.2.0 would be removed and no longer exist (remote router removes IP address from fa0/1/0 and switch removes SVI for that network).

192.168.1.1 would be removed from the remote router and configured on an appropriate sub interface of firewall.

Remote router G0/0 configured with some available IP address in 192.168.1.0 to provide management access to the router.

2) How would LAN 192.168.1.0 find the default gateway at the firewall?

This is fairly simple if you remember that now remote router G0/0 is bridged to fa0/1/0. fa0/1/0 is connected by a layer 2 link to an access port in the switch stack. That access port is in vlan xx. vlan xx is added to the trunk connecting the switch stack to the firewall. The firewall has a sub interface for vlan xx with IP address 192.168.1.1. So there is a single vlan starting from the firewall, through the switch stack, over the layer 2 link to the remote router. Any device connected at the remote office will ARP for 192.168.1.1. The broadcast ARP request is forwarded over the vlan, reaches the firewall, and the firewall responds to the ARP request.

HTH

Rick
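The steps Richard describes, written out as an added configuration example (not from this thread or any poster). It assumes Cisco IOS on the remote router, Catalyst IOS on the head office stack and Cisco ASA syntax on the firewall; vlan 199 is taken from the revised drawing discussed later, and the router management address, the old transit SVI number and the firewall uplink port name are placeholders.

```text
! --- Remote office router (Cisco IOS syntax, assumed): bridge, don't route ---
no ip routing
bridge 1 protocol ieee
!
interface GigabitEthernet0/0
 description Remote LAN; 192.168.1.1 no longer lives here
 ! management address only (constructed value); the gateway moves to the firewall
 ip address 192.168.1.254 255.255.255.0
 bridge-group 1
!
interface FastEthernet0/1/0
 description L2 link to head office; old transit address 192.168.2.2 removed
 no ip address
 bridge-group 1
!
! with routing disabled the router is an IP host, so it needs a gateway
ip default-gateway 192.168.1.1
!
! --- Head office switch stack (Catalyst IOS syntax, assumed) ---
vlan 199
 name REMOTE-OFFICE-LAN
!
! old transit SVI for 192.168.2.0 removed (vlan number taken from your config)
no interface VlanNNN
!
interface GigabitEthernet3/0/2
 description L2 link from remote router fa0/1/0; access port, not a trunk
 switchport mode access
 switchport access vlan 199
!
! uplink to the firewall (port name is a placeholder); add vlan 199 to the trunk
interface GigabitEthernetX/Y/Z
 switchport mode trunk
 switchport trunk allowed vlan add 199
!
! --- Firewall (Cisco ASA syntax, assumed): sub interface owns 192.168.1.1 ---
interface GigabitEthernet0/1.199
 vlan 199
 nameif remote-lan
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! checks: "show bridge 1" on the router should list remote MACs on both
! bridged ports, and "show arp" on the firewall should learn remote hosts
```

The firewall policy applied to the new remote-lan interface is what actually gives head office visibility of the remote traffic; bridging alone only delivers the frames to it.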

Thanks Richard, I think I understand. I have amended the topology and shown below what I believe I now need. I assume it doesn't matter what the vlan number is as long as it is unique to that subnet?

[Image: RTC design.jpg]

The revised drawing looks appropriate. There are a couple of things that are perhaps assumed that I would like to make explicit:

- on the layer 2 switch at the remote office all ports are in the same vlan. It is not particularly important but if you are going to use vlan 199 on the stacked switches it might be good to use vlan 199 on the remote office switch.

- the connection from the stacked switches to the firewall is a trunk and it includes vlan 199.

- the firewall has a sub interface for vlan 199 and that is where address 192.168.1.1 is configured.


I do not know if the layer 2 switch at the remote office is a managed switch and needs an IP address or is unmanaged and does not need an IP address. If it needs an IP address then it should be something in the 192.168.1 network.


Otherwise I think it looks good.

HTH

Rick

Hi Richard, many thanks for clarifying and for your concise explanations. I now feel more confident in what I am attempting.

You are quite welcome. I am glad that our suggestions have been helpful. This has been an interesting discussion about an approach that is pretty unusual (using a router to bridge rather than to route) but is a valid approach when you are constrained to use existing equipment in a changing environment instead of obtaining new equipment (a new switch). Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.

HTH

Rick

Richard Burts
Hall of Fame

The drawing shows that the router at the remote site has only 2 active interfaces, one for the 192.168.1.0 LAN and one for a transit network, 192.168.2.0. Is it correct that this is all of the network at the remote office? If so then I believe that @Joseph W. Doherty has the right solution about using bridging. You could do something complex like implement Integrated Routing and Bridging. But I think that simply disabling ip routing on the remote router and enabling bridging on its interfaces would be sufficient. If you do this you would remove the 192.168.2.0 network, and the connection on the switch G3/0/2 would not be a trunk but would be an access port in the single vlan connecting the remote office. This would allow you to move 192.168.1.1 to the firewall and allow you to configure some IP in that network if you want management access to the router.

HTH

Rick