L3 Switch routing

imanco671
Level 1

Hello Community,

I have a Catalyst L3 switch. I have 3 VLANs set up.

This L3 switch is acting as my internal router for my 3 different subnets.

VLAN 2 - 10.10.10.1 - eth0/1

VLAN 3 - 192.168.202.1 - eth0/2

VLAN 4 - 192.168.200.1 - eth0/3

Within subnet 192.168.200.0, I have a firewall gateway of 192.168.200.254. There are 5 VPN tunnels going through this firewall.

192.168.102.0

192.168.103.0

192.168.104.0

192.168.105.0

192.168.106.0

These tunnel subnets have a default gateway of 192.168.200.254.

How can I configure them within my L3 switch?

Example: A server within my 10.10.10.0 subnet wants to get to the tunnel 192.168.102.0 - how is the routing handled? I assume I need to have routes set up in my L3 switch, I am just not sure how I should create them. I would like to use a routing protocol like OSPF. I have an ASA 5510 that acts as the gateway for the 192.168.202.0 network. The others are Sonicwalls which do not support routing protocols, so I would keep their static routes.

Thanks in advance.

33 Replies

John

Do you need the statics on the ASA if you also add them to the L3 switch ? Remember that because the 10.10.10.x/192.168.200 & 202.0 networks are routed off the L3 switch then you should only need them on that device.

Is there a reason I am not understanding for needing them on the ASA?

Jon

Now I'm getting confused.

My servers are pointing to the firewall's internal interface, not the internal router.

So a server on the 10.10.10.0 subnet has a default gateway of 10.10.10.222 (which is the inside interface on a Watchguard firewall).

If a request from the 10.10.10.0 subnet is for the 192.168.200.0 network, then the server will go to the firewall then it will get directed to the existing internal router, then will be directed to the appropriate subnet.


Jon Marshall
Hall of Fame

John

Okay, I think a better solution is to point all your devices in the subnets 10.10.10.x/192.168.200.x and 192.168.202.x to the L3 switch, i.e. make the default gateways for all devices their respective L3 VLAN IP addresses on the L3 switch.

What you then do is have any additional routes for other networks on the L3 switch and you let the L3 switch send the traffic to the right device.

So your server has DG of 10.10.10.1 (which is the L3 VLAN IP on the L3 switch). It gets sent to the switch and the switch routes it onto the 192.168.200.x network directly, there is no need for the extra hop to the Sonicwall. That is one of the main advantages to having a L3 switch do all your inter-VLAN routing.

As I mentioned in an earlier post, if you have configured 10.10.10.222 as the DG on all your 10.10.10.x networks and it would need a lot of work to change the DG to 10.10.10.1, then you can simply readdress the Sonicwall interface to an unused 10.10.10.x address and move the 10.10.10.222 address to the L3 VLAN interface on the L3 switch for the 10.10.10.x network.

Does this make sense ?

Jon

Scary Jon, but makes sense.

So I would have all my servers going to my L3 switch then back to the Sonicwall? Would this create an extra hop for all local subnet traffic, but reduce a hop for all routed traffic?

What you then do is have any additional routes for other networks on the L3 switch and you let the L3 switch send the traffic to the right device.

How is this done? Just normal static route commands?

John

Not that scary, don't worry.

We do need to clarify some things though. The servers currently have a DG of the Sonicwall. Is this because you need to secure them from the other internal subnets, i.e. 192.168.200/202.x subnets, or is it because you didn't have an internal L3 switch before?

Why would the servers go to the Sonicwall unless they are going out through it? The only time traffic should go to the Sonicwall with your new setup would be if the traffic was actually going out through that device.

Would this create an extra hop for all local subnet traffic, but reduce a hop for all routed traffic?

Not sure what you mean. By introducing a L3 switch and using it to route the internal VLANs you are reducing the hops or at the very least just changing the hop from a firewall to the L3 switch. Think of the L3 switch within your LAN as the organiser of local traffic (local traffic being traffic between subnets within your LAN, i.e. 10.10.10.x/192.168.200/202.x).

So all local traffic goes to the L3 switch and then a decision is made there as to where to send the traffic to, i.e. another device on a different subnet or to the ASA or Sonicwall. And yes, you would use static routes to tell the L3 switch where to send traffic that is not for one of the local subnets.

However, before we do any of this I get the feeling there are other things going on that maybe I haven't fully understood. Where are all your 10.10.10.x servers and 192.168.200/202.x clients connected to in your LAN? Presumably not just to the 3560 switch?

If there are other switches in the LAN then are these connected to the 3560 or do you plan to connect them up? If they aren't, are they connected to the Sonicwall?

Jon

Hi Jon,

We do need to clarify some things though. The servers currently have a DG of the Sonicwall. Is this because you need to secure them from the other internal subnets ie. 192.168.200/202.x subnets or is it because you didn't have an internal L3 switch before ?

We do have an internal router. The guy before me had set things up, who knows if there was an internal router when he started adding these Sonicwalls and Watchguards. Good possibility that things were "pieced" together.

So having the internal router as the "traffic cop" is the standard, I will go with that and change the NIC addresses. So little disruption is involved. I am scared of screwing things up when I make the switchover. I want to just be able to plug things in and have it all work.

I just don't get the part of the internal router (L3 switch) knowing where to send the traffic such as the 192.168.200.254 Sonicwall. I have no routes telling it to go there. I think this has to be defined in the L3 switch?

However before we do any of this i get the feeling there are other things going on that maybe i haven't fully understood. Where are all your 10.10.10.x servers and 192.168.200/202.x clients connected to in your LAN. Presumably not just to the 3560 switch ?

Clients - 192.168.200.254 - sonicwall

Tunnels - 192.168.200.254 - Sonicwall

Servers - 10.10.10.222 - watchguard

Demo servers - 192.168.202.222 - Watchguard (created the Eth0/2 on the ASA) getting ready to move them

DMZ - 192.168.201.0 - ASA (not completely ready, I am working with John to get the NAT and ACL's ready)

I plan to connect our Dell PowerConnect switches to the L3 switch. Each subnet has its own Dell PowerConnect switch. So I plan to connect the firewall inside interface directly to the L3 switch using a VLAN-assigned port, then connect the switch to another VLAN-assigned port. Spanning tree for these or no spanning tree on these ports?

John

Okay, it sounds okay at first glance. This is the bit I am still not following -

I just dont get the part of the internal router (L3 switch) knowing where to send the traffic such as the 192.168.200.254 sonicwall. I have no routes telling it to go there. I think this has to be defined in the L3 switch?

What would traffic go to the Sonicwall for? In your new setup all traffic goes to the L3 switch first. So the only reason to go to the Sonicwall would be if the destination network was either a DMZ on the Sonicwall or a remote network that is reachable via the Sonicwall.

For any DMZs or remote networks that you need to go to the Sonicwall for, you would simply add a route to the L3 switch, e.g.

ip route 192.168.200.254

As for STP, yes, run it. Even if you have no loops in your network, and it sounds like you don't, you should still run it just in case.

Jon

To clarify on the part of how the L3 knows to get to the 192.168.200.254:

I wonder what I have to change for the tunnels, this may get ugly. That means I have to adjust all the ACLs for the tunnels to the new address (assuming I change the Sonicwall address and give it to the internal L3 switch).

But how does traffic know to get out to the internet through the Watchguard?

Example:

Server 10.10.10.45 wants to get out to the internet.

The default gateway is 10.10.10.222 (which is the L3 switch after we swapped it with the Watchguard)

Now, how does the L3 switch tell server 10.10.10.45 to go out through the Watchguard to the internet?

This is where I am confused.

John

Ahh, I have just spotted something.

Do all the internal devices use the Watchguard to get out to the internet? If yes we are okay, you simply add this route to the 3560 -

ip route 0.0.0.0 0.0.0.0

The above is a default route and tells the L3 switch to send all traffic for which it does not have a more specific route (which would be internet traffic) to the Watchguard.

If the internal devices use different firewalls for internet connectivity then we may have a problem depending on what feature set your L3 switch is using.

By the way, you don't have to move the Watchguard IP of .222 if you don't want, but that would then mean updating all devices with .222 as their DG to the L3 VLAN IP on the switch.

Jon

Jon,

Yes each subnet uses its firewall to get out to the internet.

Example:

Server 10.10.10.99

goes out to the internet using 10.10.10.222 (Watchguard)

User 192.168.200.33

goes out to the internet using 192.168.200.254 (Sonicwall)

Demo server 192.168.202.88

goes out to the internet using 192.168.202.222 (another Watchguard)

I am planning on getting rid of the two watchguards and setting them up on the ASA, but first will be the 192.168.202.0 network.

So each subnet has its own way to get out to the internet using its own firewall.

Oh dear.

Well, you can't do what we have been talking about then unless you either -

1) use just one firewall for internet access. Do you know the logic behind having a different firewall for each subnet? Is it for security reasons or is it simply the way the network has developed?

It must be a nightmare maintaining 3 different firewalls just for 3 subnets. Unless your company has very tight security requirements it seems a recipe for making a mistake having to look after all that.

2) Use PBR on the L3 switch. What you can do on the L3 switch is use Policy Based Routing, which would allow us to get around this issue. Couple of things to be said about this -

i) not really a long term solution, but if you are getting rid of some of the firewalls it might not be that long term

ii) you have to have IP Services on your L3 switch. If you have IP Base then it will not run PBR. So do a "sh version" on your switch and it should tell you, or post the output here.

Just to make sure though, this existing setup is not because you need such a secure network is it ?

Jon
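As an added illustration (not part of the thread or anyone's posted config), here is a Python model of the forwarding decision the L3 switch makes for the routes discussed above: longest-prefix match over the three connected VLANs, the five tunnel statics via 192.168.200.254 and a default route, plus the per-source PBR policy Jon describes for the case where each subnet keeps its own internet firewall. The default route's next hop 10.10.10.222 and the PBR mapping are assumptions.

```python
import ipaddress

# Constructed routing table modelled on the thread: the three connected VLAN
# subnets on the L3 switch, the five tunnel subnets reached via the Sonicwall
# at 192.168.200.254, and a default route. Its next hop 10.10.10.222 (the
# Watchguard) is an assumption; the thread leaves the next hop out.
ROUTES = [
    ("10.10.10.0/24", "connected Vlan2"),
    ("192.168.202.0/24", "connected Vlan3"),
    ("192.168.200.0/24", "connected Vlan4"),
    ("0.0.0.0/0", "10.10.10.222"),
] + [(f"192.168.{n}.0/24", "192.168.200.254") for n in range(102, 107)]

# Hypothetical PBR policy: each source subnet keeps its own internet firewall,
# the situation Jon says needs PBR (IP Services) rather than one default route.
PBR = {
    "10.10.10.0/24": "10.10.10.222",
    "192.168.200.0/24": "192.168.200.254",
    "192.168.202.0/24": "192.168.202.222",
}


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (network, next hop) of the most specific
    route covering dst, or None when nothing matches (e.g. an IPv6 address)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


def forward(src, dst, routes=ROUTES, pbr=None):
    """Decide where the L3 switch sends a packet. Local and tunnel prefixes
    always win; only traffic falling through to the default route (internet
    bound) is subject to the per-source PBR policy when one is given."""
    match = lookup(dst, routes)
    if match is None:
        return None
    net, nexthop = match
    if pbr and net.prefixlen == 0:
        src_addr = ipaddress.ip_address(src)
        for src_net, firewall in pbr.items():
            if src_addr in ipaddress.ip_network(src_net):
                return firewall
    return nexthop
```

Without the policy, a 192.168.200.x user's internet traffic follows the single default route to the Watchguard; with it, each subnet exits through its own firewall while tunnel and local traffic is unaffected.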

It was just pieced together. No reason, I think the guy before me had thoughts of making it secure on the 192.168.202.0 Watchguard. But there is full communication between the subnets. No regulation. Just one big network.

Each subnet has its own firewall.

I want to get rid of the Watchguard 192.168.202.0 firewall and add it to the ASA. I also want to create a DMZ on the ASA and put all my webservers on it. Also regulate the allowed traffic from my DMZ to my INSIDE. Too many port 80s opened, so I want them all on the DMZ.

My L3 switch is IPBase-M version 12.2

How do you think I should re-structure?

Hi Jon,

Let's pick this up next week. Have a good weekend. Have a few beers for me.

Thanks for the awesome help!!

John

No problem.

Jon
