Routing assistance

Stacey Hummer
Level 1

Good day all,

I am trying to resolve an issue we currently have. I have one connection coming from our ISP into a 3650 switch that feeds out 2 x 1GB SFPs and 1 10GB. The connection from the ISP goes into the distribution switch, as we supply other entities with a raw feed. We have 2 x 10GB-capable firewalls that I am trying to get connected in an HA configuration. The issue is I do not have another connection @ 10GB on the 3650 switch. I do have a 3850 24-port SFP switch just inside our network, co-located with the firewalls and the raw feed. I've been looking at how I could segregate the traffic from the ISP to connect to the 3850 (inside the domain) but not have access to the domain. Then there could be 2 x 10GB SFP connections coming from that to feed both outside interfaces of the firewalls. I was looking at VRF-lite but am not sure it will work. Any suggestions as to how to go about this? I have attached images of now and what I need to do. Thanks in advance.


nagrajk1969
Spotlight

Hello Stacey

Why don't you try the configs below in your network deployment... maybe it will help.

On the 3860 switch

1. Create Vlan-101 and

a) ISP-Raw-speed switch is connected to port1 (10Gbps port)
b) Firewall-1 WAN interface is connected to port2 (10Gbps port)
c) Firewall-2 WAN interface is connected to port3 (10Gbps port)

- so all 3 internet-facing public links/interfaces are in the same vlan101
- keep all these 3 ports untagged/access ports only
- DON'T configure any layer-3 vlan101 interface for this vlan101... there is no need, because the default-gw of both FW-1 and FW-2 firewalls will be the IP address of the ISP router connected to the ISP-Raw-speed switch (connected on port1)

2. Create Vlan-102 and...

a) FW-1 LAN interface will be connected to port-3 (10Gbps)
b) FW-2 LAN interface will be connected to port-4 (10Gbps)

- so both these ports are in the same vlan... and therefore have IP addresses in the same subnet
- configure both port-3/port-4 as untagged/access ports only
- don't configure any layer-3 vlan102 interface for vlan102 on this switch

c) So now connect port-5 on this 3860 switch to another layer-3 switch on which all the internal networks are connected
- make this port an access/untagged port too


3. Now let's assume that the Internal-Network switch has multiple ports to which the LAN hosts are connected... and one 10G port-25

a) Create vlan102 on this internal-nw switch and add port-25 to this vlan102

- make this port-25 access-port/untagged only
- On this Internal-Switch, configure the layer-3 vlan102 interface and give it an IP address in the same subnet as the LAN-interface IP address of both FW-1 and FW-2

b) Now connect your internal-nw hosts to this internal-nw switch and keep all of them in the same vlan102... or divide them into separate vlans and make this Internal-nw layer-3 switch the main Inter-Vlan router

c) Note: DO NOT CREATE VLAN101 ON THE INTERNAL-NW SWITCH AT ANY TIME... EVER


I think the above should give you further ideas as to how to go about with your deployments.

As far as I can say,

- with the above config the ISP raw speed coming into the 3860 on port-1 will be routed only to the FW-1 and FW-2 WAN interfaces on port-2/3... because they are on the same vlan101... and there is NO inter-vlan routing happening on this 3860 switch

- Next, the traffic from ISP/Internet is routed through the HA FWs and on the LAN side it is again routed ONLY to the Internal-nw switch for further routing to the internal LAN hosts/systems...

- It's ONLY on the Internal-nw switch that any routing between vlan102 and other internal vlans, if any, can be done... and since there is NO vlan101 interface/nw connected anywhere on the Internal-nw switch, there is, I think, complete isolation between the Internet and the internal LAN networks...

thanks
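The isolation in this reply rests on three rules that are easy to break later by a well-meaning change: no layer-3 vlan101 or vlan102 interface on the edge switch, the ISP VLAN on access ports only (never on a trunk toward the inside), and vlan101 never defined on the internal switch. The script below is an added example for this thread, not code from the poster or from Cisco: it parses a small IOS-style configuration and reports any deviation from those rules. The sample configs, the interface names TenGigabitEthernet1/0/1 to 1/0/6 and 1/0/25, and the 203.0.113.x / 10.0.102.x addresses are constructed assumptions; the reply only gives port numbers, and the port-3 overlap in it is resolved here by giving each link its own interface.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample of the edge switch from the reply: VLAN 101 = ISP raw feed
# (ISP uplink, FW-1 WAN, FW-2 WAN), VLAN 102 = firewall LAN side plus the
# uplink to the internal L3 switch. Interface names are assumptions.
EDGE_SWITCH = """\
vlan 101
vlan 102
interface TenGigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 101
interface TenGigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 101
interface TenGigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 101
interface TenGigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 102
interface TenGigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 102
interface TenGigabitEthernet1/0/6
 switchport mode access
 switchport access vlan 102
"""
# Same switch with two constructed mistakes: an SVI on the ISP VLAN, and the
# uplink toward the internal switch re-done as a trunk that also carries VLAN 101.
EDGE_SWITCH_BROKEN = EDGE_SWITCH + """\
interface Vlan101
 ip address 203.0.113.2 255.255.255.0
interface TenGigabitEthernet1/0/6
 switchport mode trunk
 switchport trunk allowed vlan 101,102
"""
# Constructed internal L3 switch: VLAN 102 with its SVI, no VLAN 101 anywhere.
INTERNAL_SWITCH = """\
vlan 102
interface Vlan102
 ip address 10.0.102.1 255.255.255.0
interface TenGigabitEthernet1/0/25
 switchport mode access
 switchport access vlan 102
"""

@dataclass
class Port:
    mode: str = "access"                        # access or trunk
    access_vlan: int = 1
    trunk_allowed: Optional[Set[int]] = None    # None = every VLAN in the database

@dataclass
class SwitchConfig:
    vlans: Set[int] = field(default_factory=set)   # "vlan N" database entries
    svis: Set[int] = field(default_factory=set)    # "interface VlanN" = L3 on that VLAN
    ports: Dict[str, Port] = field(default_factory=dict)

def parse_config(text: str) -> SwitchConfig:
    """Minimal IOS-style parser: only the VLAN and switchport lines the audit needs."""
    cfg, port = SwitchConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                 # new top-level stanza
            port = None
            if m := re.fullmatch(r"vlan (\d+)", line):
                cfg.vlans.add(int(m[1]))
            elif m := re.fullmatch(r"interface Vlan(\d+)", line):
                cfg.svis.add(int(m[1]))
            elif m := re.fullmatch(r"interface (\S+)", line):
                port = cfg.ports.setdefault(m[1], Port())   # later stanzas merge
        elif port is not None:                      # sub-line of a physical port
            if m := re.fullmatch(r"switchport mode (access|trunk)", line):
                port.mode = m[1]
            elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
                port.access_vlan = int(m[1])
            elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,]+)", line):
                port.trunk_allowed = {int(v) for v in m[1].split(",")}
    return cfg

def ports_carrying(cfg: SwitchConfig, vid: int) -> List[str]:
    """Interfaces that would forward frames for VLAN vid (access or trunk)."""
    out = []
    for name, p in cfg.ports.items():
        if p.mode == "access" and p.access_vlan == vid:
            out.append(name)
        elif p.mode == "trunk" and (vid in p.trunk_allowed if p.trunk_allowed is not None
                                    else vid in cfg.vlans):
            out.append(name)
    return out

def audit_edge(cfg: SwitchConfig, isp_vlan: int = 101, fw_lan_vlan: int = 102) -> List[str]:
    """Edge-switch rules: no SVI on either VLAN; the ISP VLAN only on access ports."""
    findings = [f"SVI Vlan{v} present: edge switch must not route for VLAN {v}"
                for v in (isp_vlan, fw_lan_vlan) if v in cfg.svis]
    findings += [f"{n} is a trunk carrying VLAN {isp_vlan}: ISP VLAN must stay on access ports"
                 for n in ports_carrying(cfg, isp_vlan) if cfg.ports[n].mode == "trunk"]
    return findings

def audit_internal(cfg: SwitchConfig, isp_vlan: int = 101, fw_lan_vlan: int = 102) -> List[str]:
    """Internal-switch rules: VLAN 101 never exists there; VLAN 102 carries the SVI."""
    findings = []
    if isp_vlan in cfg.vlans or isp_vlan in cfg.svis or ports_carrying(cfg, isp_vlan):
        findings.append(f"VLAN {isp_vlan} is present on the internal switch")
    if fw_lan_vlan not in cfg.svis:
        findings.append(f"no SVI Vlan{fw_lan_vlan}: the internal switch needs the L3 interface here")
    return findings
```

Running `audit_edge(parse_config(EDGE_SWITCH))` returns an empty list, while the broken sample yields two findings (the Vlan101 SVI and the trunk on 1/0/6); pointing `audit_internal` at the edge config shows the inverse failure, since VLAN 101 exists there and the vlan102 SVI does not. Feeding a real `show running-config` into `parse_config` works as long as it uses the same `vlan N`, `interface ...` and `switchport ...` lines.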
