Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1570
Views
0
Helpful
4
Replies

3850 Issue with external VRRP (WatchGuard)

DuncanM2008
Level 1
Level 1

‎07-20-2016 11:43 AM - edited ‎03-08-2019 06:42 AM

Hello,


I've got a 3850 stack running IOS:
 Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.04.E RELEASE


It's setup as an L3 switch with two Vlans (Voice & Data) and a default route to a WatchGuard Firewall cluster, the issue is the WG Firewall cluster appears to use VRRP so the mac-address for the cluster is:

0000.5e00.0106


With the switch in L3 mode I'm unable to get the Cisco to communicate with the WatchGuard cluster and if I try the old static ARP & static mac trick similar to what you use with Multicast NLB (for Windows) I get as far as the MAC entry then get the below:

mac address-table static 0000.5e00.0106 vlan 10 interface GigabitEthernet1/0/1 GigabitEthernet2/0/5
%Cannot configure a static entry for an address used by the router

At the moment I'm a bit stuck as I've had to set the clients default gateway to be the WatchGuard directly as opposed to the 3850, I assume I can't add a static entry for the mac due to some internal logic in IOS XE about MAC and VRRP entries (in case I ever configured VRRP)??

Any suggestions how I get round this?


Thanks,

Labels:
0 Helpful
4 Replies 4

paul driver
VIP
VIP

‎07-20-2016 01:08 PM

Hello

How have you configure your default route towards the WG FW?

Try specifying the physical interface also with next hop , This will stop the L3 stack from Arp'ing every external destination address

ip route 0.0.0.0 0.0.0.0 (interface) x.x.x.x

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

DuncanM2008
Level 1
Level 1
In response to paul driver

‎07-20-2016 01:14 PM

Hi Paul,

It's purely a next hop IP at the moment, if I did it based on interface that would be difficult as the WG FW is in the same subnet (still doesn't ping). So the next hop interface could be one of two ports depending on which cluster member was active? 

The switch is 172.27.21.254 and the WG is 172.27.21.1 both in Vlan10, the Vlan10 SVI should be the client default gateway.

Thanks, 

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to DuncanM2008

‎07-20-2016 01:49 PM

Vlan 10 segment is your user subnet.

How about creating a new /30 or /29 subnet between the FW and the switch?

HTH

0 Helpful

paul driver
VIP
VIP
In response to DuncanM2008

‎07-20-2016 02:48 PM

Hello

Can you post a topology of this and maybe the L3 switch config -

Maybe IRB could be a way forward?

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card