DuncanM2008
Beginner

3850 Issue with external VRRP (WatchGuard)

Hello,


I've got a 3850 stack running IOS:
 Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.04.E RELEASE


It's set up as an L3 switch with two VLANs (Voice & Data) and a default route to a WatchGuard Firewall cluster. The issue is that the WG Firewall cluster appears to use VRRP, so the MAC address for the cluster is:

0000.5e00.0106


With the switch in L3 mode I'm unable to get the Cisco to communicate with the WatchGuard cluster, and if I try the old static ARP & static MAC trick, similar to what you use with multicast NLB (for Windows), I get as far as the MAC entry and then get the below:

mac address-table static 0000.5e00.0106 vlan 10 interface GigabitEthernet1/0/1 GigabitEthernet2/0/5
%Cannot configure a static entry for an address used by the router

At the moment I'm a bit stuck, as I've had to set the clients' default gateway to be the WatchGuard directly as opposed to the 3850. I assume I can't add a static entry for the MAC due to some internal logic in IOS XE about MAC and VRRP entries (in case I ever configured VRRP)?

Any suggestions how I get round this?


Thanks,

paul driver
VIP Mentor

Hello

How have you configured your default route towards the WG FW?

Try specifying the physical interface as well as the next hop. This will stop the L3 stack from ARPing for every external destination address:

ip route 0.0.0.0 0.0.0.0 (interface) x.x.x.x

res
Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Hi Paul,

It's purely a next-hop IP at the moment. If I did it based on interface that would be difficult, as the WG FW is in the same subnet (it still doesn't ping). So the next-hop interface could be one of two ports depending on which cluster member was active?

The switch is 172.27.21.254 and the WG is 172.27.21.1, both in VLAN 10; the VLAN 10 SVI should be the client default gateway.

Thanks, 

The VLAN 10 segment is your user subnet.

How about creating a new /30 or /29 subnet between the FW and the switch?

HTH
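As an added worked example (not from the thread or from either vendor), this is what the suggested transit subnet looks like on the 3850 side. It keeps the VLAN 10 SVI as the client gateway and moves the firewall cluster onto its own small subnet so the switch simply ARPs for the cluster's shared address there, with no static MAC or static ARP entries. VLAN 999 and 172.27.99.0/30 are assumptions, as is the cluster taking .1 on that subnet; the port numbers and the VLAN 10 addressing are taken from the original post.

```cisco
! Added example, not configuration from the thread.
! Assumptions: transit VLAN 999, 172.27.99.0/30, cluster shared IP = .1.
!
ip routing
!
vlan 999
 name FW-TRANSIT
!
! Both firewall-facing ports carry the transit VLAN so either cluster member
! can be active; the switch learns the VRRP virtual MAC dynamically on
! whichever port currently answers ARP for 172.27.99.1.
interface GigabitEthernet1/0/1
 description WatchGuard cluster member A
 switchport mode access
 switchport access vlan 999
!
interface GigabitEthernet2/0/5
 description WatchGuard cluster member B
 switchport mode access
 switchport access vlan 999
!
! Client gateway stays on the switch (addresses from the post).
interface Vlan10
 description User subnet
 ip address 172.27.21.254 255.255.255.0
!
! Transit SVI: .2 on the switch, .1 is the cluster's shared (VRRP) address.
interface Vlan999
 description Transit to WatchGuard cluster
 ip address 172.27.99.2 255.255.255.252
!
! Default route with both the egress SVI and the next hop, so the stack only
! ever ARPs for 172.27.99.1 rather than for every external destination.
ip route 0.0.0.0 0.0.0.0 Vlan999 172.27.99.1
```

Two things to verify once this is in place: `show ip arp 172.27.99.1` should resolve to a 0000.5e00.01xx address (the IANA VRRP virtual MAC range, where the last byte is the VRID), and the WatchGuard cluster needs a static route for 172.27.21.0/24 via 172.27.99.2 plus a policy that allows that subnet, otherwise return traffic from the firewall has no path back to the clients behind the switch.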

Hello

Can you post a topology of this and maybe the L3 switch config?

Maybe IRB could be a way forward?

res
Paul