Solved: Re:basic vlan routing

suthomas1 · ‎04-10-2013

Hi,

I have a basic query. the network contains few application servers which are connected a 2960 currently.

A 3750 acts as the core L3 interface for these servers.

eg, it has SVI VLAN 100 - 192.168.100.1 /24 & SVI VLAN 111 - 192.168.111.1 /24

Now, the change that will be done is to bring in another firewall , that will be used to house the

layer 3 interface for these servers.

Hence, SVI VLANs 100 & 111 will be removed from the current core 3750 and instead these SVI's will be

created as Layer 3 interfaces on the new firewall.

The new firewall and the core 3750 will be connected via a transit link - 10.58.21.0 / 30.

Firewall interface will have 10.58.21.1 and 3750 connected interface will have 10.58.21.2.

Following routes will be in place on 3750 for all server bound traffic:

ip route 192.168.100.0 255.255.255.0 10.58.21.1

ip route 192.168.111.0 255.255.255.0 10.58.21.1

& the routes in place on the new firewall will be:

ip route 192.168.100.0 255.255.255.0 10.58.21.2

ip route 192.168.111.0 255.255.255.0 10.58.21.2

The final flow will be like:

servers ---> 2960 ( L2 switch ) -----> 3750 -------> Firewall ( L3 VLANs for servers )

so in case of any user traffic coming from 2960 and destined for the servers, it will be routed to the firewall

, will the return routes that is put above on the firewall cause any problems. or will it just remain

redundant, since it will as connected interface.

Appreciate all reply.

parvinder.s · ‎06-01-2013

hi,

if both the clients and servers connect to the 2960 switch...............

1. remove the 3750 switch.......trunk the 2690 into the fw with vlans........

2. remove the 2690 and connect all the client/server on the 3750

3. choose either one of above two.......and connect that removed switch in other int of fw and either place all the clients or servers in this switch.

the 3750 switch will be there as only L2. no routing no static routes..........

thanks

View solution in original post

amabdelh · ‎04-10-2013

If the source and destination IPs are in the same vlan, theh the FW will not do anything, if the source and destination IPs are in different vlans then the FW will route the packet between the two vlans but make sure you permit this traffic on the access-list on this FW

Sent from Cisco Technical Support iPhone App

paul driver · ‎04-15-2013

Hello
On the fw how are these L3 interfaces being created ( ie subinterfaces?) if so

on the 3750 give it a default route and trunk port upto the fw

res
paul

Sent from Cisco Technical Support Android App

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

gordonderick · ‎04-16-2013

Hi,

I see a couple of design issues here.

1. The default gateway is on the FW for the servers. I.e. the server traffic would need to traverse a L3 link to get to their default gw. This cannot be possible as the servers should be in the same LAN as the default GW.

2. The IP routing is incorrect. Any traffic destined for the servers will go the the router 3750. The router will look up its routing table and find the next hop to be the FW and forward it to the FW. The FW will look up its routing table and find that the next hop is the router 3750 and send traffic to the the router. The process repeats. Basically you are creating a routing loop.

-Gordon.

parvinder.s · ‎06-01-2013

hi,