cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1057
Views
0
Helpful
2
Replies

Catalyst 3560 Config question (vlan routing)

Jason Whitehead
Level 1
Level 1

I have setup the default route for my layer 3 switch 0.0.0.0 0.0.0.0 10.100.1.2 255.255.255.252 on interface gigabitEthernet 0/1 with the

Switch(config-if)#no switchport
Switch(config-if)#ip address 10.100.1.1 255.255.255.252
Switch(config-if)#no shutdown

We are using a Watchguard firebox that associates rules and policies based on the Port that is receiving
the traffic, each network has different policies on Internet access that the watchgaurd filters.

with the setup above all traffic would leave the switch to one interface of the Firebox, what would the best
solution be to solve this problem? maybe make a different routing port on the switch, any help or advice would
be appreciated

1 Accepted Solution

Accepted Solutions

Ganesh Hariharan
VIP Alumni
VIP Alumni

Hi,

As per your existing setup switch --- watchgaurd firewall---internal lan,with this setup you can achive that from outside network what ever traffic comes to internal LAN will be filter as per the policies in firewall.

Routing will be done at switch and outside world.

But if you want to filter traffic between internal lan you need to have separate segment of firewall in separate segment so that all traffic from internal lan can come to firewall then policy will checked and goes to destination segment.

Hope that Helps

Regards

Ganesh.H

View solution in original post

2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

JasonWhitehead wrote:

I have setup the default route for my layer 3 switch 0.0.0.0 0.0.0.0 10.100.1.2 255.255.255.252 on interface gigabitEthernet 0/1 with the

Switch(config-if)#no switchport
Switch(config-if)#ip address 10.100.1.1 255.255.255.252
Switch(config-if)#no shutdown

We are using a Watchguard firebox that associates rules and policies based on the Port that is receiving
the traffic, each network has different policies on Internet access that the watchgaurd filters.

with the setup above all traffic would leave the switch to one interface of the Firebox, what would the best
solution be to solve this problem? maybe make a different routing port on the switch, any help or advice would
be appreciated

Jason

It depends on a few things -

1) how many ports do you have on the WatchGuard and are there enough for all the vlans ?

2) If not can the Watchguard support 802.1Q ie. can you have subinterfaces on the WatchGuard ?

3) Can the Watchguard not filter by subnet IP address as it seems very restrictive otherwise ie. you need an interface per vlan/subnet ?

Jon

Ganesh Hariharan
VIP Alumni
VIP Alumni

Hi,

As per your existing setup switch --- watchgaurd firewall---internal lan,with this setup you can achive that from outside network what ever traffic comes to internal LAN will be filter as per the policies in firewall.

Routing will be done at switch and outside world.

But if you want to filter traffic between internal lan you need to have separate segment of firewall in separate segment so that all traffic from internal lan can come to firewall then policy will checked and goes to destination segment.

Hope that Helps

Regards

Ganesh.H

Review Cisco Networking for a $25 gift card