Configure the switch layer 3 port connected to a firewall

alex.barchini
Level 1

Hello,

I would like some help with a configuration. I have a 6500 series switch connected to a firewall; the port configuration between them is layer 2, in other words I do not configure an IP address on the Cisco switch port that connects to the firewall. But when I apply a policy on the firewall it loses communication with the other vlans; just the vlan that is connected between the switch and firewall works (the design is attached). I think it is necessary to configure the connection between the firewall and switch as layer 3 (a port with an IP address on the switch), but I would like to know why. The switch is configured with about 10 vlans and does inter-vlan routing; a default route is configured on the switch where the gateway is the firewall.

Note: The comments in the picture attachment are in Portuguese, but nothing important.


6 Replies

Jon Marshall
Hall of Fame

Alexander

Shouldn't matter whether you use an L2 port or an L3 port, both should work. But if you use an L2 port obviously you need an L3 vlan interface for that vlan on the 6500 for the firewall to communicate with the other vlans.

Perhaps it is your firewall policy that is the problem.

Jon

Jon,

but when I apply a policy on the firewall all the other vlans stop working properly; they do not connect to the Internet. Just the vlan where the servers are works, and the connection between the firewall and the 6500 switch is in this default vlan (server vlan), with the SVI configured. So I think that if I configure an L3 routed port on the Cisco switch where the firewall connects it should work, because all vlans will be routed, but I would like to make sure about that.

Alexander

Difficult to say without seeing config. Here are your 2 options in more detail -

1) use a L2 port. So lets say the L2 port is in vlan 10 and the subnet is 192.168.5.0/24

6500 end
======
int vlan 10
ip address 192.168.5.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.5.2

Firewall interface connecting to 6500 would be given an IP of 192.168.5.1 (the 6500 vlan 10 ip). Then on the firewall for each other vlan subnet on the 6500 you would need to add routes for those subnets eg.

ip route 192.168.6.0 255.255.255.0 192.168.5.1  <-- where 192.168.6.0/24 is a different vlan/subnet on the 6500.

2) If you use a L3 port then

6500 end
=======
int gi0/1  <-- connects to firewall
no switchport
ip address 192.168.5.1 255.255.255.252  <-- note you only need a /30 subnet for a P2P routed link
ip route 0.0.0.0 0.0.0.0 192.168.5.2

Again, the firewall interface connecting to the 6500 is given 192.168.5.2 255.255.255.252. You then need to add routes to the firewall as in previous example except this time you also need to add a route for the server vlan as well.

One last point. I have used the example of adding static routes to the firewall but you could, if supported, use a dynamic routing protocol on your firewall and 6500 to exchange the 6500 subnets.

Jon
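As an added illustration of why the firewall needs the return routes Jon describes (this is not code from the thread): a small longest-prefix-match lookup that builds the firewall's routing table for both options, with and without the static routes, and reports how the firewall would forward a reply into each vlan. The three vlan subnets and the separate /30 for the routed link are assumptions; without the routes, the L2 option reproduces the "only the server vlan works" pattern, and the L3 option shows why the server vlan needs a route of its own.

```python
import ipaddress

# Constructed sample data: vlan 10 is the server vlan from the thread
# (192.168.5.0/24, 6500 SVI at .1); the other two stand in for the
# "about 10 vlans" and are assumed values.
VLAN_SUBNETS = {
    "vlan10 (server vlan)": "192.168.5.0/24",
    "vlan20": "192.168.6.0/24",
    "vlan30": "192.168.7.0/24",
}
# Option 2 routed link: assumed to be a separate /30 so the server vlan
# keeps its /24 (Jon's reply reuses 192.168.5.x for both examples).
L3_LINK = "10.255.255.0/30"
SWITCH_IP_L2 = "192.168.5.1"    # 6500 "int vlan 10"
SWITCH_IP_L3 = "10.255.255.1"   # 6500 "no switchport" port on the /30

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; next_hop None means
    directly connected. Returns "connected", the next hop, or None when no
    route covers dst (the firewall would drop the packet)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return None
    return "connected" if best[1] is None else best[1]

def firewall_routes(l3_link, add_return_routes):
    """Firewall routing table for option 1 (L2 port, firewall is a host in
    vlan 10) or option 2 (L3 /30 link), with or without the static return
    routes toward the 6500 that the accepted answer says to add."""
    if l3_link:
        routes = [(L3_LINK, None)]
        inside_nh, need = SWITCH_IP_L3, list(VLAN_SUBNETS.values())
    else:
        routes = [("192.168.5.0/24", None)]
        inside_nh = SWITCH_IP_L2
        need = [s for s in VLAN_SUBNETS.values() if s != "192.168.5.0/24"]
    if add_return_routes:
        routes += [(s, inside_nh) for s in need]
    return routes

def return_path(l3_link, add_return_routes):
    """For each vlan, how the firewall would forward a reply to a host there."""
    table = firewall_routes(l3_link, add_return_routes)
    return {name: lookup(table, str(ipaddress.ip_network(net)[10]))
            for name, net in VLAN_SUBNETS.items()}
```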

Jon,

First of all thank you for your help. But...

1) use a L2 port. So lets say the L2 port is in vlan 10 and the subnet is 192.168.5.0/24

6500 end
======
int vlan 10
ip address 192.168.5.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.5.2

Firewall interface connecting to 6500 would be given an IP of 192.168.5.1 (the 6500 vlan 10 ip). Then on the firewall for each other vlan subnet on the 6500 you would need to add routes for those subnets eg.

ip route 192.168.6.0 255.255.255.0 192.168.5.1  <-- where 192.168.6.0/24 is a different vlan/subnet on the 6500.

Where you said

"Firewall interface connecting to 6500 would be given an IP of 192.168.5.1 (the 6500 vlan 10 ip)"

And

"int vlan 10
ip address 192.168.5.1 255.255.255.0"

So... Do you need to put the same IP address on the firewall interface and on the switch vlan (192.168.5.1)?

And the route

ip route 0.0.0.0 0.0.0.0 192.168.5.2

Who is 192.168.5.2?

Alexander

No, the 6500 would use 192.168.5.1 on the vlan 10 interface. The firewall interface connected to the 6500 would use 192.168.5.2. They can't use the same IP.

so "ip route 0.0.0.0 0.0.0.0 192.168.5.2" on the 6500 says send all traffic for unknown destinations (usually internet traffic) to the firewall interface.

Jon

Hi Jon Marshall,
I do not understand the sentence below:
"except this time you also need to add a route for the server vlan as well."
Which one is the server vlan in this case?
Thanks a lot.
