Connectivity from Layer 3 Switch to Firewall

Anup Sasikumar
Level 1

Hi Experts,

[Attachment: Sim.png]

RACK 1 is the old rack and NEW RACK is the rack which is going to be procured for some new Servers. All the Servers in RACK 1 have a default gateway of the PIX Inside IP. As of now the 3560 Switches act as Layer 2 and do not have L3 IP routing enabled. Could you please suggest how I can enable connectivity between the 192.168.36.0 range and the 192.168.57.0 range without making any change to the current PIX inside IP address 192.168.57.1?

Is it possible that I can enable IP routing on the 3560 Switches, create interface VLAN 36 and, since Switch 2 already has its default gateway as 192.168.57.1, would the traffic from 192.168.36.0 be routed to 192.168.57.1? Or do I need to create a static route for that?

Since L3 Routing is not enabled and the 3560 Switches are just acting as L2, the VLAN 2 - 192.168.57.0 range does not have any interface VLAN configured. Please correct me if I am wrong, so when it is changed I would need to create interface VLAN 2 on the 3560 Switches, right?

Please help !!!

Regards,

Anup

18 Replies

If you are trying to add a reverse route back to the 3560 from the router, you need to point it at the exit interface connected to the 3560 or at the IP address of the 3560 connected to the router.

Best regards,
Abzal

Hi,

on the switch f0/1:

interface f0/1
 no switchport
 ip add 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254

on the router end:

int f0/1
 ip add 192.168.1.254 255.255.255.0
ip route 192.168.36.0 255.255.255.0 192.168.1.1
ip route 192.168.57.0 255.255.255.0 192.168.1.1

for the Pix do the same with 2 route inside ( one for each VLAN) and one default route outside to get to internet

don't forget to NAT and apply access-list inbound on outside to permit icmp  back in

Regards.

Alain

Don't forget to rate helpful posts.

THANKS A MILLION, Alain and Abzal.

I am able to get connectivity to Router interface from the VLAN machines ! :-)

So I have just learned that to enable connectivity from a Layer 3 Switch to a Firewall/Router, the following are the options

(1) If Switchport configurations are used

-Create a new separate VLAN/interface VLAN for establishing connectivity

-Assign IP for that interface VLAN on Switch

-Assign an IP in the same range to the port on Router/Firewall to which the Switch is connected to

-Make sure default static route is pointing to the Router/Firewall port ip address

-Make sure that routes are added for the inside networks on Router/Firewall for the return traffic

(2) If Router port configurations are used

-Make the switchport connecting to the Firewall/Router to Router port

-Assign IP to the port

-Assign IP in the same range to the port on Router/Firewall

-Make sure default static route is pointing to the Router/Firewall port ip address

-Make sure that routes are added for the inside networks on Router/Firewall for the return traffic

---------------------

The one thing I am still unclear about in the routing is the reason why we don't have to use a trunk port to connect the L3 Switch and Router? Multiple VLAN traffic is flowing through the link, right?

Is it because it is L3 traffic and network Layer encapsulation is done on the interface VLANs, so that the VLAN ID tag on the frame becomes insignificant?

Or is it because it is a router to router (well, L3 Switch) connection and the Layer 2 concepts are insignificant?

------------------

Please help !

Thanks,

Anup

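
The two step lists above, and Alain's switch/router configuration earlier in the thread, boil down to four things that have to line up: the switch port facing the router must be routed (no switchport, or an SVI), both ends of the link must share a subnet, the switch's default route must point at the router's link address, and the router needs a return route for every inside subnet via the switch's link address. The Python check below is an added example, not code from the thread, from Cisco or from any of the posters; it parses only the handful of IOS lines involved and reports which of those conditions fail. The sample configurations are constructed for the example, following Alain's 192.168.1.0/24 transit link and the two inside networks from the question; the "bad" router config deliberately contains a five-octet prefix typo (the kind of slip that is easy to make when copying routes) and leaves one return route out. Routes written with an exit interface instead of a next-hop IP (the form Abzal mentions) are not handled.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample configurations (not from the thread): routed port f0/1 on the
# 3560, a 192.168.1.0/24 transit link, and SVIs for the two inside networks.
SWITCH_OK = """
interface FastEthernet0/1
 no switchport
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 ip address 192.168.57.2 255.255.255.0
interface Vlan36
 ip address 192.168.36.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
"""
ROUTER_OK = """
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
ip route 192.168.36.0 255.255.255.0 192.168.1.1
ip route 192.168.57.0 255.255.255.0 192.168.1.1
"""
# Same router, but with a five-octet prefix typo and the 192.168.57.0 route left out.
ROUTER_BAD = """
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
ip route 192.168.1.36.0 255.255.255.0 192.168.1.1
"""


def parse_ios(config: str) -> Tuple[Dict[str, dict], List[Tuple[str, str, str]]]:
    """Parse only what the check needs: interface blocks with 'ip address' and
    'no switchport', plus 'ip route NET MASK NEXTHOP' (exit-interface form is skipped)."""
    interfaces: Dict[str, dict] = {}
    routes: List[Tuple[str, str, str]] = []
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # An SVI is always routed; a physical port only after 'no switchport'.
            interfaces[current] = {"ip": None, "mask": None,
                                   "routed": current.lower().startswith("vlan")}
        elif line.startswith("ip route "):
            parts = line.split()
            if len(parts) == 5:
                routes.append((parts[2], parts[3], parts[4]))
        elif current is not None and line == "no switchport":
            interfaces[current]["routed"] = True
        elif current is not None and line.startswith("ip address "):
            parts = line.split()
            if len(parts) == 4:
                interfaces[current]["ip"], interfaces[current]["mask"] = parts[2], parts[3]
    return interfaces, routes


def to_iface(ip: Optional[str], mask: Optional[str]) -> Optional[ipaddress.IPv4Interface]:
    """Build an IPv4Interface from 'ip' and dotted 'mask'; None if missing or malformed."""
    if ip is None or mask is None:
        return None
    try:
        return ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError:
        return None


def check_l3_link(switch_cfg: str, router_cfg: str, sw_if: str, rt_if: str) -> List[str]:
    """Verify the switch-to-router handoff described in the thread.
    Returns a list of findings; an empty list means everything lines up."""
    findings: List[str] = []
    sw_ifs, sw_routes = parse_ios(switch_cfg)
    rt_ifs, rt_routes = parse_ios(router_cfg)

    sw_link = sw_ifs.get(sw_if, {"ip": None, "mask": None, "routed": False})
    rt_link = rt_ifs.get(rt_if, {"ip": None, "mask": None, "routed": True})
    if not sw_link["routed"]:
        findings.append(f"switch {sw_if}: still a switchport, so it cannot carry an IP address")
    sw_addr = to_iface(sw_link["ip"], sw_link["mask"])
    rt_addr = to_iface(rt_link["ip"], rt_link["mask"])
    if sw_addr is None or rt_addr is None:
        findings.append("link: both ends need a valid 'ip address' before routing can work")
        return findings
    if sw_addr.network != rt_addr.network:
        findings.append(f"link: {sw_addr} and {rt_addr} are not in the same subnet")

    # The switch's default route must point at the router's link address.
    defaults = [nh for net, mask, nh in sw_routes if net == "0.0.0.0" and mask == "0.0.0.0"]
    if str(rt_addr.ip) not in defaults:
        findings.append(f"switch: no default route via {rt_addr.ip} (found {defaults or 'none'})")

    # Every inside subnet (each SVI on the switch) needs a return route on the router
    # whose next hop is the switch's link address; malformed prefixes are flagged.
    returns = set()
    for net, mask, nh in rt_routes:
        try:
            returns.add((ipaddress.IPv4Network(f"{net}/{mask}"), nh))
        except ValueError:
            findings.append(f"router: malformed static route '{net} {mask} {nh}'")
    for name, data in sw_ifs.items():
        if name == sw_if:
            continue
        addr = to_iface(data["ip"], data["mask"])
        if addr is not None and (addr.network, str(sw_addr.ip)) not in returns:
            findings.append(f"router: no return route for {addr.network} via {sw_addr.ip}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", ROUTER_OK), ("bad", ROUTER_BAD)):
        print(label, check_l3_link(SWITCH_OK, cfg, "FastEthernet0/1", "FastEthernet0/1") or "OK")
```

Run against the "good" pair the check returns no findings; against the "bad" router it reports the malformed route and the two inside subnets that have no return route, which is exactly the asymmetric-routing situation (traffic leaves the VLAN but replies never come back) that the step lists warn about.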

Hi,

Your L3 switch was routing, so you needed a logical interface (SVI) or a physical routed interface on which you could set an IP.

Regards.

Alain

Don't forget to rate helpful posts.