Host with gateway 3 devices away question

nygenxny123
Level 1

I am having trouble getting my head wrapped around how a host is speaking to its gateway, which is 3 devices away, and that gateway is connected to the network via an access port on a different vlan.

Scenario is as follows:

Host is connected to a 3750B, no routing enabled on switch. Connection for host via an access port configured for vlan 200

IP address of host is 10.65.50.10/24
The gateway of the host is 10.65.50.1/24. That interface is on a Palo Alto FW 3 devices away, which is running OSPF.


The host switch, 3750B, has a trunk link to 3750A. Both have the same vlan information.

3750A however is running OSPF and has formed a neighbor relationship with the Palo Alto, which is also running OSPF.

The neighbor relationship however is in a different network/vlan

3750A#sh ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.65.254.10      1   FULL/DR         00:00:38    10.65.100.1     Vlan100

interface Vlan100
 ip address 10.65.100.254 255.255.240.0

The actual physical connection to 3750A is an access port configured for vlan 100, not a trunk as I would assume.

How is traffic getting to the gateway if it is crossing an access port and not a trunk port?

If I shut down OSPF on switch A and enable it on switch B, will routing work the same?
Will there be an issue with traffic going to the Palo Alto gateways, since I am no longer physically connected to the new OSPF router if I move OSPF to router B?

Accepted Solution

The original post asks the question of how traffic is getting to its gateway when the gateway is 3 hops away and is in a different network. I would answer that I do not believe that most of the traffic does get to the gateway. I believe that most of the traffic is routed before it gets to the gateway. I believe that this is what is happening:

- the host attempts to send a packet to its gateway.

- the packet gets to the layer 3 device that is routing for vlan 200 which appears to be switch 3750A.

- switch 3750A performs routing and forwards the packet toward its destination (without necessarily forwarding to the Palo Alto).

The solution suggested by Richard assumes that the original poster wants all routing for the network to be done by the Palo Alto firewall. I wonder if that is really the design for the network for the original poster. If that is the design then Richard is right that every vlan should connect to the Palo Alto and this implies that OSPF should be removed from 3750A.

I believe that the configuration of OSPF on 3750A implies that the design of the network is that an interior device should do the inter-vlan routing and should use the firewall only for traffic that will exit the network (and does that by forwarding traffic using the layer 3 routed link on vlan 100). In that case the network is working as designed. And it would be desirable to do some clean up and change the configuration of the first host so that its gateway was the layer 3 device routing for vlan 200.

The original poster asks about the possibility of moving OSPF to 3750B. There are some things that we do not know which impact whether this would work. Certainly this change requires enabling routing on 3750B. But we do not know whether 3750B has access to the same vlans and subnets that 3750A has. And we do not know whether 3750B has a connection to the Palo Alto that could be used as a layer 3 routed link. So at this point we do not have enough information to answer the part of the question about whether routing would work the same if OSPF moved from 3750A to 3750B.

HTH

Rick

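The forwarding model in Rick's answer, as an added example (not code from the thread): it takes the addresses from the post, assumes a 3750A routing table (a Vlan200 SVI plus an OSPF-learned default route toward the Palo Alto on Vlan100), and traces which traffic is routed on the switch versus handed to the firewall.

```python
# Added example, not code from the thread: models the forwarding decision the
# accepted answer describes. Addresses come from the post; the 3750A route
# table below is an assumption (a Vlan200 SVI plus an OSPF-learned default
# route via the Palo Alto on Vlan100), not configuration taken from the page.
from ipaddress import ip_address, ip_interface, ip_network

HOST = ip_interface("10.65.50.10/24")               # host on vlan 200
HOST_GW = ip_address("10.65.50.1")                  # gateway address on the Palo Alto
SWITCH_A_VLAN100 = ip_interface("10.65.100.254/20") # 3750A's Vlan100 SVI from the post
OSPF_NEIGHBOR = ip_address("10.65.100.1")           # Palo Alto's address on vlan 100

# Assumed 3750A routing table: (prefix, next hop or None if connected, exit interface)
SWITCH_A_ROUTES = [
    (ip_network("10.65.50.0/24"), None, "Vlan200"),       # assumed SVI for vlan 200
    (ip_network("10.65.96.0/20"), None, "Vlan100"),       # derived from 10.65.100.254/20
    (ip_network("0.0.0.0/0"), OSPF_NEIGHBOR, "Vlan100"),  # assumed default via OSPF
]

def on_link(iface, target):
    """True when target sits inside iface's own subnet, i.e. reachable by ARP."""
    return ip_address(target) in iface.network

def next_hop(routes, dst):
    """Longest-prefix match; returns (next hop as str or 'connected', exit interface)."""
    dst = ip_address(dst)
    best = None
    for prefix, nh, exit_if in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh, exit_if)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return (str(best[1]) if best[1] else "connected"), best[2]

def trace_host_packet(dst):
    """Steps a packet from the host toward dst the way the accepted answer lays it out."""
    # Step 1: the host ARPs for dst itself if on-link, otherwise for its gateway.
    target = dst if on_link(HOST, dst) else str(HOST_GW)
    steps = [f"host on vlan 200 ARPs for {target} and hands the frame to that MAC"]
    # Step 2: the layer 3 device routing for vlan 200 (3750A, per the answer)
    # picks the packet up and routes it from its own table; only traffic that
    # needs the default route actually leaves toward the Palo Alto on Vlan100.
    nh, exit_if = next_hop(SWITCH_A_ROUTES, dst)
    steps.append(f"3750A routes {dst} via {nh} out {exit_if}")
    return steps

if __name__ == "__main__":
    for d in ("10.65.50.20", "10.65.100.1", "8.8.8.8"):
        print("\n".join(trace_host_packet(d)), end="\n\n")
```

Flows that resolve to the connected Vlan200 or Vlan100 routes never transit the Palo Alto, which is the visibility gap to keep in mind if the firewall is expected to inspect inter-vlan traffic.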

2 Replies

The connection to the Palo Alto FW needs to be a trunk containing vlan 100 and 200.

So you will have a trunk from B to A, which you say you have. Then you will be ok.

If you can't configure the FW or a trunk, then you need to have the access vlan 200 to the FW and give switch A an address on vlan 200.

HTH

Richard.
