05-01-2020 06:45 AM
We want to test two different ISPs. I have two firewalls each with a different network (of course), but only one layer 3 switch. Is it possible to make one interface on the switch go to one firewall and another interface on the same switch to go to the other firewall?
05-01-2020 07:12 AM
Yes, connect one interface using layer-3 or a vlan with an SVI interface to one firewall and connect a different interface with a different layer-3 or SVI to the other firewall. Example:
interface g0/1
 ip address 10.10.10.1 255.255.255.252
! to firewall 1
interface g0/2
 ip address 10.10.10.5 255.255.255.252
! to firewall 2
You also need an IP (on the same subnet) on each firewall.
HTH
05-01-2020 07:24 AM - edited 05-01-2020 07:26 AM
If I understand your question correctly, the answer is yes. If you have a layer 3 switch then you'll be able to have 2 SVIs (switched virtual interfaces, aka interface vlan x). You will connect your firewall to the layer 3 switch and build the necessary vlans for your inside and outside interfaces on the firewall. Then build the layer 2 ports accordingly (you can trunk or use multiple access ports). Then you will build the SVIs for each vlan. You will need to use VRF lite to separate the outside interfaces from the inside routing table or you will defeat the purpose of the firewall. Commands on the L3 switch could look like this, but I would need more information if you needed something a little more specific.
vrf definition OUTSIDE
 rd <YOUR ASN>:<UNIQUE NUMBER>
 address-family ipv4
 exit
!
interface g1/0/1
 description TO INSIDE INTERFACE OF FIREWALL
 switchport
 switchport mode access
 switchport access vlan 100
 exit
!
interface g1/0/2
 description TO OUTSIDE INTERFACE OF FIREWALL
 switchport
 switchport mode access
 switchport access vlan 200
 exit
!
int vlan 100
 ip address x.x.x.x n.n.n.n
!
int vlan 200
 vrf forwarding OUTSIDE
 ip address x.x.x.x n.n.n.n
You will then do the same thing but different vlans for the second firewall.
I hope this helps.
Barry
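One way to audit a switch configuration for the VRF separation described in the reply above, as an added example that is not part of the original thread. The function names and both sample configs are constructed for illustration, and the check assumes the access ports carry descriptions containing OUTSIDE, as in the posted config.

```python
import re

def parse_interfaces(config):
    """Map normalized interface name -> list of its sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"int(?:erface)?\s+(.+)", line, re.I)
        if m:
            current = blocks.setdefault(m.group(1).replace(" ", "").lower(), [])
        elif line.lower() == "exit" or line.lower().startswith("vrf definition"):
            current = None          # left interface configuration mode
        elif current is not None and line and line != "!":
            current.append(line)
    return blocks

def outside_svis_in_global_table(config):
    """VLAN ids of OUTSIDE access ports whose SVI has an IP but no VRF."""
    ifs, findings = parse_interfaces(config), []
    for cmds in ifs.values():
        lower = [c.lower() for c in cmds]
        desc = next((c for c in lower if c.startswith("description")), "")
        vlan = next((c.split()[-1] for c in lower
                     if c.startswith("switchport access vlan")), None)
        if vlan is None or "outside" not in desc:
            continue
        svi = [c.lower() for c in ifs.get("vlan" + vlan, [])]
        routed = any(c.startswith("ip address") for c in svi)
        in_vrf = any(re.match(r"(ip )?vrf forwarding \S+", c) for c in svi)
        if routed and not in_vrf:   # outside SVI shares the inside routing table
            findings.append(int(vlan))
    return sorted(findings)

# Constructed sample configs; addresses are private/documentation ranges.
GOOD = """
vrf definition OUTSIDE
interface g1/0/1
 description TO INSIDE INTERFACE OF FIREWALL
 switchport access vlan 100
interface g1/0/2
 description TO OUTSIDE INTERFACE OF FIREWALL
 switchport access vlan 200
int vlan 100
 ip address 10.0.100.1 255.255.255.0
int vlan 200
 vrf forwarding OUTSIDE
 ip address 192.0.2.1 255.255.255.252
"""
BAD = GOOD.replace(" vrf forwarding OUTSIDE\n", "")  # SVI left in global table
```

A non-empty result lists the outside VLANs whose SVI would let the switch route between inside and outside without passing through the firewall.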