Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2976
Views
0
Helpful
3
Replies

ISR 4431 SVI and Subinterfaces

Go to solution
jeffreywatson
Level 1
Level 1

‎04-07-2016 04:17 PM - edited ‎03-08-2019 05:17 AM

Hello -

We are setting up two routers to peer with an ISP via BGP using ISR4431.  The two routers are separated by about a mile through DWDM Fiber.  So I need an SFP port gig 0/0 between the routers to carry the cross traffic.  On the LAN Side I have two checkpoint firewalls that have to route out to the WAN and also see each other over the Site/Site link.

The Router has an 8 port L2 card which supports SVI's and 4 onboard gig ports.

So would this work:

If I setup an SVI Vlan 10 and assign an IP address on both routers for the LAN side to carry the Firewall traffic.  Then configure configure an SVI Vlan 20 and assign an ip on both routers for the ISP side.  Then configure gig 0/0/0.10 dot1q 10,  gig 0/0/0.20 dot1q 20 and do not assign an IP. Then run my routing protocol on all L3 interfaces/?

Will the Firewalls and the ISP routers be able to see each other over V10 and V20, and will  the Firewalls be able to route out to the ISP?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to jeffreywatson

‎04-07-2016 06:05 PM

I don't know if your switch modules have an SFP port, but use a switch with an SFP port at both sites (rather than the routers layer 3 SFP port).  Plug the two switches together using these ports.  Configure them as trunk ports.  Then the VLANs can freely flow between the two sites and everything can be layer 2 adjacent.

Configure SVI's on the router for whatever VLANs it needs to be in.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎04-07-2016 05:50 PM

Do the firewalls, and the two sites in general, need to be L2 adjacent, or can they be in separate L3 subnets?

0 Helpful

Go to solution
jeffreywatson
Level 1
Level 1
In response to Philip D'Ath

‎04-07-2016 06:01 PM

the firewalls need to see each other over a l2 segment and be able to route out to the WAN

if i configure the svi and dot1q sub interfaces with the same tags will they be able to pass traffic between each other?

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to jeffreywatson

‎04-07-2016 06:05 PM

I don't know if your switch modules have an SFP port, but use a switch with an SFP port at both sites (rather than the routers layer 3 SFP port).  Plug the two switches together using these ports.  Configure them as trunk ports.  Then the VLANs can freely flow between the two sites and everything can be layer 2 adjacent.

Configure SVI's on the router for whatever VLANs it needs to be in.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card