01-19-2015 04:16 AM - edited 03-07-2019 10:17 PM
Hi
Please see attachment for my setup. So I have 2 sites which are approx half a mile apart. The ISP has provided 2 circuits, one at each site and these are meant to be acting as an Active/Standby circuit for which they will use HSRP. They have asked us to provide a layer 2 link on which they will run their HSRP Vlan.
We currently have spare fiber running between the 2 sites so no issues there. We are trying to work out how to provide this L2 link. It was suggested by someone to put a switch at each site and use one of the spare fibers to connect into these switches to provide the L2 link, then our router and ISP router can connect into these switches.
The issue is the customer does not want to provide the 2 switches so I was thinking if there is any alternative. The uplinks from my core switches at each site are routed links. Is there any way of running a L2 vlan down those links and across the core switches?
Thanks
01-19-2015 04:26 AM
I hope others will answer this question as well but it comes back to allowing internet traffic via your core without going through the firewall as previously discussed.
If you want to do that then yes simply run cables via your core but it is, as I said before, a really bad idea.
As soon as you use your core switches for that vlan you are exposing your internal network to the internet.
So the answer is yes it can be done but it is not a secure or safe way to do it.
As I said before all these issues could be solved by simply asking the ISP for a new address block for site 2. Your internal servers wouldn't be accessible if site 1 goes down but you said that is not important.
If they insist on running HSRP and you cannot purchase the switches then the only other way is to use the core switches but I wouldn't do it.
Jon
01-19-2015 04:47 AM
Hi Jon
I appreciate the response. I've taken in what you said before and it definitely makes sense, I don't want to introduce a security risk by bypassing the firewalls.
I was just making sure I haven't missed anything, so no way I can run a layer 2 vlan via the L3 links?
01-19-2015 04:52 AM
so no way I can run a layer 2 vlan via the L3 links
Not as far as I can see although others may want to comment.
The problem is that both your WAN and the ISP routers would be in the same vlan and the only way for traffic to get from the ISP router to your WAN router is via the core switch which means that traffic coming from the internet goes through your core switches before it gets to your firewalls.
Which is just not something you want to do.
Jon