hello John ,

We have one firewall its not a pair ,

And we are asked to use the firewall interface for Vlan 10 , can we still configure layer 3 for both vlan on 3750 ? if not what will be suggested solution .

Regards

Amit

Amit

You can use the firewall for vlan 10 but that means for traffic between the two vlans you will need to send traffic back out of the same interface on the firewall ie.

PC1 in vlan 10 has it's default gateway set to the firewall inside interface. If that PC1 sends traffic to PC2 in vlan 20 then the traffic goes to the firewall and then has to be sent back out of the same interface to the 3750.

Do you know if your firewall can do this and are you okay with configuring that ?

Jon

Hello ,

Yes our firewall can do that , we are ok with this config .

Regards

Amit

Amit

On the 3750 -

1) enable ip routing if it isn't already ie. -

switch(config)# ip routing

2) create both vlans at L2

switch(config)# vlan 10

switch(config)# vlan 20

3) create L3 SVIs for both vlans eg.

int vlan 10

ip address 172.16.20.x 255.255.255.0   <-- where x is unused IP

no shut

int vlan 20

ip address 10.10.10.1 255.255.255.0 

no shut

4) add a default route pointing to the firewall -

ip route 0.0.0.0 0.0.0.0 172.16.20.1

then on the firewall you need to add a route for vlan 20 if it is ASA it would look like -

route inside 10.10.10.0 255.255.255.0

the default gateway for clients in vlan 10 is still the firewall. The vlan 10 SVI on the 3750 is only used to route to and from vlan 20 clients.

Jon

really sincerely appreicate your help on this Jon , one quick query I need to keep PC default gateway as below

PC 1 Vlan 10 172.16.20.1          <------which is the firewall

PC2 Vlan 20 10.10.10.1        <--------- which is 3750

Also is this standard solution or work around ?

regards

Amit

The "standard" solution is as i say to route both vlans on the 3750 and only send traffic to the firewall for the internet.

With this solution you use a separate subnet for connectivity between the 3750 and the firewall.

But you said you had to have the default gateway of the clients in vlan 10 to be the firewall so i adjusted the configuration accordingly.

Jon

just wanted to know if we want to use standard solution with both subnets VLAN 10 and VLAN 20 , do we need another subnet for P2P link between 3750 and firewall . will be great help if you can share config for it

Amit

If you wanted to do that then you can use the same config as before but it would mean readdressing the inside interface of your firewall plus some modifications to the routing. So using the original config i posted -

1) use a new subnet for the 3750 to firewall connection. As you only have one firewall then you can use a L3 routed link eg.

3750

====

int gi0/0 <-- this connect to the firewall

no switchport

ip address 192.168.5.1 255.255.255.252

firewall

======

the inside interface then needs to use the IP address 192.168.5.2 255.255.255.252

2) you need to update the routing -

3750

====

replace the existing default route with -

ip route 0.0.0.0 0.0.0.0 192.168.5.2

firewall

=======

you need routes for both subnets now eg.

route inside 172.16.20.0 255.255.255.0 192.168.5.1

route inside 10.10.10.0 255.255.255.0 192.168.5.1

4) finally the default gateway of the vlan 10 clients should point to the 3750 L3 vlan 10 interface.

Note, if you do not want to readdress the firewall interface then you can use the existing vlan 10 subnet for the connection from the 3750 to the firewall and then use a new IP subnet for vlan 10. If all the clients used DHCP this may be easier but it may not.

You would need to modfy the config accordingly if you did that.

Jon

Thanks Jon , One more thing , in the first solution I need to put the trunk port config on 3750 right ?

Gi0/0 connects to Firewall

int gi0/0 <-- this connect to the firewall

no switchport

switchport mode trunk aloowed all

is that right ?

regards

Amit

Amit

No it is not a trunk unless you want to route both vlans off the firewall.

If you do then the configuration needs changing but you said you wanted to route vlan 20 on the 3750.

Jon

Thats right want to keep vlan 20 layer 3 on 3750 .

So below is the only configration i need to do on 3750 on port which connects to firewall ?

int gi0/0 <-- this connect to the firewall

no switchport

regards

Amit

Amit

It depends on whether you are routing vlan 10 on the firewall or not.

You wouldn't do "no switchport" if you are routing vlan 10 on the firewall.

Please be specific in what you want as it keeps changing and it's not clear what you want.

Jon

Apology for confusion and taking your time ,

Just wanted to know with below config which was prepaired for first time what configration i need to give on interface gi0/0 which connects to firewall please thanks

----------------------------------------------------

1) enable ip routing if it isn't already ie. -

switch(config)# ip routing

2) create both vlans at L2

switch(config)# vlan 10

switch(config)# vlan 20

3) create L3 SVIs for both vlans eg.

int vlan 10

ip address 172.16.20.x 255.255.255.0   <-- where x is unused IP

no shut

int vlan 20

ip address 10.10.10.1 255.255.255.0

no shut

4) add a default route pointing to the firewall -

ip route 0.0.0.0 0.0.0.0 172.16.20.1

then on the firewall you need to add a route for vlan 20 if it is ASA it would look like -

route inside 10.10.10.0 255.255.255.0

the default gateway for clients in vlan 10 is still the firewall. The vlan 10 SVI on the 3750 is only used to route to and from vlan 20 clients.

------------------------------