10-12-2022 07:50 AM
Greetings:
I have a C9300 switch and a Sophos firewall in a medium-sized network. Currently the gateway of the network is the firewall. I have heard it's better practice to make the C9300 the gateway. What would I need to do on the switch to make that happen? Please and thanks.
10-12-2022 08:31 AM
If you are looking to control the traffic between any VLANs, I prefer to have the FW as gateway, so you can deny, for example:
VLAN 10 and VLAN 20 do not want to talk to each other; on the FW you can block that.
If you are looking to move the gateway to the switch, you need to create a VLAN SVI as a Layer 3 interface and assign an IP address, so users can point to that as the gateway; again, you need to set up some static routing between the FW and the switch.
If this is a simple network, I do not see any advantage in moving the gateway back to the switch (unless you see a reason and are keen to move the gateway to the switch).
10-12-2022 09:59 AM
"I have heard its better practice to make the C9300 the gateway."
That depends on your traffic flows, local vs. non-local.
The C9300 likely has much more routing capacity than your FW. If you have lots of traffic that transits your C9300, which needs to hop between your local networks, then yes, the C9300 is probably a better choice for such routing. However, if most of your traffic is not hopping between networks locally, but passing through your FW, the FW is fine for your L3 "routing".
One quick test: if you only have one gateway locally, you likely wouldn't benefit from the C9300 being the gateway. Even if you had lots of local gateways, unless traffic is between your local networks, again, the C9300 being the gateway likely wouldn't benefit you.
If you do believe you have much local traffic between your local networks, let us know, and we can discuss what you may need to do.
10-12-2022 11:31 AM
FW as GW means all traffic is inspected in the FW; making the SW the GW means the traffic does not hit the FW and hence the FW will not inspect the traffic.
10-12-2022 02:24 PM
"FW as GW means all traffic is inspected in the FW; making the SW the GW means the traffic does not hit the FW and hence the FW will not inspect the traffic."
Very true.
However, often, but not always, we use FWs and their deep inspection capabilities for traffic flowing in/out of our network, i.e. not for traffic flowing entirely within our network.
Also, basic between-networks security can be implemented on a C9300.
Again, there are times when the capabilities of a FW are wanted for internal traffic too, so that's something to not forget.
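Worked example, added here by the editor and not posted by anyone in the thread: an IOS-XE configuration that does what the second reply describes (SVIs as Layer 3 gateways plus static routing between the switch and the firewall) and what the last reply mentions (basic inter-VLAN filtering on the C9300 itself, here the "VLAN 10 must not talk to VLAN 20" rule). The VLAN numbers, the 10.0.x.0/24 subnets, the /30 transit network to the Sophos LAN interface, the uplink port and the ACL names are all assumptions for illustration, not values from the original question.

```ios
! Added example, not from the thread. All addresses, VLAN IDs, port numbers
! and ACL names below are assumed for illustration.
!
! --- C9300 takes over as default gateway for the user VLANs ---
ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name FW-TRANSIT
!
interface Vlan10
 description Gateway for VLAN 10 (assumed 10.0.10.0/24)
 ip address 10.0.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 description Gateway for VLAN 20 (assumed 10.0.20.0/24)
 ip address 10.0.20.1 255.255.255.0
 no shutdown
!
interface Vlan99
 description Transit /30 to the Sophos LAN interface (assumed 10.0.99.1)
 ip address 10.0.99.2 255.255.255.252
 no shutdown
!
! Access port in the transit VLAN facing the firewall (port number assumed)
interface GigabitEthernet1/0/48
 description Uplink to Sophos firewall
 switchport mode access
 switchport access vlan 99
!
! Everything the switch has no route for (the internet) is sent to the FW.
! The FW needs the matching static routes back: 10.0.10.0/24 and
! 10.0.20.0/24 via 10.0.99.2.
ip route 0.0.0.0 0.0.0.0 10.0.99.1
!
! --- Inter-VLAN traffic is now routed on the switch and never reaches the
! --- firewall, so a rule like "VLAN 10 and VLAN 20 must not talk" has to
! --- be enforced here. Stateless router ACLs on the SVIs, one per
! --- direction, do that:
ip access-list extended VLAN10-IN
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip any any
!
ip access-list extended VLAN20-IN
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip access-group VLAN20-IN in
```

After this, hosts (or the DHCP scope's router option) point at 10.0.10.1 / 10.0.20.1 instead of the firewall, the Sophos side gets the two static routes towards 10.0.99.2, and `show ip interface brief`, `show ip route` and `show access-lists` on the switch confirm the SVIs are up, the default route is present and the deny counters increment when a VLAN 10 host tries to reach VLAN 20. The caveat the thread raises still applies: these ACLs filter on addresses and ports only, with no stateful inspection; traffic that should be inspected by the firewall must still be routed through it.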