need help adding 2nd isp while keeping traffic segregated

JeromeBana
Level 1

Hi

 

I'm rather new to Cisco still; we have a Catalyst 2960 that sits in front of our 2 Sophos firewalls in active/passive mode.

Currently our internet provider arrives on port 1 and the data is split into the two 10G ports, each going to a firewall, creating a LAG (configured to use VLAN 96). I didn't do this; the configuration looks like this:

vlan internal allocation policy ascending
!
vlan 74
 name VL-193-63-109-72-JN
!
vlan 96
 name VL-194-195-187-JN
!
interface GigabitEthernet1/0/1
 description ### Uplink to JANET ###
 switchport access vlan 74
 switchport mode access
!
interface TenGigabitEthernet1/0/1
 description ### Uplink to FW-UTM-1 C2 ###
 switchport mode trunk
 channel-group 1 mode active
!
interface TenGigabitEthernet1/0/2
 description ### Uplink to FW-UTM-2 C2 ###
 switchport mode trunk
 channel-group 1 mode active
!
interface Vlan1
 no ip address
!
interface Vlan74
 ip address 193.63.109.74 255.255.255.252
!
interface Vlan96
 ip address 195.194.187.126 255.255.255.224
!
ip default-gateway 193.63.109.74
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 193.63.109.73

 

I have to migrate our connection, and as of now I have managed to make it work, but only by connecting directly to a single firewall, which is not ideal.

We want to use this device in order to split the traffic for the new provider (EE), with all their traffic split between ports 47/48.

Our provider gave us 5.148.134.68/31 (our IP being .69, routing to .68) and a public range of 5.148.143.240/28.

I was going to configure the "in" side like this:

vlan 69
 name VL-5-148-134-69-EE
!
interface GigabitEthernet1/0/2
 description ### Uplink to EE ###
 switchport access vlan 69
 switchport mode access
!
interface Vlan69
 ip address 5.148.134.69 255.255.255.254

 

But for the connection to the firewall, can I do the same with a trunk channel group (a LAG configured on the other side with a different VLAN, possibly 240), and do I have to "sacrifice" one of our public IPs?

It would seem more logical to me to have Tg1/2 configured as access VLAN 96, and 47/48 as access VLAN 240.

Should I remove the default-gateway and add a route for 5.148.134.68, or should I simply let the VLAN speak and do the routing?

Accepted Solution

brselzer
Cisco Employee

Hello Jerome,

 

If I understand correctly, you want to do something like this:

 

ISP1 <>|______| <> Firewall1
       |Switch|
ISP2 <>|______| <> Firewall2

 

Is that correct? If so, I would keep the switch all L2 and put the IPs on the firewalls. Something like this:

 

Interface ISP1
 switchport mode access
 switchport access vlan 10
!
Interface ISP2
 switchport mode access
 switchport access vlan 20
!
Interface Firewall1
 switchport mode trunk
 channel-group 1 mode active
!
Interface Firewall2
 switchport mode trunk
 channel-group 1 mode active

 

Then on the firewall you configure two sub interfaces. One with an encapsulation of 10 and one with an encapsulation of 20. You give the sub interface with encap 10 the ip for ISP1 and the one with encap 20 the ip for ISP2.

 

You can put an SVI on the switch for monitoring or management but I wouldn't think you would want a little 2960 to participate in your routing. 

 

Hope that helps!

-Bradley Selzer
CCIE# 60833
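The design in the accepted answer, written out as a full Catalyst 2960 configuration. This is an added example and not configuration from the thread or from Cisco; it reuses the original poster's port names and VLAN numbers (74 for JANET, 69 for EE) rather than the placeholder VLANs 10 and 20 above. The management VLAN 100, its 192.0.2.10/24 address and gateway, and the unused native VLAN 999 are assumptions. The security-relevant point it adds to the answer is that the trunk's allowed-VLAN list is what actually keeps the two providers segregated: only the two ISP VLANs are permitted onto the firewall LAG, the native VLAN is one that carries nothing, DTP is disabled on every port, and the switch holds no address on either ISP VLAN.

```cisco
! Added example (not from the thread): two ISP access VLANs feeding one
! firewall LAG on a Catalyst 2960 kept purely at Layer 2, as the accepted
! answer suggests. VLAN 74/69 and the port names come from the original
! post; VLAN 100 (management), 192.0.2.10/24 and VLAN 999 (unused native)
! are assumptions.
!
vlan 74
 name VL-193-63-109-72-JN
vlan 69
 name VL-5-148-134-69-EE
vlan 100
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! ISP uplinks: plain access ports. "switchport nonegotiate" disables DTP so
! a carrier-facing port can never be talked into becoming a trunk.
interface GigabitEthernet1/0/1
 description ### Uplink to JANET ###
 switchport mode access
 switchport access vlan 74
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description ### Uplink to EE ###
 switchport mode access
 switchport access vlan 69
 switchport nonegotiate
!
! Firewall LAG: one LACP bundle carrying both ISP VLANs as tagged frames.
! The allowed list is the segregation control: only 69 and 74 cross this
! trunk, and the native VLAN is one nothing else uses.
interface range TenGigabitEthernet1/0/1 - 2
 description ### Uplink to FW-UTM C2 ###
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 69,74
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 69,74
!
! No SVI on the ISP VLANs: the firewalls own 193.63.109.74 and 5.148.134.69
! on their VLAN 74 / VLAN 69 sub-interfaces. The switch keeps only a
! management address on its own VLAN, so it never takes part in routing.
interface Vlan1
 shutdown
!
interface Vlan100
 description MGMT (assumed addressing)
 ip address 192.0.2.10 255.255.255.0
!
ip default-gateway 192.0.2.1
no ip http server
no ip http secure-server
```

On the firewall side, each unit gets a sub-interface tagged 74 carrying the JANET address and one tagged 69 carrying the EE address, exactly as the answer describes. To confirm the switch matches the intent, `show interfaces trunk` should list only 69 and 74 as allowed and active on Po1, `show etherchannel summary` should show both TenGig members bundled, and `show vlan brief` should show Gi1/0/1 alone in VLAN 74 and Gi1/0/2 alone in VLAN 69.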


2 Replies

Hi, thanks for replying.

That's perfect. I was trying to replicate what was done previously, but your method is much easier and quicker, and it also prevents me from wasting precious public IPs :)

I was also complicating my task by trying to add another physical interface using different Ethernet ports, but simply using a different encapsulation on the same LAG was enough.

Many thanks :D

 
