02-22-2018 04:18 AM - edited 03-08-2019 01:58 PM
Hi
I'm still rather new to Cisco. We have a Catalyst 2960 that sits in front of our 2 Sophos firewalls in active/passive mode.
Currently our internet provider arrives on port 1 and the data is split across the two 10G ports, each going to a firewall, creating a LAG (configured to use VLAN 96). I didn't do this; the configuration looks like this:
vlan internal allocation policy ascending
!
vlan 74
name VL-193-63-109-72-JN
!
vlan 96
name VL-194-195-187-JN
interface GigabitEthernet1/0/1
description ### Uplink to JANET ###
switchport access vlan 74
switchport mode access
interface TenGigabitEthernet1/0/1
description ### Uplink to FW-UTM-1 C2 ###
switchport mode trunk
channel-group 1 mode active
!
interface TenGigabitEthernet1/0/2
description ### Uplink to FW-UTM-2 C2 ###
switchport mode trunk
channel-group 1 mode active
!
interface Vlan1
no ip address
!
interface Vlan74
ip address 193.63.109.74 255.255.255.252
!
interface Vlan96
ip address 195.194.187.126 255.255.255.224
ip default-gateway 193.63.109.74
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 193.63.109.73
I have to migrate our connection, and as of now I have managed to make it work, but only by connecting directly to a single firewall, which is not ideal.
We want to use this device to split the traffic for the new provider (EE), with all their traffic split between 47/48.
Our provider gave us 5.148.134.68/31, IP in 69 routing to 68, and a public range of 5.148.143.240/28.
I was going to configure the "in" like this:
vlan 69
name VL-5-148-134-69-EE
interface GigabitEthernet1/0/2
description ### Uplink to EE ###
switchport access vlan 69
switchport mode access
interface Vlan69
ip address 5.148.134.69 255.255.255.254
But for the connection to the firewall, can I do the same with a trunk channel group (LAG configured on the other side with a different VLAN, possibly 240) and have to "sacrifice" one of our public IPs?
It would seem more logical to me to have Tg1/2 configured as access VLAN 96, and 47/48 as access VLAN 240.
Should I remove the default-gateway and add a route for 5.148.134.68, or should I simply let the VLAN speak and do the routing?
02-22-2018 05:56 AM
Hello Jerome,
If I understand correctly, you want to do something like this:
ISP1 <>|_____| <> Firewall1
|Switch|
ISP2 <>|_____| <> Firewall2
Is that correct? If so, I would keep the switch all L2 and put the IPs on the firewalls. Something like this:
Interface ISP1
switchport mode access
switchport access vlan 10
Interface ISP2
switchport mode access
switchport access vlan 20
Interface Firewall1
switchport mode trunk
channel-group 1 mode active
Interface Firewall2
switchport mode trunk
channel-group 1 mode active
Then on the firewall you configure two sub-interfaces. One with an encapsulation of 10 and one with an encapsulation of 20. You give the sub-interface with encap 10 the IP for ISP1 and the one with encap 20 the IP for ISP2.
You can put an SVI on the switch for monitoring or management but I wouldn't think you would want a little 2960 to participate in your routing.
Hope that helps!
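A small config check, added here as an example (it is not from this thread or from Cisco), that parses an IOS-style config in the shape proposed in this reply and flags what a reviewer would look for: two uplinks landing in the same access VLAN (the ISPs would be bridged together), a trunk to the firewall LAG that is not pruned to the ISP VLANs, and an SVI giving the switch an address inside an ISP VLAN, which the reply advises against. The config text and the 192.0.2.x addresses are constructed.

```python
import re
# Constructed sample (hypothetical addresses) in the shape the reply proposes: two ISP
# access ports, a trunk member of the firewall LAG, and an SVI the reply advises against.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
!
interface TenGigabitEthernet1/0/1
 switchport mode trunk
 channel-group 1 mode active
!
interface Vlan10
 ip address 192.0.2.2 255.255.255.252
"""

def parse_interfaces(config):
    """Return {interface name: [lines]} per IOS interface stanza ('!' ends one)."""
    stanzas, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit(config):
    """Flag deviations from the pure-L2 design: distinct ISP access VLANs,
    trunks pruned to those VLANs, and no switch IP (SVI) in an ISP VLAN."""
    ifaces = parse_interfaces(config)
    access = {n: int(m.group(1)) for n, ls in ifaces.items()  # access port -> VLAN
              for l in ls if (m := re.match(r"switchport access vlan (\d+)$", l))}
    findings = []
    if len(set(access.values())) < len(access):
        findings.append("two uplinks share an access VLAN; the ISPs would be bridged together")
    for name, lines in ifaces.items():
        if "switchport mode trunk" in lines and not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append(f"{name}: trunk carries every VLAN; prune it to {sorted(set(access.values()))}")
        m = re.match(r"Vlan(\d+)$", name)
        if m and int(m.group(1)) in access.values() and any(l.startswith("ip address") for l in lines):
            findings.append(f"{name}: SVI holds an IP in an ISP-facing VLAN; drop it so the switch stays L2")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the two findings; a config with `switchport trunk allowed vlan 10,20` on the trunk and no Vlan10 SVI returns an empty list.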
02-22-2018 06:37 AM
Hi thanks for replying
That's perfect. I was trying to replicate what was done previously, but your method is much easier and quicker, and also prevents me from wasting precious public IPs :)
I was also complicating my task by trying to add another physical interface using different Ethernet ports, but simply using different encapsulations on the same LAG was enough.
Many thanks :D