RE: Do I need to create a trunk port between a Cisco L3 switch or a Juniper SSG 140 firewall?

tdotvix1982
Level 1

Hi,

I had a question about connecting an L3 switch with a Juniper SSG 110 firewall. My L3 switch, which is a Cisco 3750 series switch performing inter-VLAN routing on the LAN segment, would need to point a default gateway towards the firewall to forward all traffic it doesn't know about towards the remote site via the firewall. The firewall is running OSPF within the IPSEC over GRE tunnel. I would have the firewall point static routes towards the subnets in the VLANs and then redistribute them into the routing protocol so that they may be sent across to the remote site. My question is whether I would need to create a trunk connection between the firewall's inside port and the L3 switch, or whether I just need to create a routed port and assign it an IP to connect to the firewall, or create an SVI on the switch to connect to the firewall.

Thanks,

Vick.


4 Replies

Somasundaram Jayaraman
Cisco Employee

Hi,

A trunk connection should work.

On the Juniper side,

here is a sample of how to do this: you create the different zones and tag the VLAN number to the subinterfaces. So I made ethernet 0/9 into 4 zones and tagged the VLAN numbers, so port ethernet 0/9 is a dot1q trunk with 4 VLANs.

set zone id 100 "Workstation"
set zone id 101 "Phones"
set zone id 103 "Server"
set zone id 104 "Wireless"
set interface "ethernet0/9.1" tag 10 zone "Workstation"
set interface "ethernet0/9.2" tag 20 zone "Server"
set interface "ethernet0/9.3" tag 30 zone "Wireless"
set interface "ethernet0/9.4" tag 40 zone "Phones"
set interface ethernet0/9.1 ip 10.105.0.1/23
set interface ethernet0/9.1 route
set interface ethernet0/9.2 ip 10.105.2.1/25
set interface ethernet0/9.2 route
set interface ethernet0/9.3 ip 10.105.2.129/26
set interface ethernet0/9.3 route
set interface ethernet0/9.4 ip 10.105.3.1/24
set interface ethernet0/9.4 route

Hope this helps,

Cheers

Somu

Hi Somu,

Thanks for the reply. But I was of the opinion that my L3 switch was performing inter-VLAN routing and not the firewall. This is why we are installing our 3750 L3 switch. Let's say for instance I do not want to send out any VLAN tagging information to the firewall and instead I want to perform all inter-VLAN routing on the LAN side of the L3 switch; then do I need to perform dot1q trunking with the firewall? The firewall is running OSPF with the remote side and the L3 switch is not part of the OSPF domain. Ideally I was thinking, on the firewall, I would need to point static routes to VLAN subnets behind the L3 switch and then in turn redistribute the routes in the OSPF domain on the firewall to provide reachability to remote nodes in the OSPF domain across the WAN. Basically, do I need to perform trunking with my firewall if I am performing inter-VLAN routing on the L3 switch (firewall's inside segment)? If not, can I just create a routed port interfacing with the firewall's inside segment then?

Thanks,

Vick.

Hi,

Since your vlans are being terminated in the 3750, you do not need to have a trunk port to the firewall.  As you noted all you need is an L-3 routed access port with the firewall using a /30 subnet and the proper redistribution you noted here.

HTH

Reza
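A worked configuration for the routed-port design Reza describes, added here as an example; it is not from the thread or from either vendor's documentation. The interface names, VLAN numbers, and the 10.0.0.0/30 link addresses are assumed; the comment lines use IOS `!` style throughout, including above the ScreenOS section, for readability only.

```cisco
! --- Cisco 3750 (LAN side): inter-VLAN routing stays on the switch ---
ip routing
!
interface Vlan10
 description Workstations (subnet reused from Somu's example)
 ip address 10.105.0.1 255.255.254.0
!
interface Vlan20
 description Servers
 ip address 10.105.2.1 255.255.255.128
!
! Uplink to the SSG inside port: a routed (no switchport) port on a /30,
! not a trunk, because no VLAN tags need to reach the firewall.
interface GigabitEthernet1/0/1
 description Uplink to SSG 140 inside
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Everything the switch has no route for goes to the firewall.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! --- Juniper SSG (ScreenOS): the other end of the /30, plus one static
! --- route per VLAN subnet pointing back at the switch. These statics
! --- are what the firewall then redistributes into OSPF for the remote
! --- site, as described in the thread (redistribution commands omitted).
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 10.0.0.1/30
set interface ethernet0/1 route
set route 10.105.0.0/23 interface ethernet0/1 gateway 10.0.0.2
set route 10.105.2.0/25 interface ethernet0/1 gateway 10.0.0.2
```

Because the SSG now sees a single routed link rather than per-VLAN subinterfaces, its policies must match on the 10.105.x.x subnets (or address objects for them) instead of on separate zones per VLAN as in Somu's trunk design.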

So, on the firewall, do we need to configure anything, or will it automatically redistribute to the L3 switch?
