11-21-2017 11:24 AM - edited 03-08-2019 12:49 PM
Existing n/w topology:
  WAN
  WatchGuard firewall
  D-Link server switch -- D-Link access switch -- LAN -- WiFi
  Servers

Proposed n/w topology:
  WAN
  WatchGuard firewall
  Cisco 3750 L3 switch -- Servers -- WiFi
  Cisco 2960 access switch
  LAN
I have inherited a flat network. I am planning to implement 7-10 VLANs in the new workplace.
We are planning to purchase a Cisco 3850 switch along with a few Cisco 2960 switches.
In my existing network my WatchGuard firewall is the gateway for the whole network.

Proposed VLANs:
- VLAN 10 - Servers - 192.168.1.0, gw 192.168.1.254
- VLAN 20 - Users - 192.168.2.0, gw 192.168.2.254
- VLAN 30 - Printers - 192.168.3.0, gw 192.168.3.254
- VLAN 40 - Unmanaged devices - 192.168.4.0, gw 192.168.4.254
- VLAN 50 - Backup traffic - 192.168.5.0, gw 192.168.5.254
- VLAN 60 - IT VLAN - 192.168.6.0, gw 192.168.6.254

We are planning to use the Cisco 3750 switch in L3 mode for inter-VLAN routing between the various VLANs. My questions are:
- My current default gateway is the WatchGuard firewall for the whole network. When I implement VLANs, each VLAN will have its VLAN IP address as its gateway, e.g. VLAN 20 will have its IP 192.168.2.254 as its gateway. How would I implement routing between the Cisco 3750 and the WatchGuard firewall for internet and VPN access for the various VLANs? Will it be something like the ip route command?
- How can an SSL VPN user connect remotely to the servers? Will the concept of VLANs be different for SSL VPN users? Where is the routing done?
- I have a wireless AP at the moment which has a separate SSID to connect to my existing network and a Guest SSID which does not connect to my internal network. How will this be affected when I implement VLANs?
Labels: Other Switching
Accepted Solutions
11-21-2017 12:36 PM
"How would I implement routing between the Cisco 3750 and the WatchGuard firewall for internet and VPN access for the various VLANs? Will it be something like the ip route command?"

You would need a /30 or a /29 subnet between the 3750 (core switch) and the firewall. You then need a default route on the core switch 3750 pointing to the firewall IP address. On the firewall, you need a few static routes (one per VLAN) pointing to the IP address on the core switch. Example:

ip route 192.168.1.0/24 x.x.x.x
ip route 192.168.2.0/24 x.x.x.x
etc.

"How can an SSL VPN user connect remotely to the servers? Will the concept of VLANs be different for SSL VPN users? Where is the routing done?"

What device is used for VPN access?

"I have a wireless AP at the moment which has a separate SSID to connect to my existing network and a Guest SSID which does not connect to my internal network. How will this be affected when I implement VLANs?"

I would put each SSID in a different VLAN (one for internal and one for guest) and use an ACL to block the guest VLAN from the internal network while allowing it access to the Internet only.

HTH
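The design in the accepted answer (transit subnet to the firewall, default route on the core, per-VLAN static routes on the firewall, and a guest VLAN fenced off by an ACL) written out as an added Cisco IOS configuration for the 3750 core; this is example code, not from the thread or from Cisco. It assumes a transit /30 of 192.168.254.0/30 (firewall .1, core .2) on routed port Gi1/0/1, an added Guest VLAN 70 on 192.168.7.0/24 for the guest SSID, and the internal SSID reusing Users VLAN 20; only the Servers, Users and Guest SVIs are shown, the remaining VLANs follow the same pattern.

```cisco
! Added example config for the 3750 core (assumed addressing, see lead-in)
! Enable inter-VLAN routing (L3 mode)
ip routing
!
vlan 10
 name Servers
vlan 20
 name Users
vlan 70
 name Guest-WiFi
!
interface Vlan10
 ip address 192.168.1.254 255.255.255.0
interface Vlan20
 ip address 192.168.2.254 255.255.255.0
!
! Guest VLAN ACL: allow DHCP, deny every internal 192.168.x.x destination
! (all VLANs plus the transit link), then permit the rest (Internet)
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan70
 ip address 192.168.7.254 255.255.255.0
 ip access-group GUEST-IN in
!
! Transit link to the WatchGuard as a routed port on the assumed /30
interface GigabitEthernet1/0/1
 no switchport
 ip address 192.168.254.2 255.255.255.252
!
! Default route: anything not a local VLAN goes to the firewall
ip route 0.0.0.0 0.0.0.0 192.168.254.1
!
! Trunk to the 2960 access switch and the AP, carrying only the needed VLANs
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50,60,70
!
! On the WatchGuard, in the answer's own notation, one static route per VLAN
! via the core's transit address, e.g.:
!   ip route 192.168.1.0/24 192.168.254.2
!   ip route 192.168.2.0/24 192.168.254.2
! SSL VPN clients terminate on the firewall, so their pool reaches the VLANs
! through these routes and the core's default route carries the return traffic.
```

Guests must receive an external DNS server via DHCP, since the ACL blocks any internal resolver; verify the fence with `show ip access-lists GUEST-IN` and confirm the deny counters increment when a guest client tries an internal address.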
11-22-2017 07:28 AM - edited 11-22-2017 08:10 AM
"What device is used for VPN access?" - Laptops with an SSL client installed that connect to my WatchGuard firewall.
11-22-2017 08:03 AM
No, what I meant was what is the device you log in to for VPN access. Do you have a VPN concentrator, use the firewall or some other device?
11-22-2017 08:23 AM
Sorry, I misread your question. We use the firewall, which acts as the VPN gateway as well, to log in from remote.
11-22-2017 08:48 AM
I am not familiar with the WatchGuard firewall, but that should not change. So, the users log in to the firewall/VPN, they get an IP address from the DHCP server and can access internal and external (Internet) resources. Not knowing your environment, you may need a couple of changes on the firewall to make sure the IP addresses assigned to VPN users can talk to your internal VLANs.

HTH
