Understanding my configuration. WAN/LAN/Vlan

adam.dillon1
Level 1

Hello,

I'm hoping someone could help me understand a couple of port configurations.

My WAN connection comes from my ISP into a Cisco 2800 Router (ISP managed) and from there it goes into my 3750 stack.

Router to 3750 stack config:

interface GigabitEthernet5/0/2
 description Router Trunk VLAN10,VLAN11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11
 switchport mode trunk

From my 3750 stack there are 2 ports that go into my firewall.

The WAN port:

interface GigabitEthernet5/0/1
 description Firewall X1 outside VLAN11
 switchport access vlan 11
 switchport mode access

The LAN port:

interface GigabitEthernet5/0/3
 description Firewall X0 inside VLAN10
 switchport access vlan 10
 switchport mode access
 ip flow ingress
 ip flow egress
 spanning-tree portfast

I guess what I don't understand is why does my WAN to 3750 have both VLAN 10 and VLAN 11 allowed on it?

The way I understand it, traffic comes into my firewall on VLAN 10, is routed, and as outbound internet traffic takes VLAN 11 to the Cisco router.

Is my understanding incorrect? If it is, can you explain how it actually works?

I wasn't the one that set this up, but I am now the one managing the setup. These questions come up because we are integrating a Barracuda Link Balancer to share multiple WAN connections, and I'm not exactly sure where the device is placed on my network. Understanding my current configuration will probably answer my question about the link balancer.

7 Replies

mattjones03
Level 1

Hi Adam,

Do you have any other services from the ISP (i.e. MPLS, etc.)?

Also, do you have any other interfaces that reside in VLAN 10?

"sh vlan brief"

I believe we do have an MPLS with the ISP.

At one point they managed private connections with our main office to 2 branch offices in other states. That's no longer the case, we use VPN tunnels now. But I think the main service has stayed the same.

VLAN10 is all of our local LAN traffic. 10 was used as our default instead of 1.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/1/1, Gi1/1/3, Gi1/1/4
                                                Te1/1/1, Te1/1/2, Gi2/1/1
                                                Gi2/1/2, Gi2/1/3, Gi2/1/4
                                                Te2/1/2, Gi3/1/1, Gi3/1/2
                                                Gi3/1/3, Gi3/1/4, Te3/1/2
                                                Gi6/0/20
10   Default-Vlan                     active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/20, Gi1/0/21, Gi1/0/23
                                                Gi2/0/1, Gi2/0/2, Gi2/0/3
                                                Gi2/0/4, Gi2/0/5, Gi2/0/6
                                                Gi2/0/7, Gi2/0/8, Gi2/0/9
                                                Gi2/0/10, Gi2/0/11, Gi2/0/12
                                                Gi2/0/13, Gi2/0/15, Gi2/0/16
                                                Gi2/0/17, Gi2/0/18, Gi2/0/20
                                                Gi3/0/3, Gi3/0/4, Gi3/0/5
                                                Gi3/0/6, Gi3/0/7, Gi3/0/8
                                                Gi3/0/9, Gi3/0/10, Gi3/0/12
                                                Gi4/0/2, Gi4/0/3, Gi4/0/4
                                                Gi4/0/5, Gi4/0/6, Gi4/0/7
                                                Gi4/0/8, Gi4/0/9, Gi4/0/11
                                                Gi4/0/12, Gi4/0/13, Gi4/0/14
                                                Gi4/0/15, Gi4/0/16, Gi4/0/17
                                                Gi4/0/18, Gi4/0/19, Gi4/0/20
                                                Gi4/0/21, Gi4/0/22, Gi4/0/23
                                                Gi5/0/3, Gi5/0/4, Gi5/0/11
                                                Gi5/0/12, Gi5/0/13, Gi5/0/14
                                                Gi5/0/15, Gi5/0/16, Gi5/0/17
                                                Gi5/0/23, Gi6/0/4, Gi6/0/6
                                                Gi6/0/7, Gi6/0/8, Gi6/0/9
                                                Gi6/0/10, Gi6/0/11, Gi6/0/12
                                                Gi6/0/13, Gi6/0/14, Gi6/0/15
                                                Gi6/0/16, Gi6/0/17, Gi6/0/18
                                                Gi6/0/19, Gi6/0/21, Gi6/0/23
                                                Gi6/0/24, Po2, Po4

Ok,

It would seem that VLAN 10 (from your ISP Cisco 2800) is legacy configuration that was most likely used to place your remote sites behind the inside interface of your firewalls, via your provider's MPLS network.

This is something you should raise with your ISP, as you could update the connection between the Cisco 2800 and 3750 to an access port (VLAN 11 only) instead of a trunk carrying both VLAN 10 and 11.

VLAN 10 will remain within your LAN (Cisco 3750) to allow your LAN devices access to the inside interface of your firewall.
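As an added illustration of the change the reply above describes (this is my example, not configuration from either poster or from Cisco), here is the current router-facing port beside a VLAN 11-only version, with the checks to run before and after. The risk being removed is that, while VLAN 10 is trunked to the ISP-managed 2800, anything reachable through that router sits on the inside of the firewall rather than behind it. Interface names and VLAN numbers come from the thread; the new description text, the `switchport nonegotiate` line and the verification commands are my additions and assume a 3750 running IOS.

```cisco
! --- Current (from the thread): the ISP router port also carries the inside VLAN ---
interface GigabitEthernet5/0/2
 description Router Trunk VLAN10,VLAN11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11
 switchport mode trunk

! --- Before changing anything (exec mode): confirm nothing on the router side
!     still talks on VLAN 10. Legacy MPLS remote sites would show up here as
!     MAC addresses learned on Gi5/0/2 in VLAN 10.
show interfaces GigabitEthernet5/0/2 trunk
show mac address-table dynamic interface GigabitEthernet5/0/2

! --- Proposed (added example): VLAN 11 only, access mode, DTP disabled ---
interface GigabitEthernet5/0/2
 description ISP Router - outside VLAN11 only
 switchport mode access
 switchport access vlan 11
 switchport nonegotiate
 no switchport trunk allowed vlan
 no switchport trunk encapsulation dot1q

! --- Alternative if the ISP side must stay tagged: keep the trunk but prune it ---
! interface GigabitEthernet5/0/2
!  switchport trunk allowed vlan 11

! --- After (exec mode): VLAN 10 should no longer appear on the uplink,
!     and Gi5/0/2 should be listed only under VLAN 11.
show interfaces GigabitEthernet5/0/2 switchport
show vlan brief
```

The `show` lines are exec-mode commands and are grouped with the configuration only for reading; apply the interface block from configuration mode. The existing firewall ports (Gi5/0/1 in VLAN 11, Gi5/0/3 in VLAN 10) need no change, and VLAN 10 stays on the 3750 for the LAN.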

That makes sense!

I'll check with my ISP and find out if that's the case. Thank you so much!

You are welcome.

Please mark your question as answered/resolved.

I had opened a support case with my ISP to verify what you had said was correct. I heard back this morning that it was the case.

Marking resolved now.

Thanks again!

Great,

Glad you have managed to get the information you required.

If there is anything else I can do to assist, don't hesitate to ask.
