12-06-2016 02:21 PM - edited 03-08-2019 08:28 AM
Hello,
I'm hoping someone could help me understand a couple of port configurations.
My WAN connection comes from my ISP into a Cisco 2800 Router (ISP managed) and from there it goes into my 3750 stack.
Router to 3750 stack config:
interface GigabitEthernet5/0/2
description Router Trunk VLAN10,VLAN11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,11
switchport mode trunk
From my 3750 stack there are 2 ports that go into my firewall.
The WAN port:
interface GigabitEthernet5/0/1
description Firewall X1 outside VLAN11
switchport access vlan 11
switchport mode access
The LAN port:
interface GigabitEthernet5/0/3
description Firewall X0 inside VLAN10
switchport access vlan 10
switchport mode access
ip flow ingress
ip flow egress
spanning-tree portfast
I guess what I don't understand is why my WAN-to-3750 link has both VLAN 10 and VLAN 11 allowed on it.
The way I understand it, traffic comes into my firewall on VLAN 10, is routed as outbound internet traffic, and takes VLAN 11 to the Cisco router.
Is my understanding incorrect? If it is, can you explain how it actually works?
I wasn't the one that set this up, but I am now the one managing the setup. These questions come up because we are integrating a Barracuda Link Balancer to share multiple wan connections, and I'm not exactly sure where the device is placed on my network. Understanding my current configuration will probably answer my question about the link balancer.
12-06-2016 02:28 PM
Hi Adam,
Do you have any other services from the ISP (i.e. MPLS, etc.)?
Also, do you have any other interfaces that reside in VLAN 10?
"sh vlan brief"
12-06-2016 02:32 PM
I believe we do have an MPLS with the ISP.
At one point they managed private connections with our main office to 2 branch offices in other states. That's no longer the case, we use VPN tunnels now. But I think the main service has stayed the same.
VLAN10 is all of our local LAN traffic. 10 was used as our default instead of 1.
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/1/1, Gi1/1/3, Gi1/1/4
Te1/1/1, Te1/1/2, Gi2/1/1
Gi2/1/2, Gi2/1/3, Gi2/1/4
Te2/1/2, Gi3/1/1, Gi3/1/2
Gi3/1/3, Gi3/1/4, Te3/1/2
Gi6/0/20
10 Default-Vlan active Gi1/0/1, Gi1/0/2, Gi1/0/3
Gi1/0/4, Gi1/0/5, Gi1/0/6
Gi1/0/7, Gi1/0/8, Gi1/0/9
Gi1/0/10, Gi1/0/11, Gi1/0/12
Gi1/0/13, Gi1/0/14, Gi1/0/15
Gi1/0/16, Gi1/0/17, Gi1/0/18
Gi1/0/20, Gi1/0/21, Gi1/0/23
Gi2/0/1, Gi2/0/2, Gi2/0/3
Gi2/0/4, Gi2/0/5, Gi2/0/6
Gi2/0/7, Gi2/0/8, Gi2/0/9
Gi2/0/10, Gi2/0/11, Gi2/0/12
Gi2/0/13, Gi2/0/15, Gi2/0/16
Gi2/0/17, Gi2/0/18, Gi2/0/20
Gi3/0/3, Gi3/0/4, Gi3/0/5
Gi3/0/6, Gi3/0/7, Gi3/0/8
Gi3/0/9, Gi3/0/10, Gi3/0/12
Gi4/0/2, Gi4/0/3, Gi4/0/4
Gi4/0/5, Gi4/0/6, Gi4/0/7
Gi4/0/8, Gi4/0/9, Gi4/0/11
Gi4/0/12, Gi4/0/13, Gi4/0/14
Gi4/0/15, Gi4/0/16, Gi4/0/17
Gi4/0/18, Gi4/0/19, Gi4/0/20
Gi4/0/21, Gi4/0/22, Gi4/0/23
Gi5/0/3, Gi5/0/4, Gi5/0/11
Gi5/0/12, Gi5/0/13, Gi5/0/14
Gi5/0/15, Gi5/0/16, Gi5/0/17
Gi5/0/23, Gi6/0/4, Gi6/0/6
Gi6/0/7, Gi6/0/8, Gi6/0/9
Gi6/0/10, Gi6/0/11, Gi6/0/12
Gi6/0/13, Gi6/0/14, Gi6/0/15
Gi6/0/16, Gi6/0/17, Gi6/0/18
Gi6/0/19, Gi6/0/21, Gi6/0/23
Gi6/0/24, Po2, Po4
12-06-2016 02:49 PM
Ok,
It would seem that VLAN 10 (from your ISP's Cisco 2800) is a legacy configuration that was most likely used to place your remote sites behind the inside interface of your firewall, via your provider's MPLS network.
This is something you should raise with your ISP, as you could update the connection between the Cisco 2800 and the 3750 to an access port (VLAN 11 only) instead of a trunk carrying both VLAN 10 and 11.
VLAN 10 will remain within your LAN (Cisco 3750) to allow your LAN devices access to the inside interface of your firewall.
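As an added illustration (not code from this thread or from Cisco), the following Python check parses the 3750 stanzas quoted in the question, reports which of the firewall's inside VLANs the ISP-facing port also carries, and emits the access-port stanza the answer above proposes. The config text is a constructed copy of the posted interfaces (descriptions omitted); the function and argument names are assumptions of this example.

```python
# Constructed sample: the 3750 interface stanzas quoted in the question above
# (interface names and VLAN numbers as posted; descriptions omitted).
CONFIG = """
interface GigabitEthernet5/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11
 switchport mode trunk
interface GigabitEthernet5/0/1
 switchport access vlan 11
 switchport mode access
interface GigabitEthernet5/0/3
 switchport access vlan 10
 switchport mode access
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list like '10,11' or '10-12,20' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_interfaces(config):
    """Map name -> {'mode', 'access', 'allowed'}. allowed=None means the stanza
    has no 'allowed vlan' line, which on IOS means the trunk carries every VLAN."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"mode": None, "access": None, "allowed": None})
        elif cur and line.startswith("switchport mode "):
            cur["mode"] = line.split()[-1]
        elif cur and line.startswith("switchport access vlan "):
            cur["access"] = int(line.split()[-1])
        elif cur and line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = expand_vlans(line.split()[-1])
    return ifaces

def inside_vlans_on_uplink(ifaces, uplink, inside_port):
    """VLANs of the firewall's inside port that the ISP-facing port also carries."""
    up, inside = ifaces[uplink], {ifaces[inside_port]["access"]}
    if up["mode"] == "access":
        return inside & {up["access"]}
    return inside if up["allowed"] is None else inside & up["allowed"]

def access_port_fix(uplink, outside_vlan):
    """Stanza the accepted answer proposes: make the uplink an access port on the WAN VLAN only."""
    return f"interface {uplink}\n switchport mode access\n switchport access vlan {outside_vlan}\n"
```

Note that a trunk with no `switchport trunk allowed vlan` line carries every VLAN, so the check treats that case as exposing all inside VLANs, not none.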
12-06-2016 07:50 PM
That makes sense!
I'll check with my ISP and find out if that's the case. Thank you so much!
12-06-2016 11:35 PM
You are welcome.
Please mark your question as answered/resolved.
12-13-2016 08:39 AM
I had opened a support case with my ISP to verify what you had said was correct. I heard back this morning that it was the case.
Marking resolved now.
Thanks again!
12-13-2016 10:23 AM
Great,
Glad you have managed to get the information you required.
If there is anything else I can do to assist, don't hesitate to ask.