VLAN issue

OddyAten
Level 1

I would like your assistance with a scenario I'm currently working on.


We have a corporate network where all servers and clients are connected to the same subnet. This one is 192.168.100.0/24.

Switches are connected to a different subnet, 192.168.99.0/24.

The firewall, which is the default gateway, is host 192.168.100.200.

The switch all servers are connected to, including the firewall, is Cisco 2960G

The core switch is Cisco 3750G providing F/O connection to all other switches.

Switches have IP addresses of subnet 192.168.99.0/24 in their native VLAN1. This means the firewall (192.168.100.200) is connected to that vlan as well. Of course this is not right.


Now, what would be the recommended approach to amend this configuration? Should we create a new vlan interface on 3750G to host subnet 192.168.100.0/24? The problem is this switch does not have an ethernet port, only fibre ones, while the firewall has only ethernet ports.


Thank you in advance!

5 Replies

Mark Malone
VIP Alumni
If you go that path the switch could use a GLC-T adapter for a fibre to copper connection to the firewall; they're cheap enough and work well, we use them in our 4ks and ASRs. I would take everything off VLAN 1 and shut it down at the L3 SVI for security and remove any devices that are part of it. VLAN 1 has control and production traffic in it; you should avoid mixing them if possible.

Thank you Mark.

If we wanted to stay on the current path, without changing the firewall connection, what exactly do we do?

Create a new VLAN for 192.168.100.0/24 on the L3 switch and then enable trunking on the switchport used to connect it to the 2960 where the firewall is connected? If so, we have to enable trunking on both switches' ports, right?

Yes, create a new VLAN for the FW subnet and create a trunk, then lock down the 2 VLANs to it; that should work. A trunk will be required on each side, yes.

interface GigabitEthernet x/x
 description ................................
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 1,2

Here is a very basic schematic:

FW's ethernet port A is connected to 2960G switchport Gi0/7

2960G switchport Gi0/45 is connected to 3750 Gi1/0/8

FW (192.168.100.200/24)
          |
          |
Cisco 2960G (192.168.99.11/24) ------------------- Cisco 3750 (192.168.99.1/24)

What we want to do is to be able to access subnet 192.168.99.0/24 via ICMP, Telnet etc. for a limited number of hosts of subnet 192.168.100.0/24. This way we will be able to access the switches remotely and monitor them.

So, here's what I did so far:

1. FW:

Added a static route to 192.168.99.0/24 including the necessary firewall rules.

2. Cisco 2960G:

ip routing
interface Vlan1
   ip address 192.168.99.11 255.255.255.0

interface GigabitEthernet0/45
   switchport trunk allowed vlan 1,100
   switchport mode trunk

ip default-gateway 192.168.100.200
ip route 192.168.100.0 255.255.255.0 192.168.100.200

3. Cisco 3750:

ip routing
interface Vlan1
   ip address 192.168.99.1 255.255.255.0

interface Vlan100
   ip address 192.168.100.3 255.255.255.0

interface GigabitEthernet1/0/8
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 1,100

ip default-gateway 192.168.99.11
ip route 192.168.100.0 255.255.255.0 192.168.100.200

When I ping from the 3750 to 192.168.100.200 it fails. Same from the 2960.

If I ping from a host in subnet 192.168.100.0/24 I get a reply from the FW IP address saying destination host is unreachable.

Probably, I need to assign switchport Gi0/7 of the 2960 to VLAN 100 (switchport access vlan 100).

The problem is I have to be absolutely sure it will work, because it's a production environment.

I hate to bother you again, but could you please advise?

Many thanks in advance!

Hi

So if it's a layer 3 device use the ip route ....; if it's acting as a layer 2 device use the ip default-gateway. Don't use both on a device.

Is the 3750 doing the actual routing for the LAN, or the firewall? Pick one of them, I would anyway.

Personally I would connect the FW in front of the 3750 and let the firewall do the routing.

Leave the 2960 as a pure layer 2 access switch with a default gateway pointing to the 3750, the 3750 pointing its routing to the firewall and vice versa (the FW will need a return route to the LAN). I think that would be a smoother setup.

The design below is slightly confusing, telling one switch to go one way for default traffic and the other to go a different path. If you place the firewall in front of the L3 3750 and they route between each other, and the 2960 stays pure layer 2 and hangs off the 3750, it will make the path clearer for traffic.

Hope that made sense for you in what I'm trying to explain; make the design easier to work with.
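The three points raised across this thread (never combine `ip routing` with `ip default-gateway`, get management addresses off VLAN 1, and make trunks explicit on both sides) are easy to check mechanically before touching a production switch. The script below is an added example, not code from the thread or from Cisco: a small IOS-style config linter run over sample configs constructed from the 2960G and 3750 configs posted above, plus an assumed "fixed" 3750 config (VLAN 99 as the management VLAN and the single default route are placeholders chosen to follow Mark's advice, not something stated in the thread).

```python
"""Lint IOS-style switch configs for the design problems raised in this thread.

Added example (not from the thread or from Cisco). Flags:
  1. 'ip routing' together with 'ip default-gateway' (the gateway is ignored
     once routing is on, so the device needs a real default route instead),
  2. a management SVI still addressed on VLAN 1,
  3. a port that filters 'switchport trunk allowed vlan' without
     'switchport mode trunk'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    ip_routing: bool = False
    default_gateway: Optional[str] = None
    static_routes: List[str] = field(default_factory=list)
    svis: Dict[int, str] = field(default_factory=dict)        # VLAN id -> SVI address
    interfaces: Dict[str, List[str]] = field(default_factory=dict)


def parse_config(name: str, text: str) -> Device:
    """Minimal IOS parser: unindented lines are global commands, indented
    lines are sub-commands of the most recent 'interface' block."""
    dev = Device(name)
    current: Optional[str] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if not raw.startswith(" "):            # global command
            current = None
            if stripped == "ip routing":
                dev.ip_routing = True
            elif stripped.startswith("ip default-gateway "):
                dev.default_gateway = stripped.split()[-1]
            elif stripped.startswith("ip route "):
                dev.static_routes.append(stripped)
            elif stripped.startswith("interface "):
                current = stripped.split(None, 1)[1]
                dev.interfaces[current] = []
        elif current is not None:              # sub-command of current interface
            dev.interfaces[current].append(stripped)
            m = re.fullmatch(r"Vlan(\d+)", current)
            if m and stripped.startswith("ip address "):
                dev.svis[int(m.group(1))] = stripped.split()[2]
    return dev


def lint(dev: Device) -> List[str]:
    findings = []
    if dev.ip_routing and dev.default_gateway:
        findings.append(f"{dev.name}: 'ip routing' and 'ip default-gateway {dev.default_gateway}' "
                        "both set; the gateway is ignored, use 'ip route 0.0.0.0 0.0.0.0 <next-hop>'")
    if 1 in dev.svis:
        findings.append(f"{dev.name}: management address {dev.svis[1]} sits on VLAN 1; "
                        "move it to a dedicated VLAN and shut VLAN 1 down")
    for ifname, cmds in dev.interfaces.items():
        filters = any(c.startswith("switchport trunk allowed vlan") for c in cmds)
        if filters and "switchport mode trunk" not in cmds:
            findings.append(f"{dev.name}: {ifname} filters trunk VLANs but lacks 'switchport mode trunk'")
    return findings


def audit(configs: Dict[str, str]) -> Dict[str, List[str]]:
    return {name: lint(parse_config(name, text)) for name, text in configs.items()}


# Constructed from the configs posted in the thread (IOS one-space indent).
CONFIG_2960_POSTED = """
ip routing
interface Vlan1
 ip address 192.168.99.11 255.255.255.0
interface GigabitEthernet0/45
 switchport trunk allowed vlan 1,100
 switchport mode trunk
ip default-gateway 192.168.100.200
ip route 192.168.100.0 255.255.255.0 192.168.100.200
"""
CONFIG_3750_POSTED = """
ip routing
interface Vlan1
 ip address 192.168.99.1 255.255.255.0
interface Vlan100
 ip address 192.168.100.3 255.255.255.0
interface GigabitEthernet1/0/8
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100
ip default-gateway 192.168.99.11
ip route 192.168.100.0 255.255.255.0 192.168.100.200
"""
# Assumed target state (placeholder VLAN 99 for management), not from the thread.
CONFIG_3750_FIXED = """
ip routing
interface Vlan1
 no ip address
 shutdown
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
interface Vlan100
 ip address 192.168.100.3 255.255.255.0
interface GigabitEthernet1/0/8
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 99,100
 switchport mode trunk
ip route 0.0.0.0 0.0.0.0 192.168.100.200
"""

if __name__ == "__main__":
    configs = {"2960G": CONFIG_2960_POSTED, "3750": CONFIG_3750_POSTED, "3750-fixed": CONFIG_3750_FIXED}
    for name, findings in audit(configs).items():
        print(f"== {name} ==")
        for line in findings or ["no findings"]:
            print("  " + line)
```

Run as-is it reports two findings for the posted 2960G config, three for the posted 3750 (including the trunk port that was never set to `switchport mode trunk`) and none for the assumed fixed config. The parser deliberately stays dumb (no nesting beyond interface blocks) so it can be pointed at a `show running-config` dump without further tooling.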