Solved

layer 2 and layer 3 router/switch

Posted on 2013-11-15
9
674 Views
Last Modified: 2013-11-16
Experts,

Dumb question here. I have a firewall that has port GI0/1 as:

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.20.3 255.255.255.192 standby 10.20.20.4


Connected directly to this FW's port gi0/1, is a 6500 switch port 1/10:

interface GigabitEthernet1/10
 switchport
 switchport access vlan 500
 switchport mode access

There is no INT VLAN 500 anywhere on the network.


Question, Is the link between the firewall and switch considered layer 2 or layer3?
0
Comment
Question by:trojan81
  • 4
  • 3
  • 2
9 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39652622
Layer 2 if they are not IP'd, and it's layer 3 when you IP them. But for layer 2 to work, you need encapsultion or trunking and the Vlans' will have to match or at least some vlans will, doesn't have to be all, but it helps :)
-rich
0
 

Author Comment

by:trojan81
ID: 39652810
richrumble,

The firewall side has an IP and the switch side is just a switchport. So would the link be layer 2 or layer 3?  
Or is the correct answer, layer 2 from the switch perspective and layer 3 from the firewall perspective?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39652833
You can't have a connection if they aren't on the same layer :) Get an IP for both sides, which is how most network gear connects, or try you hand a the very obscure layer two only link between RTR and SW...
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-2/switch_evolution.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html#wp1020363
-rich
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 

Author Comment

by:trojan81
ID: 39652848
rich,

The firewall side has an IP address, the switch side has a switchport. The int vlan is on that switch too.

Yes it works. I see it everywhere. You don't need to have an IP address at both sides. The other side can be a VLAN as long as the interface VLAN and the IP assigned to the other side are on the same network, it is fine.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39653109
The link between them is layer 2 and 3. Mac address and Vlan is layer 2 and IP is layer 3. What I was thinking you wanted the router to be the VLAN authority (HSRP). The connection is actually 1,2,3 physical network and ip. Typically I'm used to setting up the routers to have the vlan info so you can do redundant/failover HSRP setup. I got ahead of myself :)
-rich
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39653207
Author,

The connection the firewall is a HSRP layer 3 connection. Anytime you state layer 3, of course will be including the layer below it, which are layer 1 and 2. The connection on the switch side is layer 2.

The switch side looks like it's used in order for the two firewalls that are hsrp primary and secondary to communicate with one another.
0
 

Author Comment

by:trojan81
ID: 39653722
Soula and Rich,

So the correct answer is layer 2 and layer 3? I was simply looking to provide an answer for someone who asked "is the link between the firewall and inside switch layer 2 or layer 3?

Traffic from the inside hits the switch SVI at layer 3 and then is sent layer 2 to the firewall's active/passive IP.  Wouldnt the link be considered layer 2 even though the physical interface on the firewall has an IP?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39653746
It depends on what the switch is doing.
SP = 2 Vlan=1 (vlan1= 192.168.1.xxx)
RTR IP = 192.168.1.123

If PC 2 (192.168.1.234) needs to talk to the router and PC2 is physically on the same switch as the router, the Switch makes the decision at layer 2, both the router and PC2 are in the same Vlan. If PC3 (192.168.22.45) wants to go out the router, it's on a different vlan and makes it's decision based on the IP which is layer 3.

The switch router are likely still probably making the connection at layer 3 since no tunnel or layer 2 protocol is connecting the two when dealing with IP's. Since the router is concerned with layer 3, all of it's questions or it's answers will be at that layer.

When you have a higher layer, you have the lower ones too, so it's 2 and 3 because layer 3 needs layer 2.
-rich
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39653979
The connection between the switch and firewall is layer 2.  If the switch interface was a routed port the connection would be layer 3.
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to append an output to existing file with DOS and IPerf 2 65
igmp snooping in layer 2 switch 4 29
Password recovery 2960S 4 36
Export and Import an SPA 8000 config 7 18
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question