Using the as-a-service approach for your business model allows you to grow your revenue stream with new practice areas, without forcing you to part ways with existing clients just because they don’t fit the mold of your new service offerings.
no PBR recursive or PBR
From the pic below, I'd like to have PC1 DG as FW2 and PC2 DG as FW1. Now from my understanding, this can be done with PBR recursive configured on vlan40 at sw4 and on the transit vlans between the switches on the ring. But the problem is all of my switches are 3750s and according to Cisco TAC, the 3750s do not support next hop recursive or default next hop. Can this be accomplished without PBR or if I move PC1 subnet to another VLAN, how will I configure to have FW2 as the DG for the new VLAN? Thanks
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
L2TPv3 - no
If i remember correctly VLAN 200 is already on SW5, just extend it to SW4 (and beyond if needed).
And you can configure PBR with firewall IP 10.100.200.1 as the next hop.
Add vlan 200 (10.100.200.0/24) to SW4 and VLAN trunk between SW4 and SW5, on SW4 create SVI for VLAN 200, assign IP address etc
Then you don't need recursive resolution of next hop, VLAN with that IP addrss range is directly connected.
If i remember correctly VLAN 200 is already on SW5, just extend it to SW4 (and beyond if needed).
And you can configure PBR with firewall IP 10.100.200.1 as the next hop.
Add vlan 200 (10.100.200.0/24) to SW4 and VLAN trunk between SW4 and SW5, on SW4 create SVI for VLAN 200, assign IP address etc
Then you don't need recursive resolution of next hop, VLAN with that IP addrss range is directly connected.
If you created routed links than, no... you can't do it that way..
But, according to drawing in post link between SW4 and SW5 is done by VLAN 203 (10.10.200.8/30) that's why I thought it is possible to do it that way..
But, according to drawing in post link between SW4 and SW5 is done by VLAN 203 (10.10.200.8/30) that's why I thought it is possible to do it that way..
If you are using VLAN203 between SW4 and SW5 , you are not using routed interface. You can add vlan 200 on the same trunk in that case.
If your configuration is
ip route 10.10.40.0 0.0.0.127 <SVI_vlan200_on_SW4>
If your configuration is
interface x/x
switchport mode trunk
switchport trunk vlan 203
switchport trunk native vlan 203
switchport trunk allowed vlan 203
vlan 200
!
interface x/x
switchport trunk allowed vlan add 200
ip route 10.10.40.0 0.0.0.127 <SVI_vlan200_on_SW4>
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
The current links use routed SVIs instead of routed ports, but that's no problem. Adding a trunked VLAN just bypasses the routing, but that makes the solution less fault-tolerant IMO.
You could use proxy-ARP for this. Set PC1's DG as the FW2's IP and PC2's DC as FW1's IP (even though they're on different subnets, just trust me :-)). Proxy-ARP will get each PC to the right firewall using routing across the network. Just enable proxy-ARP at the SVI on SW4 (enabled by default usually).
You could use proxy-ARP for this. Set PC1's DG as the FW2's IP and PC2's DC as FW1's IP (even though they're on different subnets, just trust me :-)). Proxy-ARP will get each PC to the right firewall using routing across the network. Just enable proxy-ARP at the SVI on SW4 (enabled by default usually).
Thanks for the suggestions. So it looks like I have 2 solutions here. Correct?
- Allow vlan200 (10.100.200.0/24 - FW2) on the trunks between the switches.
OR
- Use proxy-ARP which requires to manually set the DG on the PCs. Right now my PCs get DHCP IP addresses.
Predrag,
Can you explain your static route, ip route 10.10.40.0 0.0.0.127 <SVI_vlan200_on_SW4>? Are u configuring this on sw4?
- Allow vlan200 (10.100.200.0/24 - FW2) on the trunks between the switches.
OR
- Use proxy-ARP which requires to manually set the DG on the PCs. Right now my PCs get DHCP IP addresses.
Predrag,
Can you explain your static route, ip route 10.10.40.0 0.0.0.127 <SVI_vlan200_on_SW4>? Are u configuring this on sw4?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
- use PBR without recursive resolution of next hop
- create separate VLAN for target hosts and extend VLAN through network directly to FW2 and make FW2 default gateway