Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
no PBR recursive or PBR
From the pic below, I'd like to have PC1 DG as FW2 and PC2 DG as FW1. Now from my understanding, this can be done with PBR recursive configured on vlan40 at sw4 and on the transit vlans between the switches on the ring. But the problem is all of my switches are 3750s and according to Cisco TAC, the 3750s do not support next hop recursive or default next hop. Can this be accomplished without PBR or if I move PC1 subnet to another VLAN, how will I configure to have FW2 as the DG for the new VLAN? Thanks
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
The way I see it, you basically have two options:
- use PBR without recursive resolution of next hop
- create separate VLAN for target hosts and extend VLAN through network directly to FW2 and make FW2 default gateway
- use PBR without recursive resolution of next hop
- create separate VLAN for target hosts and extend VLAN through network directly to FW2 and make FW2 default gateway
L2TPv3 - no
If i remember correctly VLAN 200 is already on SW5, just extend it to SW4 (and beyond if needed).
And you can configure PBR with firewall IP 10.100.200.1 as the next hop.
Add vlan 200 (10.100.200.0/24) to SW4 and VLAN trunk between SW4 and SW5, on SW4 create SVI for VLAN 200, assign IP address etc
Then you don't need recursive resolution of next hop, VLAN with that IP addrss range is directly connected.
If i remember correctly VLAN 200 is already on SW5, just extend it to SW4 (and beyond if needed).
And you can configure PBR with firewall IP 10.100.200.1 as the next hop.
Add vlan 200 (10.100.200.0/24) to SW4 and VLAN trunk between SW4 and SW5, on SW4 create SVI for VLAN 200, assign IP address etc
Then you don't need recursive resolution of next hop, VLAN with that IP addrss range is directly connected.
If you created routed links than, no... you can't do it that way..
But, according to drawing in post link between SW4 and SW5 is done by VLAN 203 (10.10.200.8/30) that's why I thought it is possible to do it that way..
But, according to drawing in post link between SW4 and SW5 is done by VLAN 203 (10.10.200.8/30) that's why I thought it is possible to do it that way..
If you are using VLAN203 between SW4 and SW5 , you are not using routed interface. You can add vlan 200 on the same trunk in that case.
If your configuration is
ip route 10.10.40.0 0.0.0.127 <SVI_vlan200_on_SW4>
If your configuration is
interface x/x
switchport mode trunk
switchport trunk vlan 203
switchport trunk native vlan 203
switchport trunk allowed vlan 203
vlan 200
!
interface x/x
switchport trunk allowed vlan add 200
ip route 10.10.40.0 0.0.0.127 <SVI_vlan200_on_SW4>
The current links use routed SVIs instead of routed ports, but that's no problem. Adding a trunked VLAN just bypasses the routing, but that makes the solution less fault-tolerant IMO.
You could use proxy-ARP for this. Set PC1's DG as the FW2's IP and PC2's DC as FW1's IP (even though they're on different subnets, just trust me :-)). Proxy-ARP will get each PC to the right firewall using routing across the network. Just enable proxy-ARP at the SVI on SW4 (enabled by default usually).
You could use proxy-ARP for this. Set PC1's DG as the FW2's IP and PC2's DC as FW1's IP (even though they're on different subnets, just trust me :-)). Proxy-ARP will get each PC to the right firewall using routing across the network. Just enable proxy-ARP at the SVI on SW4 (enabled by default usually).
Thanks for the suggestions. So it looks like I have 2 solutions here. Correct?
- Allow vlan200 (10.100.200.0/24 - FW2) on the trunks between the switches.
OR
- Use proxy-ARP which requires to manually set the DG on the PCs. Right now my PCs get DHCP IP addresses.
Predrag,
Can you explain your static route, ip route 10.10.40.0 0.0.0.127 <SVI_vlan200_on_SW4>? Are u configuring this on sw4?
- Allow vlan200 (10.100.200.0/24 - FW2) on the trunks between the switches.
OR
- Use proxy-ARP which requires to manually set the DG on the PCs. Right now my PCs get DHCP IP addresses.
Predrag,
Can you explain your static route, ip route 10.10.40.0 0.0.0.127 <SVI_vlan200_on_SW4>? Are u configuring this on sw4?
Premium Content
You need an Expert Office subscription to comment.Start Free Trial