Hi all, need some advice on a setup I'm proposing. Basically, I want to deliver internet to different customers via a shared firewall as a gateway, using layer 3 and layer 2 switches.
Basically, I can make this work with an L3 3560 and a firewall into a port and give each customer a port and L3 VLAN, a few ACLs, and it works great. What I want to do is distribute this throughout the building using multiple L2 switches. What I don't understand is whether the L3 will still work, as I intend to use only a single trunk link between the switches. I noticed that unless there is something in the port on the L3, routing doesn't work. I've attached a JPG diagram to help.
An alternative is that I just patch each customer into the VLAN port on the L3 using a dumb switch, but this uses far more L3 switch ports and I would like an all Cisco solution with a central VLAN database. I have toyed with the idea of doing this via L2 only, but most midrange firewalls only support 25 VLANs which is potentially too few.
For the first question, yes.
For the second question there is a condition. The layer 2 switch must have a management interface in the VLAN it is pinging, or it must have a default gateway configured (pointing to the 3560) in its management VLAN.
As part of your architecture you should set aside one VLAN for management and make sure it arrives at all the switches. The management VLAN should not have any production traffic on it. Most NetAdmins use VLAN 1 for that, and they also make sure that VLAN 1 is the native VLAN of each of the trunks. BUT no production traffic on it, and no access ports except perhaps for a Network Management Station.
Yes it will still work.
Use the following command in global config mode:
3560(config)#interface vlan 2
3560(config-if)#ip address x.x.x.x y.y.y.y
This will create a logical L3 interface for the vlan, always being up and connected.
Trunk to your 2960s on ports 1,2,3 etc of your 3560. These trunk ports will be L2 only.
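A sample configuration that ties both answers together (added here as an illustration; it is not the original posters' config, and every VLAN number, interface name and address is a made-up sample value): the 3560 carries one SVI per customer plus a VLAN 1 management SVI, an inbound ACL on each customer SVI keeps tenants from reaching each other or the management subnet, the trunks to the 2960s are L2 only with VLAN 1 native, and the 2960 gets a management address and default gateway in VLAN 1.

```cisco
! ===== 3560 (L3 core): SVIs, tenant-isolation ACLs, trunks (sample values) =====
ip routing
vlan 10
 name CUSTOMER-A
vlan 20
 name CUSTOMER-B
vlan 100
! Management SVI in VLAN 1 (no customer traffic on this VLAN)
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
! One SVI per customer; ACL applied inbound so tenants cannot reach each other
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group TENANT-A in
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group TENANT-B in
! Firewall inside interface (10.100.0.1) sits on an access port in VLAN 100
interface Vlan100
 ip address 10.100.0.2 255.255.255.0
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 100
ip route 0.0.0.0 0.0.0.0 10.100.0.1
! Trunks to the 2960s: L2 only, native VLAN 1, only the VLANs the edge needs
interface range FastEthernet0/1 - 3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
! Deny tenant-to-tenant and tenant-to-management, then allow Internet via firewall
ip access-list extended TENANT-A
 deny   ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 deny   ip 10.10.0.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended TENANT-B
 deny   ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 deny   ip 10.20.0.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.20.0.0 0.0.0.255 any
! ===== 2960 (L2 edge): trunk uplink, customer access port, management SVI =====
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface Vlan1
 ip address 10.0.1.11 255.255.255.0
ip default-gateway 10.0.1.1
```

An SVI's line protocol only comes up once its VLAN exists in the VLAN database and at least one up port carries it (an access port in that VLAN or a trunk whose allowed list includes it), so every customer VLAN must appear in `switchport trunk allowed vlan` on the uplinks. Adding a new customer is then a new VLAN, SVI and ACL on the 3560 plus an access port on the edge switch; the trunks stay unchanged.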