Catalyst 3560 Config question (vlan routing)

Answered Question
Jan 12th, 2010

I have set up the default route for my layer 3 switch (0.0.0.0 0.0.0.0 10.100.1.2 255.255.255.252) on interface gigabitEthernet 0/1 with the following:

Switch(config-if)#no switchport
Switch(config-if)#ip address 10.100.1.1 255.255.255.252
Switch(config-if)#no shutdown

We are using a WatchGuard Firebox that associates rules and policies based on the port that is receiving the traffic; each network has different policies on Internet access that the WatchGuard filters.

With the setup above, all traffic would leave the switch to one interface of the Firebox. What would the best solution be to solve this problem? Maybe make a different routing port on the switch? Any help or advice would be appreciated.

Jon Marshall Tue, 01/12/2010 - 16:27

JasonWhitehead wrote:

I have set up the default route for my layer 3 switch (0.0.0.0 0.0.0.0 10.100.1.2 255.255.255.252) on interface gigabitEthernet 0/1 with the following:

Switch(config-if)#no switchport
Switch(config-if)#ip address 10.100.1.1 255.255.255.252
Switch(config-if)#no shutdown

We are using a WatchGuard Firebox that associates rules and policies based on the port that is receiving the traffic; each network has different policies on Internet access that the WatchGuard filters.

With the setup above, all traffic would leave the switch to one interface of the Firebox. What would the best solution be to solve this problem? Maybe make a different routing port on the switch? Any help or advice would be appreciated.

Jason

It depends on a few things:

1) How many ports do you have on the WatchGuard, and are there enough for all the VLANs?

2) If not, can the WatchGuard support 802.1Q, i.e. can you have subinterfaces on the WatchGuard?

3) Can the WatchGuard not filter by subnet IP address? It seems very restrictive otherwise, i.e. you need an interface per VLAN/subnet.

Jon

Correct Answer
Ganesh Hariharan Wed, 01/13/2010 - 00:28

Hi,

As per your existing setup (switch --- WatchGuard firewall --- internal LAN), with this setup you can achieve that whatever traffic comes from the outside network to the internal LAN will be filtered as per the policies in the firewall.

Routing will be done at the switch and to the outside world.

But if you want to filter traffic between internal LANs you need to have each segment on a separate segment of the firewall, so that all traffic from the internal LAN can come to the firewall; then the policy will be checked and the traffic goes to the destination segment.

Hope that helps

Regards

Ganesh.H
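The switch side of Jon's second option (an 802.1Q trunk to the firewall, so each VLAN lands on its own firewall subinterface and inter-VLAN traffic has to cross the firewall, as Ganesh describes), as an added example that is not from either poster; the VLAN IDs, names and 10.100.x.x addresses are assumed for illustration:

```cisco
! Added example (not from the thread): Catalyst 3560 side of an 802.1Q trunk to
! the Firebox. The firewall, not the switch, becomes the default gateway for every
! segment, so per-interface policy applies to inter-VLAN and Internet traffic alike.
! VLAN IDs 10/20 and the 10.100.x.x addresses are assumed for illustration.
no ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
!
! Uplink to the Firebox: a trunk replaces the routed "no switchport" port.
interface GigabitEthernet0/1
 description Trunk to WatchGuard (one tagged subinterface per VLAN on the firewall)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! Access ports stay in their VLAN; the switch only bridges them to the trunk.
interface range GigabitEthernet0/2 - 12
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! No routed SVIs for the user/server VLANs. One management SVI keeps the switch
! reachable; its gateway is the firewall's VLAN 10 subinterface (assumed address).
interface Vlan10
 ip address 10.100.10.2 255.255.255.0
ip default-gateway 10.100.10.1
```

Verify with `show interfaces trunk` that VLANs 10 and 20 are active on Gi0/1 and with `show ip route` that the switch no longer carries the 0.0.0.0/0 route; the trade-off is that all inter-VLAN traffic now hairpins through the Firebox instead of being routed in hardware on the 3560.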
