Design Question

bfrericks · ‎02-09-2010

Hello everyone I'm looking for some design advice. (see attached picture for a rudimentary drawing of the setup) We have a project that we aren't quite ready to dedicate a lot of hardware resources to but the requirements are that this endeavor have a separate Internet connection and firewall. We do, however need to maintain connectivity to the already existing networks. My thought was we would create a separate VLAN for this network off of our Layer 3 switch. This network would then have a dedicated firewall that will also eventually have a DMZ as well. Here is my question:

Obviously we can't have two default routes in the core switch for internet traffic to keep each network utilizing it's respective internet connection. That said to maintain different internet connections on each network, I must change the default gateway for each host in the 300 network to 300.300.300.254. Obviously that then disconnects me from all of the other networks attached to the core switch. I realize that I can add static routes to each host in the 300 network for all of the other networks but this seems like a management nightmare and simply an inefficient way to do this.

So my question is, knowing the firewall in the 300 network won't route (nor would I want it to) traffic, short of static routes at each host, how do I regain connectivity to all other networks with this current setup? Does anyone have any suggestions for a better setup?

Thanks in advance for any assistance!

Jon Marshall · ‎02-09-2010

bfrericks@greatamerica.com
Hello everyone I'm looking for some design advice.  (see attached picture for a rudimentary drawing of the setup) We have a project that we aren't quite ready to dedicate a lot of hardware resources to but the requirements are that this endeavor have a separate Internet connection and firewall.  We do, however need to maintain connectivity to the already existing networks.  My thought was we would create a separate VLAN for this network off of our Layer 3 switch.  This network would then have a dedicated firewall that will also eventually have a DMZ as well.  Here is my question:
  
Obviously we can't have two default routes in the core switch for internet traffic to keep each network utilizing it's respective internet connection.  That said to maintain different internet connections on each network,  I must change the default gateway for each host in the 300 network to 300.300.300.254.  Obviously that then disconnects me from all of the other networks attached to the core switch.  I realize that I can add static routes to each host in the 300 network for all of the other networks but this seems like a management nightmare and simply an inefficient way to do this.
  
So my question is, knowing the firewall in the 300 network won't route (nor would I want it to) traffic, short of static routes at each host, how do I regain connectivity to all other networks with this current setup?  Does anyone have any suggestions for a better setup?
Thanks in advance for any assistance!

What is your L3 switch ie. make/model and what version of IOS together with the feature set is it running. If you post a "sh version" from the switch then that should show us.

PBR (Policy Based Routing) would be the easiest thing to do on the L3 switch but it may or not be supported hence the need for a "sh version".

Jon

Ganesh Hariharan · ‎02-10-2010

Hello
everyone I'm looking for some design advice.  (see attached picture for
a rudimentary drawing of the setup) We have a project that we aren't
quite ready to dedicate a lot of hardware resources to but the
requirements are that this endeavor have a separate Internet connection
and firewall.  We do, however need to maintain connectivity to the
already existing networks.  My thought was we would create a separate
VLAN for this network off of our Layer 3 switch.  This network would
then have a dedicated firewall that will also eventually have a DMZ as
well.  Here is my question:
  
Obviously
we can't have two default routes in the core switch for internet
traffic to keep each network utilizing it's respective internet
connection.  That said to maintain different internet connections on
each network,  I must change the default gateway for each host in the
300 network to 300.300.300.254.  Obviously that then disconnects me
from all of the other networks attached to the core switch.  I realize
that I can add static routes to each host in the 300 network for all of
the other networks but this seems like a management nightmare and
simply an inefficient way to do this.
  
So
my question is, knowing the firewall in the 300 network won't route
(nor would I want it to) traffic, short of static routes at each host,
how do I regain connectivity to all other networks with this current
setup?  Does anyone have any suggestions for a better setup?
Thanks in advance for any assistance!

Hi,

Can you provide the details of the L3 switch as suggested by Jon and for your query Policy based routing can work for different lan to internet.

Ganesh.H

bfrericks · ‎02-10-2010

The L3 switch is actually a HP Procurve 5412 (and subsequently all L2/L3 switches). Firewall's, routers, wireless are all Cisco. I checked and of course the 5412's don't support PBR.....

Jon Marshall · ‎02-10-2010

bfrericks@greatamerica.com

The L3 switch is actually a HP Procurve 5412 (and subsequently all L2/L3 switches). Firewall's, routers, wireless are all Cisco. I checked and of course the 5412's don't support PBR.....

Is there any way you could insert a router into this setup ie. make a router the default-gateway for vlan 300 and then do PBR on the router ?

Jon