4948E-F VRFs, SVIs and dot1q

Aug 29th, 2012

Hello,

I have been tasked with creating a DMZ from scratch. I am a bit of a network newb, so please forgive my ignorance. I am to connect two Cisco 4948E-F switches to two CheckPoint firewalls. I will be using two 10G uplink ports from each switch to cross-connect to each FW, though they will only run at 1G as the FWs don't have 10G ports. I will create a dot1q trunk for each connection going from the switches to the FWs. I will also create a port-channel between the two switches. 3 VRFs will be created: web, app and db. 3 SVIs will be created for each VRF. My questions are:

1. I planned on creating sub-interfaces for each VRF, but it doesn't appear that the 4948E-F supports sub-interfaces. How do I direct traffic coming from the FW through the trunk to a particular VRF?

2. How do I get the traffic from one VRF to pass through the FW to travel back down to the other VRFs? I would think the routing would all happen within the switch since all SVIs live on those switches.

These are my initial questions and I’m hoping this starts a thread that I can continue to use and ask questions.


Thanks in advance to all you senior network engineers in helping me keep my job.

Giuseppe Larosa Thu, 08/30/2012 - 06:12
Hello Ron,

You can associate SVIs with VRFs, so you can easily map a VLAN permitted on the trunk to the FW to a VRF by associating the corresponding SVI with that VRF (a Layer 3 concept).


ip vrf DATA
 rd 100:1
!
interface vlan X
 ip vrf forwarding DATA
 ! you need to reconfigure the ip address after having put the interface in a VRF
 ip address z.k.x.f 255.255.255.w

where X is a VLAN permitted on the trunk to the FW.


About the physical connections:


Each switch needs to be connected to the other switch with an EtherChannel bundle carrying all VLANs of interest, and needs only one link to a single FW.

This is because typically the FW boxes are deployed in pairs in an Active/Standby configuration (easier to deal with), so you don't need to cross-connect each switch with both FW boxes.


How to deal with routing between VRFs is a question of choices:

you can give the FW the duty to perform inter-VRF routing in a controlled way,

or you can have a special configuration on the switch to perform inter-VRF communication.

I would suggest having the FW perform inter-VRF routing; this is safer, and communication is performed under FW control.

Inter-VRF communication on the switch requires the use of the BGP protocol and of route-targets defined under each VRF.

However, for less complexity too, I would go with inter-VRF communication performed on the FW box.


Hope to help

Giuseppe
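Putting the answer above together as one complete VRF-lite configuration for a single 4948E-F. This is an added example, not configuration from the thread, from Cisco or from the poster: three VRFs with one VLAN and one SVI each, the dot1q trunk toward the firewall, the inter-switch port-channel, and a per-VRF default route so that the only path between zones runs up the trunk and through the firewall policy. All VLAN ids, VRF names, addresses and port numbers are assumed; 10.10.x0.1 is assumed to be the firewall's sub-interface address in each VLAN, and the switch image is assumed to support VRF-lite.

```cisco
! Added example (not from the thread): VRF-lite on a Catalyst 4948E-F.
! Every VLAN id, VRF name, address and port number below is constructed.
!
! One VRF per security zone; the RD values only need to be unique locally.
ip vrf WEB
 rd 100:1
ip vrf APP
 rd 100:2
ip vrf DB
 rd 100:3
!
vlan 10
 name WEB
vlan 20
 name APP
vlan 30
 name DB
!
! One SVI per VRF. 'ip vrf forwarding' must come before 'ip address',
! because assigning the VRF clears any address already on the interface.
interface Vlan10
 ip vrf forwarding WEB
 ip address 10.10.10.2 255.255.255.0
interface Vlan20
 ip vrf forwarding APP
 ip address 10.10.20.2 255.255.255.0
interface Vlan30
 ip vrf forwarding DB
 ip address 10.10.30.2 255.255.255.0
!
! dot1q trunk toward the firewall (uplink port number assumed). Only the
! zone VLANs are allowed, so each tag the FW sends lands in exactly one VRF
! and nothing else can leak across the trunk.
interface TenGigabitEthernet1/49
 description trunk to CheckPoint FW
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
! Inter-switch bundle carrying the same VLANs (port numbers assumed).
interface range TenGigabitEthernet1/51 - 52
 channel-group 1 mode active
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! No routes are shared between VRFs on the switch, so web -> app traffic
! cannot be routed locally. Each VRF's only exit is a default route to the
! firewall's address in that VLAN (10.10.x0.1 assumed), so every cross-zone
! packet must traverse the firewall policy.
ip route vrf WEB 0.0.0.0 0.0.0.0 10.10.10.1
ip route vrf APP 0.0.0.0 0.0.0.0 10.10.20.1
ip route vrf DB  0.0.0.0 0.0.0.0 10.10.30.1
```

With this layout the hosts in VLAN 10 use the SVI (10.10.10.2) as their gateway, and the switch forwards anything off-subnet to the firewall. The check that matters is `show ip route vrf WEB`: it should list only the connected 10.10.10.0/24 and the default route, never the APP or DB subnets, which confirms the switch has no way to bypass the firewall; `show ip vrf interfaces` confirms each SVI sits in the intended VRF.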

ranaya0324 Thu, 08/30/2012 - 08:08

Thank you, Giuseppe! That is excellent information. Your post now brings up additional questions, which is exactly what I was hoping for....


So, I should have mentioned the FWs are in an Active/Active configuration. I think I would want to cross-connect the switches to the FWs for redundancy/high availability. I did plan on creating an EtherChannel between the switches, but this is where my question lies. Since this is my DMZ, wouldn't I need the routed traffic to pass through the FW, so I can configure the appropriate access-list rules to prohibit cross-VLAN communications? This is not a very complex network, so there are no routing protocols on the FWs. All routes are static and there are probably less than 12 total.


Again, thanks for the help
