Thanks for the replies, I did test it within the core switch just using the svi int's for a gateway between 2 pc's and going across vlans, it was at gig speeds.

 So how would I approach this setup. I'm hoping to not have to redo the entire thing like our voip is in another vlan that's also on the firewall sub-int.

I'm planning on changing only the 2 vlan sub-int's having issues and just create a route from the core switch to the sub-int ip's? Then switch all the devices to the svi's ip for the new gateway. Any pointers or advice would be great.

You don't need to create any routes on the core switch as they will be directly connected interfaces.

Shutdown the firewall interfaces concerned, and move the firewall interface IP's to SVI interfaces on your core switch.

Just to add to Philip's post.

If those vlans still need internet access which I assume they do then when you make the SVIs the L3 interfaces you won't need to add routes to the switch for those vlans, as Philip says, but you will need to add them to the firewall as those vlans/IP subnets are no longer local to the firewall.

However it is not clear what the next hop will be because it sounds like you trunk all vlans to the firewall for those that need internet access. In effect you need a dedicated vlan between the firewall and the switch to route across if you want to move those vlans to the switch.

You may already have a dedicated vlan because you may need the vlans that are routed on the switch to talk to some of the vlans routed on the firewall but without further details it's difficult to be more precise.

Does this make sense ?

Jon

Thanks Jon and Philip,

 Yes I have vlans 10,20,30, and 99 in use, their svi's end in 20.1,30.1 and 99.1, and on the firewall I have a screen attached of the port settings

(ip's edited for privacy), I could just use the svi ip's as the new gateways (this is a nexus switch btw, so it can do routing) I only need to change vlans 20 and 30 as those 2 need the gigabit wire speeds to move data, I can leave the voip(99) and my dmz edge server(10) the same. There's routes of 0.0.0.0/0 to next hop public ATT ip in the firewall, there's no routes in the nexus sw, and if I use an svi as a gateway it can't get to the web, which sounds like I need a route from the nexus to next hop ip of firewall sub-int.

Let me know if you want to see a diagram, thanks in advanced

The issue is what would you use as the next hop IP on the switch and that is what I was getting at in my previous post.

You need a common vlan/IP subnet between the two devices and you don't have that at the moment as far as I can see. So you need to add this and then you can use a default route on the switch and add routes for vlan 20 and 30 on the firewall.

Or do you have a common vlan/IP subnet already ?

Jon

Can this subnet/ip be on the switch alongside the svi's or do you mean I need another router between the switch and firewall to create that new subnet

internet > att router > pan fw >new router here< nexus sw>pc's - like this?

No you don't need another device, you simply need a subnet that is common to both devices so that you can route across the link.

So your link is still a trunk link but you have a vlan/IP subnet on that link that you use to route traffic.

Jon

Got it, I can create another svi trunk link on the nexus and give it another vlan id, and route through it to the firewall, so I would need to remove the sub-int on the firewall, just give that Ethernet port an ip, and route from the nexus svi's vlan 20 and 30 to the new vlan/link to the firewall. Hope that made sense, hehe

You don't have to use the main interface on the firewall but you can if you want. It really depends on what else you are routing on the firewall.

Up to you really.

Jon

Hi Jon,

So I went and created a sub-int on the same Ethernet port where vlan20 and 30 reside on fw, tagged it 50 for vlan50, and so as expected it won't ping yet as there's no routes, this is where my mind is cloudy on how to route, will it be like this

done on switch- svi-int vlan 20.1(dest) >>>subvlan 50.2(nexthop)

done on fw - vlan20.2 sub-int(dest)>>>subvlan50.2(nexthop)

then repeat for other vlans needed routing, as I mentioned I only needed to do this to get wire speeds for vlans 20 and 30

would that in return get the routing going for my core switch, thanks in advanced.

You need to create an SVI for vlan 50 on the switch as well and give it an IP from the same subnet.

Once you have done that your routing would point to the vlan 50 IPs as the next hops eg. on the firewall -

"ip route <vlan 20 subnet> <subnet mask> x.x.x.x" <--- where x.x.x.x is the vlan 50 SVI IP on the switch.

you would need a route for vlan 30 as well.  Obviously the above is Cisco syntax and the firewall will be different but you get the idea.

On the switch you can simply have a default route pointing to the vlan 50 IP on the firewall.

Jon

Thanks Jon,

I'll give it a try and let you know how it goes, appreciate all the pointers.

carlo