Catalyst 3560 Config question (vlan routing)

I have set up the default route for my layer 3 switch (0.0.0.0 0.0.0.0 10.100.1.2 255.255.255.252) on interface GigabitEthernet 0/1 with the following:

Switch(config-if)#no switchport
Switch(config-if)#ip address 10.100.1.1 255.255.255.252
Switch(config-if)#no shutdown

We are using a WatchGuard Firebox that associates rules and policies based on the port that is receiving
the traffic; each network has different policies on Internet access that the WatchGuard filters.

With the setup above, all traffic would leave the switch to one interface of the Firebox. What would the best
solution be to solve this problem? Maybe make a different routing port on the switch? Any help or advice would
be appreciated.

Accepted Solutions

Re: Catalyst 3560 Config question (vlan routing)

Hi,

As per your existing setup (switch --- WatchGuard firewall --- internal LAN), with this setup you can achieve that whatever traffic comes from the outside network to the internal LAN will be filtered as per the policies in the firewall.

Routing will be done at the switch and the outside world.

But if you want to filter traffic between internal LANs, you need to have a separate segment of the firewall for each separate segment, so that all traffic from the internal LAN can come to the firewall; then the policy will be checked and the traffic goes to the destination segment.

Hope that helps

Regards

Ganesh.H

2 REPLIES

Re: Catalyst 3560 Config question (vlan routing)

JasonWhitehead wrote:

I have set up the default route for my layer 3 switch (0.0.0.0 0.0.0.0 10.100.1.2 255.255.255.252) on interface GigabitEthernet 0/1 with the following:

Switch(config-if)#no switchport
Switch(config-if)#ip address 10.100.1.1 255.255.255.252
Switch(config-if)#no shutdown

We are using a WatchGuard Firebox that associates rules and policies based on the port that is receiving
the traffic; each network has different policies on Internet access that the WatchGuard filters.

With the setup above, all traffic would leave the switch to one interface of the Firebox. What would the best
solution be to solve this problem? Maybe make a different routing port on the switch? Any help or advice would
be appreciated.

Jason

It depends on a few things:

1) How many ports do you have on the WatchGuard, and are there enough for all the VLANs?

2) If not, can the WatchGuard support 802.1Q, i.e. can you have subinterfaces on the WatchGuard?

3) Can the WatchGuard not filter by subnet IP address? It seems very restrictive otherwise, i.e. you need an interface per VLAN/subnet.

Jon
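One way to give the Firebox its own interface per network, as Jon's second point and the accepted answer both describe, is to stop routing the user VLANs on the 3560 and hand them to the firewall over an 802.1Q trunk, so each VLAN's gateway sits on a tagged firewall sub-interface. This is an added example, not configuration from the thread or from Cisco or WatchGuard documentation; the VLAN numbers, port numbers and addresses are assumed, and it assumes the 3560 no longer needs to route between these VLANs itself.

```ios
! Assumed values (not from the thread): user VLANs 10 and 20, management VLAN 99,
! unused native VLAN 999, firewall attached to Gi0/1, hosts on Gi0/2 and Gi0/3.
vlan 10
 name USERS-A
vlan 20
 name USERS-B
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! Host ports stay plain access ports in their own VLAN.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Uplink to the Firebox: the routed port from the question becomes an
! 802.1Q trunk carrying only the VLANs the firewall terminates. Each VLAN's
! default gateway is a tagged sub-interface on the firewall, so every packet
! leaving a VLAN (to the Internet or to another VLAN) meets a per-VLAN policy.
interface GigabitEthernet0/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
 switchport nonegotiate
!
! The switch keeps one SVI for its own management address. No SVI exists for
! VLAN 10 or 20 and IP routing is off, so hosts cannot route around the firewall.
interface Vlan99
 ip address 10.100.99.2 255.255.255.0
!
no ip routing
ip default-gateway 10.100.99.1
!
! Check: "show interfaces GigabitEthernet0/1 trunk" should list VLANs 10,20,99
! as allowed and active on the trunk, with native VLAN 999.
```

The firewall side (one tagged sub-interface per VLAN holding that VLAN's gateway address) is not shown here. If the Firebox cannot tag VLANs, the same idea works with one access port per VLAN cabled to a separate firewall port, which is Jon's first option.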
