We recently purchased 5 C3750 switches. These switches should be used as a stack for two networks that need to be separated by an ACL. The problem we have is that on top of this stack, we have a firewall that we have no hands on. All outgoing traffic (web etc.) needs to go through this firewall. Before we purchased the stack we had separate switches for these networks. They were separated by the firewall. For testing I created two VLANs with an ACL. That is working fine so far. But I only have one routing table. This is a problem because all outgoing traffic needs to go through this firewall.
1st Network 192.168.0.0
2nd Network 10.1.0.0
In the routing table I set the default route to go to the firewall. But this is only working for the 1st network. I guess this is because the interface on the firewall that is connected to the stack only expects traffic coming from the 1st network but not the second.
Sorry, this is really not easy to explain.
Is there a way to have a separate routing table for each vlan?
That is exactly my problem. I have no hands on the firewall. If the changes could be transparent, that would be best.
The admin of the firewall says it's not a good idea to have two networks behind one interface. He wants to leave it as is. That means a separate interface for each network on the firewall. That's why I thought about having individual routing tables for the VLANs. But I don't understand enough of VRF-Lite. Will this still support ACLs between the two VLANs?
If the changes could be transparent, that would be best.
The FW needs to know how to reach remote subnets via its directly connected subnet. You can do this with a static route at the FW or implement a dynamic routing protocol between the FW and the switch.
Either solution, the FW needs to be involved.
The admin of the firewall says it's not a good idea to have two networks behind one interface.
This person does not understand the concept of routing...
That means a separate interface for each network on the firewall.
If he wants to sacrifice another physical interface in the FW, then have him add a new IP subnet to this interface and connect this FW interface to your switch and associate this switchport to VLAN 10.1.0.0/24
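The following is an added illustration of the second option (one firewall interface per network, each VLAN in its own VRF with its own default route); it is not configuration from the thread or from any of the posters. The VRF names, VLAN IDs, port numbers and the firewall addresses 192.168.0.254 / 10.1.0.254 are assumptions chosen for the example; the subnets are the two from the original post.

```cisco
! Added example, not from the thread. VRF-Lite on a Catalyst 3750 stack:
! one routing table per VLAN so each network has its own default route
! to its own firewall interface. Names, VLAN IDs, ports and firewall
! addresses are hypothetical.
ip routing
!
ip vrf NET-A
 description 192.168.0.0/24 (1st network)
 rd 65000:1
!
ip vrf NET-B
 description 10.1.0.0/24 (2nd network)
 rd 65000:2
!
vlan 10
 name NET-A
vlan 20
 name NET-B
!
! Put the SVI into the VRF BEFORE assigning the address; applying
! "ip vrf forwarding" clears any IP address already on the interface.
interface Vlan10
 ip vrf forwarding NET-A
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan20
 ip vrf forwarding NET-B
 ip address 10.1.0.1 255.255.255.0
!
! Existing firewall interface stays on the 1st network's VLAN.
interface GigabitEthernet1/0/1
 description FW interface for 192.168.0.0/24 (hypothetical port)
 switchport mode access
 switchport access vlan 10
!
! New firewall interface, as suggested above, goes into the 2nd network's VLAN.
interface GigabitEthernet1/0/2
 description FW interface for 10.1.0.0/24 (hypothetical port)
 switchport mode access
 switchport access vlan 20
!
! One default route per VRF, each pointing at the firewall address
! (assumed) living in that VRF's own subnet.
ip route vrf NET-A 0.0.0.0 0.0.0.0 192.168.0.254
ip route vrf NET-B 0.0.0.0 0.0.0.0 10.1.0.254
!
! Verification:
!   show ip vrf interfaces          -> Vlan10 in NET-A, Vlan20 in NET-B
!   show ip route vrf NET-A         -> only 192.168.0.0/24 and 0.0.0.0/0
!   show ip route vrf NET-B         -> only 10.1.0.0/24 and 0.0.0.0/0
!   ping vrf NET-B 10.1.0.254       -> reaches the new FW interface
```

Two points about the ACL question. With the two VLANs in separate VRFs, the switch has no route from 192.168.0.0/24 to 10.1.0.0/24 at all, so it cannot forward between them; any traffic between the networks has to go up to the firewall and come back through its second interface, and the firewall policy, not a switch ACL, is what separates them. An ACL on Vlan10 or Vlan20 can still be applied as a second layer, but it will no longer be the control that does the work. If you need the switch itself to route between the VLANs with an ACL in the middle, keep the single routing table and use the first option instead (a static route for 10.1.0.0/24 on the firewall pointing at the switch's 192.168.0.x address).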