
Routing between Cisco 3750 switch and 3rd party firewall

it7119
Level 1

Existing network topology

    WAN
     |
    WatchGuard firewall
     |
    D-Link server switch ---- D-Link access switch (LAN, Wi-Fi)
     |
    Servers

Proposed network topology

    WAN
     |
    WatchGuard firewall
     |
    Cisco 3750 L3 switch -- Servers -- Wi-Fi
     |
    Cisco 2960 access switch
     |
    LAN

I have inherited a flat network. I am planning to implement 7-10 VLANs in the new workplace.

We are planning to purchase a Cisco 3850 switch along with a few Cisco 2960 switches.

In my existing network my WatchGuard firewall is the gateway for the whole network.

Proposed VLANs

VLAN 10 – Servers             192.168.1.0    gw 192.168.1.254
VLAN 20 – Users               192.168.2.0    gw 192.168.2.254
VLAN 30 – Printers            192.168.3.0    gw 192.168.3.254
VLAN 40 – Unmanaged devices   192.168.4.0    gw 192.168.4.254
VLAN 50 – Backup traffic      192.168.5.0    gw 192.168.5.254
VLAN 60 – IT VLAN             192.168.6.0    gw 192.168.6.254

 

We are planning to use the Cisco 3750 switch in L3 mode for inter-VLAN routing between the various VLANs. My questions are regarding:

  1. My current default gateway is the WatchGuard firewall for the whole network. When I implement VLANs, each VLAN will have its VLAN IP address as its gateway, e.g. VLAN 20 will have its IP 192.168.2.254 as its gateway. How would I implement routing between the Cisco 3750 and the WatchGuard firewall for Internet and VPN access for the various VLANs? Will it be something like the ip route command?
  2. How can an SSL VPN user connect remotely to the servers? Will the concept of VLANs be different for SSL VPN users? Where is the routing done?
  3. I have a wireless AP at the moment which has a separate SSID to connect to my existing network and a guest SSID which does not connect to my internal network. How will this be affected when I implement VLANs?

 

 

Accepted Solution

Reza Sharifi
Hall of Fame

How would I implement routing between the Cisco 3750 and the WatchGuard firewall for Internet and VPN access for the various VLANs? Will it be something like the ip route command?

You would need a /30 or a /29 subnet between the 3750 (core switch) and the firewall. You then need a default route on the core switch 3750 pointing to the firewall IP address. On the firewall, you need a few static routes (one per VLAN) pointing to the IP address on the core switch. Example:

ip route 192.168.1.0/24  x.x.x.x
ip route 192.168.2.0/24  x.x.x.x
etc.

How can an SSL VPN user connect remotely to the servers? Will the concept of VLANs be different for SSL VPN users? Where is the routing done?

What device is used for VPN access?

I have a wireless AP at the moment which has a separate SSID to connect to my existing network and a guest SSID which does not connect to my internal network. How will this be affected when I implement VLANs?

I would put each SSID in a different VLAN (one for internal and one for guest) and use an ACL to block the guest from the internal network but allow access to the Internet only.

HTH
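The design in the accepted answer, written out as a Cisco IOS configuration for the 3750. This is an added example, not a configuration posted by Reza or the original poster: the VLAN IDs 10-60 and their gateway addresses are taken from the question; the transit subnet 192.168.100.0/30 (switch .1, firewall .2), the uplink port Gi1/0/1, the trunk port Gi1/0/2, and the guest VLAN 70 with 192.168.7.0/24 are assumptions made for the example.

```cisco
! Added example, not a configuration posted in this thread: the Cisco 3750
! set up as the L3 core following Reza's design (transit subnet to the
! firewall, default route to the firewall, one SVI per VLAN, guest ACL).
! VLAN IDs 10-60 and their subnets are from the question. Assumed for this
! example: transit subnet 192.168.100.0/30 (switch .1, firewall .2),
! uplink port Gi1/0/1, trunk port Gi1/0/2, guest VLAN 70 = 192.168.7.0/24.

hostname CORE-3750
!
! Without "ip routing" the SVIs exist but the switch does not forward
! between them.
ip routing
!
vlan 10,20,30,40,50,60,70
!
! Transit link to the WatchGuard: a routed port, no VLAN involved.
interface GigabitEthernet1/0/1
 description Uplink to WatchGuard (transit 192.168.100.0/30, assumed)
 no switchport
 ip address 192.168.100.1 255.255.255.252
!
! One SVI per VLAN; the address is the gateway from the question's table.
interface Vlan10
 description Servers
 ip address 192.168.1.254 255.255.255.0
interface Vlan20
 description Users
 ip address 192.168.2.254 255.255.255.0
interface Vlan30
 description Printers
 ip address 192.168.3.254 255.255.255.0
interface Vlan40
 description Unmanaged devices
 ip address 192.168.4.254 255.255.255.0
interface Vlan50
 description Backup traffic
 ip address 192.168.5.254 255.255.255.0
interface Vlan60
 description IT
 ip address 192.168.6.254 255.255.255.0
interface Vlan70
 description Guest Wi-Fi (VLAN 70 and 192.168.7.0/24 are assumed)
 ip address 192.168.7.254 255.255.255.0
 ip access-group GUEST-IN in
!
! Default route: everything the switch has no VLAN for (the Internet and
! the firewall's SSL VPN client pool) is handed to the WatchGuard.
ip route 0.0.0.0 0.0.0.0 192.168.100.2
!
! Guest isolation. Traffic between VLANs is routed by this switch and never
! reaches the firewall, so the ACL on the guest SVI is the only point where
! guest-to-internal traffic can be blocked.
ip access-list extended GUEST-IN
 remark let guests obtain an address from DHCP
 permit udp any eq bootpc any eq bootps
 remark block all private address space (the VLANs, the transit link,
 remark and whatever pool the firewall assigns to VPN clients)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark anything else is the Internet
 permit ip any any
!
! Trunk carrying the VLANs down to a 2960 access switch.
interface GigabitEthernet1/0/2
 description Trunk to 2960 access switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50,60,70
!
! WatchGuard side (its own syntax is not shown here): one static route per
! VLAN with next hop 192.168.100.1, i.e. 192.168.1.0/24 through
! 192.168.7.0/24 via 192.168.100.1, plus a firewall policy that lets the
! SSL VPN client pool reach those subnets.
```

Two practical points follow from this layout. Because inter-VLAN traffic is switched locally, the WatchGuard never sees it; any control between, say, Users and Servers has to be an ACL on the corresponding SVI, like GUEST-IN above, or the traffic has to be forced through the firewall. Guests on VLAN 70 must also use external DNS, since GUEST-IN blocks reaching any internal resolver. Since every subnet here falls inside 192.168.0.0/16, a single summary route 192.168.0.0/16 via 192.168.100.1 on the firewall covers all VLANs instead of one route each; the firewall's directly connected /30 stays preferred by longest match. Verify with show ip route and show ip interface brief on the 3750 and a traceroute from a user host to an Internet address, which should show the SVI, then 192.168.100.2.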

 


6 Replies


Reza suggests using static routes, and that's perfectly fine, but some FWs also support routing protocols. If yours does, you might have the option to use it.

 

What device is used for VPN access - Laptops with an SSL client installed that connect to my WatchGuard firewall.

 

No, what I meant was what is the device you log in to for VPN access.  Do you have a VPN concentrator, use the firewall or some other device?

Sorry, I misread your question - we use the firewall, which acts as the VPN gateway as well, to log in from remote.

I am not familiar with the WatchGuard firewall, but that should not change. So, the users log in to the firewall/VPN, they get an IP address from the DHCP server and can access internal and external (Internet) resources. Not knowing your environment, you may need a couple of changes on the firewall to make sure the IP address that is assigned to VPN users can talk to your internal VLANs.

HTH
