
I have the following topology:

Click here, unfortunately I don't have enough rep to post images

Essentially I would like the packet flow to go from PC1, to the Core Switch, to the Edge Switch, and to the Firewall. I need to "bump the wire" to force traffic through the IPS. Ideally I would put it inline between the edge and firewall but there are issues with that (different interface types) so I need to do it this way.

The theory is as follows.

  1. Packet is destined for the internet, the client doesn't know how to get there so it directs the packet to the default route. The source MAC is the client, the destination MAC is the PC.

  2. The Core switch receives it. It checks its CAM table and knows that 10.1.0.1's MAC address is somewhere on port 2.

  3. The Edge switch receives it and in its CAM table it doesn't have a direct entry for the MAC of 10.1.0.1 in VLAN 10. It does know it's in port 3 though.

  4. Through the IPS it goes.

  5. Now the Edge switch sees that 10.1.0.1's MAC address is on port 1.

The point is I don't want to "route" from port 2 to 1 directly through the backplane, I need to force it to go through the IPS.

Here's my proposed config

Edge:

int FastEthernet0/1
  switchport mode access
  switchport access vlan 20
int FastEthernet0/4
  switchport mode access
  switchport access vlan 20
int FastEthernet0/2
  switchport mode access
  switchport access vlan 10
int FastEthernet0/3
  switchport mode access
  switchport access vlan 10

Core:
int FastEthernet0/1
  switchport mode access
  switchport access vlan 10
int FastEthernet0/4
  switchport mode access
  switchport access vlan 10

Before you laugh, I am using a 2960 as the edge and a 3560 for the Core. I am testing this in a lab environment ;).

Is this "proper" or is there a better way of doing this?

1 Answer


Without getting into a bunch of gory details, I'll just make the following points:

1. You can't "route" traffic at layer 2; routing occurs at layer 3.

2. The client traffic is going to die without ever reaching the IPS or the Firewall. The client is going to ARP for the Default Gateway, and being that the Default Gateway is in a different VLAN it will get no response. The switch isn't going to forward that ARP request from VLAN 10 to VLAN 20. The switch is going to forward the ARP request only to ports that are in VLAN 10. There are several other technical problems with your proposed design, but since the point I just made is a showstopper I'm not going to elaborate on anything else.

3. Why don't you use the IPS as the Default Gateway for the clients and use the Firewall as the Default Gateway for the IPS?

4. What are the issues with connecting the IPS between the Edge switch and the Firewall? You show both of them connected to the Edge switch. I'm assuming they're both connected to Ethernet ports on the Edge switch. If so, why can't you just connect them directly?

joeqwerty
  • 1. I didn't mean route as in L3, hence why I put it in quotes.
    3. The IPS is a transparent bridge.
    4. The interfaces are different physically.
    2. The ARP should go as follows, being a L2 broadcast...
       a. Broadcast out all red ports on the core switch (port 2)...
       b. It goes in port 2 on the edge and is rebroadcast out all red ports (port 3).
       c. It goes through the IPS and into the blue port and thus gets rebroadcast out the other blue ports (port 1).
    I don't see why this won't work – HatinCisco9234 May 20 '15 at 14:42
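The question's five-step forwarding theory and the ARP disagreement in the answer and the comment both come down to the same mechanics: per-VLAN CAM learning, flooding only inside the ingress VLAN, and a transparent bridge that repeats frames between a VLAN 10 port and a VLAN 20 port. The simulator below is an added example, not code from the question, the answer, or either poster; it models exactly that and traces where PC1's ARP for 10.1.0.1 goes. Everything about the lab is assumed: the cabling (PC1 to Core Fa0/1, Core Fa0/4 to Edge Fa0/2, Edge Fa0/3 and Fa0/1 to the two IPS legs, Edge Fa0/4 to the firewall), the IPS leg names `in`/`out`, the MAC and IP addresses, and the absence of spanning tree. `PROPOSED` is the edge config from the question; `ONE_VLAN` is the same cabling with both IPS legs left in VLAN 10, added to show the failure mode of getting that wrong.

```python
# Added Layer-2 simulator (assumed cabling, MACs and IPs; no STP modelled).
BROADCAST = "ff:ff:ff:ff:ff:ff"
MAX_HOPS = 64  # loop guard: a bridge with both legs in one VLAN floods forever


class Frame:
    def __init__(self, src, dst, payload):
        self.src, self.dst, self.payload = src, dst, payload

    def __repr__(self):
        return f"{self.src}->{self.dst} {self.payload}"


class Net:
    """Cabling plus an ordered trace of every (device, ingress port) hop."""

    def __init__(self):
        self.links, self.trace = {}, []

    def cable(self, a, pa, b, pb):
        self.links[(a, pa)] = (b, pb)
        self.links[(b, pb)] = (a, pa)

    def transmit(self, dev, port, frame):
        if len(self.trace) >= MAX_HOPS:
            raise RuntimeError("forwarding loop")
        peer, peer_port = self.links[(dev, port)]
        self.trace.append((peer.name, peer_port))
        peer.receive(self, peer_port, frame)


class Switch:
    """Access ports only: learn per VLAN, flood only within the ingress VLAN."""

    def __init__(self, name, access_ports):
        self.name, self.vlan_of, self.cam = name, dict(access_ports), {}

    def receive(self, net, port, frame):
        vlan = self.vlan_of[port]
        self.cam[(vlan, frame.src)] = port          # CAM key is (VLAN, MAC)
        out = self.cam.get((vlan, frame.dst))
        if out is not None:
            if out != port:                          # known unicast: one port
                net.transmit(self, out, frame)
            return
        for p, v in self.vlan_of.items():            # broadcast/unknown: flood
            if v == vlan and p != port:
                net.transmit(self, p, frame)


class TransparentBridge:
    """The IPS: no MAC or IP of its own, repeats frames from one leg to the other."""

    def __init__(self, name, leg_a, leg_b):
        self.name, self.other, self.inspected = name, {leg_a: leg_b, leg_b: leg_a}, []

    def receive(self, net, port, frame):
        self.inspected.append(repr(frame))           # the inspection point
        net.transmit(self, self.other[port], frame)


class Host:
    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip, self.arp = name, mac, ip, {}

    def receive(self, net, port, frame):
        kind, ip = frame.payload.split()
        if kind == "ARP-REQ" and ip == self.ip:      # who-has me: answer unicast
            net.transmit(self, "eth0", Frame(self.mac, frame.src, f"ARP-REPLY {ip}"))
        elif kind == "ARP-REPLY":
            self.arp[ip] = frame.src

    def arp_request(self, net, ip):
        net.transmit(self, "eth0", Frame(self.mac, BROADCAST, f"ARP-REQ {ip}"))


PROPOSED = {"Fa0/1": 20, "Fa0/2": 10, "Fa0/3": 10, "Fa0/4": 20}  # edge config from the question
ONE_VLAN = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 10, "Fa0/4": 10}  # both IPS legs in VLAN 10


def build_lab(edge_ports):
    """Assumed cabling: PC1 - Core - Edge - IPS - Edge - Firewall."""
    net = Net()
    pc1 = Host("PC1", "aa:aa:aa:00:00:10", "10.1.0.10")
    fw = Host("Firewall", "aa:aa:aa:00:00:01", "10.1.0.1")   # the default gateway
    core = Switch("Core", {"Fa0/1": 10, "Fa0/4": 10})
    edge = Switch("Edge", edge_ports)
    ips = TransparentBridge("IPS", "in", "out")
    net.cable(pc1, "eth0", core, "Fa0/1")
    net.cable(core, "Fa0/4", edge, "Fa0/2")
    net.cable(edge, "Fa0/3", ips, "in")
    net.cable(ips, "out", edge, "Fa0/1")
    net.cable(edge, "Fa0/4", fw, "eth0")
    return net, pc1, edge, ips


def run_arp(edge_ports=PROPOSED):
    """Trace PC1's ARP for the gateway and the reply; report a loop if flooding never ends."""
    net, pc1, edge, ips = build_lab(edge_ports)
    try:
        pc1.arp_request(net, "10.1.0.1")
    except RuntimeError:
        return {"loop": True}
    return {"loop": False, "path": net.trace, "ips_saw": len(ips.inspected),
            "pc1_gateway_mac": pc1.arp.get("10.1.0.1"), "edge_cam": edge.cam}


if __name__ == "__main__":
    result = run_arp()
    for hop in result["path"]:
        print("%-9s %s" % hop)
    print("PC1 resolved gateway to", result["pc1_gateway_mac"])
    print("single-VLAN bridge loops:", run_arp(ONE_VLAN)["loop"])
```

With the question's VLAN assignments the trace is Core Fa0/1, Edge Fa0/2, IPS in, Edge Fa0/1, Firewall, and back the same way, so the request and the reply each cross the IPS once and the edge switch ends up with PC1's MAC learned on Fa0/2 in VLAN 10 and on Fa0/1 in VLAN 20, which is what steps 3 and 5 of the question describe. The thing to check on real gear is the same thing the `ONE_VLAN` case shows: if both IPS legs land in one VLAN, the bridge closes a loop through the switch; here the hop guard trips, on a real 2960 spanning tree would block one of the ports and traffic would bypass or lose the IPS. The model also assumes the IPS really is transparent (no MAC of its own) and does not model STP, BPDU handling on the IPS, or the firewall's own ARP behaviour.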