topic Re: Virtual router from firewall in series with physical router. in General Topics

Virtual router from firewall in series with physical router.

Netwerx — Fri, 03 Feb 2017 20:02:06 GMT

If I change our virtual wire setup to layer 3, have the IP addresses on both interfaces be local network IPs, and set a static route for 0.0.0.0 to point to the existing physical router on the WAN side of the virtual wire, will traffic (tagged and non-tagged) traffic pass through normally? My understanding is that this is 'cascading' the routers. I'm fine with the existing physical router handing inter-vlan traffic for the time being, to cut down on complexity. It can always be changed later.

I'm starting an ISP migration, and am trying to get it down in steps / milestones.

Re: Virtual router from firewall in series with physical router.

pulukas — Sat, 04 Feb 2017 12:16:45 GMT

I'm not sure I follow your question fully, so forgive me if this is off track.

When you move from v-wire to layer 3 assuming there is a routed interface set of ip addresses on either side of the PA.

R1 10.1.1.2/31 ---- v-wire----10.1.1.3/31 R2

One ip address moves to the PA and you setup a second subnet for the other:

R1 10.1.1.2/31 ----10.1.1.3/31 PA-L3 10.1.1.4/31----10.1.1.5/31 R2

Routing on R1 does not change, the next hop will remain the same

Routing on R2 changes any next hops of 10.1.1.3 to 10.1.1.4

PA needs to copy routes from R1 with next hop 10.1.1.3 and change to next hop 10.1.1.5

PA needs to copy routes from R2 with next hop 10.1.1.2 and keep same next hop

Re: Virtual router from firewall in series with physical router.

reaper — Mon, 06 Feb 2017 13:52:43 GMT

If I understand your setup, then the firewall will only continue forwarding tagged and untagged traffic if you ensure all tags are present on sub-interfaces on the L3 interface

the big difference between vwire and layer3 is that vwire will simply act like a cable and pass everything along as long as the vlan tags are included in the vwire config and security policies permit the sessions

on a layer3 interface, each 'tag (or non-tag) needs to be represented by the physical interface 'belonging' to the appropriate subnet(s) and every vlan tag also being represented by a tagged subinterface, also belonging to the appropriate subnet(s)

next, your VirtualRouter will take care of forwarding between the subnets, and will add/remove tags where appropriate

adding 0.0.0.0/0 will ensure a default gateway is created to push out any non-locally-routed sessions to your desired next-hop

lastly, since you currently have 2 connected routers in the same subnet, you will need to split up this subnet (as demonstrated by @pulukas in the above post), or create an additional one so the firewall has a unique subnet per interface

hope this helps

Re: Virtual router from firewall in series with physical router.

Netwerx — Tue, 07 Feb 2017 14:53:37 GMT

Sorry for the confusing question. Our present setup is a cisco router as the default gateway for our network, then the firewall in virtual wire mode, then the core switch. We want to change from virtual wire to layer 3 with minimal disruption to our network. This virtual wire connection has been our primary internet connection, but we need to connect a second WAN connection that we need to transfer business processes to. That means layer 3 due to the need for the most options with policy based forwarding, NATting, etc.

I know we can move the subinterface IPs from LAN side of the physical router to the LAN side (to the core switch) of what would be the layer 3 setup on the firewall, using some other private subnet between the virtual router on the firewall as the next hop from the virtual router to the cisco, and use RIP to advertise the routes from our LAN through the virtual router, to the cisco. I just don't have enough understanding if we can use additional local IP addresses from our current subnets so that they are on both sides of the layer 3 connection on the virtual router. Around here is where I get confused, since by defintion router break up networks / broadcast domains. I think in my head i'm confusing a layer 2 deployment with what is possible with a layer 3 deployment.

I'm just trying to get the vwire converted to layer 3 without having to go to far into NAT rules, etc.

I think the easiest thing to do will probably be to work with our ISP who is currently managing our router to plan out a simple RIP setup between what will be the new virutal router, and the cisco. We just need exisitng traffic flows to go to / from our LAN so we can begin mirating things over to another interface on the firewall (new isp connection, basically going to our own public address space from our ISP NATing what we need).

Re: Virtual router from firewall in series with physical router.

pulukas — Wed, 08 Feb 2017 23:01:20 GMT

I'm confused on what the current setup is.

The core switch to the router connection, is this layer 2 or layer 3?

Re: Virtual router from firewall in series with physical router.

Netwerx — Mon, 13 Feb 2017 13:25:09 GMT

Current setup is that the PA firewall has a virtual wire interface bridging our core switch and physical router.

I've worked with our vendor and an ISP network guy. We set up a new /30 network between the router and firewall (Layer 3), set a few static routes on the physical router, and will redistribute them into EIGRP.