Notable Replies

  1. Hi Rene,

    I have a question and it’s not in any of the subjects; maybe you can answer it.
    I have a router with 2 interfaces:
    G0/1–> ip address, G0/2–>, running OSPF. G0/1 connects to my MASTER firewall with IP address and G0/2 connects to my SECONDARY firewall with IP address; the firewalls are configured in HA. If I try to configure G0/2 with an IP address of it gives me an error. How can I make this scenario work with the 2 interfaces and the firewalls? Or do I need to get a switch module with 2 interfaces and configure a VLAN?
    Please advise.

  2. Hi Alfredo,

    The interfaces on a router are “routed ports”: each interface requires an IP address in a unique subnet. is in the same subnet as your first interface and it’s also a broadcast address. You’ll have to use a larger subnet; a /30 only offers you two IP addresses. A /29 would work.

    Somehow you need to put the interfaces of the two firewalls and the router in a single broadcast domain. You can’t turn the routed ports into switchports, so a switch module is not a bad idea…or create a VLAN on a switch and connect the firewall + router interfaces to it.

    Technically you might be able to bridge the two router interfaces and use a BVI interface but that’s not something I would recommend:

    ! IRB lets the router bridge Gi0/1 and Gi0/2 into one broadcast domain
    ! and route for that domain through the BVI.
    bridge irb
    bridge 1 protocol ieee
    ! Without this line the bridge group forwards IP at layer 2 only; it is
    ! what lets the BVI route IP for the bridged segment.
    bridge 1 route ip
    int gi0/1
     bridge-group 1
    int gi0/2
     bridge-group 1
    interface bvi 1
     ip address

    This bridges the two gigabit interfaces together; the BVI interface is the “routed” port.

    Hope this helps…

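    The two errors behind the rejected configuration above (a second routed port landing in the subnet already used by the first, and an address that is the subnet’s broadcast address) are easy to check before touching the router. The script below is an added example, not code from the forum post or from Cisco; the addresses it uses are constructed for illustration and are not the addresses from the original question. It reports the usable host count for a prefix, which is why a /30 cannot hold a router port plus two firewall ports but a /29 can.

```python
"""Pre-check routed-port addresses the way IOS validates them.

Added example, not from the forum post. Two rules are enforced:
  1. every routed port must sit in its own subnet (no overlap with another
     routed port), and
  2. the address must be a usable host, not the network or broadcast
     address, unless the prefix is /31 or /32.
All sample addresses below are constructed for illustration.
"""
import ipaddress


def usable_hosts(network):
    """Number of assignable host addresses in a subnet.

    /31 (RFC 3021 point-to-point) and /32 reserve nothing; anything shorter
    loses the network and broadcast addresses.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def address_problem(iface_addr):
    """Return None if the address is a usable host, else a short reason."""
    intf = ipaddress.ip_interface(iface_addr)
    net = intf.network
    if net.prefixlen >= 31:
        return None
    if intf.ip == net.network_address:
        return "network address"
    if intf.ip == net.broadcast_address:
        return "broadcast address"
    return None


def check_routed_ports(ports):
    """Validate a mapping of interface name -> 'a.b.c.d/len'.

    Returns a list of error strings; an empty list means IOS would accept
    every address (as far as these two rules go).
    """
    errors = []
    accepted = []  # (interface name, network) pairs already checked
    for name, addr in ports.items():
        reason = address_problem(addr)
        if reason:
            errors.append(f"{name}: {addr} is the {reason} of its subnet")
        net = ipaddress.ip_interface(addr).network
        for other_name, other_net in accepted:
            if net.overlaps(other_net):
                errors.append(f"{name}: {net} overlaps with {other_name} ({other_net})")
        accepted.append((name, net))
    return errors


if __name__ == "__main__":
    # Constructed scenario mirroring the question: Gi0/1 already holds the
    # first usable address of a /30; the second port is given the last
    # address of the same /30, which is both overlapping and the broadcast.
    bad = {"GigabitEthernet0/1": "192.0.2.1/30", "GigabitEthernet0/2": "192.0.2.3/30"}
    for err in check_routed_ports(bad):
        print("rejected:", err)
    # A /30 has room for two devices, a /29 for six; three devices (router
    # plus both firewalls) on one segment therefore need at least a /29.
    for prefix in ("192.0.2.0/30", "192.0.2.0/29"):
        print(prefix, "usable hosts:", usable_hosts(prefix))
```

    Run it as a script to see both rejections printed for the constructed /30 scenario; `check_routed_ports` can be pointed at the addresses from a real device inventory to catch the same problems before a change window.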

  3. Thanks for confirming, and also thanks for that added bit at the end about would match everything.

    I was almost thinking it would be good to add the permit-everything entry just to conform with best practices, but did not think from that perspective that it would then include that as well. You might have saved me from a possible booboo!

  4. Hi Laz,

    Thanks for your answer and for clearing this up for me. Yes, it makes perfect sense and provides clarity to my doubts in logic. I thought this was the case. However, a second opinion from the experts is always a great way of confirmation. I will go and have a play with this again and see if I can produce the right results in my lab. Very many thanks for the clarification.


  5. Hi Laz,

    In my lab environment, I am able to use policy-based routing to push routes from internal VLANs to one single IP gateway and it works like a charm. My issue now is: I am trying to implement a DMZ in my lab. From the diagram, you will see that all the default traffic is sent to the firewall from LAN to Internet (that is working fine as it’s just a default route). Routes from the firewall to the internal LAN are flowing well via firewall routing (router-on-a-stick method).

    Therefore traffic is flowing from LAN to internet - OK
    From Firewall to DMZ - OK

    When I tried to do a tracert from DMZ to on the DMZ host, the packet was dropped at the gateway. I suspect the reason for this is that the router does not know where to push the traffic, as it sees two interfaces, i.e. one going to the LAN and another to the FIREWALL.

    Here is my question:

    Can you use the policy-based route to set the default next hop to go to the firewall and something like another next hop to be the internal LAN?


Continue the discussion forum.networklessons.com
