Long time follower of the YouTube channel and have watched many many videos that have been done over the years on network configuration / best practices. My question might be very simple or it might be very complicated, so I’ll provide as much info as possible.
I just got a UCG-Ultra and it is upstream or “in front” of my L3 Cisco switch currently handling my inter-VLAN routing.
1.) When originally setting up I basically made a “transit vlan” and set the default route on the L3 Cisco switch to the gateway IP of the UCG-Ultra. Then I created a static route on the UCG-Ultra for each of the VLAN networks with a “next-hop” of the Cisco’s “transit vlan” IP. With this configuration internet was working just fine, but the UCG only saw one connected client (the Cisco switch), which I assume is normal behavior because everything is “behind” it? Image below for reference:
The shortcomings of this basically mean that I can’t really control any traffic on the UCG correct? It’s really just an all or nothing, since those networks essentially just pass through it?
2.) I had the thought of moving the VLAN interfaces to live on / be routed by the UCG to simplify things. The problem with this is that once I upgrade my L3 switch to something 2.5G or better and essentially only use L2 functionality, anything crossing VLANs (aka that needs to be routed) would happen only as fast as the UCG (1 Gb), correct? So in the below image, if a computer on VLAN 1001 wants to talk to the NAS on VLAN 1000 (allowed by firewall rules), they will not communicate at 2.5G because the routing between those VLANs is done on the UCG-Ultra?
(will have to post image example separately since as a new member I can only embed one media item per post)
3.) I was messing around last night and on the UCG-Ultra ended up defining networks on the respective VLANs in the same subnet. For example in my Cisco L3, VLAN 1003 is 10.0.3.0/24 with IP 10.0.3.10. So on the UCG I created a network with VLAN ID 1003 and IP 10.0.3.1 and tagged ports on both the Cisco and the UCG, and this seems to at least now be reporting actual traffic/client information in the UCG, which wasn’t happening before with the “transit vlan.” Is there anything wrong with this configuration? Will this do some sort of strange asymmetric routing? Do I still need some sort of static route?

I guess I’m really asking if I am going about this the right way, and what suggestions anyone might have for designing this? All of the tutorials out there don’t really seem to show a Layer 3 device behind the firewall, but rather show the firewall containing DNS, DHCP, VLANs, routing, etc. and then using everything behind it as just L2. The problem with this is, unless you have a really robust firewall, any faster switch behind it will be limited to the routing capabilities of the firewall? Like in my above example? Hopefully I am using the right terminology to make this a bit clearer than mud haha. Thank you!
This last image shows the config as it sits currently -
(will have to post separately since as a new member I can only embed one media item per post)
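The two designs the post compares (question 1, the transit VLAN with static routes, and question 3, the UCG holding an interface in the same subnet as the Cisco SVI) can be checked for asymmetric routing by tracing the forward and return path hop by hop. The model below is an added example written for this page, not the poster's configuration or any UniFi/Cisco tooling; it only uses the addresses the post gives (VLAN 1003 = 10.0.3.0/24, Cisco SVI 10.0.3.10, UCG 10.0.3.1) and labels everything else as assumed (transit VLAN 10.255.255.0/30 with UCG .1 and Cisco .2, VLAN 1000 = 10.0.0.0/24, WAN 203.0.113.0/24, a remote host 198.51.100.9, hosts keeping the Cisco SVI as their default gateway). Each node carries a small routing table and a longest-prefix-match lookup, and `flow()` reports whether the same routers see both directions of a conversation, which is what matters for any stateful firewall rule on the UCG or ACL on the switch.

```python
"""Path tracing over a constructed model of the topology in the post.

Assumed addresses (the post gives only VLAN 1003 = 10.0.3.0/24, Cisco SVI
10.0.3.10 and UCG 10.0.3.1): transit VLAN 10.255.255.0/30 (UCG .1, Cisco .2),
VLAN 1000 = 10.0.0.0/24, WAN 203.0.113.0/24, remote host 198.51.100.9.
"""
import ipaddress


class Node:
    """A host or router: its interface addresses and a routing table.
    Routes are (prefix, next_hop); next_hop None means directly connected."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def owner(nodes, ip):
    """The node that holds interface address ip, or None."""
    return next((n for n in nodes.values() if ip in n.addrs), None)


def trace(nodes, src, dst, max_hops=10):
    """Return the list of node names a packet from src to address dst traverses."""
    dst = ipaddress.ip_address(dst)
    path, cur = [src], nodes[src]
    for _ in range(max_hops):
        if dst in cur.addrs:  # delivered: current node owns the destination
            return path
        hit = cur.lookup(dst)
        if hit is None:
            return path + ["DROP"]
        # Connected route: hand the packet to whoever owns dst on that segment.
        nxt = owner(nodes, dst if hit[1] is None else ipaddress.ip_address(hit[1]))
        if nxt is None:
            return path + ["DROP"]
        path.append(nxt.name)
        cur = nxt
    return path + ["LOOP"]


def build(ucg_has_lan_interfaces):
    """Scenario 1 (False): UCG reaches the LANs only via static routes over the
    transit VLAN. Scenario 3 (True): UCG also has its own interface in each VLAN.
    Hosts keep the Cisco SVI as default gateway in both cases (assumption)."""
    ucg_addrs = ["10.255.255.1", "203.0.113.2"]
    ucg_routes = [("10.255.255.0/30", None), ("203.0.113.0/24", None),
                  ("0.0.0.0/0", "203.0.113.1")]
    if ucg_has_lan_interfaces:
        ucg_addrs += ["10.0.0.1", "10.0.3.1"]
        ucg_routes += [("10.0.0.0/24", None), ("10.0.3.0/24", None)]
    else:
        ucg_routes += [("10.0.0.0/24", "10.255.255.2"), ("10.0.3.0/24", "10.255.255.2")]
    nodes = [
        Node("pc", ["10.0.3.50"], [("10.0.3.0/24", None), ("0.0.0.0/0", "10.0.3.10")]),
        Node("nas", ["10.0.0.5"], [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.10")]),
        Node("cisco", ["10.0.0.10", "10.0.3.10", "10.255.255.2"],
             [("10.0.0.0/24", None), ("10.0.3.0/24", None),
              ("10.255.255.0/30", None), ("0.0.0.0/0", "10.255.255.1")]),
        Node("ucg", ucg_addrs, ucg_routes),
        # Stand-in for ISP plus remote host; the 10/8 route models the NAT return path.
        Node("internet", ["203.0.113.1", "198.51.100.9"],
             [("203.0.113.0/24", None), ("198.51.100.0/24", None),
              ("10.0.0.0/8", "203.0.113.2")]),
    ]
    return {n.name: n for n in nodes}


def flow(nodes, src, src_ip, dst, dst_ip):
    """Forward path, return path, and whether the same routers see both directions."""
    fwd = trace(nodes, src, dst_ip)
    rev = trace(nodes, dst, src_ip)
    symmetric = fwd[1:-1] == list(reversed(rev))[1:-1]
    return fwd, rev, symmetric


if __name__ == "__main__":
    for label, lan_ifaces in (("scenario 1 (transit VLAN)", False),
                              ("scenario 3 (UCG in each VLAN)", True)):
        n = build(lan_ifaces)
        print(label)
        print("  pc -> internet:", flow(n, "pc", "10.0.3.50", "internet", "198.51.100.9"))
        print("  pc -> nas     :", flow(n, "pc", "10.0.3.50", "nas", "10.0.0.5"))
```

Under these assumptions the transit-VLAN design is symmetric (pc, cisco, ucg, internet and back the same way), while the same-subnet design sends outbound traffic through the Cisco but delivers replies from the UCG straight onto VLAN 1003, so the switch sees only one half of each internet conversation. Traffic between VLAN 1000 and VLAN 1003 never reaches the UCG in either design, which is the visibility limit raised in question 1; swapping the hosts' gateway to the UCG address in the model shows the opposite trade-off from question 2.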