Hi, hope you're all well.

I'm moving towards VRRP and OSPF for the routing between each site (4/5 sites). Currently we're routing off some old school Firewalls with L3 VPN routing between 3 sites via the ISP Connectivity. As the budget won't stretch to get some new core switches and firewalls I'm going to use the 3750's.

I just want to check for site A, that I set the internal NiC on the firewall to say 192.168.100.2, I route the traffic statically as the Next hop from the SVI vlans? Or do I put it in the subnet I planned for the VPLS and let the routing after the firewall carry out the NATting I intend to use on the firewall?

I'm going to paraphrase this to save on your reading time.

VPLS subnet: 10.10.10.0/26

Site A (WAN Site):

3750-1 int gi 1/0/1: ip address 10.10.10.2/26, ip ospf priority 10, vrrp ip 10.10.10.1/26
3750-2 int gi 1/0/1: ip address 10.10.10.3/26, ip ospf priority 5, vrrp ip 10.10.10.1/26

router ospf 15, log-adjacency-changes, network 192.168.100.0 0.0.0.255 area 0, network 192.168.110.0 0.0.0.255 area 0, network 192.168.120.0 0.0.0.255 area 0

Local vlan SVI's: vlan100 - 192.168.100.0/24, vlan - 110 192.168.110.0/24, vlan 120 - 192.168.120.0/24


Help, advise, recommendations more than welcome.

Thanks in advance
MV.

Sorry bit of clarification.

The SVI's are .1 not .0 & I'm 90% sure the Firewall should terminate in the LAN but I want to be 100%.

put the firewall on the LAN with a default route on the 3750's pointing to the firewall as the next hop. on the 3750's advertise the default to your other sites. also, your VPLS subnet should be OSPF area 0 and each of your sites should exist in a separate area. i would also recommend a hierarchical address scheme for each site so that you can summarize your address space should you need to do so in the future. yes, your environment is pretty small, but design and construct it properly from the beginning.

Thanks unclerico,

Makes a lot of sense and thank you for getting back to me.