The Cisco 3750 does support full layer-3 capability; its OSPF implementation is about as complete as you’d find in a x800-series router running IPBASE. In fact, its routing speed will be pretty close to what an 1801 router could do – i.e., not wonderful.

Some 3750s (not many) come with “LAN-Lite” or “LAN-base” software, however, and all L3 functions are disabled in those builds. From the console, run “show version”, and then go to Cisco’s site (or post here) to decode the “image name”, which will look something like “c3750-ipbaselmk9-tar.122-55.SE3.tar”. If it says “ipbase” or “ipservices” you’re good to run OSPF. If it also says “k9” you’re able to use encryption (but you won’t want to, as the CPU is very slow).

-Adam Thompson
athom...@athompso.net

From: David Miller [mailto:davi...@gmail.com]
Sent: Thursday, August 18, 2011 09:42
To: support@pfsense.com
Subject: Re: [pfSense Support] VPN Failover Backup

On Thu, Aug 18, 2011 at 1:11 AM, John McDonnell <gorgar...@ymail.com> wrote:

> One more question about OSPF routing, am I going to want to remove the routes from the switches or would it be beneficial to leave them in there, but point to the IP of the pfSense box and have it do OSPF routing to determine if it should go over the normal wireless links or over the VPN? I'm not sure, but I'd think that having the switches doing the basic routing to determine if it needs to go across a link would be more efficient and faster than passing that to the pfSense box and then back to the switch if it's only in a different subnet at the same building. Not sure how I'd incorporate QoS on the VOIP in this manner though, perhaps a virtual IP?

Yes, for inter-VLAN routing within the building I'd use the switches to get the line speed routing available in the switch. I don't see any reason to send the traffic to pfSense just to have it send the traffic back if you don't have to.

Also, I just had a look at the 3750 spec sheet; it appears to support OSPF and EIGRP (Cisco's proprietary dynamic routing solution). It's not too common for a Layer3 switch to support dynamic routing protocols so I can't say how complete this support is but it's there in some form. I'm not sure what image you need to have on the switch to get access to this functionality. So you would have to do some research into if your images support these protocols and if they support enough of the protocol to do what you need. If they do then you could keep all the routing on the Cisco switches and just use pfSense to set up the VPN tunnel. Otherwise I would use the hybrid approach and let the pfSense boxes route between buildings, leaving the switches to route between VLANs.

> Thank you all for your thoughts and I think I'm a bit closer to being ready to give this a test run once I get some spare time in a couple weeks.

Good luck. Let us know how it works out.

--
David