Solved

Vlan routing

  • 28 December 2020
  • 10 replies
  • 136 views

Hello gentlemen,
I need help from the most experienced.
I have the following vlans configured on my core switch:
1 - Default - 192.168.1.2/24
2 - IT - 172.17.41.1/24
3 - Fin - 172.17.36.1/24
4 - My Default gateway is 192.168.1.1 (My Firewall).

I don't want communication between vlans, but I need them to be able to go out to the internet, going through the firewall.

I have tried to configure static route, enable ipforwarding, ACL denying traffic between vlans when ipforwarding is enabled, but still without success.

Can someone please help me?

Sorry for the mistakes; I use Google Translate.


Best answer by Miguel-Angel RODRIGUEZ-GARCIA 28 December 2020, 20:18

Jackson,

First shot is to remove the ipaddress from the vlans and put them on the vlan interface of the firewall.

If you want more specific answers you’ll have to share a topology design.

Mig


10 replies

XCM8810.1 # sh config "vlan"
#
# Module vlan configuration.

#
configure vlan default delete ports all
configure vr VR-Default delete ports 1:1-48
configure vr VR-Default add ports 1:1-48
configure vlan default delete ports 1:1, 1:36, 1:41
create vlan "Fin"
configure vlan Fin tag 36
configure vlan Fin protocol IP
create vlan "TI"
configure vlan TI tag 41
configure vlan Default add ports 1:1 tagged
configure vlan Default add ports 1:2-35, 1:37-40, 1:42-48 untagged
configure vlan Fin add ports 1:36 untagged
configure vlan TI add ports 1:41 untagged
configure vlan Default ipaddress 192.168.1.2 255.255.255.0
configure vlan TI ipaddress 172.17.41.2 255.255.255.0
configure vlan Fin ipaddress 172.17.36.2 255.255.255.0

XCM8810.2 # sh iproute
Ori  Destination        Gateway         Mtr  Flags        VLAN       Duration
#s   Default Route      192.168.1.1     1    UG---S-um--f Default    0d:0h:8m:37s
 d   172.17.36.0/24     172.17.36.2     1    -------um--- Fin        0d:0h:8m:37s
#d   172.17.41.0/24     172.17.41.2     1    U------um--f TI         0d:0h:8m:37s
#d   192.168.1.0/24     192.168.1.2     1    U------um--f Default    0d:0h:8m:37s

Userlevel 6
Badge +1

Jackson,

First shot is to remove the ipaddress from the vlans and put them on the vlan interface of the firewall.

If you want more specific answers you’ll have to share a topology design.

Mig
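Mig's suggestion expressed in concrete EXOS CLI terms, as an added example (these are not commands from the thread or from Extreme's documentation). It assumes that port 1:1, which the posted configuration already carries tagged in Default, is the uplink to the firewall, and that the firewall gets tagged sub-interfaces 172.17.41.1/24 (VLAN tag 41) and 172.17.36.1/24 (VLAN tag 36), the gateway addresses listed in the question. The switch then keeps TI and Fin purely at layer 2 and no longer routes between them:

```text
# Added example: switch side of the "gateway on the firewall" design.
# Assumption: port 1:1 is the firewall uplink (it is already tagged in Default).
unconfigure vlan TI ipaddress
unconfigure vlan Fin ipaddress
configure vlan TI add ports 1:1 tagged
configure vlan Fin add ports 1:1 tagged

# Verify: TI and Fin should list 1:1 as a tagged port and carry no IP address,
# and the routing table should only keep the Default subnet and the default route.
show vlan TI
show vlan Fin
show iproute
```

Hosts in TI and Fin then use 172.17.41.1 and 172.17.36.1 as their default gateway, so every packet leaving a VLAN, whether bound for the internet or for the other VLAN, crosses the firewall, and the TI-to-Fin block becomes an ordinary, stateful firewall rule instead of a switch ACL. The switch keeps 192.168.1.2 on Default for management only.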

Userlevel 4

Jackson,

First shot is to remove the ipaddress from the vlans and put them on the vlan interface of the firewall.

If you want more specific answers you’ll have to share a topology design.

Mig

And make security rules on the firewall

Userlevel 6
Badge +1

Jackson,

First shot is to remove the ipaddress from the vlans and put them on the vlan interface of the firewall.

If you want more specific answers you’ll have to share a topology design.

Mig

And make security rules on the firewall

Spoiler!! :joy::joy:

Good morning gentlemen,
I understood your suggestion. I am looking for an alternative in which SWITCH CORE does all the routing without the vlan gateway on the firewall (tagged).
When I enable ipforwarding, routing occurs as I would like, but the vlans become able to access other vlans.

Again, sorry for the English; I use Google Translate.

Userlevel 6
Badge +1

Jackson,

There could be several alternatives for this but it is really poor design and I wouldn’t recommend them.

Never forget that a switch/router is not a firewall and a firewall is not a switch/router.

Trying to put firewalling rules in a switch is a very bad habit and becomes quickly unmanageable. ACLs on switches are stateless so you need to foresee them in a two-way communication.

This being said, the only solution I see for you is to set ACLs to deny the unwanted traffic and/or allow the authorized traffic (DHCP/ARP/DNS/Internet).

Mig
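Mig's stateless-ACL point, worked out as an added example in EXOS policy-file syntax (this is not from the thread and not from Extreme's documentation). The file below is a hypothetical policy for the TI VLAN in the routed design the question describes, with the switch keeping its VLAN addresses and ipforwarding enabled. It permits traffic to the firewall 192.168.1.1 (the path to the internet, and assumed here to also be the DNS/DHCP address), denies anything else aimed at the Default or Fin subnets, and lets everything else through; that last entry covers intra-VLAN traffic, broadcasts and ARP, since the address matches only apply to IP packets. Entries are evaluated in file order and the first match wins:

```text
entry permit_to_firewall {
    if {
        destination-address 192.168.1.1/32;
    } then {
        permit;
        count ti_to_firewall;
    }
}
entry deny_to_default_subnet {
    if {
        destination-address 192.168.1.0/24;
    } then {
        deny;
        count ti_to_default;
    }
}
entry deny_to_fin {
    if {
        destination-address 172.17.36.0/24;
    } then {
        deny;
        count ti_to_fin;
    }
}
entry permit_rest {
    if {
    } then {
        permit;
    }
}
```

Save it on the switch as no_intervlan_TI.pol (for instance with `edit policy no_intervlan_TI`), validate it with `check policy no_intervlan_TI`, and apply it with `configure access-list no_intervlan_TI vlan TI ingress`; `show access-list counter` then shows which entry each flow is hitting, which is the quickest way to confirm that a blocked connection is really being dropped by the deny entry. After changing an applied file, run `refresh policy no_intervlan_TI`. Because an ingress ACL only sees packets arriving from TI, this file alone does nothing for the other directions: a mirrored file on Fin (denying 172.17.41.0/24) and one on Default (denying sources in 192.168.1.0/24, other than the firewall, from reaching 172.17.0.0/16) are also needed, and anything you later decide to allow between two VLANs has to be permitted in both files. That is the two-way bookkeeping the reply above warns about. Independently of the ACLs, the firewall needs static routes for 172.17.41.0/24 and 172.17.36.0/24 via 192.168.1.2, otherwise replies from the internet never find their way back to the switch.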

Good morning Mig,
Yes. I don't want to use ACLs. I would like the Switch to do all the routing, for example:
- As I showed in the diagram: is it possible to make the IT VLAN use the default gateway 192.168.1.1?

Userlevel 6
Badge +1

Jackson,

If you want to avoid inter-vlan routing, you must specify ACLs in the switch or in the firewall but you’ll have to use them.

You could use VRFs to avoid this but this will need one port per VRF (much more complex setup) on the switches and the firewall and ACLs on the firewall.

I’m afraid I don’t have a lot of solutions meeting your wishes.

Mig

I would not like to give the firewall the blocking function between vlans, but it seems to me that moving the vlan gateway to the firewall will be the best solution.

Userlevel 6
Badge +1

Jackson,

It is indeed my best choice.

Mig
