topic Re: Vlan routing in ExtremeSwitching (EXOS/Switch Engine)

Vlan routing

jacksonvld — Tue, 29 Dec 2020 03:16:33 GMT

Hello gentlemen,
I need help from the most experienced.
I have the following vlans configured on my core switch:
1 - Default - 192.168.1.2/24
2 - IT - 172.17.41.1/24
3 - Fin - 172.17.36.1/24
4 - My Default gateway is 192.168.1.1 (My Firewall).

I don't want communication between vlans, but I need them to be able to go out to the internet, going through the firewall.

I have tried to configure static route, enable ipforwarding, ACL denying traffic between vlans when ipforwarding is enabled, but still without success.

Can someone please help me?

Sorry for the mistakes I use google translate.

Re: Vlan routing

jacksonvld — Tue, 29 Dec 2020 03:17:09 GMT

XCM8810.1 # sh config "vlan"
#
# Module vlan configuration.

#
configure vlan default delete ports all
configure vr VR-Default delete ports 1:1-48
configure vr VR-Default add ports 1:1-48
configure vlan default delete ports 1:1, 1:36, 1:41
create vlan "Fin"
configure vlan Fin tag 36
configure vlan Fin protocol IP
create vlan "TI"
configure vlan TI tag 41
configure vlan Default add ports 1:1 tagged
configure vlan Default add ports 1:2-35, 1:37-40, 1:42-48 untagged
configure vlan Fin add ports 1:36 untagged
configure vlan TI add ports 1:41 untagged
configure vlan Default ipaddress 192.168.1.2 255.255.255.0
configure vlan TI ipaddress 172.17.41.2 255.255.255.0
configure vlan Fin ipaddress 172.17.36.2 255.255.255.0

XCM8810.2 # sh iproute
Ori Destination Gateway Mtr Flags VLAN Duration
#s Default Route 192.168.1.1 1 UG---S-um--f Default 0d:0h:8m:37s
d 172.17.36.0/24 172.17.36.2 1 -------um--- Fin 0d:0h:8m:37s
#d 172.17.41.0/24 172.17.41.2 1 U------um--f TI 0d:0h:8m:37s
#d 192.168.1.0/24 192.168.1.2 1 U------um--f Default 0d:0h:8m:37s

Re: Vlan routing

Miguel-Angel_RO — Tue, 29 Dec 2020 03:18:56 GMT

Jackson,

First shot is to remove the ipaddress from the vlans and put them on the vlan interface of the firewall.

If you want more specific answers you’ll have to share a topology design.

Mig

Re: Vlan routing

JohanHendrikx — Tue, 29 Dec 2020 14:59:34 GMT

And make security rules on the firewall

Re: Vlan routing

Miguel-Angel_RO — Tue, 29 Dec 2020 17:19:24 GMT

And make security rules on the firewall

Spoiler!!

Re: Vlan routing

jacksonvld — Tue, 29 Dec 2020 20:37:16 GMT

Good morning gentlemen,
I understood your suggestion. I am looking for an alternative in which SWITCH CORE does all the routing without the vlan gateway on the firewall (tagged).
When I enable ipforwarding, routing occurs as I would like, but the vlans become able to access other vlans.

Again, sorry for the English, I use the Google translator

Re: Vlan routing

Miguel-Angel_RO — Wed, 30 Dec 2020 17:01:04 GMT

Jackson,

There could be several alternatives for this but it is really poor design and I wouldn’t recommend them.

Never forget that a switch/router is not a firewall and a firewall is not a switch/router.

Trying to put firewalling rules in a switch is a very bad habit and become quickly unmanageable. ACL on switches are stateless so you need to foresee them in a two way communication.

This being said, the only solutions I see for you is to set ACLs to deny the unwanted traffic and/or allow the authorized traffic(DHCP/ARP/DNS/Internet).

Mig

Re: Vlan routing

jacksonvld — Mon, 04 Jan 2021 19:36:57 GMT

Good morning Mig,
Yes. I don't want to use ACLs. I would like the Switch to do all the routing, for example:
- As I showed in the diagram. It is possible to make the IT VLAN use the default gateway 192.168.1.1?

Re: Vlan routing

Miguel-Angel_RO — Mon, 04 Jan 2021 20:04:23 GMT

Jackson,

If you want to avoid inter-vlan routing, you must specify ACLs in the switch or in the firewall but you’ll have to use them.

You could use VRFs to avoid this but this will need one port per VRF (much complex setup) on the switches and the firewall and ACLs on the firewall.

I’m afraid I don’t have a lot of solution meeting your wishes.

Mig

Re: Vlan routing

jacksonvld — Tue, 05 Jan 2021 00:01:16 GMT

I would not like to give the firewall the blocking function between vlans, but it seems to me that moving the vlan gateway to the firewall will be the best solution.

Re: Vlan routing

Miguel-Angel_RO — Tue, 05 Jan 2021 00:05:27 GMT

Jackson,

It is indeed my best choice.

Mig