Vlan routing

jacksonvld
New Contributor

Hello gentlemen,
I need help from the most experienced.
I have the following vlans configured on my core switch:
1 - Default - 192.168.1.2/24
2 - IT - 172.17.41.1/24
3 - Fin - 172.17.36.1/24
4 - My Default gateway is 192.168.1.1 (My Firewall).

I don't want communication between vlans, but I need them to be able to go out to the internet, going through the firewall.

I have tried configuring a static route, enabling ipforwarding, and an ACL denying traffic between vlans when ipforwarding is enabled, but still without success.

Can someone please help me?

Sorry for the mistakes, I use Google Translate.

1 ACCEPTED SOLUTION

Miguel-Angel_RO
Valued Contributor II

Jackson,

First shot is to remove the ipaddress from the vlans and put them on the vlan interface of the firewall.

If you want more specific answers you’ll have to share a topology design.

Mig

10 REPLIES

Miguel-Angel_RO
Valued Contributor II

Jackson,

There could be several alternatives for this, but it is really poor design and I wouldn’t recommend them.

Never forget that a switch/router is not a firewall and a firewall is not a switch/router.

Trying to put firewalling rules in a switch is a very bad habit and quickly becomes unmanageable. ACLs on switches are stateless, so you need to foresee them in a two-way communication.

This being said, the only solution I see for you is to set ACLs to deny the unwanted traffic and/or allow the authorized traffic (DHCP/ARP/DNS/Internet).

 

Mig
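As an added illustration of Mig's point about stateless ACLs (example code written for this page, not from the thread or any vendor), here is a small Python model of a first-match ACL using the subnets from the question. The rule list, the 203.0.113.5 Internet host, and the first-match/implicit-deny semantics are assumptions; the model only looks at IP source and destination and ignores the DHCP/ARP/DNS allowances a real ACL also needs.

```python
import ipaddress
from typing import List, Tuple

# Subnets from the thread; the rule list is a constructed model of a
# stateless switch ACL (first match wins, implicit deny), not vendor syntax.
IT = ipaddress.ip_network("172.17.41.0/24")
FIN = ipaddress.ip_network("172.17.36.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str]

# Deny inter-VLAN first, then permit each VLAN out towards the firewall,
# then permit the replies back in: a stateless ACL does not remember the
# outbound flow, so the return direction needs its own rule.
ISOLATING_RULES: List[Rule] = [
    (IT, FIN, "deny"),
    (FIN, IT, "deny"),
    (IT, ANY, "permit"),
    (FIN, ANY, "permit"),
    (ANY, IT, "permit"),   # replies from the Internet back to IT
    (ANY, FIN, "permit"),  # replies from the Internet back to Fin
]

# Same rules with the permits ahead of the denies: the isolation is lost.
MISORDERED_RULES: List[Rule] = ISOLATING_RULES[2:] + ISOLATING_RULES[:2]


def lookup(src: str, dst: str, rules: List[Rule]) -> str:
    """Action for a packet src->dst under first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny at the end of the list


def policy_violations(rules: List[Rule]) -> List[str]:
    """Check the flows the thread cares about; return those that misbehave."""
    expectations = {  # 203.0.113.5 is a constructed Internet host (TEST-NET-3)
        ("172.17.41.10", "172.17.36.10"): "deny",   # IT -> Fin must be blocked
        ("172.17.36.10", "172.17.41.10"): "deny",   # Fin -> IT must be blocked
        ("172.17.41.10", "203.0.113.5"): "permit",  # IT -> Internet
        ("203.0.113.5", "172.17.41.10"): "permit",  # Internet reply to IT
        ("172.17.36.10", "203.0.113.5"): "permit",  # Fin -> Internet
        ("203.0.113.5", "172.17.36.10"): "permit",  # Internet reply to Fin
    }
    return [f"{s}->{d}: got {lookup(s, d, rules)}, want {want}"
            for (s, d), want in expectations.items() if lookup(s, d, rules) != want]
```

Dropping the last two return-path rules (`ISOLATING_RULES[:4]`) makes every Internet reply fail the check, which is the two-way problem Mig describes.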

jacksonvld
New Contributor

Good morning gentlemen,
I understood your suggestion. I am looking for an alternative in which SWITCH CORE does all the routing without the vlan gateway on the firewall (tagged).
When I enable ipforwarding, routing occurs as I would like, but the vlans become able to access other vlans.

Again, sorry for the English, I use Google Translate.


Miguel-Angel_RO
Valued Contributor II

And make security rules on the firewall


JohanHendrikx
Contributor II

And make security rules on the firewall

Johan Hendrik System Architect Audax
