topic Re: Routing To Firewall in Routing and SD-WAN

Routing To Firewall

NetworkGuy! — Mon, 30 Sep 2019 14:34:23 GMT

Hello

This is my topology as attached. I have site A (Switch A) connected to FW (all same subnet)

I know have Site B (Switch B) connecting to Site A (Switch A) however I want only 1 subnet out of Site B (10.20.100.0/24) behind Site A firewall - is this possible?

Re: Routing To Firewall

balaji.bandi — Mon, 30 Sep 2019 15:00:08 GMT

yes possible, make only ACL rule for that /24 to allow outside, so rest will be denied.

Re: Routing To Firewall

NetworkGuy! — Mon, 30 Sep 2019 15:42:44 GMT

Sorry didnt get it

I want 10.20.100.0/24 (Site B) subnet behind the firewall in SIte A which is a routed link. clear?

Re: Routing To Firewall

NetworkGuy! — Mon, 30 Sep 2019 16:16:36 GMT

will the attached work using VRF on the switches?

basically I am using a link from FW to Switch A (VRF-1) and from Switch A - Switch B (same VRF) and creating the SVI on Switch B for 10.20.100.x/24 (VRF-1) and addin static route "ip route VRF-1 0.0.0.0 0.0.0.0 10.10.253.2 (IP address of FW) - will this work?

Re: Routing To Firewall

balaji.bandi — Mon, 30 Sep 2019 16:38:21 GMT

Your first post vs new post not really matched as per requirement you mentioned earlier.

VRF, is seperate instance of routing, as long as the Routing and rechability available there is no reason i see failing here.

until i misunderstood your requirement.

Re: Routing To Firewall

NetworkGuy! — Mon, 30 Sep 2019 17:06:47 GMT

ok let me be clear in requirement

Site A which has Switch A and FW - these are in 10.10.0.0/16 subnet

Site B which has Switch B - this site is in 10.20.0.0/16 subnet. however I want 10.20.100.0/x subnet ALONE behind the firewall due to security restrictions in my organization. so the vrf method which i posted above will work?

Re: Routing To Firewall

balaji.bandi — Mon, 30 Sep 2019 18:47:46 GMT

You can have 10.20.100.0/24 behind ASA, this is not an issue.

I do not see any requirement of VRF here-? who will be accessing the 10.20.100.0/24 network ?

If that subnet already behind the FW that means you going to have ACL which control who will be accessing the trusted device IP address and rest will be denied.

Re: Routing To Firewall

NetworkGuy! — Mon, 30 Sep 2019 19:51:53 GMT

The physical users are located in Site B where their laptop should have 10.20.100.0/24. these will need access back to 10.10.0.0/16 but will need to go through firewall

if I have it behind the firewall how will I extend the plan over the routed link to Site B? hence vrf configuration to bring it back

Re: Routing To Firewall

balaji.bandi — Mon, 30 Sep 2019 20:28:40 GMT

that is what I suggested. if the users are behind FW, they can reach to 10.10.0.0/16 network below method of the network path.

users-10.20.100.0/24---FW----SWTA --SWB -- your destination IP.

or you can also have different segment directly connected to SwitchB with L2 / L3 extension.(if you do not like to have SWITCH A intervention in the network)

Re: Routing To Firewall

NetworkGuy! — Mon, 30 Sep 2019 21:17:19 GMT

Ok so 10.20.100.x/24 is behind firewall now how will I extend this to Sw B
using routed link?

Re: Routing To Firewall

balaji.bandi — Mon, 30 Sep 2019 21:53:32 GMT

yes you can use below path with routed link as mentioned other post. below path.

users-10.20.100.0/24---FW----SWTA --SWB -- your destination IP.

Re: Routing To Firewall

paul driver — Mon, 30 Sep 2019 22:52:29 GMT

Hello
Below is a working topology for hosts in the vrf subnet on swB to reach hosts in the same vrf on swA>
As for accessing host in the global network 10.20.0.0/16 on swB A vrf host will traverse the vrf link to SwA and then it routed out of it own vrf into the global rib back to swB over the non vrf link.

THB you wouldn't really require any vrf with just two subnets if you then it leaked back to the global route table. access control can be accomplished just by access-lists.

Anyway below I have used sub-interfaces i dont have any l3 switch but the L3 addressing and routing would be the same, also I have applied a RACL to allow only established tcp traffic and deny certain udp traffic (if any) from the global subnet into the vrf.

Switch A
interface FastEthernet0/1
description link to SwB
ip address 10.10.254.1 255.255.0.0

interface FastEthernet2/0
description VRF link to SwB
ip vrf forwarding stan
ip address 10.10.253.6 255.255.255.252

router eigrp 10
network 10.10.254.1 0.0.0.0
no auto-summary

router eigrp 100
no auto-summary
address-family ipv4 vrf stan
network 10.10.253.6 0.0.0.0
redistribute static <---------------redistributes global subnet to SwB vrf rib
no auto-summary
autonomous-system 100
exit-address-family

ip route 10.10.253.4 255.255.255.252 FastEthernet2/0 <---------makes global rib awre of vrf
ip route vrf stan 10.20.0.0 255.255.0.0 10.10.254.2 global <----add global subnet into vrf

Switch B
interface FastEthernet0/1
description link to SwA
ip address 10.10.254.2 255.255.0.0

interface FastEthernet0/0.10
description Global subnet
encapsulation dot1Q 10
ip address 10.20.0.2 255.255.255.0

interface FastEthernet0/0.100
description vrf subnet
encapsulation dot1Q 100
ip vrf forwarding stan
ip address 10.20.100.2 255.255.255.0
ip access-group 100 out

router eigrp 10
network 10.10.254.2 0.0.0.0
network 10.20.0.2 0.0.0.0
no auto-summary

router eigrp 100
no auto-summary
address-family ipv4 vrf stan
network 10.10.100.2 0.0.0.0
network 10.10.253.5 0.0.0.0
no auto-summary
autonomous-system 100

ip route 10.20.100.0 255.255.255.0 FastEthernet0/0.100 <---------makes global rib aware of vrf

access-list 100 permit icmp 10.20.0.0 0.0.255.255 any echo-reply
access-list 100 deny icmp 10.20.0.0 0.0.255.255 any
access-list 100 permit udp 10.20.0.0 0.0.255.255 any range bootps bootpc
access-list 100 permit udp 10.20.0.0 0.0.255.255 any eq domain
access-list 100 deny udp 10.20.0.0 0.0.255.255 any
access-list 100 permit udp any any
access-list 100 permit tcp 10.20.0.0 0.0.255.255 any established
access-list 100 deny tcp 10.20.0.0 0.0.255.255 any
access-list 100 permit ip any any

Re: Routing To Firewall

NetworkGuy! — Tue, 01 Oct 2019 06:50:19 GMT

Quick glance, I see 10.10.253.x on SW A but where does it terminate in SW B?

Re: Routing To Firewall

NetworkGuy! — Tue, 01 Oct 2019 09:39:53 GMT

had a link again but cant we route the 10.20.100.x subnet along through the firewall?

can you please tell me if this will work?

Switch B (10.10.254.2) -> (10.10.254.1) Switch A ( 10.10.255.1) -> FW (10.10.255.2) - all running eigrp

Switch B (10.10.253.5/30 - VRFXX) -> (10.10.253.6/30- VRFXX) Switch A (10.10.253.1/30-VRFXX) -> (10.10.253.2/30) FW

the FW will have an ip route saying "ip route 10.20.100.0/24 go through 10.10.253.5 (switch b)

on Switch B, I have the SVI for 10.20.100.0/24

This means

- from Switch B to Internet for traffic 10.20.100.0/24 as source traffic will flow through Switch A VRFXX and then go through firewall

- From switch B (10.20.100.x) to other subnet traffic in Switch A will go through vrfxx and then to firewall and firewall will then pass this through 10.10.255.x subnet to switch A. since it goes through firewall, it will be ACL

will the above work?

Re: Routing To Firewall

paul driver — Tue, 01 Oct 2019 11:07:25 GMT

Hello
Sounds about right, any source SwB traffic from the vrf subnet (internet or otherwise) will need to go via its vrf link via FW any other source traffci from Swb will go via the normal eigrp path towards SwA.

Thats how I had tested it anyway (minus the FW hop ) but that just another vrf interface the same logic applys

Re: Routing To Firewall

Jon Marshall — Tue, 01 Oct 2019 11:06:32 GMT

Just to add, as Paul says it will work, but you need to modify your next hops ie. you cannot have a static route on switch B pointing to the firewall IP, it needs to point to switch A's IP and then switch A has a route to the firewall and the same for routes from the firewall back.

Unless of course you are using EIGRP in the VRF as well in which case it will work.

Jon

Re: Routing To Firewall

NetworkGuy! — Tue, 01 Oct 2019 14:06:14 GMT

Thanks Paul and Jon - now I have limited fibre connectivity between Switch A and Switch B

So can I do a L3 port-channel between two multilayer switches

example:

Switch A

port3.254

ip address 10.10.254.1 255.255.255.252

Port 3.253

ip address 10.10.253.4 255.255.255.252

vrf Test

Switch B

port3.254

ip address 10.10.254.2 255.255.255.252

Port 3.253

ip address 10.10.253.5 255.255.255.252

vrf Test

will the above work with VRF config?

Re: Routing To Firewall

Jon Marshall — Tue, 01 Oct 2019 19:18:32 GMT

Yes that should work fine.

Jon