Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1700
Views
5
Helpful
4
Replies

Inter vlan routing

Yury1981
Level 1
Level 1

‎10-04-2019 02:49 AM - edited ‎10-04-2019 03:11 AM

Could use some advise on below setup if it is a good practice solution.

 

Hardware:

Firewall (Also acting as DHCP server)
Switch (cisco SG350x)

 

Configuration:

Firewall has multiple vlans configured and is DHCP server for the vlans.

vlan 1 : 192.168.100.0

vlan 10: 10.10.10.0
vlan 20: 10.20.20.0

vlan 30: 10.30.30.0

Between firewall and switch is a trunk

Switch has ip routing enabled.
Switch has virtual interface for all the vlans
Hosts receive IP from DHCP and switch virtual interface is set as gateway

Example:
Firewall dhcp vlan 10 address is 10.10.10.1 and switch virtual interface ip 10.10.10.2
Host IP 10.10.10.100 with gateway set at 10.10.10.2 for the inter vlan communication.

Issue:
Inter vlan communication between vlan 10, 20, 30 works fine.
VLAN 10 has internet connectivity as a static route next hop is set to 10.10.10.1

Unfortunately VLAN 20 and 30 have no internet access.

I can add static routes in the switch but only the route for vlan 10 get's an outgoing interface.
Seems like vlan 20 and 30 try to communicate over the route of vlan 10.

Is there a way to force a route or a other solution?
seems to be routing related.

config1.JPG
 




Labels:
0 Helpful
4 Replies 4

Seb Rupik
VIP Alumni
VIP Alumni

‎10-04-2019 03:15 AM

Hi there,

I would remove the VLAN 10-30 SVIs off the firewall. Configure a new VLAN (eg ID 2) with a point-to-point subnet (10.10.2.0 /30) between the firewall (10.10.2.1) and switch (10.10.2.2). Configure the firewall end (10.10.2.1) of that link as the next hop for the default route on the switch (ip route 0.0.0.0 0.0.0.0 10.10.2.1 ) .

On the switch SVIs configure the ip helper-address as the firewall IP (10.10.2.1), this will forward the DHCP discover messages on to the firewall.

 

Make sure you configure route table entries on the firewall for VLANs 10-30 with a next hop of 10.10.2.2 .

 

cheers,

Seb.

Yury1981
Level 1
Level 1
In response to Seb Rupik

‎10-04-2019 03:30 AM

Thanks for the fast reply Seb.

Your suggested setup makes sense but also creates the following.
When I remove a SVI's on the firewall the DHCP funtcion is also removed for that vlan.

Yury

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to Yury1981

‎10-04-2019 03:35 AM

Scopes can't exist on the firewall without the layer3 interface being present? that's a pain!

 

Why not configure the DHCP scopes on the switch itself...therefore not requiring the ip helper-address configs.

 

cheers,

Seb.

0 Helpful

Yury1981
Level 1
Level 1
In response to Seb Rupik

‎10-04-2019 01:26 PM - edited ‎10-04-2019 01:31 PM

Seb,

I've continued a bit with your first suggestion.

Set the static route 0.0.0.0 0.0.0.0 192.168.100.1 in the switch
Set a static route in the firewall 10.0.0.0/8 to 192.168.100.2

 

This seems to be working and I'll investigate more after the weekend.
Firewall SVI's are still present and hosts receive IP from according vlan DHCP scope

With this setup I should have achieved Intervlan traffic handled at the switch and firewall only handles dhcp and internet traffic.
Now a couple of ACL's on the switch and I should have a nicely secure and segmented network.
Also need to look into the trafic/route over the default native vlan but now this is working that can easily be changed.

Yury

0 Helpful
Customers Also Viewed These Support Documents