Firewall Issues?? Multiple VLANS & SLA ISP

ckeyy (Level 1)

In my setup, I have 10 VLANs that all need internet access. The issue I encountered is that only one VLAN is able to reach the internet using its next hop to the firewall. I tried configuring 10 separate default routes, one for each VLAN, but while I was able to ping 8.8.8.8, I couldn't ping the ISP gateway. The internet connection was unstable: pages would start loading but never fully load. However, when I configured a single default route for VLAN 10, I was able to browse the internet normally for the VLAN 10 network only.

Additionally, I set up an SLA for backup ISP failover, but when I disconnected the primary ISP, the failover didn’t work.

Configured in the core switch: VLANs, SVIs, port channel, and default route (e.g. ip route 0.0.0.0 0.0.0.0 <subinterface ip>)

Configured in the firewall: port-channel subinterfaces for the VLANs, auto NAT dynamic for each VLAN (example: source: subinterface of VLAN 10, original address: network of VLAN 10, destination: outside interface, translated address: interface), static route to the ISP gateway, inside-to-outside policy.

NAT is only configured for ISP 1. Should I configure the NAT for ISP 2 as well?

My configuration for the SLA monitor: ISP 1: metric 1, monitor address: ISP 1 address, target interface: ISP 1 outside interface. ISP 2: metric 10, monitor address: ISP 2 address, target interface: ISP 2 outside interface.

5 Replies

The first question is where you want to terminate your VLANs?

  • On the switch? This will likely give you more throughput between VLANs but only limited control.
    In this case, you only have one transfer VLAN between the switch and the firewall, and this is used for routing between the devices. The Switch has the default route, and the firewall needs dedicated routes to the core switch to reach the internal networks.
    You need a NAT config that covers the transfer interface and all internal VLANs.
  • On the Firewall? This will give you full control of the firewalling between VLANs, but inter-VLAN routing might be slowed down.
    In this case the SVIs on the switch should be removed and the end devices use the IP on the Firewalls' sub-interfaces as the default gateway.
    You need a NAT config that covers all internal interfaces and VLANs.

In either case, the NAT is needed for both ISP1 and ISP2.
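As an added example that is not part of the reply above, here is what the first option (VLANs terminated on the switch) looks like in IOS and ASA/FTD LINA syntax: one transfer VLAN between core and firewall, dedicated routes from the firewall back to the internal VLANs, an SLA-tracked default route per ISP, and one dynamic PAT rule per ISP covering every internal network. Interface names, VLAN 99 and all IP addresses are assumed values; only two of the ten VLANs are shown and the ISP 2 probe is left out for brevity.

```cisco
! --- Core switch (IOS): VLANs terminated here ---
ip routing
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
! one transfer VLAN replaces the ten per-VLAN default routes
interface Vlan99
 description transfer to firewall
 ip address 10.99.99.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.99.99.1
!
! --- Firewall (ASA / FTD LINA syntax) ---
interface Port-channel1.99
 vlan 99
 nameif inside
 security-level 100
 ip address 10.99.99.1 255.255.255.0
interface GigabitEthernet1/1
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet1/2
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
! dedicated routes back to the internal VLANs via the core
route inside 10.10.10.0 255.255.255.0 10.99.99.2 1
route inside 10.10.20.0 255.255.255.0 10.99.99.2 1
! SLA probe forced out ISP 1 towards a host beyond the ISP gateway
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
! primary default route is withdrawn when the track fails; backup takes over
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 10
! one group for the transfer network and all internal VLANs, one PAT rule per ISP
object-group network INSIDE_NETS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.99.99.0 255.255.255.0
nat (inside,outside1) source dynamic INSIDE_NETS interface
nat (inside,outside2) source dynamic INSIDE_NETS interface
```

In FDM-managed FTD the same elements are entered through the GUI (interfaces, static routes, SLA monitor, NAT rules), but the resulting LINA configuration matches the above.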

How about on the firewall? If so, should the restriction of VLAN communication be done in the firewall, like creating a policy for inside to inside? Should I remove the SVIs in the core switch? The core switch acts as a DHCP server since the firewall model is limited for /24. Will it work? The connection between the firewall and the core switch is an EtherChannel.

In general, the SVIs should only be on the device that controls the VLAN. If you still have the SVI on the core and IP routing is enabled, users could circumvent the controls by just changing the default gateway to the core.

I would configure a PC-based DHCP server in one dedicated firewall network and use the DHCP relay feature to send the requests to this server.

But is it possible to make the core a DHCP server? Then I would configure the DHCP relay in the firewall? Though I tried it in Packet Tracer, and it worked. I also changed the IP of the subinterfaces to .1 and the SVI is .2. It's like doing a router on a stick.

Is this issue solved?

MHM