Is it possible to route a single VLAN and let the rest pass through to the firewall? I have some 3560s and 3750s all connected to a 3850 with 10G, then to a Fortigate 100E (1G). If I let the Fortigate do the routing, then it resolves hostnames and the management reports look nice, but the 10G is lost due to the 1G port of the Fortigate. If I let the 3850 do the routing, the Fortigate resolves all the names as the 3850 hostname. All my servers are 10G and my clients are 1G.
It is unclear what you mean by "route a single VLAN"... do you mean to route traffic from one VLAN out to something other than the firewall, and the rest through the firewall?
I have 10 VLANs. One of these VLANs contains all my servers on 10G. I would like traffic to and from this VLAN to not hit the Fortigate, but all other traffic to be routed by the Fortigate.
Does this make it clearer? It made it seem more impossible to me. :)
Given that you have 10G uplinks between the 3850 and your access layer, and also 1G access ports on the access switches, I would let the 3850 do all the inter-VLAN routing, as it's designed to do, and just forward all WAN traffic through the FW.
Also, if the FW supports aggregation and you have spare ports on it, I would suggest bundling a couple of ports together between the 3850 and the Fortigate as well.
This is what I am doing now, but the POS Fortigate only resolves the hostname of the 3850 for logging and reports. It would be awesome to not have to look up hostnames when going through the logs.
The original poster tells us that he has 10 VLANs. One VLAN has servers connected at 10G and the other VLANs have other devices. The original post asks a fairly simple question: is it possible to have one VLAN routed on the 3850 switch and to have all the other VLANs routed on the firewall? From a technical perspective, yes, this is possible. But I do not believe that it will accomplish what the original poster really wants, which is to prevent traffic from the server VLAN going through the firewall.
Assuming that the connection between the 3850 and the firewall is a trunk, these steps will accomplish routing the server VLAN on the 3850 and routing the other VLANs on the firewall:
1) On the 3850, configure an SVI for the server VLAN.
2) On the 3850, configure a second SVI for management traffic and to provide a routed link to the firewall.
3) Remove SVIs for all other VLANs on the 3850.
4) Configure the trunk between the 3850 and the firewall to carry the non-server VLANs and the management VLAN. Be sure that the server VLAN is not carried over the trunk.
5) On the firewall, configure interfaces for all the VLANs except for the server VLAN.
6) Configure all of the servers in the server VLAN to have their gateway be the address of the 3850 in their VLAN.
7) Configure all of the devices in the non-server VLANs to have their gateway be the address of the firewall in their respective subnets.
8) On the 3850, configure a default route with the firewall as the next hop.
9) On the firewall, configure a route for the server subnet with the 3850's address in the management subnet as the next hop.
The result of this will be that the 3850 does route for the server VLAN and that all other VLANs are routed by the firewall. Sounds sort of like success? The flaw in this approach is that when there needs to be communication between clients and servers, all of that traffic must go through the firewall. If a server wants to send a packet to a client in one of the other VLANs, the server will send its packet to the 3850, which will route the packet toward the client VLAN (which is on the firewall). The firewall will route the packet to the destination address (and the packet goes on the client VLAN back through the 3850). A similar situation exists for a client that wants to communicate with the server. The packet from the client goes on the VLAN through the 3850 and over the trunk to the firewall. The firewall will route the packet toward the server subnet and send the packet to the 3850, which will route the packet onto the server subnet and send it on to the server. So the result is that server traffic will still need to transit the firewall.
I agree that the better solution is to have the 3850 route for all the VLANs and send to the firewall only the traffic that needs to be processed by the firewall.
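The nine-step split-routing procedure described above, written out as a sample configuration for both boxes. This is an added example, not configuration posted by anyone in the thread and not taken from Cisco or Fortinet documentation. The VLAN numbers (10 for the server VLAN, 20 through 28 for the nine client VLANs, 99 for the management/transit VLAN between the 3850 and the firewall), the addresses, the 3850 port names and the Fortigate physical interface name "port1" are all assumptions chosen for illustration; substitute your own.

```cisco
! ===== Cisco 3850 (IOS-XE) =====
! Assumed: VLAN 10 = servers, VLANs 20-28 = clients, VLAN 99 = mgmt/transit.
! Assumed: firewall is 10.99.0.1 on VLAN 99, the 3850 is 10.99.0.2.
ip routing

! Step 1: SVI for the server VLAN; this is the servers' default gateway (step 6).
interface Vlan10
 description Server VLAN (routed on the 3850, never carried to the firewall)
 ip address 10.10.0.1 255.255.255.0
 no shutdown

! Step 2: SVI for management and the routed link toward the firewall.
interface Vlan99
 description Mgmt / transit to Fortigate
 ip address 10.99.0.2 255.255.255.0
 no shutdown

! Step 3: no SVIs for the client VLANs on the 3850. Make sure none remain:
no interface Vlan20
no interface Vlan21
! ... repeat for Vlan22 through Vlan28 ...

! The VLANs still have to exist at layer 2 so they can be trunked.
vlan 10
 name servers
vlan 20-28
 name clients
vlan 99
 name mgmt-transit

! Step 4: trunk to the firewall carries the client VLANs and VLAN 99 only.
! VLAN 10 is deliberately absent from the allowed list.
interface GigabitEthernet1/0/1
 description Trunk to Fortigate 100E port1 (1G)
 switchport mode trunk
 switchport trunk allowed vlan 20-28,99
 no shutdown

! Step 8: everything the 3850 does not know about goes to the firewall.
ip route 0.0.0.0 0.0.0.0 10.99.0.1

! ===== Fortigate 100E (FortiOS CLI) =====
! Step 5: one VLAN sub-interface per client VLAN plus the transit VLAN;
! nothing for VLAN 10. Client gateways (step 7) are these .1 addresses.
config system interface
    edit "vlan99"
        set vdom "root"
        set ip 10.99.0.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 99
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 20
    next
    # ... repeat for vlan21 through vlan28 with 10.21.0.1/24 ... 10.28.0.1/24 ...
end

! Step 9: the firewall reaches the server subnet via the 3850 on VLAN 99.
config router static
    edit 10
        set dst 10.10.0.0 255.255.255.0
        set gateway 10.99.0.2
        set device "vlan99"
    next
end
```

To confirm the behaviour the reply warns about, run `traceroute` from a client in VLAN 20 to a server in VLAN 10: the first hop is the firewall's 10.20.0.1, the second is the 3850's 10.99.0.2, so every client-to-server packet crosses the 1G trunk to the firewall and back before it reaches the 10G server VLAN. On the 3850, `show ip route` should show only the two connected networks (10.10.0.0/24 and 10.99.0.0/24) plus the static default, and `show interfaces GigabitEthernet1/0/1 trunk` should list VLAN 10 as neither allowed nor active on the trunk. The alternative recommended at the end of the thread is the same configuration with SVIs kept for VLANs 20 through 28 as well, the trunk restricted to VLAN 99 only, and firewall policies applied to what arrives on vlan99.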