06-18-2019 01:11 AM
Hello,
I have a requirement which is quite strange. I have 3 laptops (each laptop is connected to VLAN 10, VLAN 20 and VLAN 30 respectively), connected to a layer 2 switch. The gateways are 192.168.10.2 for laptop 1 from VLAN 10, 192.168.20.2 for laptop 2 from VLAN 20 and 192.168.30.2 for laptop 3 from VLAN 30 (meaning the SVIs in the layer 2 switch are the gateways of each laptop).
Next, I have a router configured on a stick. An interface on the router is configured with sub-interfaces with the respective VLAN connected to a switch trunk port on the layer 2 for VLAN trunking. All the sub-interfaces are directly connected routes. I configured OSPF 1 with all the connected routes and also redistributed the connected into the OSPF 1 area 0.
I tried to ping or traceroute from laptop 1 to laptop 3 but it is not reachable. I even tried the ip default-gateway on the layer 2 switch but got the same result. Any ideas on how to make this work if the gateway is on the switch? The gateway on the router is not possible.
06-26-2019 01:15 AM - edited 06-26-2019 01:18 AM
If you need all traffic between vlans to go via the firewalls then you need to go back and visit the reasons for the requirements (assuming this is a production system and not a lab exercise).
Make a choice -
1) let the switches do the routing and keep your firewalls separate
or
2) make the firewalls a pair.
Yes you can come up with a "fix" that would probably make it work but networks are better when they are kept as simple as possible, so push back on the requirements.
Jon
06-18-2019 01:15 AM
Hi there,
Your topology sounds correct. Have you tried changing the default gateway on the laptops to the router sub-interface IP for their respective VLANs? Also make sure the L2 switch SVIs do not overlap with the router sub-interfaces.
Can you share the running configs of both devices?
cheers,
Seb.
06-18-2019 01:32 AM
Hi, thanks for replying, the topology is as attached. The router's subinterfaces as the gateways for the laptops are not possible as there is 1 more similar router-on-a-stick (this is used as a redundant router-on-a-stick) on the switch.
ROUTER:
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
redistribute connected subnets
network 192.168.0.0 0.0.255.255 area 0
default-information originate
!
ip classless
!
ip flow-export version 9
SWITCH:
spanning-tree mode pvst
!
<truncated>
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/3
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
!
interface Vlan1
no ip address
!
interface Vlan10
mac-address 00e0.f700.5801
ip address 192.168.10.2 255.255.255.0
!
interface Vlan20
mac-address 00e0.f700.5802
ip address 192.168.20.2 255.255.255.0
!
ip default-gateway 192.168.10.1
ip classless
!
ip flow-export version 9
06-18-2019 01:36 AM
If you have a second router on a stick have you considered running HSRP between them? You would then configure the laptop default gateway as the respective HSRP VIP.
If you want to persevere with using the Layer2 switch for inter-vlan routing then add the following command:
!
ip routing
!
cheers,
Seb.
06-18-2019 01:45 AM
Hi Seb,
thanks for your reply. Maybe I forgot to let you know the requirement. All traffic has to go through the router and the router has to be the only layer 3 device that does inter-vlan routing. Eventually the router will be replaced with an ASA firewall. So with an ASA firewall, HSRP will not be possible.
06-18-2019 01:58 AM
If that is the case, then remove/shutdown the SVIs on the Layer 2 switch. Have you tested changing the laptop default route to the router sub-interface IPs?
Once you have done this can you share the output from:
sh spanning vlan 10 detail
Regarding moving to ASA firewalls. Are you planning on replacing the two routers with two ASAs? If so, experimenting with the HSRP config is still valid as you could configure the ASAs in Active/passive using a shared IP for each VLAN.
cheers,
Seb.
06-18-2019 02:02 AM
Hi Seb,
thanks for pointing me in some direction. I'll give your suggestions a try and will post any results shortly. Regarding your suggestion on:
"If so, experimenting with the HSRP config is still valid as you could configure the ASAs in Active/ passive using a shared IP for each VLAN.",
Our implementation will have 2 active stand-alone firewalls, not A/P firewalls.
06-18-2019 11:25 AM
It seems to me that this is a case of having mutually exclusive requirements. One requirement seems to be that the layer 2 switch should function as the gateway for multiple connected subnets. The other requirement is "All traffic have to go through the router and the router have to be the only layer 3 devices that does inter-vlan routing." If the router is the only layer 3 device doing inter vlan routing then the switch can not function as the gateway for multiple connected subnets.
Which of those requirements is the most important? If you can not have both which one do you need the most?
I do not know your environment but it seems to me that the simple solution is to keep the switch as layer 2. In that case it needs only a single SVI for management purposes. The switch can have multiple vlans operating at layer 2 and connect to the router using a trunk. Then sub interfaces on the router could provide the inter vlan routing.
HTH
Rick
06-18-2019 05:41 PM
Hi Richard, thanks for looking into this to assist me. I have attached the eventual network diagram. There are 2 sites, 1 on the left and 1 on the right with identical network equipment and devices.
1. The 2 firewalls are stand-alone and not deployed in a high availability mode.
2. These 2 firewalls will have the same routing and policy tables.
3. The switches can be layer 3 and the link between the switches is configured with HSRP for the VLANs.
4. In this example, there are 2 VLANs. Laptop 1 and laptop 3 are in VLAN 10, Laptop 2 and Laptop0 are in VLAN 20.
5. Inter-vlan traffic must be routed via the firewalls. (Most important requirement)
6. If firewall 0 fails, firewall 1 will continue to provide inter-vlan routing capabilities.
7. If laptop 1 and laptop 3 want to communicate, the traffic need not go to the firewall but stays within the same layer 2 domain and VLAN.
The requirements above are a must. Let me know. Thank you!
06-19-2019 01:54 PM
Thank you for the additional information and especially for this clarification "5. Inter-vlan traffic must be routed via the firewalls. (Most important requirement)". If this is the most important requirement then it becomes clear that the switches should act as layer 2 switches, not as layer 3 and therefore the switches will not perform as gateway for the vlans. The gateway for the vlans must be the firewalls. The switches will configure the layer 2 vlans and assign access ports to the appropriate vlan and will connect to the firewalls with trunk ports. The firewalls will do the inter vlan routing and the routing and security policy for traffic to outside.
I do anticipate one significant problem in getting this to work. The problem is with #6 and how to get the ASAs to continue inter vlan routing if one of the ASAs fails. Since the ASAs will operate as stand alone and not as a failover pair then each ASA will have its own IP address in each vlan. Perhaps one ASA will have IP addresses 192.168.10.1 and 192.168.20.1 while the second ASA will have 192.168.10.2 and 192.168.20.2. You could have both ASAs use 192.168.10.1 if they operated as a failover pair but not as stand alone. So what will be the gateway for the laptops in vlan 10? Is the gateway 192.168.10.1 or is it 192.168.10.2? If the gateway is 192.168.10.1 and it goes down how do you get the ASA with 192.168.10.2 to take over routing for vlan 10?
HTH
Rick
06-19-2019 05:32 PM
Hi Richard,
thanks for your reply. I do understand that making the switch layer 2 with the firewalls as the gateway is akin to the router-on-a-stick method. If, let's say, the switches are layer 3, is there any possibility to allow this as the gateway and still have the firewall do the inter-vlan routing?
06-20-2019 11:36 AM
Perhaps we are not understanding some terms in the same way. For most of us when we talk about establishing a gateway for devices in a vlan that gateway does the routing for the devices in the vlan. I get the feeling that you understand gateway in some different way. Perhaps you can clarify how you understand the term?
You have made it quite clear that the top priority is that inter vlan routing be done by the firewall. In this case, and assuming the common meaning of the term, it is not possible for the switch to be the gateway for the vlan.
HTH
Rick
06-23-2019 07:32 PM
Hi Rick,
agreed on your point, the gateway should be the device that routes. Now we are changing the switch to a layer 3 switch. The gateway is at the layer 3 switch now and will point to the firewall via static routes for inter-vlan traffic. Now, there is another firewall on a stick, as depicted in the diagram, which is also a stand-alone firewall. To achieve HA, do I need IP SLA?
06-24-2019 08:41 AM
If you enable layer 3 routing on the switch and configure a static route for each of the vlans with the next hop as the firewall it may not work as you expect. When a packet arrives at the switch from one vlan to the other vlan the switch will see the destination address as a locally connected subnet and locally connected subnets are preferred over static routes. So the switch would forward the packet to the other vlan without sending it through the firewall. To make it work you would need 2 static routes for each vlan, a static route for addresses in the first half of the vlan and a static route for addresses in the second half of the vlan. That way the static route is more specific and will be preferred over the locally connected subnet. It seems to me that this is getting quite complex to make it work and I wonder why you are enabling layer 3 routing when functionally you are working hard to prevent the switch from doing normal layer 3 routing.
To achieve HA for the firewalls it should work if you configure a primary static route for each subnet (or perhaps for each half subnet) with the primary firewall as next hop, configure IP SLA to monitor accessibility of the primary firewall, and configure a backup static route (a floating static route with higher administrative distance) with the second firewall as the next hop.
HTH
Rick
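Rick's two steps above (half-subnet statics that are more specific than the connected /24, then IP SLA tracking with a floating static for failover) written out as an IOS-style fragment for the layer 3 switch. This is an added example, not config posted in the thread; it assumes the switch keeps its SVIs 192.168.10.2 and 192.168.20.2, that firewall 0 uses 192.168.10.1 and 192.168.20.1 (the addresses of the router config above), and that firewall 1 uses 192.168.10.3 and 192.168.20.3 (assumed, the thread gives no address for it).

```cisco
! Layer 3 must be on for static routes to be used at all
ip routing
!
! Probe firewall 0 from the VLAN 10 SVI; the tracked routes below are
! withdrawn while it is unreachable. One track for every route keeps both
! directions on the same firewall, which a stateful ASA needs.
ip sla 1
 icmp-echo 192.168.10.1 source-interface Vlan10
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! VLAN 10 -> VLAN 20: two /25 statics are longer matches than the
! connected 192.168.20.0/24 on Vlan20, so they win and traffic goes to
! firewall 0 (AD 1) instead of being routed locally by the switch.
ip route 192.168.20.0   255.255.255.128 192.168.10.1 track 1
ip route 192.168.20.128 255.255.255.128 192.168.10.1 track 1
! Floating statics (AD 10) to firewall 1, installed only when track 1 is down
ip route 192.168.20.0   255.255.255.128 192.168.10.3 10
ip route 192.168.20.128 255.255.255.128 192.168.10.3 10
!
! VLAN 20 -> VLAN 10: same split so the return path also goes via a firewall
ip route 192.168.10.0   255.255.255.128 192.168.20.1 track 1
ip route 192.168.10.128 255.255.255.128 192.168.20.1 track 1
ip route 192.168.10.0   255.255.255.128 192.168.20.3 10
ip route 192.168.10.128 255.255.255.128 192.168.20.3 10
```

Verify with show ip route and show track 1 after pulling the link to firewall 0: the /25 entries should change their next hop within a few probe intervals, and the connected /24 entries must never be the match for the other VLAN's hosts.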
06-25-2019 01:31 AM
Hi Rick,
thanks for your reply. We will give your suggestion a try and will post back any results.
The reason why we want the firewall to route is because we want full visibility and control of the routed traffic, in terms of security.