Re: Yes correct

chinpohpang851 · ‎02-08-2017

We would like to achieve inter-vlan routing for vlan 2, 3 in L3 Switch and at the same time DMZ(vlan5) should hit the Fortigate firewall first. Vlan2,3 's gateway were set in L3 Switch. Static routes are configure for vlan2, 3 to go firewall and internet.

My question is how to let DMZ(connected to L3 switch) to have it's gateway terminate at Firewall? Do i need to add another physical link?

I've attached a pic for reference.

willwetherman · ‎02-08-2017

Hi,

You could either use a separate physical link between your L3 switch and firewall with the ports on both ends configured as mode access in VLAN 5, or you can configure your current link (Fa0/3<->E0/0) as a dot1q trunk and tag VLAN 5 over that.

Hope that helps

Pawan Raut · ‎02-08-2017

If I understood your requirement correctly you want communication between vlan 2/3 and DMZ vlan 5 should be via FW.

do not configure layer 3 interface for vlan 5 on L3 switch.

you need one link between FW and L3 switch. on L3 switch it is access port in vlan 5 and Layer3 GW for Vlan on FW.

Also add one more link between switch and Firewall as transit interface between L3 switch and FW. Do static route on L3 switch for DMZ subnet towards Firewall using transit interface.

Similarly static route for vlan 2,3 on Firewall towards switch using that transit interface

chinpohpang851 · ‎02-09-2017

i enabled #ip routing on L3 switch, how to #no ip routing on int for vlan 5? So, I have to add 1 more link from L3 switch to FW for DMZ right?

Pawan Raut · ‎02-09-2017

Yes correct

mgmt · ‎03-05-2018

I"m working on a similar setup and have some questions:

1. Are you suggesting 3 direct port links from switch and firewall? If so can you clarify how you configure the L3 switch ports and firewall ports/zones.

2. All ports "untagged"?
3. Can you clarify what you mean exactly by "transit interface".

Thanks

L3 switch routing to Firewall