09-09-2018 03:06 AM - edited 03-05-2019 10:54 AM
Hello,
My network is connected like this. (I left out the other switches connected to the C3560CX)
[ISP modem]-[Cisco ISR C1111-8P]-[Cisco C3560CX]
The ISR is DHCP server, and running zone based firewall.
The C3560CX is the gateway for the hosts, the WAP and the other switches; all local and inter-VLAN traffic should be handled by this switch.
VLAN1 (native, not used)
VLAN10 192.168.10.0 (Hosts)
VLAN20 192.168.20.0 (Guests)
VLAN40 192.168.40.0 (Security Cameras)
VLAN122 192.168.122.0 (Device management)
Question:
Where do I need to point the gateway of last resort on Switch1?
Right now I have set it like this:
ip route 0.0.0.0 0.0.0.0 192.168.10.1
It works for VLAN10 but it is not correct for the other VLANs...
ISR
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
zone-member security COMPUTERS
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
zone-member security GUESTS
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip nat inside
zone-member security CAMERAS
!
interface Vlan122
ip address 192.168.122.1 255.255.255.0
ip nat inside
zone-member security MANAGEMENT
!
interface GigabitEthernet0/0/0
description WAN
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip access-group ACL-OUTSIDE-IN in
zone-member security INTERNET
negotiation auto
no cdp enable
!
interface GigabitEthernet0/1/0
description LAN
switchport mode trunk
!
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
Switch1
!
ip routing
!
interface GigabitEthernet0/10
description Uplink
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip access-group DenyGuest in
!
interface Vlan40
ip address 192.168.40.2 255.255.255.0
ip access-group 141 in
!
interface Vlan122
ip address 192.168.122.2 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
Solved! Go to Solution.
09-15-2018 08:32 AM
It seems to me that we have several mutually contradictory things going on. Especially looking at the way that the ISR is configured with Zone Based Firewall to provide separation between the various vlans/subnets it is problematic to have routing done on the switch. When routing is enabled on the switch then traffic from all vlans/all subnets will be forwarded to the router on one vlan (currently vlan 10 but might be from the management vlan if suggestions in a previous response are followed).
I suggest that we need to clarify what the priorities are and to adjust the config based on that. If the priority is firewalling on the ISR (which is my impression of what the original poster has communicated) then I believe that the switch needs to disable routing and operate as a layer 2 switch. This would need each host connected to the switch to have a default gateway which was the router address for that vlan. This would assure that every packet forwarded to the ISR would arrive on the interface in the appropriate zone. If the priority is to have routing work on the switch then the security policy needs to be altered, zone based firewall removed and some other appropriate security policy implemented (which would be much more on the switch).
HTH
Rick
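As an added illustration of the layer 2 option Rick describes (example configuration written for this thread, not the poster's or Rick's own config): Switch1 routes nothing and keeps only its management SVI, the ISR's DHCP pools hand every VLAN its own ISR SVI address as default gateway, and a guest zone-pair shows why that matters, since the GUESTS policy only ever matches packets that enter the ISR on interface Vlan20. The pool names, excluded-address ranges, the trunk allowed-VLAN list and the CM-GUEST-WEB / PM-GUESTS-TO-INTERNET / ZP-GUESTS-INTERNET names are assumptions; the zone names and addresses are taken from the configs posted above.

```cisco
! ---- Switch1 (C3560CX) as a pure layer 2 switch (added example) ----
no ip routing
!
! Only the management SVI keeps an address. The host VLANs become plain
! layer 2 VLANs, so the old default route and the SVI ACLs no longer apply.
no ip route 0.0.0.0 0.0.0.0 192.168.10.1
no interface Vlan10
no interface Vlan20
no interface Vlan40
!
vlan 10,20,40,122
!
interface Vlan122
 description Switch management
 ip address 192.168.122.2 255.255.255.0
!
! With routing off, ip default-gateway (not ip route) is what the switch's
! own management traffic uses to reach the ISR.
ip default-gateway 192.168.122.1
!
interface GigabitEthernet0/10
 description Uplink to ISR Gi0/1/0
 switchport mode trunk
 switchport trunk allowed vlan 10,20,40,122
!
! ---- ISR C1111-8P: DHCP pools hand each VLAN its own ISR SVI as gateway ----
! (pool names and excluded ranges are assumed)
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.40.1 192.168.40.10
!
ip dhcp pool HOSTS
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
ip dhcp pool GUESTS
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 192.168.20.1
!
ip dhcp pool CAMERAS
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
!
! Because guest packets now arrive on interface Vlan20 (zone GUESTS), a
! zone-pair that restricts guests to HTTP/HTTPS actually sees them.
class-map type inspect match-any CM-GUEST-WEB
 match protocol http
 match protocol https
!
policy-map type inspect PM-GUESTS-TO-INTERNET
 class type inspect CM-GUEST-WEB
  inspect
 class class-default
  drop log
!
zone-pair security ZP-GUESTS-INTERNET source GUESTS destination INTERNET
 service-policy type inspect PM-GUESTS-TO-INTERNET
```

The DenyGuest and 141 ACLs that were on the switch SVIs have no effect once the SVIs are gone, so the equivalent guest and camera restrictions have to live in the ZBFW policies on the ISR, as in the GUESTS zone-pair above. The guest pool's dns-server points at the ISR itself because the posted ISR config enables ip dns server; traffic from GUESTS to the router's self zone is a separate zone-pair that is not shown here.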
09-09-2018 04:39 AM - edited 09-09-2018 04:40 AM
Hello
You have routing applied for all VLANs on both the ISR and the L3 switch, which isn't required.
You only need the inter-VLAN routing on the switch, and an access port in VLAN 122 for the connection between the ISR and the switch.
A default route on the switch towards the ISR VLAN 122 IP address:
ip route 0.0.0.0 0.0.0.0 vlan122 192.168.122.1
On the ISR all you will need is a default route pointing to its WAN gig0/0 interface:
ip route 0.0.0.0 0.0.0.0 gig0/0 dhcp
You can remove all the other VLANs from the ISR and give its LAN-facing interface an IP address in VLAN 122.
09-09-2018 05:56 AM
Thanks for your reply.
The ISR is also the firewall.
I want to restrict guest (VLAN20) internet access by only inspecting port 80/443.
For the trusted devices (VLAN10) I want to have more ports to be able to connect to the internet.
For the security cameras (VLAN40) I want only port 123 to be allowed to a single IP of the remote time server.
The ISR has Cisco Umbrella implementation that I would like to try out later, and want to use different DNS policies for guests and trusted devices.
So the ISR has to know what traffic is trusted and what traffic is guest traffic.
09-10-2018 12:14 AM
The switch forwards VLANs (L2, not L3) to the ISR, where (sub)interfaces handle the separate types of clients.
So, as Paul already concluded, in your current setup the switch does not need any routing for client traffic,
and as such it doesn't need a gateway of last resort (or any other IP connectivity) for all VLANs, only for the management VLAN.
If you want this management VLAN accessible from the other VLANs, this is controlled by the firewall rules of the ISR, not by a gateway of last resort setting.
09-15-2018 06:22 AM
09-16-2018 03:13 AM
09-17-2018 09:40 AM
I believe that you are on the right path here. I do appreciate the desire to off load from the router the processing for the cameras. But doing this compromises the security approach of the firewall. For zone based firewall to be effective all devices, including cameras, need to use the router as their default gateway. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.
HTH
Rick
09-10-2018 01:53 AM
Hello
Basically, regarding what you're querying, I don't see why you cannot negate the users via SVI ACLs on the L3 switch;
then whatever is allowed to get through to the ISR will be subject to the ZBFW policies. So inter-VLAN routing will be on the L3 switch and ZBFW on the ISR.
But if you wish to leave the setup as it is, then regarding your OP, have the default route on the L3 switch pointing to the mgmt VLAN 122 IP address of the ISR, 192.168.122.1.
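The routed alternative Paul sketches, as an added example (not the posters' own configs): Switch1 keeps inter-VLAN routing, enforces the per-VLAN restrictions from the OP (guests web only, cameras NTP to one server only) in SVI ACLs, relays DHCP to the ISR, and sends everything else to the ISR over an access port in VLAN 122; the ISR then has a single LAN interface, a single LAN zone and static routes back to the switch. The ACL names, the ip helper-address relay, the LAN zone name and the ISR's static routes are assumptions, and 203.0.113.10 is a placeholder for the remote time server address, which the thread does not give.

```cisco
! ---- Switch1 (C3560CX) routing between VLANs (added example) ----
ip routing
!
! Uplink carries only VLAN 122; the ISR no longer needs Vlan10/20/40 SVIs.
interface GigabitEthernet0/10
 description Uplink to ISR (VLAN 122 only)
 switchport mode access
 switchport access vlan 122
!
! Guests: DHCP, DNS to the ISR, web to the internet, nothing to other local subnets.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.20.0 0.0.0.255 host 192.168.122.1 eq domain
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.122.0 0.0.0.255
 permit tcp 192.168.20.0 0.0.0.255 any eq 80
 permit tcp 192.168.20.0 0.0.0.255 any eq 443
! the implicit deny at the end drops everything else
!
! Cameras: DHCP plus NTP to one remote time server (placeholder address).
ip access-list extended CAMERA-IN
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.40.0 0.0.0.255 host 203.0.113.10 eq ntp
!
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 ip helper-address 192.168.122.1
!
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
 ip access-group GUEST-IN in
 ip helper-address 192.168.122.1
!
interface Vlan40
 ip address 192.168.40.2 255.255.255.0
 ip access-group CAMERA-IN in
 ip helper-address 192.168.122.1
!
interface Vlan122
 ip address 192.168.122.2 255.255.255.0
!
! Gateway of last resort: the ISR's VLAN 122 address, as Paul suggests.
ip route 0.0.0.0 0.0.0.0 192.168.122.1
!
! ---- ISR C1111-8P: one LAN interface, one LAN zone, routes back to the switch ----
interface GigabitEthernet0/1/0
 description LAN (VLAN 122 to Switch1)
 switchport mode access
 switchport access vlan 122
!
interface Vlan122
 ip address 192.168.122.1 255.255.255.0
 ip nat inside
 zone-member security LAN
!
! The ISR must know the host subnets live behind the switch (DHCP relay
! replies and return traffic depend on these).
ip route 192.168.10.0 255.255.255.0 192.168.122.2
ip route 192.168.20.0 255.255.255.0 192.168.122.2
ip route 192.168.40.0 255.255.255.0 192.168.122.2
```

The trade-off Rick points out is visible here: every LAN packet reaches the ISR on Vlan122 in zone LAN, so the firewall can no longer tell guests from trusted hosts by zone membership, and the per-VLAN policy is only as strong as the switch ACLs. ZBFW class-maps can still separate the subnets by source address with match access-group name, but an interface-per-zone design is what the OP's ISR config was built around.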