
Alternate route setup

marioabuyabor
Level 1

Our industrial network infrastructure sits behind a firewall (FortiGate) to isolate it from the enterprise network. Just south of the firewall is our DMZ switch (Cisco 2960-X); a number of firewall DMZs are mapped to their respective subnets' VLANs, which are defined on the switch. Our VMware hosts, SAN, and other physical servers are connected to the DMZ switch. South of the DMZ switch are daisy-chained switches to which the different automation devices are connected, like PLCs, servos, and remote I/O; some line servers are connected to them as well. The firewall is the default gateway of all devices south of it, so technically it does the routing job.

We are having one issue right now with one of our automation systems. One of the servers is a VM; all required TCP and UDP ports are already open between the two VLANs where the different hosts that need to communicate belong. We already trunked the switch interface where the ESXi host is connected to all the VLANs of the industrial network. The other server is a physical one connected to one of the daisy-chained switches; the interface on the DMZ switch where the daisy chain is terminated is a trunk as well. The vendor of the system recommends bypassing the firewall to isolate whether it is the cause of the issue.

What I have done so far is set a static route in the server's (Server 2012) routing table to point to the SVI of the VLAN where the other server belongs, hoping to let the switch do the inter-VLAN routing locally; I'm still waiting for the result on this one. What other possible steps can you suggest that I can take to bypass the firewall for this test?


5 Replies

cofee
Level 5

Hi,

I am not sure if I understand your topology correctly, so I will make my suggestions based on how I understand it. It appears all the inter-VLAN routing is done by the firewall, or communication between different subnets/VLANs will never go through the firewall.

If my understanding is correct, then the step you have taken to bypass the firewall should work. Make sure that the servers on both ends are pointing to the SVIs configured on the switch for their VLANs. It appears the end devices are not connected to the same switch, so in that case you would need to provide reachability between these two SVIs without going up to the firewall. If the end devices are connected to the same switch, then you should have no problem.

Regarding other ways of bypassing the firewall: there are so many different ways to bypass the firewall, but they may require an outage of the target systems, and I'm not sure it would be worth it to do additional configuration if traffic between these hosts would in the end need to go through the firewall anyway.

 

You pretty much got the basic idea of the topology; inter-VLAN routing is done by the firewall.

Another suggestion I received is to use a bypass switch, configure it with IPs belonging to the different VLANs, and route the traffic there instead.

Sure, but that would only be helpful if for some reason the reachability between the SVIs won't work with the current setup. You would need to modify your existing configuration, but it will work without adding a new switch.

In my opinion, adding a new switch to bypass the firewall would only be beneficial if you will be directly connecting cables from the servers that need to bypass the firewall to this switch, and for that you would also need to work with the systems team to configure the new interfaces on the servers. Pretty much you would be setting up a new network for the servers that need to bypass the firewall; if that's not the intention, then I think it would only add complexity to your existing network.

 

 

Still can't seem to get the two VLANs to communicate with the hosts pointing to their respective SVIs as gateway. Does it matter that the switch has an ACL with deny ip any any set?

access-list 102 remark DMZ NETWORK
access-list 102 deny ip any any

 

Here is my VLAN setup:

!
interface Vlan703
description "DMZ-3"
ip address 10.208.51.193 255.255.255.224
ip access-group 102 in
ip access-group 102 out
no ip route-cache
!
interface Vlan705
description "DMZ-5"
ip address 10.208.64.253 255.255.255.0
ip access-group 102 in
ip access-group 102 out
no ip route-cache
!
interface Vlan706
description "DMZ-6"
ip address 10.208.65.253 255.255.255.0
ip access-group 102 in
ip access-group 102 out
no ip route-cache
!

 

So basically I have a host in VLAN 703 that wants to communicate with hosts in VLAN 705 and 706. On my server in VLAN 703, which is Server 2012, I set the following persistent routes (one per destination /24, via the VLAN 703 SVI):

route -p add 10.208.64.0 mask 255.255.255.0 10.208.51.193
route -p add 10.208.65.0 mask 255.255.255.0 10.208.51.193

Hi,

The access-list you provided is denying everything in and out of all SVIs. I believe the reason you have this access-list in place is that you don't want the switch to do any inter-VLAN routing, and packets that need to traverse from one VLAN to another have to go through the firewall, since it's the gateway for all these VLANs.

This access-list is there more as double protection, to prevent a host from using the SVI interface as a default gateway, which would only happen if someone makes a mistake and assigns an SVI interface as a default gateway. This access-list only comes into play when a packet lands at the SVI and the SVI has to route the packet, and that's what is happening in your case, since you are using the SVIs to route specific packets. You would need to allow the source and destination IP addresses both inbound and outbound on the target SVIs.
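The following is an added worked example of the change the accepted answer describes, written here as an illustration; it is not configuration from the thread or from the poster's switch. It keeps ACL 102 as the standing deny-all and introduces a separate, explicitly scoped test ACL so the bypass can be backed out by re-binding 102. The SVIs and subnets (Vlan703 = 10.208.51.192/27, Vlan705 = 10.208.64.0/24, Vlan706 = 10.208.65.0/24) are taken from the posted configuration; the ACL name DMZ-TEST and the host addresses 10.208.51.200, 10.208.64.14 and 10.208.65.14 are assumptions made for the example. It also assumes the 2960-X already has `sdm prefer lanbase-routing` and `ip routing` configured, since without those the SVIs will not forward between VLANs regardless of the ACL. As the first reply notes, the hosts on both ends must point at their own SVI for this traffic: if only the VLAN 703 server has the static route, replies from 10.208.64.14 still go to its default gateway (the FortiGate), the flow becomes asymmetric, and the test no longer isolates the firewall.

```cisco
! Added example, not the poster's configuration. Hypothetical hosts:
!   10.208.51.200  test server in DMZ-3 (Vlan703)
!   10.208.64.14   peer in DMZ-5 (Vlan705)
!   10.208.65.14   peer in DMZ-6 (Vlan706)
! Assumes "sdm prefer lanbase-routing" (reload required) and "ip routing" are already in place.
!
! Scoped test ACL: only the two host pairs may be routed by the switch; everything
! else is still denied, so other hosts cannot use an SVI as a gateway during the test.
ip access-list extended DMZ-TEST
 remark --- forward direction: DMZ-3 test server to DMZ-5 / DMZ-6 peers ---
 permit ip host 10.208.51.200 host 10.208.64.14
 permit ip host 10.208.51.200 host 10.208.65.14
 remark --- return direction: the packet is checked "in" on the peer SVI and "out" on Vlan703 ---
 permit ip host 10.208.64.14 host 10.208.51.200
 permit ip host 10.208.65.14 host 10.208.51.200
 remark --- everything else must still traverse the FortiGate ---
 deny ip any any
!
! Bind the same symmetric ACL in and out on every SVI the test traffic transits.
interface Vlan703
 ip access-group DMZ-TEST in
 ip access-group DMZ-TEST out
!
interface Vlan705
 ip access-group DMZ-TEST in
 ip access-group DMZ-TEST out
!
interface Vlan706
 ip access-group DMZ-TEST in
 ip access-group DMZ-TEST out
!
! Verification while the test runs:
!   show ip access-lists DMZ-TEST     ! permit counters increment; the deny counter shows what is still blocked
!   show ip route                     ! 10.208.51.192/27, 10.208.64.0/24, 10.208.65.0/24 appear as connected
!   show ip interface Vlan703         ! confirms which ACL is bound inbound/outbound
!
! Roll back when the test is over (repeat for Vlan705 and Vlan706):
!   interface Vlan703
!    ip access-group 102 in
!    ip access-group 102 out
```

On the Windows side the matching persistent routes are the ones from the previous post (`route -p add 10.208.64.0 mask 255.255.255.0 10.208.51.193` and the /24 for 10.208.65.0), plus the mirror route on each peer host (`route -p add 10.208.51.192 mask 255.255.255.224 10.208.64.253` on the DMZ-5 peer, with 10.208.65.253 as the gateway on the DMZ-6 peer). Because the ACL is host-specific, a test that still fails with the deny counter not incrementing points away from the switch and back at the hosts or the application rather than at the firewall.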