Solved: Cisco 3650 static routing

roshan2099 · ‎11-22-2015

Hi guys,

Have cisco 3650 with 3 vlans data voice and mgmt and i have created SVI for each vlan.....my firewall is fortigate 200d and and is connected through a trunck port to my switch....My firewalls trunk inteface have an sub interface for all 3 vlans.

My SVI IP address is 192.168.10.1 for VLAN 10 that is DATA vlan

My SVI IP address for VOice VLAN 192.168.20.1 and is VLAN 20

SVI IP for MGMT VLAN is 192.168.30.1 and is vlan 30

now in my firewal trunk interface i have sub interfaces for all VLANs and the IP is

192.168.10.100

192.168.20.100

192.168.30.100

how can i route all my internet traffic to these sub interfaces....tried static routing...but no entry is showing in routing table.

When trying default route with any of these IP addresses like 0.0.0.0 0.0.0 192.168.10.100 is working.

and in routing table an entry S* 0.0.0.0 0.0.0.0 192.168.10.100 is showing.

How can I route using static routing, so that i can use sub interfaces at firewall side to connect to internet for each vlans....

please help

Masoud Pourshabanian · ‎11-22-2015

Hello,

Since you have created 3 sub interfaces on fortigate, if your clients and devices are currently connceted to 3650, you can simply change their gateways pointing to firewal sub interfaces. In this way, firewall will inspect the traffic between VLANs and VLANs to internet.

If you want to keep their default gateways on your clients, you only need to create one L3 interface (physical or SVI) between your 3560 and fortigate and route all the traffic to the firewall new interface. (Your switch will have 3 SVIs for clients and a new SVI or physical interface to connect to firewall)

In this way, firewall will have two zones. internet and local which is combination of three LANs.

Then you need to create a policy from local to internet and select NAT and give permission by defining object group for each subnet. By this topology, you forewall does not inspect the traffic between VLANs. Only it inspects traffic from VLANs to internet.

You can choose one of these topologies depending on your company policy.

Hope it helps,

Masoud

View solution in original post

Masoud Pourshabanian · ‎11-22-2015

Hello,

Since you have created 3 sub interfaces on fortigate, if your clients and devices are currently connceted to 3650, you can simply change their gateways pointing to firewal sub interfaces. In this way, firewall will inspect the traffic between VLANs and VLANs to internet.

If you want to keep their default gateways on your clients, you only need to create one L3 interface (physical or SVI) between your 3560 and fortigate and route all the traffic to the firewall new interface. (Your switch will have 3 SVIs for clients and a new SVI or physical interface to connect to firewall)

In this way, firewall will have two zones. internet and local which is combination of three LANs.

Then you need to create a policy from local to internet and select NAT and give permission by defining object group for each subnet. By this topology, you forewall does not inspect the traffic between VLANs. Only it inspects traffic from VLANs to internet.

You can choose one of these topologies depending on your company policy.

Hope it helps,

Masoud

roshan2099 · ‎11-22-2015

Hi Masoud,

Thank you for your quick response......now i am going to create a new VLAN called wan and an SVi for the same and put a default route to that SVI and connect the SVI to firewall....

I think thats what u advice......right....

Masoud Pourshabanian · ‎11-22-2015

Hello,

Thats correct. It can be a L3 interface also. L3 interface breaks your broadcast domain preventing firewall to receive L2 traffic from switch.

interface x/x

no switchport

Ip address x.x.x.x

Hope it helps,

Masoud

roshan2099 · ‎11-22-2015

Thankyou Masoud.

will go with the L3 interface...

Thanks for your support...

Masoud Pourshabanian · ‎11-22-2015

Glad to help.

Masoud