Default gateway for vlan users

M Talha (Level 1)

Dear All,

 

I am working on a scenario where I have an application firewall in place at the edge of the network (internet edge) for the purpose of application and content filtering. Besides that, I have a Cisco 3750 switch which is right now configured with a single VLAN (in the same subnet as the firewall). Now, as this subnet is getting full, I am planning to add departmental VLANs to distribute users. Right now the default gateway is the firewall (192.168.0.1/21) for this VLAN, but if I add more VLANs and enable IP routing, I'll have to change the gateway to their respective VLAN SVIs on my Cisco 3750 switch. So my question here is: how would I still implement the application and content filtering in this scenario to restrict my users in the new and existing VLANs?

 

Current Network Topology

 

Internet <---- App Firewall (192.168.0.1/21) <---- Cisco 3750 (192.168.5.50/21) <---- Users switches

 

Regards,

Talha

Accepted Solution

Seb Rupik (VIP Alumni)

Hi there,

There are only a few minor changes which need to be made. When traffic on one of the new VLANs arrives at the default gateway on the 3750 the existing default route to 192.168.0.1 will forward the traffic to the firewall.

 

The only two items you need to check are that the firewall has a route back to the 3750 for the new additional VLANs, and that the firewall's NAT config permits the translation of the new VLANs.

 

Cheers,

Seb.



balaji.bandi (Hall of Fame)

If you are looking to add more VLANs for the respective users, you need to create more VLANs and their respective SVIs in the 3750 switch,

and the 3750 switch's gateway is the application firewall.

 

You can create new rules in the application FW for the newly added subnet, depending on how you would like to filter those users; or, if you want the same policies as the other users, you can add the new subnet to the same rules.

 

 

We are not sure what application FW this is. Do you have the model?

 

BB



Dear Seb Rupik,

 

If I change my firewall subnet mask to /16 from /21, will the firewall automatically NAT the incoming subnets within that range? I'll have eight more subnets, from 192.168.8.0/24 to 192.168.15.254/24, and adding a route back from the firewall to the 3750 will resolve the VLAN scenario.

Yes, if you change the ACL used for NAT to permit 192.168.0.0 255.255.0.0, it would permit your entire 'inside' address space. Likewise, configuring a route on the inside interface of the firewall for the same /16 directing the traffic back to the 3750 would be sufficient.

 

Is this firewall an ASA? If you could share the running config, we could confirm the correct configuration to use.

 

cheers,

Seb.

It's not a Cisco ASA, otherwise I would have shared the configs with you, but I would like to say thanks a lot for your help regarding the scenario. It has certainly cleared my doubts.

Andrew Khalil (Spotlight)

Hello @M Talha,

Greetings,

 

According to what I understood, you would like to:

1- create more vlans, and SVI as a gateway to each vlan in the 3750.

2- ip routing in the 3750.

3- keep the same function of the firewall application for restricting and filtering traffic of all the vlans.

 

The easiest solution from my point of view is:

On the 3750:

1- Create the VLANs and their SVIs. Example:

   vlan 10
   !
   interface vlan 10
    ip address 10.1.10.1 255.255.255.0
    no shutdown

2- Enable routing:

   ip routing

3- Assign ports to the desired VLANs, and don't forget to issue the correct gateway IP address to the hosts.

4- Give the port that is connected to the FW an IP address in the same subnet, for example 192.168.0.2/21.

But before that, we will remove all users from this VLAN (as it will not be used anymore).

5- Create a default route in the direction of the FW:

   ip route 0.0.0.0 0.0.0.0 192.168.0.1

6- Create overload NAT, so that all VLANs will be overloaded using the IP address 192.168.0.2, which means that we don't need to change anything in the FW app configuration, and it will consider all VLANs to be in the same subnet 192.168.0.0/21, as they are accessing it using the outside IP (192.168.0.2):

   interface g1/x
    ip nat inside

Repeat it for all the inside interfaces.

   interface g1/y
    ip nat outside

This is the interface connecting the FW with the 3750.

   access-list 1 permit 10.1.10.0 0.0.0.255

Repeat it for all the VLAN subnets.

   ip nat inside source list 1 interface g1/y overload

 

That's it

 

As a summary: we have just created the VLANs and their SVIs and enabled routing in between, separated the old VLAN so that it is only the network between the 3750 and the FW, and then enabled a default route and NAT so that all newly created VLANs will be NATed behind the outside IP address.

 

Please don't forget to rate all helpful responses and mark solutions!

Best regards,

Andrew Khalil
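As an added example (not from the thread or from any of the posters), the two checks Seb Rupik's accepted answer names, a NAT rule and a return route on the firewall that cover every new VLAN, together with the wildcard-mask ACL lines Andrew Khalil uses on the 3750, written up as a small Python planning check. The firewall snippets are constructed in IOS-style syntax as a stand-in, since the real firewall is not an ASA and its syntax is unknown; the ISP next hop 203.0.113.1 and all function names are assumptions. It shows why a NAT rule for the original /21 misses 192.168.8.0/24 through 192.168.15.0/24 while the /16 Seb suggests covers them.

```python
"""Check a VLAN rollout plan against the firewall's NAT ACL and return routes.

Added example for the thread above; not code from the thread. Firewall lines
are constructed in IOS-style syntax as a placeholder for the real product.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair (10.1.10.0 0.0.0.255) into a network.

    A contiguous wildcard has all its one bits at the bottom, so wc+1 is a
    power of two; anything else (non-contiguous mask) is rejected.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard mask not supported: {wildcard}")
    prefix = 33 - (wc + 1).bit_length()  # 0.0.0.255 -> /24, 0.0.7.255 -> /21
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_standard_acl(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collect the networks permitted by 'access-list N permit ...' lines."""
    permitted = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] != "permit":
            continue  # deny entries and unrelated config are ignored
        if parts[3] == "any":
            permitted.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif len(parts) == 4:
            permitted.append(ipaddress.IPv4Network(parts[3] + "/32"))  # bare address = host
        else:
            permitted.append(wildcard_to_network(parts[3], parts[4]))
    return permitted


def parse_static_routes(
    lines: Iterable[str],
) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]]:
    """Parse 'ip route DEST MASK NEXTHOP' lines; interface next hops are skipped."""
    routes = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 5 or parts[:2] != ["ip", "route"]:
            continue
        net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
        try:
            routes.append((net, ipaddress.IPv4Address(parts[4])))
        except ValueError:
            continue  # next hop given as an interface name, not an address
    return routes


def check_vlan_plan(
    vlan_subnets: Iterable[str],
    nat_acl_lines: Iterable[str],
    route_lines: Iterable[str],
    switch_addr: str,
) -> Dict[str, Dict[str, bool]]:
    """For each VLAN subnet report whether the firewall NATs it and routes it back
    to the 3750. The default route does not count as a return route, because it
    points at the ISP, so the next hop must be the switch itself."""
    nat_nets = parse_standard_acl(nat_acl_lines)
    routes = parse_static_routes(route_lines)
    hop = ipaddress.IPv4Address(switch_addr)
    report = {}
    for s in vlan_subnets:
        subnet = ipaddress.IPv4Network(s)
        nat_ok = any(subnet.subnet_of(n) for n in nat_nets)
        route_ok = any(subnet.subnet_of(net) and nh == hop for net, nh in routes)
        report[str(subnet)] = {"nat": nat_ok, "route_back": route_ok}
    return report


def uncovered(report: Dict[str, Dict[str, bool]]) -> List[str]:
    """Subnets that fail either check."""
    return [s for s, r in report.items() if not (r["nat"] and r["route_back"])]


# Addresses from the thread: firewall 192.168.0.1/21, 3750 at 192.168.5.50,
# and the eight new departmental /24s M Talha proposes (192.168.8.0 .. 192.168.15.0).
SWITCH_ADDR = "192.168.5.50"
NEW_VLANS = [f"192.168.{n}.0/24" for n in range(8, 16)]

# Constructed firewall config before and after Seb's two changes. 203.0.113.1 is
# an assumed ISP next hop (documentation range), not an address from the thread.
FW_BEFORE = {
    "acl": ["access-list 1 permit 192.168.0.0 0.0.7.255"],  # NAT only the original /21
    "routes": ["ip route 0.0.0.0 0.0.0.0 203.0.113.1"],  # default to the ISP only
}
FW_AFTER = {
    "acl": ["access-list 1 permit 192.168.0.0 0.0.255.255"],  # the /16 Seb suggests
    "routes": [
        "ip route 0.0.0.0 0.0.0.0 203.0.113.1",
        "ip route 192.168.0.0 255.255.0.0 192.168.5.50",  # return route to the 3750
    ],
}

if __name__ == "__main__":
    for label, fw in (("before", FW_BEFORE), ("after", FW_AFTER)):
        rep = check_vlan_plan(NEW_VLANS, fw["acl"], fw["routes"], SWITCH_ADDR)
        print(f"{label}: {len(uncovered(rep))} subnet(s) not covered: {uncovered(rep)}")
    # Andrew Khalil's 3750-side ACL line parses to the /24 it names
    print(parse_standard_acl(["access-list 1 permit 10.1.10.0 0.0.0.255"]))
```

Run as-is, the "before" configuration reports all eight new subnets as uncovered (the /21 ends at 192.168.7.255 and the only route is the default to the ISP), and the "after" configuration reports none. The same parser handles the `access-list 1 permit 10.1.10.0 0.0.0.255` style lines from the 3750 design, so the check can be run against either placement of the NAT.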

 
