Solved: Re: inter vlan routing manupilation

akanarya · ‎12-25-2020

Hi,

I have multiple vlans in my L3 switch(SG550XG).

Inter VLAN routing works ... ok

I can disable some routing between some vlans with ACL. This is also ok.

But I want to forward some traffic to external firewall for some VLANs.

For example I disabled the access between VLAN 2 and 3 with ACL.

I want to forward the traffic from VLAN 2 to 3 through external firewall.

I tried adding static route, not worked.

I tried to add PBR, not worked.

Probably inter vlan routing overrides, becuse I am using static routes for different purposes.

My last bullet is to disable inter vlan routing and add routes manually which i wont prefer for other conditions.

Is there a way to achieve to this purpose, or do I have to fire my last bullet?

May be i could forward to switch port on which firewal resides, which can be defined as L3 interface, but i didnt try before.

Sorry may be it is so straight forward but I am stuck.

Thank you very much for suggestions by now

Ali

akanarya · ‎12-28-2020

Hi,
I attached the diagram of desired configuration.
Clients' vlans should be talk with each other via inter-vlan routing (blue lines).
However, access to server vlan should be through the firewall (red lines).
All connections are on the same switch.

First i blocked the access to server vlan with ACL (reply to "Georg Pauwen")

ACL:
ip access-list extended "BLOCK TRAFIC" deny ip any any ace-priority 1

ACL binded to server vlan:
interface vlan 4
name server
ip address 10.10.10.1 255.255.255.0
service-acl input "BLOCK TRAFIC"

So there is no ip connection from other vlans to vlan 4

Then i used PBR rule.
I used it before and it wasnt worked but now i changed the input interface vlan of the firewall to a dedicated vlan.
In my older trials i have used the firewall input vlan from availables.

route-map fwdFW 1
match ip address access-list toVLAN4
set ip next-hop 10.10.13.2

interface vlan 1
ip address 10.10.11.1 255.255.255.0
ip policy route-map fwdFW

interface vlan 5
ip address 10.10.15.1 255.255.255.0
ip policy route-map fwdFW

interface vlan 6
ip address 10.10.16.1 255.255.255.0
ip policy route-map fwdFW

This configuration works as i expected.
Accesses to and from server vlan (4), are being done through firewall.

One thing i cannot find an answer (which doesnt make a problem in the application) is;
i cannot ping the server pc (which is behind the firewall) from the switch itself.
It doesnt matter which source interface of the switch is selected.
If I use the SVI of server vlan, or any other SVI of other vlans i cannot ping the server pc.
However each client can ping the server pc without any problem, switch routes the packets to the firewall
and firewall passes them to the server pc. All communicaton was observed.
Probably ping packets are directly discarded by ACL before being routed if it is originated inside the switch.
If you have any comment, i would like to see that to learn the mechanism.

Regards,
Ali

View solution in original post

Scott Hodgdon · ‎12-25-2020

akanarya,

Instead of terminating VLANs 2 and 3 on the switch, extend those VLANs to the firewall by an L2 connection. Create L3 interfaces on the firewall to terminate the VLANs , and then you can create firewall policies between the two VLANs.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

akanarya · ‎12-25-2020

Thanks Scott,

If I dont misunderstand, i cannot apply your suggestion.

I have to terminate the access between selected vlans on the switch, because i am occupying so many ports of the same vlan on same switch. Of course firewall will handle the traffic on its side. But switch will continue routing inside in either case.

Georg Pauwen · ‎12-25-2020

Hello,

according to the user guide:

--> Policy-based Routing (PBR) provides a means for routing selected packets to a next hop
address based on packet fields, using ACLs for classification. PBR lessens reliance on routes
derived from routing protocols

Can you run a routing protocol between the SG and the firewall, and then try PBR again ?

akanarya · ‎12-25-2020

Hello Georg,

"Can you run a routing protocol between the SG and the firewall"

Can you please expand this?

My firewall is connected two ports(for LAN and WAN of the firewall) of the swith.

One port belongs to VLAN2 and the other one belongs to VLAN3.

Enabled inter vlan routing makes a route between these two VLANs.

So there is a route and hence a routing protocol to the firewall.

However I want to block these routing on switch and forward the routing to firewall.

Blocking is ok with ACL.

If I used two swithches and different VLANs on which arent defined in mutual configurations, system will work.

But i have to use same single switch.

Does in switch intervlan routing propery override the other routing actions?

Georg Pauwen · ‎12-25-2020

Hello,

-->

So there is a route and hence a routing protocol to the firewall.

However I want to block these routing on switch and forward the routing to firewall.

Blocking is ok with ACL.

I don't see how the access list preventing inter Vlan access between Vlan 2 and Vlan 3 prevents forwarding of either Vlan to the firewall. How did you configure the access lists ?

Scott Hodgdon · ‎12-25-2020

akanarya,

Please provide a diagram of your environment. This should assist with providing the best advice.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

akanarya · ‎12-26-2020

Thanks all,

I could manage to solve the problem with fresh mind in the morning

I will tel how but i am testing deeper now and will wrap up.

Ali

paul driver · ‎12-28-2020

Hello

What @Scott Hodgdon is suggesting it to have the FW run L3 routing for vlan 2 & 3 thus any hosts residing in these vlans will be routed towards the firewall as it will be this device that holds the default-gateway for those vlans and not the L3 switch

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

akanarya · ‎12-28-2020

Hi Paul,

That means that i have to disable intervlan routing inside the switch.

I had tried to state in my first posts that it is the last thing i want to do.

Because there are many vlans which need and dont need to this application.

My primary router is the switch and wont be the firewall.

Regards,

paul driver · ‎12-28-2020

Hello

No it doesn't it means you re moving the L3 routing ofr just those two vlans off the L3 switch and onto the fw, you just add static routing pointing towards the fw for those two vlans

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

akanarya · ‎12-28-2020

Hi,
I attached the diagram of desired configuration.
Clients' vlans should be talk with each other via inter-vlan routing (blue lines).
However, access to server vlan should be through the firewall (red lines).
All connections are on the same switch.

First i blocked the access to server vlan with ACL (reply to "Georg Pauwen")

ACL:
ip access-list extended "BLOCK TRAFIC" deny ip any any ace-priority 1

ACL binded to server vlan:
interface vlan 4
name server
ip address 10.10.10.1 255.255.255.0
service-acl input "BLOCK TRAFIC"

So there is no ip connection from other vlans to vlan 4

Then i used PBR rule.
I used it before and it wasnt worked but now i changed the input interface vlan of the firewall to a dedicated vlan.
In my older trials i have used the firewall input vlan from availables.

route-map fwdFW 1
match ip address access-list toVLAN4
set ip next-hop 10.10.13.2

interface vlan 1
ip address 10.10.11.1 255.255.255.0
ip policy route-map fwdFW

interface vlan 5
ip address 10.10.15.1 255.255.255.0
ip policy route-map fwdFW

interface vlan 6
ip address 10.10.16.1 255.255.255.0
ip policy route-map fwdFW

This configuration works as i expected.
Accesses to and from server vlan (4), are being done through firewall.

One thing i cannot find an answer (which doesnt make a problem in the application) is;
i cannot ping the server pc (which is behind the firewall) from the switch itself.
It doesnt matter which source interface of the switch is selected.
If I use the SVI of server vlan, or any other SVI of other vlans i cannot ping the server pc.
However each client can ping the server pc without any problem, switch routes the packets to the firewall
and firewall passes them to the server pc. All communicaton was observed.
Probably ping packets are directly discarded by ACL before being routed if it is originated inside the switch.
If you have any comment, i would like to see that to learn the mechanism.

Regards,
Ali