Layer 3 switch and DMZ

03-22-2015 07:57 AM - edited 03-07-2019 11:12 PM
I have a Layer 3 switch (MAIN) with IP Routing enabled with the following int VLANs
int VLAN 10
ip add 10.10.1.1
int VLAN 12
ip add 10.12.1.1
int VLAN 14
ip add 10.14.1.1
int VLAN 16
ip add 10.16.1.1
My friend wants to make a DMZ on the vlan 14 network and use a firewall on that network as the default gateway which would mean taking the 10.14.1.1 away from the int vlan 14 listed above. The problem I have is that all the switches are also on the 14 network, meaning they all have int vlan 14 with IP addresses 10.14.1.XX for example.
When I try to add an IP address on the int vlan 14 on the Layer3 switch (MAIN) for example 10.14.1.20, packets on the servers in the 14 network start to drop.
Our TFTP server is also on the 14 network, so now it cannot be reached by the MAIN L3 switch for archiving.
Do you have any advice regarding this? Please feel free to ask more questions.
Thanks
Labels: Other Switching
03-22-2015 08:13 AM
If you want a DMZ then you don't want it accessible directly from the internal network.
To get to it you want to go through the firewall.
So create a new VLAN together with a new IP subnet for your DMZ and readdress any servers you want to be in the DMZ.
Don't try to use the same VLAN internally as well as in a DMZ; it doesn't make any sense.
Jon
03-22-2015 08:59 AM
As Jon mentioned, using VLAN 14 -- which is obviously a kind of management VLAN for your infrastructure -- is not a very good idea and shouldn't be done.
But if you for whatever reason have to stick with that VLAN, you have to consider some things:
- The first step is to move the IP from the L3-switch to the firewall. If you already have the right access-control in place, no packets should drop.
- All the other switches shouldn't have L3 routing enabled, as a system could use that IP and communicate around your firewall.
- Make sure that all your managed systems (i.e. the switches) don't accept management connections from systems in VLAN 14.
To sum it up: Trust Jon; don't do it! ;-)
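The two hardening points in the reply above (no routing on the other switches, and no management access from hosts on VLAN 14) as an added IOS configuration example. This is not configuration from the thread; it assumes an access switch named ACCESS-1 with its management SVI at 10.14.1.21/24, the firewall at 10.14.1.254 as the VLAN 14 gateway, and 10.10.1.0/24 (VLAN 10) as the subnet the administrators manage from. Adjust names and addresses to your environment.

```cisco
! Added example, not from the original thread.
! Access switch that is *managed* via VLAN 14 but must never forward
! traffic for other hosts (that would route around the DMZ firewall).
hostname ACCESS-1
!
! 1. Disable L3 forwarding entirely; the switch keeps only a host stack.
no ip routing
! With routing off, a default gateway (assumed: the firewall's VLAN 14 IP)
! is all the switch needs to reach TFTP/syslog/NTP and its admins.
ip default-gateway 10.14.1.254
!
interface Vlan14
 description Management SVI (assumed address)
 ip address 10.14.1.21 255.255.255.0
!
! 2. Restrict who may open a management session to this switch.
!    Only the admin subnet (assumed: VLAN 10) is allowed; hosts that sit
!    on VLAN 14 itself (servers, DMZ machines) are explicitly denied and logged.
ip access-list standard MGMT-HOSTS
 permit 10.10.1.0 0.0.0.255
 deny   10.14.1.0 0.0.0.255 log
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! No web management on the switch at all.
no ip http server
no ip http secure-server
```

`no ip routing` is what actually closes the bypass Karsten describes: a switch with `ip routing` and an SVI in two subnets will happily forward between them for any host that points a static route at it. The `access-class` on the VTY lines is the second layer; it does not stop forwarding, it only stops a compromised VLAN 14 host from logging in to the switch and turning routing back on.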
03-22-2015 09:41 AM
Hi,
Thank you both for your answers. I have now attached a graphic to illustrate my question a little better.
I am questioning now my own knowledge because I fear I am overcomplicating it a little.
What do you think?
03-22-2015 09:49 AM
If you can't ping the other switches from the main switch, that can have many reasons:
- Does the main switch have a route into the network 10.14.1.0? If VLAN 14 was also the VLAN to get out of your network, you need to change that. The main switch needs a route with a next hop in VLAN 10 or VLAN 12.
- Does the firewall allow echo requests from the other VLANs to VLAN 14?
- Can the echo replies come back? If the DMZ firewall is an ASA, do you have ICMP inspection enabled?
03-22-2015 09:55 AM
- Does the main switch have a route into the network 10.14.1.0? If VLAN 14 was also the VLAN to get out of your network, you need to change that. The main switch needs a route with a next hop in VLAN 10 or VLAN 12.
There is a route to the network on the main switch.
- Does the firewall allow echo requests from the other VLANs to VLAN 14?
Yes.
- Can the echo replies come back? If the DMZ firewall is an ASA, do you have ICMP inspection enabled?
The DMZ firewall is a BSD Unix machine, not Cisco.
Actually, thinking about this, I think I could make a management VLAN on the main switch and then make a pass-through rule on the DMZ firewall to allow traffic originating from that VLAN, maybe?
03-22-2015 09:57 AM
> I have now attached a graphic to illustrate my question a little better.
We understand the question; it's just that you are not listening to the answer :-)
You can't have the same VLAN/IP subnet internally and as a DMZ on your firewall, because they are separated by an L3 hop, i.e. the firewall.
If there are switches internally using IP addressing from VLAN 14 and you have a DMZ using the same IP addressing, this will never work, because you have put an L3 hop, the firewall, in between the same subnet, i.e. the firewall would never send the traffic back to the switch.
If you add an SVI for VLAN 14 to the switch, you route around the firewall.
If you add a route to the switch pointing to the firewall for the VLAN 14 IP subnet, then the firewall has a directly connected interface in that IP subnet on its DMZ interface, so it won't work.
If you ran the firewall in transparent mode then you could do it, but I was assuming you wanted to use the firewall in L3 routed mode.
Jon
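What Jon's answer amounts to on the MAIN switch, as an added configuration example that is not part of the thread. It assumes the DMZ is moved to a new VLAN 20 with the new subnet 10.20.1.0/24, that the firewall's inside interface sits in VLAN 10 at 10.10.1.254 and its DMZ interface in VLAN 20 at 10.20.1.1, that the firewall connects on Gi1/0/1 and Gi1/0/2, and that VLAN 14 stays a purely internal subnet with its SVI back on MAIN. All of those names and addresses are assumptions for illustration.

```cisco
! Added example, not from the original thread.
hostname MAIN
ip routing
!
! WRONG (commented out): an SVI for the DMZ subnet on MAIN makes 10.20.1.0/24
! a *connected* route here, so internal hosts reach the DMZ directly and the
! firewall is bypassed. A connected route also always beats a static route
! for the same prefix, so adding "ip route ... 10.10.1.254" would not help.
! interface Vlan20
!  ip address 10.20.1.2 255.255.255.0
!
! RIGHT: VLAN 20 exists on MAIN only as a layer 2 path between the DMZ
! servers and the firewall's DMZ port. MAIN has no IP address in it.
vlan 20
 name DMZ
!
interface GigabitEthernet1/0/1
 description Firewall DMZ interface (assumed port)
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/2
 description Firewall inside interface (assumed port)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/10
 description DMZ server (assumed port), default gateway 10.20.1.1 on the firewall
 switchport mode access
 switchport access vlan 20
!
! Internal SVIs stay where they were; VLAN 14 is internal again.
interface Vlan10
 ip address 10.10.1.1 255.255.255.0
interface Vlan14
 ip address 10.14.1.1 255.255.255.0
!
! The only way from the inside to the DMZ subnet is via the firewall's
! inside address, so every packet crosses the firewall's rule set.
ip route 10.20.1.0 255.255.255.0 10.10.1.254
```

To check the result, `show ip route 10.20.1.0` on MAIN should report the static route with next hop 10.10.1.254 via Vlan10, not "directly connected". If it ever shows "directly connected, Vlan20", somebody has added an SVI and the firewall is being bypassed. The TFTP server from the original question can now stay on the internal VLAN 14 subnet, reachable from MAIN's own SVI, without any firewall rule at all.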
