Layer 3 switch and DMZ

Chris Golden
Level 1

I have a Layer 3 switch (MAIN) with IP Routing enabled with the following int VLANs

int VLAN 10
 ip add 10.10.1.1
int VLAN 12
 ip add 10.12.1.1
int VLAN 14
 ip add 10.14.1.1
int VLAN 16
 ip add 10.16.1.1

My friend wants to make a DMZ on the vlan 14 network and use a firewall on that network as the default gateway, which would mean taking the 10.14.1.1 away from the int vlan 14 listed above. The problem I have is that all the switches are also on the 14 network, meaning they all have int vlan 14 with IP addresses 10.14.1.XX for example.

When I try to add an IP address on the int vlan 14 on the Layer 3 switch (MAIN), for example 10.14.1.20, packets on the servers in the 14 network start to drop.

Our TFTP server is also on the 14 network, so now it cannot be reached by the MAIN L3 switch to archive.

Do you have any advice regarding this? Please feel free to ask more questions.


Thanks

6 Replies

Jon Marshall
Hall of Fame

If you want a DMZ then you don't want it accessible directly from the internal network.

To get to it you want to go through the firewall.

So create a new vlan together with a new IP subnet for your DMZ and readdress any servers you want to be in the DMZ.

Don't try to use the same vlan internally as well as in a DMZ; it doesn't make any sense.

Jon

As Jon mentioned, using VLAN 14 -- which is obviously a kind of management vlan for your infrastructure -- is not a very good idea and shouldn't be done.

But if you for whatever reason have to stick on that vlan, you have to consider some things:

  1. The first step is to move the IP from the L3-switch to the firewall. If you already have the right access-control in place, no packets should drop.
  2. All the other switches shouldn't have L3 routing enabled as a system could use that IP and communicate around your firewall.
  3. Make sure that all your managed systems (i.e. the switches) don't accept management-connections from systems in the vlan14.

To sum it up: Trust Jon; don't do it! ;-)

Hi,

Thank you both for your answers. I have now attached a graphic to illustrate my question a little better.

I am questioning now my own knowledge because I fear I am overcomplicating it a little.

What do you think?


If you can't ping the other switches from the main switch, that can have many reasons:

  1. Does the main-switch have a route into the network 10.14.1.0? If Vlan14 was also the vlan to get out of your network, you need to change that. The Main-switch needs a route with a next-hop in vlan 10 or vlan 12
  2. Does the Firewall allow echo-request from the other vlans to vlan14?
  3. Can the echo-replies come back? If the DMZ-firewall is an ASA, do you have ICMP-inspection enabled?

  1. Does the main-switch have a route into the network 10.14.1.0? If Vlan14 was also the vlan to get out of your network, you need to change that. The Main-switch needs a route with a next-hop in vlan 10 or vlan 12

There is a route to the network on the main switch

  1. Does the Firewall allow echo-request from the other vlans to vlan14?

Yes

  1. Can the echo-replies come back? If the DMZ-firewall is an ASA, do you have ICMP-inspection enabled?

The DMZ firewall is a BSD Unix machine, not Cisco.

Actually, thinking about this, I think I could make a mgt vlan on the main switch and then make a passthrough rule on the DMZ firewall to allow traffic originating from that vlan, maybe?

I have now attached a graphic to illustrate my question a little better.

We understand the question, it's just that you are not listening to the answer :-)

You can't have the same vlan/IP subnet internally and as a DMZ on your firewall because they are separated by an L3 hop, i.e. the firewall.

If there are switches internally using IP addressing from vlan 14 and you have a DMZ using the same IP addressing, this will never work, because you have put an L3 hop, the firewall, in between the same subnet, i.e. the firewall would never send the traffic back to the switch.

If you add an SVI for vlan 14 to the switch you route round the firewall.

If you add a route to the switch pointing to the firewall for the vlan 14 IP subnet, then the firewall has a directly connected interface in the IP subnet on its DMZ interface, so it won't work.

If you ran the firewall in transparent mode then you could do it but I was assuming you wanted to use the firewall in L3 routed mode.

Jon
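As an added illustration (not Jon's or anyone else's code from this thread), a toy longest-prefix lookup that walks through the three cases argued above: an SVI for vlan 14 on MAIN routes round the firewall (Karsten's point 2 and Jon's third paragraph), a static route to the firewall still fails because the firewall's DMZ interface is directly connected in 10.14.1.0/24, and a separate DMZ subnet fixes it. The firewall inside address 10.10.1.254 and the new DMZ subnet 10.99.1.0/24 are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed toy routing tables (not from the thread) for the two boxes
# discussed: the internal L3 switch MAIN and the DMZ firewall. An entry is
# (prefix, kind, target): kind "connected" targets an interface, kind
# "static" targets a next-hop IP.

def lookup(table, dst):
    """Longest-prefix match returning ('connected', iface) or ('via', hop)."""
    dst, best = ip_address(dst), None
    for prefix, kind, target in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, target)
    if best is None:
        return ("unreachable", None)
    return ("connected", best[2]) if best[1] == "connected" else ("via", best[2])

def routes_around_firewall(switch_table, dmz_subnet):
    """Karsten's point 2: a routing switch with an SVI in the DMZ subnet
    delivers on the VLAN itself, so the firewall is never in the path."""
    return lookup(switch_table, str(ip_network(dmz_subnet)[1]))[0] == "connected"

# Scenario A: MAIN keeps an SVI in VLAN 14 (10.14.1.20). The connected
# route wins every time; the firewall is never consulted.
MAIN_WITH_SVI = [("10.10.1.0/24", "connected", "Vlan10"),
                 ("10.14.1.0/24", "connected", "Vlan14")]

# Scenario B: SVI removed, static route for 10.14.1.0/24 towards the
# firewall's inside address (assumed 10.10.1.254). Packets reach the
# firewall, but it sees 10.14.1.0/24 as directly connected on its DMZ leg,
# so a reply to an internal switch at 10.14.1.30 leaves on "dmz", not "inside".
MAIN_WITHOUT_SVI = [("10.10.1.0/24", "connected", "Vlan10"),
                    ("10.14.1.0/24", "static", "10.10.1.254")]
FIREWALL_SAME_SUBNET = [("10.10.1.0/24", "connected", "inside"),
                        ("10.14.1.0/24", "connected", "dmz")]

# Scenario C: Jon's fix, a separate DMZ subnet (assumed 10.99.1.0/24).
# VLAN 14 stays internal, reached through MAIN; only the DMZ sits behind
# the firewall.
FIREWALL_FIXED = [("10.10.1.0/24", "connected", "inside"),
                  ("10.14.1.0/24", "static", "10.10.1.1"),
                  ("10.99.1.0/24", "connected", "dmz")]

if __name__ == "__main__":
    print("A: MAIN -> DMZ server", lookup(MAIN_WITH_SVI, "10.14.1.5"))
    print("B: firewall -> internal switch", lookup(FIREWALL_SAME_SUBNET, "10.14.1.30"))
    print("C: firewall -> internal switch", lookup(FIREWALL_FIXED, "10.14.1.30"))
```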