I have a network were all traffic should pass through a firewall (in a server) that implements some routing and filtering rules. As we can see in this picture, the server is connected to switch 3 (a layer 3 switch). To direct the traffic to the firewall, I added a static default route to 18.104.22.168 in switch 3. However, enabling the routing enables the inter VLAN routing too. So, switch 3 will enable the computer 192.168.3.1 to reach 192.168.2.1 without passing through the firewall
Is it possible de disable the VLAN routing for some VLANs? ex: disable routing between VLAN 2 and VLAN 3 in switch 3 and direct all traffic through 192.168.100.1?
This can be done by a router (which I don't have). Is it possible to do it by a layer 3 switch?
(switch 1 and 2 are catalyst 2960 and switch 3 is 3750 if it can help)
There is 2 Options,
1. you have ACL VLAN to block between VLAN 2 and VLAN 3
2. Move the VLAN Interface to FW, Make Switch 3 as Layer 2, so FW can block using ACL rules.
Both are feasible, Since you do not like to change any major changes, if you have already layer3 in Switch 3, using VLAN ACL / ACL is good to start.
For the first option, if I block between VLAN 2 and 3 by ACL, is it possible to route packets between these two VLANs through the firewall? since the source and destination are in VLAN 2 and 3 respectively.
For the second option: if I do only forwarding, how can switch 3 send the traffic to the firewall which is in VLAN 100?
policy based routing should work. Configure the below on your L3 switch:
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map VLAN_2 permit 10
match ip address 101
set ip next-hop 192.168.100.1
route-map VLAN_3 permit 10
match ip address 102
set ip next-hop 192.168.100.1
interface Vlan 2
ip policy route-map VLAN_2
interface Vlan 3
ip policy route-map VLAN_3
With this configuration, the traffic between Vlan 2 and Vlan 3 always goes through the firewall.
Thanks for you help. I have implemented this solution and I had this message "platform pbr-4-sdm mismatch pbr requires sdm template routing" when I apply the route-map to the ip policy of the Vlan interface
interface Vlan 2 ip policy route-map VLAN_2
I did sdm prefer routing and the message was gone. After rebooting the switch, the ping does not works at all.
If the F/wall recives the ping requst on ints in terfacevlan 100 (192.168.100.1) it will NOT
send that packet back out the same interface it received it on. (F/wall default to stop attacks).
To me you will need to create a trunk Layer-2 between the F/wall and switch-3.
With the default gateways for vlans 2 and 3 hosted in vlan-svis in the F/wall so
all ip routing is carried out in the f/wall.
Read this this to allow ingress/exit same interface - might help
I was able to route the data between the different VLAN by passing through the F/W 192.168.100.1. However, if the F/W is down, the two VLANs can reach each other directly through the switch.
I have a network were all traffic should pass through a firewall (in a server)
Relocate the L3 routing onto the server/firewall, creating sub interfaces for the vlans or the equivalent , disable L3 on switch 3 with trunk interconnect between fw/server and switch3, Then all traffic will need to traverse the server/firewall for intervlan routing.