
Manage VLAN routing by firewall instead of the L3 switch



I have a network where all traffic should pass through a firewall (in a server) that implements some routing and filtering rules. As we can see in this picture, the server is connected to switch 3 (a layer 3 switch). To direct the traffic to the firewall, I added a static default route to in switch 3. However, enabling routing enables inter-VLAN routing too. So, switch 3 will enable the computer to reach without passing through the firewall.


[Image: switch conf.png]


Is it possible to disable the VLAN routing for some VLANs? e.g. disable routing between VLAN 2 and VLAN 3 in switch 3 and direct all traffic through


This can be done by a router (which I don't have). Is it possible to do it by a layer 3 switch?


(switch 1 and 2 are catalyst 2960 and switch 3 is 3750 if it can help)



VIP Guru

There are 2 options:


1. Use a VLAN ACL to block between VLAN 2 and VLAN 3.

2. Move the VLAN interfaces to the FW and make switch 3 layer 2 only, so the FW can block using ACL rules.


Both are feasible. Since you do not want to make any major changes, if you already have layer 3 in switch 3, using a VLAN ACL / ACL is a good start.



***** Rate All Helpful Responses *****


For the first option, if I block between VLAN 2 and 3 by ACL, is it possible to route packets between these two VLANs through the firewall, since the source and destination are in VLAN 2 and 3 respectively?


For the second option: if I do only forwarding, how can switch 3 send the traffic to the firewall which is in VLAN 100?

Georg Pauwen
VIP Master



Policy-based routing should work. Configure the below on your L3 switch:



access-list 101 permit ip
access-list 102 permit ip
!
route-map VLAN_2 permit 10
 match ip address 101
 set ip next-hop
!
route-map VLAN_3 permit 10
 match ip address 102
 set ip next-hop
!
interface Vlan 2
 ip policy route-map VLAN_2
!
interface Vlan 3
 ip policy route-map VLAN_3


With this configuration, the traffic between Vlan 2 and Vlan 3 always goes through the firewall.
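The policy-based routing design above only steers traffic to the firewall for the SVIs that actually carry an `ip policy route-map`, and only where the route-map references an existing ACL and has a `set ip next-hop`; anything that falls outside that is routed by the switch directly. The script below is an added example, not from this thread or from Cisco: it parses the relevant parts of a running-config and reports those gaps. The sample config, the RFC 5737 placeholder addresses (the post above elided its own), and the functions `parse_ios_config` and `audit_pbr` are all constructed for this example; the sample deliberately leaves the `set ip next-hop` out of `VLAN_3` so there is something to flag.

```python
import re

# Constructed sample running-config (not the thread's, which elided its addresses);
# RFC 5737 placeholder subnets stand in for VLAN 2, VLAN 3 and the firewall VLAN 100.
# VLAN_3 deliberately lacks its 'set ip next-hop' so the audit has something to flag.
SAMPLE_CONFIG = """
ip routing
!
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 102 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
!
route-map VLAN_2 permit 10
 match ip address 101
 set ip next-hop 203.0.113.1
!
route-map VLAN_3 permit 10
 match ip address 102
!
interface Vlan2
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map VLAN_2
!
interface Vlan3
 ip address 198.51.100.1 255.255.255.0
 ip policy route-map VLAN_3
!
interface Vlan100
 ip address 203.0.113.2 255.255.255.0
"""


def parse_ios_config(text):
    """Pick out the pieces of an IOS config that decide where inter-VLAN traffic goes:
    'ip routing', numbered ACL ids, route-map clauses and the policy attached to each SVI."""
    cfg = {"ip_routing": False, "acls": set(), "route_maps": {}, "svis": {}}
    section = None  # the route-map clause or SVI that following indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command: starts a new section
            section = None
            if line == "ip routing":
                cfg["ip_routing"] = True
            elif m := re.match(r"access-list (\d+) ", line):
                cfg["acls"].add(m.group(1))
            elif m := re.match(r"route-map (\S+)(?: (permit|deny))?(?: (\d+))?$", line):
                clause = {"seq": int(m.group(3) or 10), "action": m.group(2) or "permit",
                          "match_acls": [], "next_hops": []}
                cfg["route_maps"].setdefault(m.group(1), []).append(clause)
                section = ("route-map", clause)
            elif m := re.match(r"interface vlan\s*(\d+)$", line, re.I):
                svi = {"vlan": int(m.group(1)), "policy": None}
                cfg["svis"][svi["vlan"]] = svi
                section = ("svi", svi)
            continue
        if section is None:
            continue
        kind, obj = section
        if kind == "route-map":
            if m := re.match(r"match ip address (.+)", line):
                obj["match_acls"] += m.group(1).split()
            elif m := re.match(r"set ip next-hop (.+)", line):
                # keep only the addresses; skips keywords such as verify-availability / track
                obj["next_hops"] += re.findall(r"\d+\.\d+\.\d+\.\d+", m.group(1))
        elif kind == "svi":
            if m := re.match(r"ip policy route-map (\S+)", line):
                obj["policy"] = m.group(1)
    return cfg


def audit_pbr(cfg, firewall_vlans=frozenset({100})):
    """Return findings for user-VLAN SVIs whose traffic the switch would route
    itself instead of handing to the firewall."""
    findings = []
    user_svis = {v: s for v, s in cfg["svis"].items() if v not in firewall_vlans}
    for vlan, svi in sorted(user_svis.items()):
        name = svi["policy"]
        if name is None:
            findings.append(f"Vlan{vlan}: no 'ip policy route-map'; inter-VLAN traffic is routed directly")
            continue
        clauses = cfg["route_maps"].get(name)
        if not clauses:
            findings.append(f"Vlan{vlan}: route-map {name} is not defined")
            continue
        for c in clauses:
            if c["action"] != "permit":
                continue
            for acl in c["match_acls"]:
                if acl not in cfg["acls"]:
                    findings.append(f"Vlan{vlan}: route-map {name} seq {c['seq']} matches undefined ACL {acl}")
            if not c["next_hops"]:
                findings.append(f"Vlan{vlan}: route-map {name} seq {c['seq']} has no 'set ip next-hop'; "
                                "matched traffic is routed normally")
    if cfg["ip_routing"] and len(user_svis) > 1:
        findings.append("note: 'ip routing' is on and the switch still holds the user-VLAN SVIs; "
                        "anything PBR does not steer is routed between VLANs directly")
    return findings


if __name__ == "__main__":
    for finding in audit_pbr(parse_ios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of `show running-config` saved to a file by replacing `SAMPLE_CONFIG` with the file contents; the closing note is printed whenever the switch keeps routing with more than one user-VLAN SVI, because with that design the firewall is only in the path for traffic PBR explicitly redirects.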



Thanks for your help. I have implemented this solution and I got the message "platform pbr-4-sdm mismatch pbr requires sdm template routing" when I applied the route-map to the ip policy of the Vlan interface:


interface Vlan 2
 ip policy route-map VLAN_2

I did sdm prefer routing and the message was gone. After rebooting the switch, the ping does not work at all.



If the F/wall receives the ping request on its interface vlan 100, it will NOT
send that packet back out the same interface it received it on (F/wall default, to stop attacks).

To me you will need to create a layer-2 trunk between the F/wall and switch-3,
with the default gateways for vlans 2 and 3 hosted in vlan SVIs in the F/wall so
all ip routing is carried out in the f/wall.


Read this to allow ingress/exit on the same interface - might help


Regards, Alex. Please rate useful posts.

I was able to route the data between the different VLANs by passing through the F/W. However, if the F/W is down, the two VLANs can reach each other directly through the switch.

paul driver
VIP Expert


@a2maridz wrote:

I have a network were all traffic should pass through a firewall (in a server) 

Relocate the L3 routing onto the server/firewall, creating sub-interfaces for the vlans or the equivalent; disable L3 on switch 3, with a trunk interconnect between the fw/server and switch 3. Then all traffic will need to traverse the server/firewall for inter-vlan routing.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This could then assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards