a2maridz
Beginner

Manage VLAN routing by firewall instead of the L3 switch

Hello,

 

I have a network where all traffic should pass through a firewall (in a server) that implements some routing and filtering rules. As you can see in this picture, the server is connected to switch 3 (a Layer 3 switch). To direct the traffic to the firewall, I added a static default route to 192.168.100.1 in switch 3. However, enabling routing enables inter-VLAN routing too. So switch 3 will let the computer 192.168.3.1 reach 192.168.2.1 without passing through the firewall.

 

[image: switch conf.png]

 

Is it possible to disable VLAN routing for some VLANs? E.g. disable routing between VLAN 2 and VLAN 3 in switch 3 and direct all traffic through 192.168.100.1?

 

This can be done by a router (which I don't have). Is it possible to do it by a layer 3 switch?

 

(Switches 1 and 2 are Catalyst 2960 and switch 3 is a 3750, if that helps.)

 

Thanks.

7 REPLIES
balaji.bandi
VIP Guru

There are 2 options:

 

1. Use a VLAN ACL to block traffic between VLAN 2 and VLAN 3.

2. Move the VLAN interfaces to the FW and make switch 3 Layer 2 only, so the FW can block using ACL rules.

 

Both are feasible. Since you don't want to make any major changes, and you already have Layer 3 on switch 3, using a VLAN ACL / ACL is a good place to start.

 

BB


For the first option, if I block traffic between VLAN 2 and 3 with an ACL, is it possible to route packets between these two VLANs through the firewall, since the source and destination are in VLAN 2 and 3 respectively?

 

For the second option: if switch 3 does forwarding only, how can it send the traffic to the firewall, which is in VLAN 100?

Georg Pauwen
VIP Master

Hello,

 

Policy-based routing should work. Configure the below on your L3 switch:

 

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

route-map VLAN_2 permit 10
 match ip address 101
 set ip next-hop 192.168.100.1

route-map VLAN_3 permit 10
 match ip address 102
 set ip next-hop 192.168.100.1

interface Vlan 2
 ip policy route-map VLAN_2

interface Vlan 3
 ip policy route-map VLAN_3

 

With this configuration, the traffic between Vlan 2 and Vlan 3 always goes through the firewall.

Hello,

Thanks for your help. I implemented this solution and got the message "platform pbr-4-sdm mismatch pbr requires sdm template routing" when I applied the route-map to the IP policy of the VLAN interface:

 

interface Vlan 2
 ip policy route-map VLAN_2

I ran sdm prefer routing and the message went away. After rebooting the switch, ping does not work at all.

 

 

Hi,
If the firewall receives the ping request on its interface in VLAN 100 (192.168.100.1), it will NOT
send that packet back out the same interface it received it on (firewall default, to stop attacks).

To me, you will need to create a Layer 2 trunk between the firewall and switch 3,
with the default gateways for VLANs 2 and 3 hosted on VLAN SVIs in the firewall, so
all IP routing is carried out in the firewall.

or

Read this to allow ingress/exit on the same interface; it might help:
https://community.cisco.com/t5/network-security/allowing-entry-and-exit-of-a-packet-through-the-same-interface/td-p/1899044

 

Regards, Alex. Please rate useful posts.

I was able to route the data between the different VLANs by passing through the F/W 192.168.100.1. However, if the F/W is down, the two VLANs can reach each other directly through the switch.
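The behaviour reported above is plain PBR failing open: `set ip next-hop` is only honoured while the next hop is reachable, and when the firewall stops answering, IOS falls back to the normal routing table, which on switch 3 is the direct SVI-to-SVI path. The following is an added example, not configuration posted in this thread, of a fail-closed variant of Georg's route-maps: the firewall is probed with IP SLA, the next hop is used only while the tracked object is up, and a Null0 fallback drops the matching traffic otherwise. It assumes the thread's addressing (192.168.2.0/24 on Vlan2, 192.168.3.0/24 on Vlan3, firewall at 192.168.100.1 on Vlan100), a 5-second probe interval, and that the 3750 image in use supports IP SLA icmp-echo, object tracking and `set interface Null0` under hardware PBR; confirm that on your image before relying on it.

```cisco
! Added example (not from the thread): fail-closed PBR for VLAN 2 <-> VLAN 3.
! Assumed: same addressing as the thread, IP SLA / tracking / Null0 fallback
! supported on the 3750 image in use.

! PBR on the 3750 needs the routing SDM template (the error seen above).
! A reload is required after changing it.
sdm prefer routing

! Probe the firewall's inside address every 5 seconds.
ip sla 1
 icmp-echo 192.168.100.1 source-interface Vlan100
 frequency 5
ip sla schedule 1 life forever start-time now

! Tracked object goes down when the probe stops succeeding.
track 1 ip sla 1 reachability

! Same match criteria as the route-maps posted earlier in the thread.
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

! While track 1 is up, matching packets are sent to the firewall.
! If track 1 is down, the verified next hop is skipped and the packet
! falls through to 'set interface Null0', i.e. it is dropped rather than
! routed directly between the two SVIs.
route-map VLAN_2 permit 10
 match ip address 101
 set ip next-hop verify-availability 192.168.100.1 10 track 1
 set interface Null0

route-map VLAN_3 permit 10
 match ip address 102
 set ip next-hop verify-availability 192.168.100.1 10 track 1
 set interface Null0

! Both SVIs must be policed: policing only Vlan2 would send the request
! via the firewall and let the reply take the direct path.
interface Vlan2
 ip policy route-map VLAN_2
interface Vlan3
 ip policy route-map VLAN_3
```

To check it, look at `show track 1`, `show route-map VLAN_2` (policy-routed packet counters) and `show ip policy`, then power off or disconnect the firewall and ping 192.168.3.1 from 192.168.2.1: the ping should now fail instead of succeeding through the switch. Traffic that does not match ACL 101/102 (for example VLAN 2 to the default route) is unaffected. This does not change the point Alex raised: the firewall itself still has to permit traffic entering and leaving its Vlan100 interface, since both directions arrive on 192.168.100.1.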

paul driver
VIP Expert

Hello


@a2maridz wrote:

I have a network were all traffic should pass through a firewall (in a server) 


Relocate the L3 routing onto the server/firewall, creating sub-interfaces for the VLANs (or the equivalent), and disable L3 on switch 3 with a trunk interconnect between the firewall/server and switch 3. Then all traffic will need to traverse the server/firewall for inter-VLAN routing.



Kind Regards
Paul
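The design Paul and balaji describe (option 2), switch side only, as an added example rather than configuration from the thread. It removes switch 3's ability to route at all, so there is nothing to fail open to: VLANs 2, 3 and 100 are carried to the firewall on an 802.1Q trunk and the firewall's tagged sub-interfaces become the hosts' default gateways. The names and addresses below are assumptions, none of which appear in the thread: the firewall hangs off GigabitEthernet1/0/1, its sub-interface addresses are 192.168.2.254 and 192.168.3.254, and the switch keeps a management address 192.168.100.10 on VLAN 100.

```cisco
! Added example (not from the thread): switch 3 as a pure Layer 2 switch
! with a trunk to the firewall server. Assumed: firewall port Gi1/0/1,
! firewall sub-interface gateways 192.168.2.254 / 192.168.3.254,
! switch management address 192.168.100.10.

! Disable routing entirely; the L3 SVIs for the user VLANs go away.
no ip routing
interface Vlan2
 no ip address
 shutdown
interface Vlan3
 no ip address
 shutdown

! One management SVI stays up; with routing disabled the switch uses a
! plain default gateway, which is the firewall's VLAN 100 address.
interface Vlan100
 ip address 192.168.100.10 255.255.255.0
ip default-gateway 192.168.100.1

! Trunk to the firewall, restricted to the VLANs it is meant to route.
! 'nonegotiate' stops DTP from being offered to a non-Cisco host.
interface GigabitEthernet1/0/1
 description to firewall server (802.1Q trunk)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,100
 switchport mode trunk
 switchport nonegotiate

! Hosts in VLAN 2 and VLAN 3 then use 192.168.2.254 and 192.168.3.254
! (the firewall's tagged sub-interfaces) as their default gateway.
```

On the firewall the matching pieces are one tagged sub-interface per VLAN (on Linux, `ip link add link eth0 name eth0.2 type vlan id 2`, and likewise for 3 and 100) carrying those gateway addresses, with forwarding between them governed by the firewall's own rules. Verify on the switch with `show ip route` (routing is reported as not enabled) and `show interfaces trunk`. Because VLAN 2 to VLAN 3 traffic now enters the firewall on the VLAN 2 sub-interface and leaves on the VLAN 3 sub-interface, the same-interface hairpin restriction Alex mentioned no longer applies.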