Using a Firewall or Switch for inter vlan routing?

Hi Team,
I need some advice: I plan to move inter-VLAN routing from the firewall to the switch.

I'm a security engineer and I have some networking skills.

I have the following infrastructure:
- a stack of 3 SG350 switches
- an SMB firewall that handles Internet access
- 4 VLANs:
vlan 10: 10.20.10.0/24
vlan 20: 10.20.20.0/24
vlan 30: 10.20.30.0/24
vlan 40: 10.20.40.0/24

These VLANs are currently defined on the SMB firewall, which handles the inter-VLAN routing.
To get the best network performance, and since there is no need for security between the VLANs, I plan to use the stack of 3 SG350 switches for inter-VLAN routing.
1) For each VLAN, I will configure a VLAN interface IPv4 address as described in https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-350-series-managed-switches/smb5719-configure-vlan-interface-ipv4-address-on-an-sx350-or-sg350x.html
These IPs will be the default gateway of each VLAN.
2) I will enable routing on the SG350.
3) I plan to define a new VLAN between the firewall and the stack, maybe VLAN 50 (10.20.50.0/24), with 10.20.50.x as the IP of the SG350 and 10.20.50.z as the IP of the firewall.
The default gateway of the SG350 will be the firewall in VLAN 50 (10.20.50.z).

With this configuration:
- Internal communication between the VLANs will be handled by the SG350, which will increase performance.
- When an internal computer tries to reach an Internet resource, its gateway (the SG350) will route the traffic to the firewall.

Thank you in advance for your help.

Regards

Accepted Solution

Deepak Kumar
VIP Alumni

Hi,

The following additional configuration is required on the switch and the firewall:

Switch Configuration:

"And the default gateway of the SG350 will be in the firewall in the vlan 50 (10.20.50.z)" 

You do not need a default gateway; you need a default route toward 10.20.50.z (the firewall):

ip route 0.0.0.0 0.0.0.0 10.20.50.z


Firewall Configuration:

You have to add static routes on the firewall for VLANs (10, 20, 30, 40) with next hop 10.20.50.x.

Also, you have to add all VLAN subnets to the NAT configuration.


Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!


balaji.bandi
Hall of Fame

Intra-VLAN communication always stays at L2; inter-VLAN communication always goes to the SVI gateway, which routes the traffic.

It will not go to your VLAN 50, for sure.

BB


Joseph W. Doherty
Hall of Fame

You don't need a default gateway on the SG350 stack; what you'll need is a default route that points to 10.20.50.z.

The FW will also need a default route (or perhaps DHCP) to the next hop IP (i.e. the ISP device) and will either need static route(s) to your internal networks 10.20.10..40.0/24 (via 10.20.50.x) or will need to run a routing protocol between the FW and the SG350 stack. If the latter, you might be able to have the FW send the default route to the SG350 stack too.

BTW, your VLAN 50 might use a /30 (perhaps even a /31) and perhaps the FW and SG350 might support IPs on the physical interface (i.e. then VLAN 50 would not be needed).
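As an added illustration (not from the thread, Cisco, or any of the posters), this Python model walks the forwarding tables that the original plan and the replies describe and checks the three paths that matter: inter-VLAN traffic stays on the SG350, Internet-bound traffic leaves via the firewall, and replies come back through the firewall's static routes to 10.20.50.x. The concrete addresses 10.20.50.1 (switch), 10.20.50.254 (firewall) and 203.0.113.1 (ISP hop) are assumptions standing in for the thread's 10.20.50.x / 10.20.50.z.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the thread's design; the post leaves the VLAN 50 hosts
# as 10.20.50.x / 10.20.50.z, so .1 (switch) and .254 (firewall) are assumptions.
SWITCH, FIREWALL, ISP = "10.20.50.1", "10.20.50.254", "203.0.113.1"

def lpm(rib, dst):
    """Longest-prefix-match lookup over a list of (prefix, next_hop)."""
    best = None
    for prefix, next_hop in rib:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# Tables as the accepted answer describes them: SVIs plus a default route on the
# switch; statics for VLANs 10-40 plus a default to the ISP on the firewall.
# "connected" means the device delivers the packet itself on that interface.
SWITCH_RIB = [(f"10.20.{v}.0/24", "connected") for v in (10, 20, 30, 40)]
SWITCH_RIB += [("10.20.50.0/24", "connected"), ("0.0.0.0/0", FIREWALL)]
FIREWALL_RIB = [("10.20.50.0/24", "connected"), ("0.0.0.0/0", ISP)]
FIREWALL_RIB += [(f"10.20.{v}.0/24", SWITCH) for v in (10, 20, 30, 40)]

def trace(start, dst, ribs, max_hops=8):
    """Follow next hops from `start`; the path ends at the device that delivers
    directly, or at the first hop outside the model (the ISP). None = loop."""
    path, node = [], start
    while node in ribs:
        if len(path) >= max_hops:
            return None
        path.append(node)
        next_hop = lpm(ribs[node], dst)
        if next_hop == "connected":
            return path
        if next_hop is None:
            return path + ["drop"]  # no route at all: traffic black-holed
        node = next_hop
    return path + [node]

def check_design(switch_rib, firewall_rib):
    """Three paths that must hold: inter-VLAN stays on the switch (never VLAN 50),
    Internet-bound traffic goes SVI -> firewall -> ISP, and the reply comes back
    through 10.20.50.x instead of being sent out to the ISP again."""
    ribs = {SWITCH: switch_rib, FIREWALL: firewall_rib}
    return {
        "intervlan": trace(SWITCH, "10.20.20.5", ribs),
        "to_internet": trace(SWITCH, "198.51.100.7", ribs),
        "from_internet": trace(FIREWALL, "10.20.10.50", ribs),
    }
```

Calling check_design(SWITCH_RIB, FIREWALL_RIB[:2]) models a firewall whose static routes were forgotten: the reply to 10.20.10.50 then follows the firewall's default route to the ISP instead of returning to the switch, which is exactly the failure the replies warn about.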


Hi All,
Thank you for your replies.