Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1163
Views
0
Helpful
3
Replies

Vlans and Firewall (internal QA)

Go to solution
smitty0375
Level 1
Level 1

‎08-02-2011 11:56 AM - edited ‎03-07-2019 01:31 AM

Hello world!

I have a virtual machine environment setup for QA purposes. It has 3 vlans that need to be separated by firewall.

2 3560's 1 asa 5510.

The vlans are on Switch A & B with the ESX boxes plugged into A and the firewall into B. The 3 interfaces on the firewall are in their respective vlans.

All servers ping each other and totally ignore that the firewall is even there, even with explicit rules.

Thoughts? I put the switchports that the firewall are plugged into as trunks but that didn't help either.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to smitty0375

‎08-04-2011 01:18 PM

Jerry

You don't need to turn off ip routing but you cannot have L3 vlan interfaces for the vlans you want to firewall. If these vlans contain other servers as well then you can either use acls on the L3 SVIs or you need to move the server(s) you want to firewall between into new vlans.

As long as L3 vlan interface exists on the 3560 you will route around the firewall.

You could in theory use PBR i guess to send the specific server traffic to the firewall interfaces and allow the rest of the servers in the same vlan to use their L3 vlan interface on the 3560 but -

1) you need IP Services on your switch

2) if you really require firewalling then standard acls or PBR are not really sufficient.

Jon

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎08-02-2011 11:58 AM

Do you have L3 vlan interfaces on the 3560 for these vlans ? If so you would need to remove them and only route off the ASA for the firewall to come into effect.

Jon

0 Helpful

Go to solution
smitty0375
Level 1
Level 1
In response to Jon Marshall

‎08-04-2011 01:07 PM

I am using these switches for routing too so I cannot turn off IP routing. When I do a traceroute from one vm on a subnet to another on a different subnet it simply hits the default gateway, in this case the vlan ip, then straight to the destination. The connected routes of the vlans are bypassing the firewall.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to smitty0375

‎08-04-2011 01:18 PM

Jerry

You don't need to turn off ip routing but you cannot have L3 vlan interfaces for the vlans you want to firewall. If these vlans contain other servers as well then you can either use acls on the L3 SVIs or you need to move the server(s) you want to firewall between into new vlans.

As long as L3 vlan interface exists on the 3560 you will route around the firewall.

You could in theory use PBR i guess to send the specific server traffic to the firewall interfaces and allow the rest of the servers in the same vlan to use their L3 vlan interface on the 3560 but -

1) you need IP Services on your switch

2) if you really require firewalling then standard acls or PBR are not really sufficient.

Jon

0 Helpful
Customers Also Viewed These Support Documents