Hello @parnassus !
1. @parnassus wrote
"The VLAN id 1320 (no matter the SVI on the Switch for management) is directly transported at Layer 2 to the Firewall (uplink port needs to be tagged with VLAN id 1320, as it actually isn't...indeed actually the VLAN id 1320 is untagged on the uplink, this means that LAN Main interface on the Firewall has VLAN id set to 1320 instead of default VLAN id 1…but above you wrote that Firewall LAN has two subinterfaces for, respectively, 1320 and 3000...this, if I read it correctly, means exactly that downlink to Switch has 1320 and 3000 tagged and so the uplink on the switch should do the same...which brings us back to the fact that VLAN id 1320 should be tagged on the uplink along with VLAN id 3000)."
- Would the following way be better?
- Creating a native VLAN to substitute for the default VLAN 1:
vlan 999
description PVID(native vlan)
quit
- On the trunk port I replace PVID 1320 with 999, so all traffic will be tagged, right? Is that better?
# TRUNK (uplink with Firewall)
interface GigabitEthernet 1/0/48
port link-type trunk
undo port trunk vlan 1
port trunk pvid 999
port trunk vlan 1010 1320 1800 3000 tagged
stp edged-port enable
undo shutdown
quit
2. @parnassus wrote
"Generally the Default Gateway is ignored when IP Routing is enabled. With IP Routing enabled you need a Route of Last Resort (0/0 via Next Hop Gateway directly connected) and/or ad-hoc static routes (not necessarily with a Route of Last Resort) for specific destination networks. More below on this part."
- As the Default Gateway will be ignored, I must create a static route like the following, right?
Ex. For the GUEST network, VLAN 300, where 172.16.151.10 is the SVI on the Firewall.
ip route-static 172.16.151.0 255.255.255.0 Vlan-interface300 172.16.151.10
Is it correct? If not, how should I do this?
Is there some way to configure a Default Gateway and use inter-VLAN routing, or is it necessary to create a lot of static routes for everything? For example, for Internet access the Switch needs a default gateway. Ex. The Workstation 10.172.81.1 connects to Google DNS 8.8.8.8. 10.172.81.1 sends to the next hop 10.172.81.10 (in this case that interface is on the Switch), and then? The packet won't reach the Internet, right?
3. @parnassus wrote
"That's pretty strange considering the VLAN membership of the uplink...but not having an idea how exactly is your Firewall configured in terms of LAN interface VLANs assignments..."
- For the VLANs directly managed by the Firewall (VLANs 1320 and 3000), the Firewall tags the frames of both VLANs; since they are managed by the Firewall, there is an IP configured on each, 10.172.32.2/29 and 172.16.151.10/24 respectively, so I need to create nothing more.
For the VLANs not directly managed by the Firewall (VLANs 1010 and 1800), I created a Virtual Interface without an IP, where I created static routes specifying the Interface instead of a next hop.
"it's possible that my assumptions above aren't correct (I really don't understand why the uplink port was configured as untagged member of VLAN id 1320)."
- I'm changing this as above, right?
4. @parnassus wrote
"The fact is that any host (clearly excluding the Firewall, given its particular status of "router" for its interfaces) on VLAN id 1320's subnet uses the Firewall as its next hop gateway (default gateway) and the Firewall is probably configured to deny routing/access (ACL) back to VLAN id 1010 and 1800's Subnets (this to hide the asymmetry) to essentially block traffic back to those subnets."
- As we are making the changes described above, this is no longer the scenario.
5. @parnassus wrote
"The initial question: will a host on VLAN id 1010 (or 1800)'s subnet (using the Switch as its gateway through VLAN id 1010 (or 1800)'s Switch SVI address) be able to reach the external networks behind the Firewall?"
- yes
6. @parnassus wrote
"(destination 0.0.0.0 mask 0.0.0.0 via 10.172.32.2)"
- How can I do this? Because I was thinking that the command would be: 'ip default-gateway 10.51.32.2'.
Would it be 'ip route-static 0.0.0.0 0.0.0.0 Vlan-interface132 10.172.32.2'?
7. @parnassus wrote
"A packet with destination the originating host needs to be routed back via (a) the Firewall LAN interface on VLAN id 1320, so passing through 10.172.32.2, and should (b) be able to know how to reach, for the example I built, the 10.172.1.10/20 subnet through a directly reachable Switch SVI…so through the VLAN 1320's Switch SVI which is (purpose: management) 10.172.32.1…provided that there is no other way to bypass that point...this means the Firewall should have a static route like destination 10.172.1.10 mask 255.255.240.0 via 10.172.32.1. The packet transit to/from the Firewall happens by routing over the uplink using the VLAN 1320."
- It's correct.
- In a perfect scenario, let's take an example, only at layer 2.
- Sending
The server 10.172.1.7 sends a frame whose destination is 8.8.8.8; this frame belongs to VLAN 1010 and arrives on port 1/0/48, which is a trunk port where VLAN 1010 is tagged, so the Switch tags the frame and sends it. The Firewall receives the frame, removes the tag and sends it to the Internet.
- Returning
8.8.8.8 responds; the Firewall identifies the frame, tags it (VLAN 1010) and sends it back to the Switch (port 1/0/48); the Switch removes the tag and delivers the frame to 10.172.1.7.
Is this example right?
8. @parnassus wrote
"Does it sound reasonable?"
- Yes.
9. @parnassus wrote
"This opens up another question: why also tagging the uplink port with VLAN id 1010 and 1800?"
- I was thinking that it is because, without the tag, the Switch would reject the frame. Won't it? Or will they send it using the PVID?
------- // -------
@parnassus, this issue is getting so big, I'm thinking this could be annoying you. Sorry about that.
To try to simplify, I'll put the new config below. The firewall IP is 10.172.32.2.
# VLAN
vlan 1010
description SERVER
quit
vlan 1320
description FIREWALL
quit
vlan 1800
description WORKSTATION
quit
vlan 3000
description WI-FI GUEST
quit
vlan 999
description PVID(native vlan)
quit
# VIRTUAL VLAN INTERFACE
interface Vlan-interface101
ip address 10.172.1.10 255.255.240.0
quit
interface Vlan-interface132
ip address 10.172.32.1 255.255.255.248
quit
interface Vlan-interface180
ip address 10.172.81.10 255.255.240.0
dhcp select relay
dhcp relay server-address 10.172.1.1
quit
ip routing
ip route-static 172.16.151.0 255.255.255.0 Vlan-interface300 172.16.151.10
ip route-static 0.0.0.0 0.0.0.0 Vlan-interface132 10.172.32.2
# WORKSTATION
interface GigabitEthernet 1/0/1
description WORKSTATION
port link-type access
port access pvid 1800
port access vlan 1800
stp edged-port enable
undo shutdown
quit
# ACCESS POINT
interface GigabitEthernet 1/0/27
description ACCESS POINT
port link-type trunk
undo port trunk vlan 1 untagged
port trunk pvid 1800
port trunk vlan 3000 tagged
port trunk vlan 1800 untagged
stp edged-port enable
quit
# TRUNK (uplink with Firewall)
interface GigabitEthernet 1/0/48
port link-type trunk
undo port trunk vlan 1
port trunk pvid 999
port trunk vlan 1010 1320 1800 3000 tagged
stp edged-port enable
undo shutdown
quit
Does this new scenario work for you?
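Added example, not part of the original post or of any vendor tool: a small consistency check over a constructed excerpt of the switch config pasted above. It cross-references the declared `vlan` ids against the `Vlan-interface` SVIs, the egress interfaces named in `ip route-static`, and the VLANs the uplink trunk carries; it assumes the SVI number equals the VLAN id (Comware naming) and does not validate command syntax.

```python
import re

# Constructed excerpt of the config from the post (not taken from a live device).
SAMPLE_CONFIG = """\
vlan 1010
vlan 1320
vlan 1800
vlan 3000
vlan 999
interface Vlan-interface101
 ip address 10.172.1.10 255.255.240.0
interface Vlan-interface132
 ip address 10.172.32.1 255.255.255.248
interface Vlan-interface180
 ip address 10.172.81.10 255.255.240.0
ip route-static 172.16.151.0 255.255.255.0 Vlan-interface300 172.16.151.10
ip route-static 0.0.0.0 0.0.0.0 Vlan-interface132 10.172.32.2
interface GigabitEthernet 1/0/48
 port link-type trunk
 port trunk pvid 999
 port trunk vlan 1010 1320 1800 3000 tagged
"""

def check_config(text, uplink="GigabitEthernet 1/0/48"):
    """Return lists of VLAN ids that are referenced but never declared, and
    declared VLANs the uplink trunk neither tags nor uses as PVID."""
    vlans, svis, route_ifs, trunk_vlans = set(), set(), set(), set()
    pvid, cur_if = None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"^vlan (\d+)$", line):
            vlans.add(int(m.group(1)))
        elif m := re.match(r"^interface Vlan-interface(\d+)$", line):
            svis.add(int(m.group(1)))          # SVI number assumed == VLAN id
            cur_if = None
        elif m := re.match(r"^interface (.+)$", line):
            cur_if = m.group(1)                # physical port context
        elif m := re.match(r"^ip route-static \S+ \S+ Vlan-interface(\d+)", line):
            route_ifs.add(int(m.group(1)))    # egress SVI named in a route
        elif cur_if == uplink and (m := re.match(r"^port trunk pvid (\d+)$", line)):
            pvid = int(m.group(1))
        elif cur_if == uplink and (m := re.match(r"^port trunk vlan ([\d ]+) tagged$", line)):
            trunk_vlans.update(int(v) for v in m.group(1).split())
    return {
        "svi_without_vlan": sorted(svis - vlans),
        "route_if_without_vlan": sorted(route_ifs - vlans),
        "vlan_not_on_uplink": sorted(vlans - trunk_vlans - {pvid}),
    }

if __name__ == "__main__":
    for key, ids in check_config(SAMPLE_CONFIG).items():
        print(f"{key}: {ids}")
```

On this excerpt every SVI (101, 132, 180) and the route egress interface Vlan-interface300 point at VLAN ids that are never declared, while all declared VLANs are carried by the uplink.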