Wired Intelligent Edge

please any one can help me to verify if this is correct.. if this is wrong please share any modification to configure this correctly...i need to have intervlan routing on the switch L3..and get internet via FW.

Hi,

 

From the drawing I don't understand the following points:

- Why do you have subinterfaces from VLAN 100 and 80 when you default gateway for these VLANS is the switch?

- Did you configure the routes on the firewall back to the switch?

 

 

Regards, Dobias

hi thank you for replying, by the way for you what is the best configuration for this if i want only the routing be done at L3, meaning the intervlan routing happens only on the switch, do i need to create a VLAN on the FW or no need?

I don't know the exact set-up but from this drawing, it's not needed. You will need to add routes on the FW to the subnets of the two VLANS the next-hop will be the switch. Otherwise, the FW doesn't know how to send the traffic back. 

 

Cheers, Dobias

ok here is the scenario,

we have two VLANs, 100 and 80...our network has a FW as the gateway for all internal network hosts....and i want the intervlan routing be done in L3 switch.. what must be done to finish my setup?

The firewall is conected to the internet right? When you saw proctect itnernal host this probably means from the internet correct? 

 

From the drawing I see that internally you 192.168.1.1 IP address on the FW. Do you have IP addr on the switch in subnet? This is probably placed in different VLAN. 

 

If so than everything is fine you can remove the VLANs on FW and add routes from the FW to subnets of VLAN80 and 100 with switch as next-hop. 

 

Regards, Dobias

the 192.168.1.1 is the IP of port4 where i plugged in the 2930f L3 switch, the management VLAN of the L3 switch is VLAN60 which is 192.168.50.1...the concern is if i want the intervlan routing for VLAN100 and VLAN80 be done on the L3, what must be done? or is it a best practice to do it on L3 knowing i have a FW already as my gateway device?

Hi,

 

Hereby the steps you need to take:

• Remove VLAN 80/100 from the FW
• Add new VLAN on the switch (if not configured yet)
• Add IP address to this VLAN that is in the same subnet as FW (if not configured yet)
• Offcourse, untag or tag the port connected to the FW. Tag / untag depends on how FW is configured (IEEE .Q)
• Add static routes on FW to subnets of VLAN 80 and VLAN 100
• Make sure clients in both subnets get correct default gateway IP of the switch. Either DHCP or static.

 

This should be it.

Hi,

 

I am new here but I do have a solution for your request.

 

Switch has the following VLANS and SVI's

 

VLAN 700: 172.16.70.254 255.255.255.0

 

VLAN 710: 172.16.71.254 255.255.255.0

 

VLAN 800: 172.16.80.254 255.255.255.0

 

Imagine you have a Cisco ASA firewall - 

 

 

!
route outside 0.0.0.0 0.0.0.0 192.168.1.254 

 

 

route inside 172.16.70.0 255.255.255.0 10.100.100.2 
route inside 172.16.71.0 255.255.255.0 10.100.100.2 
route inside 172.16.80.0 255.255.255.0 10.100.100.2 
!

 

The route inside command tells the Firewall how to get to the appropriate vlans and the conduit or door to those respective subnets. Already the Firewall knows of the Switch's IP 10.100.100.2 and can ping to it. It does not know about the VLANS and the associated subnets and so you tell the firewall how to route traffic to them using the 10.100.100.2 (Switch's IP) to the appropriate VLANS. On Switch

ip route 0.0.0.0 0.0.0.0 10.100.100.1 (IP Address of Firewall)
ip routing

 

Hope this helps you. The secret is getting the firewall to know who to pass packets to should there be any.

Hi gascon,

I think your scenario could work as it, but no need of a 2930F doing VLAN routing or any kind of routing.

You must make these changes:
Default gateway Vlan 100: 192.168.10.99
Default gateway Vlan 80: 172.16.16.99

You should have configured switch Aruba 2930F with these SVIs :
Vlan 100: 192.168.10.100/24
Vlan 80: 172.16.16.100/24

Right? ... but from my perspective, 2930F does not need SVIs to route between VLANs because that function can be done by the firewall because it is directly connected to those VLANs. Try pinging 192.168.10.100 and 172.16.16.100 (hosts in each VLAN) from the firewall and if there is a response, the firewall knows how to reach and route between VLANs. If there is no response, maybe the firewall port has not the correct configuration in virtual subinterfaces vlan 100 and 80. Remember that firewall port that connects to the 2930F and the 2930F port must have the correct 802.1Q trunk configuration.

Imagine for a moment that the firewall is a router, and what you have is a router on a stick scenario, with a layer 2 switch (no need to have a L3 switch). This maybe could be called a firewall on a stick. See this link:
https://www.networkstraining.com/cisco-router-on-a-stick-with-switch/

If you want vlan routing in your 2930F, the firewall on a stick is not the best option.
You should create one more vlan, let´s call it a "gateway" VLAN where to place your firewall with just an IP in that VLAN (let´s call it IP1). You will also have to add in your firewall the return static addresses to the internal VLANs because the firewall would not know them.
Do not forget to add a default route in the 2930F pointing to IP1.
So, the hosts in each vlan will have as default router the 2930F on each VLAN, if the packet goes to the other VLAN, the 2930F directly connected to it, routes the packets back and forth.If the packet goes to Internet, the 2930F throws the packet to IP1 (it uses the default route you added), and makes the statefull translation towards internet. When the packet gets back to the firewall, the firewall makes the inbound translation and uses its static routes to the appropriate VLAN interface to make the packet arrive to its destination.

I hope this helps a little with your problem.

Kind regards