ip routing for Inter-Vlan or not?

Answered Question
Jul 3rd, 2007

ok,

Here goes. Hope you can visualize this.

We have 2 6513s interconnected and set up with VLANs on both (half the hosts in VLAN 100 are on SW1, the other half on SW2). There's a total of 5 VLANs spread out this way. We use HSRP between the 2 switches in case one goes down, as far as the gateway goes.

I set up a route-map to set the next hop to our external routers, where we do inter-VLAN routing.

To our surprise, when the firewalls are disconnected, the inter-VLAN routing still works. This led me to understand that the 6513s were doing the VLAN routing and not our firewalls. So I implemented ACLs to stop inter-VLAN routing on the switch. The ACLs look like this:

ip access-list extended No-Inter-Vlan-Routing-1
 remark Deny Inter-VLAN Routing to Vlan 100
 permit ip 192.168.2.0 0.0.1.255 192.168.2.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 192.168.2.0 0.0.1.255
 remark Deny Inter-VLAN Routing to Vlan 102
 permit ip 10.98.2.0 0.0.1.255 10.98.2.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 10.98.2.0 0.0.1.255
 deny ip 192.168.0.0 0.0.255.255 10.98.2.0 0.0.1.255
 remark Deny Inter-VLAN Routing to Vlan 104
 permit ip 10.98.4.0 0.0.1.255 10.98.4.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 10.98.4.0 0.0.1.255
 deny ip 192.168.0.0 0.0.255.255 10.98.4.0 0.0.1.255
 remark Deny Inter-VLAN Routing to Vlan 106
 permit ip 10.98.6.0 0.0.1.255 10.98.6.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 10.98.6.0 0.0.1.255
 deny ip 192.168.0.0 0.0.255.255 10.98.6.0 0.0.1.255
 remark Deny Inter-VLAN Routing to Vlan 108
 permit ip 10.98.8.0 0.0.1.255 10.98.8.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 10.98.8.0 0.0.1.255
 deny ip 192.168.0.0 0.0.255.255 10.98.8.0 0.0.1.255
 remark Allow traffic out
 permit ip any any
!

Then this ACL gets applied inbound on each VLAN interface:

interface Vlan100
 ip access-group No-Inter-Vlan-Routing-1 in
!
interface Vlan102
 ip access-group No-Inter-Vlan-Routing-1 in
!
interface Vlan104
 ip access-group No-Inter-Vlan-Routing-1 in
!
interface Vlan106
 ip access-group No-Inter-Vlan-Routing-1 in
!
interface Vlan108
 ip access-group No-Inter-Vlan-Routing-1 in
!

My issue is this:

Now, when you ping an address on another VLAN, the packet gets dropped as the ACLs kick in, saying NO NO!

I'm puzzled trying to figure out why the frame doesn't go to the VLAN's next hop, as stated in the route-map for that interface, so that the firewall can route the frame to the proper VLAN depending on whether we allow it or not.

Am I confused here, and shouldn't I be using routing on the switches in the first place, as my firewalls are supposed to do this themselves?

Should I disable all routing on the switch, remove the HSRP and route-maps, and simply let the packets go up to the firewall and have them make the decision?

Any feedback would be appreciated, as I'm wondering if I'm not adding a level of complexity to the network with HSRP and route-maps that I shouldn't.
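The following Python is an added illustration, not configuration from the original post or from any of the participants. It models the posted access-list with Cisco wildcard-mask semantics and first-match evaluation, then applies the route-map step after it. It assumes the IOS order of operations on an SVI: the inbound access-group is evaluated before policy routing, so a packet the ACL denies never reaches the route-map's `set ip next-hop`. The ACL text is the one posted above; the per-VLAN next hops are the .3 firewall zone addresses given later in the thread; the host addresses used as sample packets are constructed.

```python
"""
Model of the inbound SVI access-list from the post, with Cisco wildcard-mask
semantics and first-match evaluation, followed by the route-map (PBR) step.

Added example, not configuration from the original post. It assumes the IOS
order of operations on an SVI: the inbound access-group is evaluated before
policy routing, so a packet the ACL denies never reaches the route-map's
'set ip next-hop'.
"""
from ipaddress import IPv4Address

# ACL from the post (case and spacing normalised to IOS syntax).
ACL_TEXT = """
remark Deny Inter-VLAN Routing to Vlan 100
permit ip 192.168.2.0 0.0.1.255 192.168.2.0 0.0.1.255
deny ip 10.98.0.0 0.0.255.255 192.168.2.0 0.0.1.255
remark Deny Inter-VLAN Routing to Vlan 102
permit ip 10.98.2.0 0.0.1.255 10.98.2.0 0.0.1.255
deny ip 10.98.0.0 0.0.255.255 10.98.2.0 0.0.1.255
deny ip 192.168.0.0 0.0.255.255 10.98.2.0 0.0.1.255
remark Deny Inter-VLAN Routing to Vlan 104
permit ip 10.98.4.0 0.0.1.255 10.98.4.0 0.0.1.255
deny ip 10.98.0.0 0.0.255.255 10.98.4.0 0.0.1.255
deny ip 192.168.0.0 0.0.255.255 10.98.4.0 0.0.1.255
remark Deny Inter-VLAN Routing to Vlan 106
permit ip 10.98.6.0 0.0.1.255 10.98.6.0 0.0.1.255
deny ip 10.98.0.0 0.0.255.255 10.98.6.0 0.0.1.255
deny ip 192.168.0.0 0.0.255.255 10.98.6.0 0.0.1.255
remark Deny Inter-VLAN Routing to Vlan 108
permit ip 10.98.8.0 0.0.1.255 10.98.8.0 0.0.1.255
deny ip 10.98.0.0 0.0.255.255 10.98.8.0 0.0.1.255
deny ip 192.168.0.0 0.0.255.255 10.98.8.0 0.0.1.255
remark Allow traffic out
permit ip any any
"""

# Route-map next hop per ingress VLAN (the .3 firewall zone interfaces from the thread).
VLAN_NEXT_HOP = {100: "192.168.2.3", 102: "10.98.2.3", 104: "10.98.4.3",
                 106: "10.98.6.3", 108: "10.98.8.3"}


def wildcard_to_net(addr, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care'. 0.0.1.255 is therefore a /23."""
    mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & mask, mask


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return wildcard_to_net(tok[i + 1], "0.0.0.0"), i + 2
    return wildcard_to_net(tok[i], tok[i + 1]), i + 2


def parse_acl(text):
    """Turn extended-ACL lines into (action, src_net, src_mask, dst_net, dst_mask)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action = tok[0]            # permit / deny
        i = 2                      # tok[1] is the protocol ('ip' everywhere here)
        (snet, smask), i = _parse_addr(tok, i)
        (dnet, dmask), i = _parse_addr(tok, i)
        entries.append((action, snet, smask, dnet, dmask))
    return entries


ACL = parse_acl(ACL_TEXT)


def acl_verdict(acl, src_ip, dst_ip):
    """First matching entry wins; an ACL ends with an implicit deny."""
    s, d = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    for action, snet, smask, dnet, dmask in acl:
        if (s & smask) == snet and (d & dmask) == dnet:
            return action
    return "deny"


def svi_ingress(vlan, src_ip, dst_ip, acl=ACL):
    """What the SVI does with an inbound packet: ACL first, then the PBR next hop."""
    if acl_verdict(acl, src_ip, dst_ip) == "deny":
        return ("dropped by ACL", None)
    return ("policy-routed", VLAN_NEXT_HOP[vlan])


if __name__ == "__main__":
    # The ping from the post: a VLAN 102 host to a VLAN 104 host (constructed addresses).
    print(svi_ingress(102, "10.98.2.10", "10.98.4.10"))
    # The same host to the Internet: passes the ACL, then goes to the firewall.
    print(svi_ingress(102, "10.98.2.10", "8.8.8.8"))
```

Running the block shows the cross-VLAN ping being dropped by the ACL on the ingress SVI, while an Internet-bound packet from the same host passes the ACL and is handed to the route-map next hop 10.98.2.3. That ordering is the reason the route-map never gets a chance to send inter-VLAN traffic to the firewall.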

sundar.palaniappan Tue, 07/03/2007 - 12:19

Which one is your setup?

Inside --> 6500 --> Firewall --> External Router

(or)

Inside --> 6500 -->External Router/Firewall

You stated the external router is doing inter-VLAN routing; are you doing router-on-a-stick with dot1q sub-interfaces?

JORGE RODRIGUEZ Tue, 07/03/2007 - 13:35

hi,

What are you trying to accomplish with the route-map, disconnecting the firewalls, and the alternate default route?

As Sundar asked, could you elaborate more on the design?

Your firewalls can do anything you would want; however, you have to sort of follow a design guideline, if you will. Your 6513s are connected to each other and are basically your core switch/router, carrying your VLANs and providing inter-VLAN routing for your local network as well as a failover architecture. Let the firewalls be involved in what they are meant to do ("permissions/security/VPNs etc.") and not inter-VLAN routing.

npereira@nperei... Wed, 07/04/2007 - 03:47

our setup is Firewall -> Switch(6513) -> inside net.

We are not using routers, apart from the ISP's CPE which are setup for BGP.

What I am asking is: why have the 6513s doing the inter-VLAN routing instead of the firewalls, as we want to use the firewalls for that function (they are meant to do that, routing between zones)?

The route-map was set up because the VLAN interface IP is .11 for SW1 and .12 for SW2; the HSRP standby IP between the two would then be .1, and the route-map would point to .3 (the firewall's zone interface).

for example:

All traffic of VLAN 100 goes to 192.168.2.3

All traffic of VLAN 102 goes to 10.98.2.3

All traffic of VLAN 104 goes to 10.98.4.3

All traffic of VLAN 106 goes to 10.98.6.3

All traffic of VLAN 108 goes to 10.98.8.3

We want to do this so we can control which zones have access to which zones and with what protocol. The Fortinet FortiGate does this.

We don't want the switch to do the inter-VLAN routing; we want our Fortinet firewalls to do that function.

So my question is: should I remove IP routing, HSRP and the route-maps?

Correct Answer
Jon Marshall Wed, 07/04/2007 - 04:05

Hi

A lot depends on the functionality of your Fortinet firewalls. Do they support 802.1q trunks, and have you enough interfaces or subinterfaces on your Fortinet to create layer 3 interfaces for all your VLANs?

If yes, then if you want to control all traffic between your VLANs, then yes, you should disable ip routing, remove the SVIs / HSRP off your 6513s together with the route-maps, and make the connection(s) between your 6513 switch(es) and your firewall(s) 802.1q trunks.

As a side note, if you need this level of control between VLANs, the 6500 Firewall Services Module, which slots into the 6500 chassis, is a good match, but:

1) it is expensive

2) it might not have the functionality of the fortinet firewalls.

HTH

Jon

npereira@nperei... Wed, 07/04/2007 - 05:49

Thanks Jon,

I did just that, and yes to all your questions. The Fortinet is a sophisticated piece of equipment: all HW-based routing/ACLs etc.

Well, I did just that and all seems to work fine now. Thanks again for all your help, guys!
