07-03-2007 12:03 PM - edited 03-05-2019 05:06 PM
OK,
Here goes. Hope you can visualize this.
We have two 6513s interconnected and set up with VLANs on both (half the hosts in VLAN 100 are on SW1, the other half on SW2). There's a total of 5 VLANs spread out this way. We use HSRP between the 2 switches in case one goes down, as far as the gateway is concerned.
I set up a route-map to set the next hop to our external routers, where we do inter-VLAN routing.
To our surprise, when the firewalls are disconnected, the inter-VLAN routing still works. This led me to understand that the 6513s were doing the VLAN routing and not our firewalls. So I implemented ACLs to stop inter-VLAN routing on the switch. The ACLs look like this:
ip access-list extended No-Inter-Vlan-Routing-1
 remark Deny Inter-VLAN Routing to Vlan 100
 permit ip 192.168.2.0 0.0.1.255 192.168.2.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 192.168.2.0 0.0.1.255
 remark Deny Inter-VLAN Routing to Vlan 102
 permit ip 10.98.2.0 0.0.1.255 10.98.2.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 10.98.2.0 0.0.1.255
 deny ip 192.168.0.0 0.0.255.255 10.98.2.0 0.0.1.255
 remark Deny Inter-VLAN Routing to Vlan 104
 permit ip 10.98.4.0 0.0.1.255 10.98.4.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 10.98.4.0 0.0.1.255
 deny ip 192.168.0.0 0.0.255.255 10.98.4.0 0.0.1.255
 remark Deny Inter-VLAN Routing to Vlan 106
 permit ip 10.98.6.0 0.0.1.255 10.98.6.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 10.98.6.0 0.0.1.255
 deny ip 192.168.0.0 0.0.255.255 10.98.6.0 0.0.1.255
 remark Deny Inter-VLAN Routing to Vlan 108
 permit ip 10.98.8.0 0.0.1.255 10.98.8.0 0.0.1.255
 deny ip 10.98.0.0 0.0.255.255 10.98.8.0 0.0.1.255
 deny ip 192.168.0.0 0.0.255.255 10.98.8.0 0.0.1.255
 remark Allow traffic out
 permit ip any any
!
Then this ACL gets applied inbound on each VLAN interface (note the space before the "in" keyword; without it IOS rejects the command):
interface Vlan100
 ip access-group No-Inter-Vlan-Routing-1 in
interface Vlan102
 ip access-group No-Inter-Vlan-Routing-1 in
interface Vlan104
 ip access-group No-Inter-Vlan-Routing-1 in
interface Vlan106
 ip access-group No-Inter-Vlan-Routing-1 in
interface Vlan108
 ip access-group No-Inter-Vlan-Routing-1 in
My issue is this:
Now, when you ping an address on another VLAN, it drops the packet as the ACLs kick in saying NO NO!
I'm puzzled trying to figure out why the frame doesn't go to the VLAN's next hop as stated in the route-map for that interface, so that the firewall can route the frame to the proper VLAN depending on whether we allow it or not.
Am I confused here, and shouldn't I be using routing on the switches in the first place, as my firewalls are supposed to do this themselves?
Should I disable all routing on the switch, remove the HSRP and ROUTE-MAPs, and simply let the packets go up to the firewall and have them make the decision?
Any feedback would be appreciated, as I'm wondering if I'm not adding a level of complexity to the network with HSRP and ROUTE-MAPs that I shouldn't...
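As an added illustration (not code from the original thread), the following Python model evaluates a constructed subset of the posted ACL (the VLAN 100 and VLAN 102 entries) with Cisco's first-match wildcard semantics, and then applies the order of operations an IOS SVI uses for an inbound packet: the inbound access list is checked before policy routing, which is why a cross-VLAN ping is dropped before the route-map ever gets to set the firewall as next hop. The host addresses and the next-hop value used in the comments and tests are constructed.

```python
import ipaddress

# Constructed subset of the posted ACL (VLAN 100 and VLAN 102 entries), Cisco wildcard syntax.
ACL_TEXT = """
remark Deny Inter-VLAN Routing to Vlan 100
permit ip 192.168.2.0 0.0.1.255 192.168.2.0 0.0.1.255
deny ip 10.98.0.0 0.0.255.255 192.168.2.0 0.0.1.255
permit ip 10.98.2.0 0.0.1.255 10.98.2.0 0.0.1.255
deny ip 10.98.0.0 0.0.255.255 10.98.2.0 0.0.1.255
deny ip 192.168.0.0 0.0.255.255 10.98.2.0 0.0.1.255
permit ip any any
"""

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def _take_addr(tokens):
    """Consume one address spec: 'any' or '<network> <wildcard>'."""
    if tokens[0].lower() == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Return [(action, (src_net, src_wc), (dst_net, dst_wc)), ...]; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].lower() == "remark":
            continue
        src, rest = _take_addr(tok[2:])  # tok[1] is the protocol keyword ('ip')
        dst, _ = _take_addr(rest)
        entries.append((tok[0].lower(), src, dst))
    return entries

def evaluate(entries, src, dst):
    """First matching ACE wins; nothing matched means the implicit deny (ACE None)."""
    for n, (action, s, d) in enumerate(entries, 1):
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action, n
    return "deny", None

def forward(entries, src, dst, next_hop):
    """SVI order of operations: the inbound ACL is checked before policy routing,
    so a denied packet is dropped before the route-map can push it to next_hop."""
    action, n = evaluate(entries, src, dst)
    return f"dropped by ACE {n}" if action == "deny" else f"policy-routed to {next_hop}"

ACL = parse_acl(ACL_TEXT)  # VLAN 102 host pinging VLAN 100 -> dropped by ACE 2
```

Traffic leaving the site (the final permit ip any any) does reach the route-map, which matches the poster's observation that only the cross-VLAN pings fail.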
07-03-2007 12:19 PM
Which one is your setup?
Inside --> 6500 --> Firewall --> External Router
(or)
Inside --> 6500 -->External Router/Firewall
You stated the external router is doing inter-VLAN routing. Are you doing router-on-a-stick with dot1q sub-interfaces?
07-03-2007 01:35 PM
Hi,
What are you trying to accomplish with the route-map, disconnecting the firewalls, and the alternate default route?
As sandar asked, could you elaborate more on the design?
Your firewalls can do anything you would want; however, you have to sort of follow a design guideline, if you will. Your 6513s are connected to each other and are basically your CORE switch/router carrying your VLANs and providing inter-VLAN routing for your local network as well as failover architecture. Let the firewalls be involved in what they're meant to do ("permissions/security/VPNs etc.") and not inter-VLAN routing.
07-04-2007 03:47 AM
Our setup is Firewall -> Switch (6513) -> inside net.
We are not using routers, apart from the ISP's CPE, which are set up for BGP.
What I am asking is: why have the 6513s doing the inter-VLAN routing instead of the firewalls, as we want to use the firewalls to take on that function (they are meant to do that, routing between zones)?
The route-map was set up because the VLAN's interface IP is a .11 for SW1 and .12 for SW2. The HSRP standby IP between the 2 would then be .1, and the route-map would point to .3 (the firewall's zone interface).
For example:
All traffic of VLAN 100 goes to 192.168.2.3
All traffic of VLAN 102 goes to 10.98.2.3
All traffic of VLAN 104 goes to 10.98.4.3
All traffic of VLAN 106 goes to 10.98.6.3
All traffic of VLAN 108 goes to 10.98.8.3
We want to do this so we can control which zones have access to which zones and with what protocol. The Fortinet FortiGate does this.
We don't want the switch to do the inter-VLAN routing; we want our Fortinet firewalls to do that function.
So my question is: should I remove IP routing, HSRP and route-maps?
07-04-2007 04:05 AM
Hi
A lot depends on the functionality of your Fortinet firewalls. Do they support 802.1q trunks, and have you enough interfaces or subinterfaces on your Fortinet to create layer 3 interfaces for all your VLANs?
If yes, then if you want to control all traffic between your VLANs, then yes, you should disable IP routing, remove the SVIs/HSRP off your 6513s together with the route-maps, and make the connection(s) between your 6513 switch(es) and your firewall(s) 802.1q trunks.
As a side note, if you need this level of control between VLANs, the 6500 Firewall Services Module which slots into the 6500 chassis is a good match, but
1) it is expensive
2) it might not have the functionality of the Fortinet firewalls.
HTH
Jon
07-04-2007 05:49 AM
Thanks Jon,
I did just that, and yes to all your questions. The Fortinet is a sophisticated piece of equipment. All HW-based routing/ACLs etc.
Well, I did just that and all seems to work fine now. Thanks again for all your help guys!