L3 switch VLAN and routing

Hi,

We have an L3 switch with VLANs 10, 20, and 30. There are no interfaces for VLAN 20 and 30 on this L3 switch, but VLAN interfaces are created with IP addresses. Other L2 switches are connected by trunk to this L3 switch. On the L3 switch there are interfaces only in VLAN 10. One interface connected in VLAN 10 is the firewall. Hosts in VLAN 20 and 30 have the L3 switch VLAN interface as their default gateway. Devices from VLAN 20 and VLAN 30 can communicate with each other; inter-VLAN routing is working. Now we need to forward traffic from the L3 switch to the firewall that belongs to the internet and not to VLAN 20 and 30.

So does the interface connected to the firewall, which is a member of VLAN 10, need to be a trunk?

In my opinion, when the L3 switch forwards the frame to the firewall it will remove the VLAN tag ID from the frame and forward that frame to the firewall as if the firewall were the next-hop router. (It will send an untagged frame to the firewall; the firewall will then NAT/PAT it and send it to the internet, and the firewall will also have reverse routes for the VLAN 20 and VLAN 30 subnets.)

Please share the experience.

Thanks in advance.

Subodh

thotsaphon Fri, 10/30/2009 - 09:42

Subodh,

It's not easy to do so. (J/K)

- You have an IP address assigned to the firewall. The firewall is connected to the interface on the L3 switch with an access port in VLAN 10.

- Create a default route pointing to the IP address of the firewall.


Edit: What you thought is right. Untagged frames will be sent to the firewall. You just have to make sure that there is a route to forward packets out to the firewall. However, if I were you, I would design a new network to connect to the firewall. I would probably use a routed port to do so. There is no need to send any broadcast traffic from VLAN 10 to it. If the interface on the firewall is a routed port, I don't see any reason to send BPDUs to it. That's why I'd rather create a new network to connect them together and use a routed port on the L3 switch.

Hope I helped you some.

Toshi

bapatsubodh Fri, 10/30/2009 - 09:49

hi,

Got it.

I need to put one default route in the L3 switch:

ip route 0.0.0.0 0.0.0.0 <Firewall_Inside_IP>

Is that correct?

Thanks

subodh

thotsaphon Fri, 10/30/2009 - 09:50

Subodh,

Yep, try it. (grin)


P.S. Don't forget to tell the firewall to route packets from VLAN 20 and 30 back to the place where they were born. heheh.


HTH,

Toshi
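The two designs discussed in this thread (the firewall on a VLAN 10 access port with a default route to it, and Toshi's preferred alternative of a dedicated routed port), written out as an added Cisco IOS configuration example. This is not configuration from the original posters; the interface names, VLAN descriptions and all addresses (RFC 5737 documentation ranges for the VLANs, a /30 for the routed link) are assumptions chosen for illustration. Only one of the two options should be applied to the firewall-facing port.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   VLAN 10 (firewall transit)  192.0.2.0/24     SVI 192.0.2.1,   firewall inside 192.0.2.254
!   VLAN 20 (users)             198.51.100.0/24  SVI 198.51.100.1
!   VLAN 30 (servers)           203.0.113.0/24   SVI 203.0.113.1
!   Routed-port alternative     10.255.255.0/30  switch .1, firewall .2
!
ip routing
!
vlan 10,20,30
!
! SVIs for VLAN 20 and 30: hosts use these as their default gateway,
! and the switch routes between the two VLANs locally.
interface Vlan20
 description Users
 ip address 198.51.100.1 255.255.255.0
!
interface Vlan30
 description Servers
 ip address 203.0.113.1 255.255.255.0
!
! Trunk to the L2 access switches carrying the three VLANs
interface GigabitEthernet1/0/1
 description trunk to L2 switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! ----- Option A (as asked): firewall on an access port in VLAN 10 -----
! The port is not a trunk. Frames leave the switch untagged, and the
! SVI in VLAN 10 is the switch's own address on that segment.
interface Vlan10
 description Firewall transit
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/0/24
 description firewall inside (access port, VLAN 10)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Everything not in a connected VLAN goes to the firewall's inside address
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
! ----- Option B (Toshi's recommendation): dedicated routed port -----
! Replaces option A's GigabitEthernet1/0/24 stanza and default route.
! No VLAN membership, so no VLAN 10 broadcasts or BPDUs reach the firewall.
interface GigabitEthernet1/0/24
 description firewall inside (point-to-point routed link)
 no switchport
 ip address 10.255.255.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.255.255.2
!
! The firewall still needs the reverse routes (syntax depends on the firewall):
!   198.51.100.0/24 via 10.255.255.1   (via 192.0.2.1 in option A)
!   203.0.113.0/24  via 10.255.255.1   (via 192.0.2.1 in option A)
! Without them, return traffic from the internet is dropped at the firewall
! because it only knows the transit subnet as directly connected.
```

In option A the firewall shares VLAN 10 with any other access ports in that VLAN, so whatever is plugged into VLAN 10 sits on the same broadcast domain as the firewall's inside interface. Option B turns the link into a two-address point-to-point subnet, which is why it needs no spanning-tree handling and carries nothing but routed traffic between the switch and the firewall. In both cases the default route on the switch only sends packets outbound; the firewall's own routing table decides whether replies for VLAN 20 and 30 ever come back.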
