Problem with VLAN routing on a C3750 Stack

Unanswered Question
Nov 10th, 2009

Hi,


We recently purchased 5 C3750 switches. These switches should be used as a stack for two networks that need to be separated by an ACL. The problem we have is that on top of this stack, we have a firewall that we have no hands on. All outgoing traffic (web etc.) needs to go through this firewall. Before we purchased the stack we had separate switches for these networks. They were separated by the firewall. For testing I created two VLANs with an ACL. That is working fine so far. But I only have one routing table. This is a problem because all outgoing traffic needs to go through this firewall.


e.g.


1st Network 192.168.0.0


2nd Network 10.1.0.0


In the routing table I set the default route to go to the firewall. But this is only working for the 1st network. I guess this is because the interface on the firewall that is connected to the stack only expects traffic coming from the 1st network but not the second.


Sorry, this is really not easy to explain.


Is there a way to have a separate routing table for each VLAN?



Edison Ortiz Tue, 11/10/2009 - 08:25

The FW needs to know how to reach the 2nd network via the 1st network so a static route needs to be added in the FW.


something like:


route add 10.1.0.0 255.255.0.0 192.168.0.1


Also, make sure to have 'ip routing' enabled in all 3750s (disabled by default) and that the user VLANs are pointing to the correct gateway on their respective VLAN subnet.


Regards


Edison.

ciscoch1ef Wed, 11/11/2009 - 00:24

Hi,


That is exactly my problem. I have no hands on the firewall. If the changes were transparent, that would be the best.

The admin of the firewall says it's not a good idea to have two networks behind one interface. He wants to leave it as is. That means a separate interface for each network on the firewall. That's why I thought about having individual routing tables for the VLANs. But I don't understand enough of VRF-Lite. Will this still support ACLs between the two VLANs?



Edison Ortiz Wed, 11/11/2009 - 10:32

"If the changes were transparent, that would be the best."


The FW needs to know how to reach remote subnets via its directly connected subnet. You can do this with a static route at the FW or by implementing a dynamic routing protocol between the FW and the switch.


With either solution, the FW needs to be involved.


"The admin of the firewall says it's not a good idea to have two networks behind one interface."


This person does not understand the concept of routing...


"That means a separate interface for each network on the firewall."


If he wants to sacrifice another physical interface in the FW, then have him add a new IP subnet to this interface, connect this FW interface to your switch, and associate this switchport with the VLAN for 10.1.0.0/24.


Regards


Edison.

Joseph W. Doherty Tue, 11/10/2009 - 09:08

"Is there a way to have a separate routing table for each VLAN?"


Yes, if you have a 3750 IOS image that supports VRF-Lite. However, from your description, it is unclear how separate routing tables would help. Edison's suggestion might be what you need.

wandering_997 Wed, 11/11/2009 - 23:49

Hi,


I got two objectives from your description.


A) Let all outgoing traffic go to the firewall.

So the traffic coming back should come from the firewall, right?

B) Don't let the 2 networks access each other.


And your topology is {2 or more VLANs}----[3750 stack]-----(firewall)----(internet).


I guess there's an L3 connection between the stack and the firewall.



So here's the solution:


1) create a default route on the stack pointing to the firewall

2) enable ip routing on the stack

3) create routes on the firewall for your internal networks

4) create a default route on the firewall pointing to the internet

5) create a VLAN ACL to prevent both networks from accessing each other


I think this solution will work, and you can add more VLANs as you want.



HTH

Wandering
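
An added example (not from any poster in this thread) of what steps 1, 2 and 5 of this recipe look like as 3750 IOS configuration, with step 3 noted as the piece that only the firewall admin can do. Everything in it is assumed: 192.168.0.0/24 on VLAN 10 with the stack SVI at 192.168.0.1, 10.1.0.0/16 on VLAN 20 with the SVI at 10.1.0.1, the firewall's inside interface at 192.168.0.254 on port Gi1/0/1, and router ACLs on the SVIs standing in for the "VLAN ACL".

```cisco
! Added example, not the poster's config. Assumed addressing:
!   VLAN 10 = 192.168.0.0/24 (SVI 192.168.0.1), VLAN 20 = 10.1.0.0/16 (SVI 10.1.0.1)
!   firewall inside interface = 192.168.0.254, plugged into Gi1/0/1 in VLAN 10
!
! Step 2: the 3750 does not route between SVIs until this is on (off by default)
ip routing
!
vlan 10
 name NET1-192
vlan 20
 name NET2-10
!
! Step 5: router ACLs on the SVIs so the two user networks cannot reach each
! other but can still reach the firewall and the internet. The firewall's own
! address is permitted explicitly so that DNS/proxy on it keeps working.
ip access-list extended NET1-IN
 permit ip host 192.168.0.254 10.1.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip any any
ip access-list extended NET2-IN
 permit ip 10.1.0.0 0.0.255.255 host 192.168.0.254
 deny   ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 192.168.0.1 255.255.255.0
 ip access-group NET1-IN in
interface Vlan20
 ip address 10.1.0.1 255.255.0.0
 ip access-group NET2-IN in
!
! Port facing the firewall: the firewall stays a host on the 192.168.0.0/24 segment
interface GigabitEthernet1/0/1
 description uplink to firewall inside interface
 switchport mode access
 switchport access vlan 10
!
! Step 1: everything the stack has no route for goes to the firewall
ip route 0.0.0.0 0.0.0.0 192.168.0.254
!
! Step 3 lives on the firewall, not here: it must be told that 10.1.0.0/16 is
! reachable via the stack SVI (Edison's "route add 10.1.0.0 255.255.0.0 192.168.0.1").
! Without it, replies to 10.1.x.x hosts have no return path and only NET1 works.
!
! Checks after applying:
!   show ip route          -> S* 0.0.0.0/0 via 192.168.0.254 plus the two connected subnets
!   show ip access-lists   -> hit counters on the deny lines when NET1 tries to reach NET2
```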


