07-12-2010 03:26 AM - edited 03-06-2019 11:59 AM
Hi All,
Is it possible that the firewall will be your gateway but you have inter-VLAN routing as well?
How will I configure the L3 switch for that situation?
07-12-2010 03:43 AM
Yes, it's possible if you have an L3 switch before the firewall.
So tell me how many VLANs you need to create and the model of the L3 switch you have,
and I will provide you with all the configuration.
07-12-2010 04:12 AM
Hi,
If you are doing inter-VLAN routing first and then the firewall comes into the picture, the better recommendation is to have the gateway be the SVI of the VLAN configured in the switch. If you want the firewall to be the gateway for the users, make the firewall ports members of those VLANs and then configure the gateway for each user in the VLAN to be the firewall.
http://cisco.biz/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
07-12-2010 05:34 PM
Hi All,
But in my situation the firewall is first, before the L3 switch.
Is it possible that the firewall will be the gateway in that situation?
My L3 switch will be the Cisco Catalyst 3750.
07-12-2010 05:45 PM
Hello,
If the firewall is connected to the internet and you want all the internet traffic to reach the firewall, the better way is to configure the switch as the default gateway and, on the switch, configure the firewall as the default gateway. But if the firewall is sitting right in between the VLANs, i.e. one interface of the firewall is in one VLAN and the other in the second VLAN, and you would like all traffic between those VLANs to go through the firewall, then turn off the layer 3 interface for one of the VLANs and make the firewall the default gateway for that VLAN.
Hope this helps.
Regards,
NT
07-12-2010 05:56 PM
How will I do that?
My firewall will be connected to the internet.
Your first line of words fits what I am planning to make.
See below for your reference.
07-12-2010 06:01 PM
Another thing, I will be using ACL on layer 3 instead of inter vlan routing.
07-12-2010 06:08 PM
Hello,
In your case, making the L3 switch the default gateway for all VLANs will be the best way. In this way, all traffic destined to the local LAN will be handled by the switch and only the internet traffic will go to the firewall. If you want other VLANs also to access the internet, you can do that with this implementation. Make sure that your default route on the switch is pointing to the firewall.
ip route 0.0.0.0 0.0.0.0
If you want VLAN 3 and VLAN 4 to access internet via the firewall, then on the firewall, have static routes configured for those subnets.
route inside
route inside
Hope this helps.
Regards,
NT
07-12-2010 06:20 PM
Hi Nagaraja Thanthry,
Can you give me an example of how I will get VLAN 3 and VLAN 4 to access the internet via the firewall?
For example:
vlan 2 ip = 192.168.1.1/24
vlan 3 ip = 192.168.2.1/24
vlan 4 ip = 192.168.3.1/24
So I will do this command on my firewall:
for vlan 3:
route inside 255.255.255.0 192.168.1.1
for vlan 4:
route inside 255.255.255.0 192.168.1.1
Am I right?
Thank you!
07-12-2010 11:15 PM
Hi,
Create a NAT rule in the firewall for the VLAN subnet and then try to access the internet from the specified VLANs.
https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#s11
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
07-12-2010 11:29 PM
Hi,
It's very easy.
L3 configuration:
ip routing
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ! only if you use DHCP
 ip helper-address { DHCP server IP address }
!
interface Vlan3
 ip address 192.168.2.1 255.255.255.0
 ! only if you use DHCP
 ip helper-address { DHCP server IP address }
!
interface Vlan4
 ip address 192.168.3.1 255.255.255.0
 ! only if you use DHCP
 ip helper-address { DHCP server IP address }
!
ip route 0.0.0.0 0.0.0.0 { Firewall IP address }
Do a trunk between any two switches.
Now all VLANs can communicate with each other and the internet works fine.
The default gateway for users is the same IP as the VLAN interface on the L3 switch.
The default route means any packet with an unknown destination (internet) will be sent to the firewall.
07-13-2010 01:15 AM
What if not all members of that VLAN will be given an internet connection?
Only chosen persons will be given a connection to the net.
Will it be possible?
And not all VLANs are required to communicate with each other.
Here is the situation to clarify my problem.
The Catalyst 3750 consists of ACLs and inter-VLAN routing.
What if I want one of the PCs in VLAN 3 to have an internet connection and the rest will not have a net connection?
How will I configure it?
07-13-2010 01:42 AM
Give me a reason to use ACLs in the core switch?
And the routing between VLANs: if you enable IP routing it will do it for all, is that not required for you?
About internet from the firewall, you can control who can access the internet (what firewall do you use?).
07-13-2010 05:57 PM
We need ACLs because it is not required that all VLANs should see each other.
But all VLANs should see the servers, or VLAN 2 in the figure.
And VLAN 2 should see all the VLANs (VLAN 3 and 4).
VLAN 3 and 4 should not see each other.
Only selected users in VLAN 3 and 4 will be given access to the net.
Our firewall is an ASA 5510.
07-13-2010 06:11 PM
Hello,
In that case, you need to play around with the access-lists:
On the firewall:
! next hop is the switch's VLAN 2 SVI (192.168.1.1), which is on the ASA inside subnet
route inside 192.168.2.0 255.255.255.0 192.168.1.1
route inside 192.168.3.0 255.255.255.0 192.168.1.1
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
On the switch:
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.2 (Firewall's IP)
access-list 103 permit ip host
ip access-group 102 in
exit
Hope this helps.
Regards,
NT
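As an added worked example (not NT's configuration and not Cisco's own sample), here is one complete way to express the policy described in this thread on the Catalyst 3750 and the ASA 5510: every VLAN reaches the servers in VLAN 2, VLAN 3 and VLAN 4 cannot reach each other, and only one chosen host per VLAN gets out to the internet. It uses the addressing from the thread (VLAN 2 = 192.168.1.0/24 with the ASA inside interface at 192.168.1.2, VLAN 3 = 192.168.2.0/24, VLAN 4 = 192.168.3.0/24) and assumes two hypothetical "selected" hosts, 192.168.2.50 and 192.168.3.50, plus the pre-8.3 ASA NAT syntax the thread already uses.

```cisco
! ===== Catalyst 3750 (IOS) =====
ip routing
!
! VLAN 2 = servers; no ACL here, so VLAN 2 may reach everything
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.2.1 255.255.255.0
 ip access-group VLAN3-IN in
!
interface Vlan4
 ip address 192.168.3.1 255.255.255.0
 ip access-group VLAN4-IN in
!
! anything not local goes to the ASA inside interface
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
! Inbound ACL on the VLAN 3 SVI. Order matters: the deny toward VLAN 4 sits
! BEFORE the "permit ... any" for the chosen host, otherwise that host could
! also reach VLAN 4. Anything unmatched falls into the implicit deny.
ip access-list extended VLAN3-IN
 remark let DHCP requests reach the relay (ip helper-address) if DHCP is used
 permit udp any eq bootpc any eq bootps
 remark every VLAN 3 host may reach the servers in VLAN 2
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark VLAN 3 must not see VLAN 4
 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark only the selected host (hypothetical address) may go anywhere else, i.e. the internet
 permit ip host 192.168.2.50 any
 remark everyone else is dropped; "log" is optional and CPU-processed on the 3750
 deny ip any any log
!
ip access-list extended VLAN4-IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip host 192.168.3.50 any
 deny ip any any log
!
! ===== ASA 5510 (pre-8.3 NAT syntax, as in the thread) =====
! return routes: VLAN 3 and VLAN 4 live behind the switch's VLAN 2 SVI
route inside 192.168.2.0 255.255.255.0 192.168.1.1
route inside 192.168.3.0 255.255.255.0 192.168.1.1
!
! PAT only the hosts that are allowed out. Unlisted VLAN 3/4 hosts get no
! translation, so the ASA is a second line of defence behind the switch ACLs.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.50 255.255.255.255
nat (inside) 1 192.168.3.50 255.255.255.255
```

The ACLs are applied inbound on the VLAN 3 and VLAN 4 SVIs only; replies from VLAN 2 or from the internet enter the switch on VLAN 2, which has no ACL, so the permits above cover both directions of each allowed conversation. After applying, `show access-lists VLAN3-IN` shows per-ACE hit counts, which is the quickest way to confirm that a blocked host is landing on the final deny rather than on the selected-host permit. The `log` keyword on the 3750 punts matching packets to the CPU, so keep it for troubleshooting rather than leaving it on a busy VLAN permanently.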