03-29-2012 05:47 AM - edited 03-07-2019 05:51 AM
Ok, this is my setup.
I have a Layer 3 switch running 4 L2/L3 VLANs, each one has its own L3 interface on the switch. There is an "inside" trunk to the ASA FW that also has a L3 sub-interface for each of these VLANs. I want to apply ACLs to both the interfaces on the FW and the switch so the traffic is filtered in both places. However, when I set the clients' gateway as the switch L3 interface, traffic doesn't work; when it's the FW L3 interface as the gateway, it does work (talking ICMP here). I get "destination net unreachable" when the GW is the switch.
How do I get the L3 interface of the switch to forward the traffic to the relevant interface on the FW? For example, VLAN 10 on the switch (10.11.120.1) to forward traffic to the L3 interface of the FW (10.11.120.2)?
Thanks in advance,
Dan
03-29-2012 05:54 AM
Hello,
Use Policy Based Routing (PBR) on the Switch.
Regards,
Moahmed
03-29-2012 06:03 AM
Thanks Mohamed, but it's only a 3560 and doesn't support it.
Dan
03-29-2012 06:21 AM
My mistake, it is supported. I think I just create an ACL for the traffic I want the route map to apply to, create the route map and define the next hop as being the L3 interface of the FW?
Dan
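The three steps Dan lists (ACL, route map, next hop on the switch SVI) look like this on a Catalyst 3560. This is an added example, not a config from the thread; the ACL and route-map names are assumptions, and the addresses are the VLAN 10 values Dan gave (switch SVI 10.11.120.1, ASA sub-interface 10.11.120.2).

```text
! PBR on a 3560 needs the routing SDM template and IP routing enabled.
! Changing the SDM template only takes effect after a reload.
sdm prefer routing
ip routing
!
! Step 1: ACL selecting the traffic that must be sent to the firewall.
! Here: anything sourced from the VLAN 10 subnet (name is an assumption).
ip access-list extended VLAN10-TO-FW
 permit ip 10.11.120.0 0.0.0.255 any
!
! Step 2: route map that matches the ACL and overrides the next hop
! with the ASA's VLAN 10 sub-interface (name is an assumption).
route-map PBR-VLAN10 permit 10
 match ip address VLAN10-TO-FW
 set ip next-hop 10.11.120.2
!
! Step 3: apply the policy on the SVI that is the clients' gateway.
interface Vlan10
 ip address 10.11.120.1 255.255.255.0
 ip policy route-map PBR-VLAN10
!
! Verification: match counters increment on the route map while
! clients in VLAN 10 send traffic, and the SVI lists the policy.
show route-map PBR-VLAN10
show ip policy
```

Two points matter for the "filter in both places" goal. First, without the `ip policy` line the switch will route inter-VLAN traffic directly between its own SVIs, because those subnets are connected routes and the switch never consults the ASA; the policy is what forces the hairpin through the firewall. Second, the ASA is a stateful device, so each VLAN's SVI needs an equivalent policy (its own ACL and `set ip next-hop` to that VLAN's ASA sub-interface); otherwise the reply traffic takes the direct path, the ASA never sees the return half of the flow, and it drops it.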
03-29-2012 10:31 AM
Even when applying PBR, the traffic still doesn't seem to go to the FW, as it has a VLAN interface that is directly connected.
Any way around this?
Dan
03-29-2012 10:58 AM
Sorry, I could not understand the following statement.
Daniel Bowen wrote:
"I want to apply ACLs to both the interfaces on the FW and the switch so the traffic is filtered in both places."
Not sure why the filter is applied in both places?
Also, can you please share your PBR configs?
-Vijay
03-29-2012 02:47 PM
Dan,
Sounds like it might be a routing issue. For example, how does VLAN 10 know the route to the firewall? You said "when it's the FW L3 interface as the gateway, it does work". So it does work? I might have missed something there.
I dealt with this by getting rid of the virtual interfaces on the ASA and just having the single interface that I connected to my L3 switch and then routed the traffic to it from there.
For example, ge0/1 on the L3 switch would connect to the ASA with the below info added to your config:
! routed port on the L3 switch facing the ASA's single inside interface
interface GigabitEthernet0/1
 no switchport
 ip address 10.11.120.1 255.255.255.0
! default route on the switch pointing at the ASA inside address
ip route 0.0.0.0 0.0.0.0 10.11.120.2
I might be barking up the wrong tree, but hope that helps.
Ted
03-30-2012 01:53 AM
I'm a little confused myself. Yes, if I set the FW sub-interface as the default gateway, the traffic works fine; it hits the ACL on the FW interface and works. What I want to do is have the default gateway for each VLAN as the L3 switch interface, then route this traffic to the FW to be filtered.
For example:
VLAN 1 - Switch IP 10.10.10.1 - FW IP 10.10.10.2
default gateway 10.1
So I thought I'd set up PBR to amend the next hop based on the traffic flow, as a single default route will not allow me to do this.
Dan
03-30-2012 03:32 AM
Isn't it just easier to have a router-on-a-stick on the FW (if that is possible), rather than have routing done on the switch and on the FW, because it is going to the FW anyway?