Server 1 and Server 2 can ping their respective VLANs as they are their gateways. They can also ping up to the firewall interface they are connected to directly via the VLAN. I have a 3560X Cisco switch with IP routing enabled. I put in the route 0.0.0.0 0.0.0.0 10.10.20.254 so my servers will get out to the Internet via VLAN 20; however, with VLAN 10 they cannot get out. I perform a traceroute to 126.96.36.199 and it gets up to its gateway 10.10.10.254, but then for some reason the firewall sees traffic coming from 10.10.20.254 and denies it. This is probably due to the route I have enabled.

I had removed this route and nothing gets out. The firewall allows the traffic, but when I ping out to 188.8.131.52 from each server I get destination unreachables (not timeouts) from their respective VLANs. It would seem the switch gets the packet and doesn't know where to send it. Thus the 0.0.0.0 0.0.0.0 10.10.20.254 (my servers on this VLAN are most important). I thought without the route the behavior of the switch should allow this traffic out its respective VLAN. What am I missing?

I have tried adding 2 routes, 0.0.0.0 0.0.0.0 10.10.10.254 and 0.0.0.0 0.0.0.0 10.10.20.254, but this would allow VLAN 10 out and VLAN 20 gets denied (order of rules being processed, it doesn't make it to rule 2). I was thinking of adding a route map to the switch:
access-list 100 permit ip host 10.10.10.50 any
route-map HTTP permit 10
 match ip address 100
 set ip next-hop 10.10.10.254
! ip policy route-map is an interface-level command; it belongs under the SVI where the traffic arrives
interface Vlan10
 ip policy route-map HTTP
Does anyone have any suggestions, or could tell me how to specify my routes better? This is the output of the sh ip route command:
Gateway of last resort is 10.10.20.254 to network 0.0.0.
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.10.0 is directly connected, Vlan10
C 10.10.20.0 is directly connected, Vlan20
S* 0.0.0.0/0 [1/0] via 10.10.20.254
no ip classless
ip route 0.0.0.0 0.0.0.0 10.10.20.254
ip http server
ip http secure-server
In this case remove the default route from the switch.
Make the FW interface the default gateway on both VLANs.
The VLAN gateways should be 10.10.10.254 and 10.10.20.254 respectively.
That's it and it will be working.
Also disable the routing on the switch and make the firewall interface part of each respective VLAN.
I thought you could only add a default gateway to the switch and not the VLAN. Do you know the command structure for this?
This is the current VLAN information:
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
If you have created the VLAN interfaces on the switch, then make them the default gateway for the VLAN users.
On the switch, however, you will give one default route towards the firewall.
What are you using for the servers' default gateway? It should be these 2 addresses for the servers. I would then have just used a single link with a /30 address in a different range to the firewall; this would then be your default static route for the Internet.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0 ---> server default gateway
interface Vlan20
 ip address 10.10.20.1 255.255.255.0 ----> server default gateway
interface <routed port to firewall>
 description link to internet firewall
 ip address 10.10.30.1 255.255.255.252 ----> FW end 10.10.30.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.10.30.2
Yes, I have my servers pointing to the VLANs as their default gateways. I actually had implemented what you were talking about above, but decided to change some things around. It looks like I will have to go back to my original plan. Thanks for your input!
I would suggest that you change no ip classless to ip classless.
I am not clear about the connections from the 3560 to the firewall. Are there separate connections from the 3560 to the firewall for vlan 10 and vlan 20 and are the firewall interfaces in the same subnet/same broadcast domain as the servers? If so I would guess that when the firewall sees a packet from 10.10.10.x arriving on the 10.10.20.x interface that it may be doing some type of reverse path check and denying the traffic. In this case there is some merit to letting the 3560 do intervlan routing but having the default gateway for the hosts point to the firewall. The other suggestion that I could see would be to make the connection from the 3560 to the firewall to be a separate routed subnet so that the firewall does not participate directly in vlan 10 or 20.
RE: Are there separate connections from the 3560 to the firewall for vlan 10 and vlan 20 and are the firewall interfaces in the same subnet/same broadcast domain as the servers?
Yes, each VLAN has a separate connection and the connected FW interface is in the same subnet. I have the 10.10.10.1 connected to FW interface 10.10.10.254.
RE: If so I would guess that when the firewall sees a packet from 10.10.10.x arriving on the 10.10.20.x interface that it may be doing some type of reverse path check and denying the traffic. In this case there is some merit to letting the 3560 do intervlan routing but having the default gateway for the hosts point to the firewall.
Yes, this has been the behavior since I took the one link to the FW and split it into 2 links, dedicating each link to its respective VLAN.
RE: The other suggestion that I could see would be to make the connection from the 3560 to the firewall to be a separate routed subnet so that the firewall does not participate directly in vlan 10 or 20.
Yes, I had this in my original setup; however, I wanted to parse my traffic even more (to prevent VLAN hopping), but this seems to have created more work to get it to function correctly (without having a router between the two devices).
Note: I had thought that somehow I could specify to the switch, if it is coming from 10.10.10.x, use interface 10.10.10.254 as the hop, but this would further complicate the configuration, and I am thinking the more complicated it is the more chances a misconfiguration could compromise my network. Any thoughts?
You could configure Policy Based Routing and have that forward traffic on the correct interface toward the firewall. But that certainly would complicate the configuration and you are quite correct that the more complicated the config becomes the more chances there are for misconfiguration that could impact your network. So I would advocate for a more simple solution.
There are several simple solutions that would work. And without knowing more about your situation it is hard to know if one is better than the other. If you want to keep two connections into the firewall then I would think it best to configure the default gateway on the servers to be the firewall and not the 3560. I could also see some benefit in configuring a single routed link from the 3560 to the firewall (it would reduce load on the firewall by taking it out of the path for traffic internal between the VLANs).
I would like to investigate PBR on the switch if possible. Thank you for that input. I will try that. Have you tried that by chance? Do you have any suggestions on something easy? I was given this gear, and making it work the way they want it to has become a daunting task.
I just responded to another post for you which I now realize is a re-statement of this thread. It would have been helpful in the new thread to reference this thread.
If you want something easy then I suggest that you make the connection(s) from the switch to the firewall be a separate routed subnet(s). That would be easy to do and would solve the issue.
Policy Based Routing is not easy. For what you need it is not especially complex, but I do not think that anyone would call it easy.
I have implemented PBR many times and it works well (when you need it). The steps to implement PBR are these:
- configure an access list that will identify the traffic that you want controlled by PBR.
- configure a route map which will use the access list in a match statement and will then set the ip next-hop for outbound traffic.
- configure ip policy route-map on the interface where the traffic arrives.
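The three PBR steps above, written out for this thread's addressing as an added example (not the poster's own configuration). It policy-routes the whole VLAN 10 subnet rather than one host, keeps inter-VLAN traffic on the switch, and is applied on the SVI where the traffic arrives; the SDM template requirement and interface names are assumptions.

```cisco
! Added example, not from the thread. PBR on the 3560X so traffic sourced in
! VLAN 10 is handed to the firewall interface in VLAN 10 (10.10.10.254) while
! VLAN 20 keeps the existing default route via 10.10.20.254.
!
! Assumption: the 3560/3560X needs the "routing" SDM template for PBR
! (takes effect after a reload).
sdm prefer routing
ip routing
!
! Step 1: identify the traffic. The deny keeps 10.10.10.x -> 10.10.20.x on the
! switch (inter-VLAN routing); drop it if the firewall should see that traffic.
ip access-list extended VLAN10-TO-FW
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
! Step 2: route map that matches the ACL and sets the VLAN 10 firewall
! interface as next hop. Traffic that does not match falls through to the
! normal routing table.
route-map PBR-VLAN10 permit 10
 match ip address VLAN10-TO-FW
 set ip next-hop 10.10.10.254
!
! Step 3: apply the policy on the interface where the traffic arrives, which
! is the SVI for VLAN 10 (the servers' gateway), not the link to the firewall.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map PBR-VLAN10
!
! Unchanged: VLAN 20 and anything not matched above use the default route.
ip route 0.0.0.0 0.0.0.0 10.10.20.254
```

show route-map PBR-VLAN10 reports the match counters, which is the quickest way to confirm VLAN 10 traffic is actually being policy-routed.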
RE: If you want something easy then I suggest that you make the connection(s) from the switch to the firewall be a separate routed subnet(s). That would be easy to do and would solve the issue.
I am starting to think that this would solve my issue and have inter-VLAN routing enabled on the switch. This is probably the only solution with the firewall that is currently in place. I should have linked the posts, but I am not sure how to do that; it's been some time since I was in the community. Thanks
I believe this is the correct answer however I do have a few questions about that config specifically.
When I create VLAN 30 for the single egress point to the firewall, do I make that a trunk port and allow VLANs 10 and 20 with native 30? Or do I issue the no switchport command?
There are several options of how you could implement this. Making the connection from the switch to the firewall into a trunk is not one that you should consider since it would still present most of the issues that were problems discussed in this thread. What you want to do is to have VLANs 10 and 20 to connect to the switch and to terminate on the switch. There should not be anything on the firewall that has any connection to either of these VLANs.
It would be fine to use the no switchport command and make the switch port a routed port in a separate subnet (and in this case you do not need VLAN 30). Or it would be fine to leave the switch port connecting to the firewall as an access port, assign the switch port to VLAN 30, and configure interface vlan 30 and assign the IP address to the VLAN interface. In either case you will need to configure a default route using the firewall as the next hop.
My personal preference would be for no switchport. But either of these alternatives should work fine.
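The no switchport option just described, as an added example configuration (not from the thread). The 10.10.30.0/30 link, port GigabitEthernet0/24 and the firewall address 10.10.30.2 are assumptions; the VLAN addressing is the thread's.

```cisco
! Added example, not from the thread: single routed uplink from the 3560X to
! the firewall. VLANs 10 and 20 terminate on the switch; the firewall has no
! interface in either VLAN, so its reverse-path check no longer rejects the
! traffic and inter-VLAN routing stays on the switch.
ip routing
ip classless
!
! SVIs are the servers' default gateways (10.10.10.1 and 10.10.20.1).
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Assumed port and /30: the uplink is a routed port, not an access or trunk
! port, so no VLAN 30 is needed.
interface GigabitEthernet0/24
 description Routed link to Internet firewall
 no switchport
 ip address 10.10.30.1 255.255.255.252
 no shutdown
!
! Single default route towards the assumed firewall address on the /30.
ip route 0.0.0.0 0.0.0.0 10.10.30.2
!
! Do not forget the other side: the firewall needs return routes for both
! server subnets via 10.10.30.1 (syntax depends on the firewall), e.g.
!   10.10.10.0/24 -> 10.10.30.1
!   10.10.20.0/24 -> 10.10.30.1
! and its policy should now reference 10.10.10.0/24 and 10.10.20.0/24 as
! sources arriving on the 10.10.30.2 interface.
```

After applying it, show ip route should list both VLAN subnets as connected plus the single S* default via 10.10.30.2, and a traceroute from either server should show its SVI then 10.10.30.2 as the first two hops.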