individual static routes in VLANS

Garry MacGregor
Occasional Contributor

We have a 8212 connected to multiple 54xx & 3500 switches.

We have 5 individual companies on the network and some require routing between VLANS. I finally have this working with ACLs to secure traffic and permit/deny.

The problem is that each of them would also like to use separate firewalls. I have set a global 0.0.0.0 0.0.0.0 FI.RE.WA.LL, and this is giving us access all together, but would prefer to be more accountable and surf via separate connections.
Matt79
Advisor

Re: individual static routes in VLANS

Hi Garry,

If you set the default gateway of all devices in each VLAN to their own specific firewall - attached to a port in their VLAN, then each company can use their own firewall.

Then on each firewall add static routes for any other required VLANs to bounce traffic back to your core switch :)

Kind regards,
Matt
Garry MacGregor
Occasional Contributor

Re: individual static routes in VLANS

Thanks Matt,

It is a real shame we can't do so. I must admit I had thought that was likely to be possible at this level of gear. I don't really want to load the firewall sending traffic back and forth at (max) gigabit speeds.

I guess I will investigate the VLAN options a bit further on the firewall.

One other thought I suppose would be to use the routing functionality on different switches - use the 8212 as the default for the network functionality, but use the 5412s for routing out the different organisations. We are using a 10G backbone.

My thinking would be to set the IP routing for each set of VLANs on different switches, and set the default 0000 route to a different VLAN on that particular switch.

Could that work?
Matt79
Advisor

Re: individual static routes in VLANS

You mean have routing enabled on numerous switches, each with its own default route to a particular firewall, and additional routes to the main core switch to reach the other subnets...

< pauses to think >

...I can't see why that wouldn't work, although it feels a little over-complicated. But I've just double-checked one of my switches and there definitely doesn't seem to be any option to add specific routes in the VLAN context.

Obviously each Edge switch (acting as the router for a set of VLANs) would have its own IP address, and then in addition the Core switch would also need an IP address in each of the VLANs.

The Edge switches can just forward everything (other than 0000) to the Core and all your ACLs can remain solely in the Core.

Yes that should work - although an overall neater / simpler solution might be to configure a single firewall with various different outbound policies based on the subnets.

That's what I do, and then the firewall monitors bandwidth / usage for each individual subnet, and can restrict bandwidth for each subnet individually - without having to be VLAN aware at all.

I use FortiGates although I'm sure all of the other enterprise level firewalls can do the same job.

Kind regards,
Matt
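The design Matt sketches in this reply (each edge switch routes one company's VLANs, points its default route at that company's firewall, and sends the other companies' subnets to the core, which holds an address in every VLAN) can be checked with a small longest-prefix-match model before touching any switch. The following is an added example, not configuration from the thread or from HPE; the VLAN numbers, subnets and next-hop addresses are constructed. It also makes one caveat visible: traffic between two VLANs that the same edge switch routes never reaches the core, so ACLs that live only on the core do not see it.

```python
"""Model of per-edge-switch routing: own VLANs connected, default route to
the company's own firewall, other companies' subnets via the core switch.

Added example; all addresses below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network


class RouteTable:
    """Minimal longest-prefix-match forwarding table for one Layer 3 switch."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, next_hop or None for connected, label)

    def add_connected(self, cidr, vlan):
        self.routes.append((ip_network(cidr), None, f"connected VLAN {vlan}"))

    def add_static(self, cidr, next_hop, label):
        self.routes.append((ip_network(cidr), ip_address(next_hop), label))

    def lookup(self, dst):
        """Return (next_hop, label); next_hop is 'connected' or 'drop' when no gateway applies."""
        dst = ip_address(dst)
        best = None
        for net, nh, label in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, label)
        if best is None:
            return ("drop", "no route")
        net, nh, label = best
        return ("connected", label) if nh is None else (str(nh), label)


# Constructed addressing plan (not from the thread):
#   Company A: VLAN 10 10.10.10.0/24 and VLAN 11 10.10.11.0/24, routed by edge-A
#   Company B: VLAN 20 10.20.20.0/24, routed by edge-B
#   In each VLAN the edge switch holds .1, the core holds .2, the firewall .254
COMPANY_A = [(10, "10.10.10.0/24"), (11, "10.10.11.0/24")]
COMPANY_B = [(20, "10.20.20.0/24")]


def build_edge(name, own_vlans, firewall, core_ip, other_subnets):
    """Edge switch: own VLANs connected, default to own firewall, rest via core."""
    t = RouteTable(name)
    for vlan, cidr in own_vlans:
        t.add_connected(cidr, vlan)
    t.add_static("0.0.0.0/0", firewall, "default to own firewall")
    for cidr in other_subnets:
        t.add_static(cidr, core_ip, "other company via core")
    return t


EDGE_A = build_edge("edge-A", COMPANY_A, "10.10.10.254", "10.10.10.2",
                    [cidr for _, cidr in COMPANY_B])
EDGE_B = build_edge("edge-B", COMPANY_B, "10.20.20.254", "10.20.20.2",
                    [cidr for _, cidr in COMPANY_A])


def crosses_core(edge, core_ip, dst):
    """True when this edge switch hands the packet to the core, i.e. when
    ACLs kept only on the core get a chance to inspect it."""
    next_hop, _ = edge.lookup(dst)
    return next_hop == core_ip


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.20.20.5", "10.10.11.7"):
        print("edge-A ->", dst, EDGE_A.lookup(dst),
              "via core:", crosses_core(EDGE_A, "10.10.10.2", dst))
```

Running the block shows that from edge-A an Internet destination leaves through company A's firewall, company B's subnet goes to the core, and VLAN 10 to VLAN 11 is forwarded locally without ever reaching the core's ACLs; any inter-VLAN policy inside one company therefore has to be applied on that company's edge switch.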