L3 switch > routing to firewall > firewall is doing the routing?!

xrowtenma
Occasional Visitor

Hey everyone

We have an L3 HP chassis switch with all our VLANs on it (along with interface IPs).

This switch has a 'route 0.0.0.0 0.0.0.0 GATEWAY IP' command in its config.

The 'ip routing' command is in the switch config.

We are noticing that our firewall (the gateway that our route is set to) seems to be routing internal traffic, as looking at its GUI the internal NIC is way more utilised than the external NIC (internet).

We've tried removing this route command, but then internet access drops for everyone, despite having the 'ip default-gateway' command too

What's strange is that when we unplug the cable between the switch and the firewall, the internal routing still works between VLANs.

It's as though the L3 switch isn't doing any routing whilst the route out is active, and when this drops it then routes itself

Is there any way to make the route out only be for internet traffic?

I can't see any route exceptions for internal subnets etc, and I can't imagine the config length required if we have to put several static routes in before and after our 10 x private subnets, it would be huge.

Any advice would be appreciated

There is no real issue, things work great, but it's wrong, the switch should only really be sending traffic out that it does not know about itself.

Thanks!

1 REPLY
parnassus
Honored Contributor

Re: L3 switch > routing to firewall > firewall is doing the routing?!

Hi!

When you wrote:

We are noticing that our firewall (the gateway that our route is set to) seems to be routing internal traffic, as looking at its GUI the internal NIC is way more utilised than the external NIC (internet)

are you also aware that your Firewall needs to have VLAN SVIs defined to be the router for them (or to know where the subnets are in order to route traffic to them)?

We've tried removing this route command, but then internet access drops for everyone, despite having the 'ip default-gateway' command too

That's on the Switch, that's the expected behaviour...it means that all clients that are losing their connectivity to the Internet are losing it because they have their default gateway set to point to the Core Switch (your L3 Router on the internal network), and when it loses its route of last resort to your Firewall (0/0 via firewall) it is pretty easy to understand what will happen.

You need to be exactly sure about the uplink between your Core Switch and your Firewall (VLAN membership included) too...it's not unusual to see a Firewall with its LAN interface placed on an internal subnet (routed by the Switch) instead of being connected to the Core Switch by means of a Transit VLAN (a /30 or /31 dedicated to one-to-one communication between your Core and your Firewall).

Also...the default gateway on a Layer 3 switch is useful only for the switch itself...since IP Routing is enabled, traffic managed by the Core is then routed by means of locally connected VLAN SVIs and static routing (including the Route of Last Resort), and the default gateway concept has no relevance for clients.

Is there any way to make the route out only be for internet traffic?

It already works that way: I mean, the Route of Last Resort (destination network: 0.0.0.0 subnet mask: 0.0.0.0 via Next Hop Gateway <your-Firewall-LAN-IP>) is used by your Core Switch to route all NON local networks (its VLAN SVIs) to any other network outside its control...then the Firewall will route received requests accordingly (considering its configuration).


I'm not an HPE Employee
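To illustrate the reply's point that the route of last resort only catches traffic no connected VLAN covers, here is an added Python simulation of a longest-prefix-match lookup over a constructed core-switch routing table; it is not code from the thread or from HPE, and the VLAN, transit and Internet addresses are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the core switch in the thread: connected VLAN SVIs,
# a /30 transit VLAN to the firewall, and one route of last resort (addresses assumed).
CORE_ROUTES = [
    # (destination prefix, next hop); next hop None = directly connected via an SVI
    (ip_network("10.0.10.0/24"), None),                   # VLAN 10 SVI
    (ip_network("10.0.20.0/24"), None),                   # VLAN 20 SVI
    (ip_network("10.0.255.0/30"), None),                  # transit VLAN to the firewall
    (ip_network("0.0.0.0/0"), ip_address("10.0.255.2")),  # 0/0 via the firewall LAN IP
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins,
    so a connected /24 always beats the 0/0 route of last resort."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def egress(routes, dst):
    """'connected' when the switch routes the packet itself, the next-hop IP when it
    hands off to the firewall, None when no route matches (packet is dropped)."""
    match = lookup(routes, dst)
    if match is None:
        return None
    _prefix, next_hop = match
    return "connected" if next_hop is None else str(next_hop)


def without_default_route(routes):
    """Model the OP removing the 0/0 route (or unplugging the firewall uplink)."""
    return [(p, nh) for p, nh in routes if p.prefixlen != 0]


if __name__ == "__main__":
    for dst in ("10.0.20.15", "198.51.100.10"):
        print(dst, "->", egress(CORE_ROUTES, dst))
    print("no 0/0, Internet:", egress(without_default_route(CORE_ROUTES), "198.51.100.10"))
    print("no 0/0, inter-VLAN:", egress(without_default_route(CORE_ROUTES), "10.0.10.5"))
```

Inter-VLAN destinations resolve to the connected SVIs with or without the default route, which matches the OP's observation that VLAN-to-VLAN traffic keeps flowing when the firewall uplink is unplugged; only destinations outside the switch's own subnets are sent to the firewall.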