adurotec_1
Advisor

5406zl/Firewall VLAN configuration

For my network I have my WAN terminated to a Sonicwall E5500 firewall. From the E5500 I have a 5406zl configured with a few VLANs, 1,10,20,30,40 & 50 and all my hosts are terminated to the 5406. I want routing to occur at the 5406 not my firewall. For security purposes I want to move the mgmt VLAN to VLAN10.

I started to configure IP addresses for the VLAN interfaces on the 5406 and did so using the web gui so I could see what the default settings were as I muddled through the CLI, but am confused as to the proper configuration. With IP routing not enabled the only default gateway is the one assigned to the default vlan. I know without IP routing enabled vlan-to-vlan communication will not occur, but will the other vlans use this as the default gateway out to my firewall?

When i enable IP routing I notice that each VLAN now can be assigned a default gateway. What does the default gateway for each vlan need to be? Is this the IP of an interface that is capable of passing traffic towards my WAN?

Since at the moment the only route to my firewall is through the default VLAN, do I need to create a new subnet just to pass traffic back and forth between the firewall and the switch, and would this be a port on the switch that is tagged with all available VLANs?

As it stands I have my E5500 configured with a physical interface that has VLAN subinterfaces, one for each VLAN I configured on the 5406. I assigned the first IP in a subnet to the 5406 VLAN interface and the next IP to the E5500 VLAN interface.

Guess my biggest confusion is how I route traffic to the E5500 from multiple VLANs and not do it using the mgmt VLAN.

Thanks,

David
Michael_Breuer
Esteemed Contributor
Solution

Re: 5406zl/Firewall VLAN configuration

Hi David,

If you want your switch to operate as an L3 routing switch, use the "ip routing" command to enable inter-VLAN routing. The command "ip default-gateway" is only applicable if you are using the switch in layer 2 mode. In your case you have to use the "ip route" command to point to your firewall. Best practice is to use a dedicated transfer VLAN (e.g. VLAN 60) with only two IPs: the firewall and the routing switch. On the switch you can route between VLANs 10-50, and then you have a static (default) route to the IP address of the firewall within VLAN 60. On the firewall you have to use static routes for the IP subnets of VLANs 10-50 in the opposite direction.

Hope this will help.

Cheers,

Michael
Ingentive Networks GmbH
adurotec_1
Advisor

Re: 5406zl/Firewall VLAN configuration

Michael,

Thank you for the information, it was a big help. I currently have the new VLAN configured between the FW and my switch per your recommendation.

I turned on routing on the switch and I set the default route for the switch to be the IP of the FW interface that is within this new VLAN. I can ping the FW from the switch, ping a site on the Internet from the switch, and I can ping from the FW to the switch. I can also ping the IP of each VLAN interface.

However I am not able to ping a host assigned to a VLAN, nor is a host able to ping out of the VLAN (Internet or other VLAN). The host can't ping anything other than the IP assigned to the switch's VLAN interface for the VLAN it is part of.

Any ideas?

Thanks,
David
Shadow13
Respected Contributor

Re: 5406zl/Firewall VLAN configuration

Issue the command tracert (IP address of the FW)

and check where the trace stops.

Also, I think he recommended that you use static routes on the FW pointing to the VLANs on the switch. Have you done that?

Regards
adurotec_1
Advisor

Re: 5406zl/Firewall VLAN configuration

I had created a route on my firewall for 10.200.0.0/16 since I am using contiguous subnets such as 10.200.1.0/24 etc. Since I am able to ping the VLAN interface IP from the firewall, wouldn't that indicate I have a route from my firewall to all the VLANs on my switch?

My network is set up as such:

10.200.5.0/29 is the VLAN between my FW and my switch; VLAN500 (actually there are two switches LACP trunked together via two 10Gb fiber links). IP 10.200.5.1 is assigned to my FW, 10.200.5.5 is assigned to switch 1, 10.200.5.6 is assigned to switch 2.

VLAN 1 (not using it, but it's defined) has 10.200.1.0/26, switch 1 is assigned 10.200.1.1 and switch 2 is assigned 10.200.1.2.

VLAN 10 has 10.200.1.64/26, switch 1 is assigned 10.200.1.65 and switch 2 is assigned 10.200.1.66.

VLAN 20 has 10.200.2.0/26, switch 1 is assigned 10.200.2.1 and switch 2 is assigned 10.200.2.2.

VLAN 30 has 10.200.2.64/26, switch 1 is assigned 10.200.2.65 and switch 2 is assigned 10.200.66.

VLAN 40 has 10.200.3.0/26, switch 1 is assigned 10.200.3.2 and switch 2 is assigned 10.200.3.2.

VLAN 50 has 10.200.3.64/26, switch 1 is assigned 10.200.3.65 and switch 2 is assigned 10.200.3.66.

VLAN 60 has 10.200.4.0/24, switch 1 is assigned 10.200.4.1 and switch 2 is assigned 10.200.4.2.

I am offsite so I will have to wait to traceroute from a host.

This is what I have so far:

ping from a host to the VLAN interface IP of the VLAN the host is part of - successful

ping from a host to the VLAN interface IP of another VLAN - fail

ping from the firewall to all interface IPs of all VLANs - successful

ping from the firewall to a host in a VLAN - fail

ping from both switches to the firewall - pass

ping from the switches to the Internet - pass

David
Shadow13
Respected Contributor

Re: 5406zl/Firewall VLAN configuration

Hmm, I am not sure, but this is a routing issue. It seems that routing between VLANs is not working fine. What routing settings have you configured on the switches?
Michael_Breuer
Esteemed Contributor

Re: 5406zl/Firewall VLAN configuration

Hi David,

If you are using 2 switches you are running VRRP between the switches, aren't you? Check whether all virtual IPs are sitting on the master (otherwise they are not pingable).
The best way is to check the MAC, ARP and routing tables of the involved hosts:
sh mac
sh arp
sh ip route

Also check the default GW of the PC.

Cheers,

Michael
Ingentive Networks GmbH
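The address plan David posted above, Michael's transfer-VLAN design (default route on the switch pointing at the firewall, static routes on the firewall back to the user subnets) and the VRRP point in this last reply can all be checked mechanically before anyone touches a switch. The script below is an added example and is not code from the thread or from HPE; it embeds the plan exactly as posted (including the address written as "10.200.66" and the 10.200.3.2 assigned to both switches in VLAN 40) and reports what a practitioner would want flagged. The ProCurve-style CLI lines it renders are assumed syntax for the 5406zl and should be verified against your software release.

```python
"""Sanity checks for an L3-switch-pair-behind-a-firewall address plan.

Added example, not code from the thread. It encodes the VLAN plan David
posted, Michael's design (dedicated transfer VLAN, default route on the
switch to the firewall, static routes on the firewall back to the user
subnets) and the VRRP point, and reports what a practitioner would want
flagged before touching the switches. The ProCurve CLI lines rendered at
the end are assumed syntax; verify against your software release.
"""
from ipaddress import ip_address, ip_network

# Plan exactly as posted (constructed from the thread; "10.200.66" and the
# repeated 10.200.3.2 are copied as written, not corrected).
VLANS = {
    500: ("10.200.5.0/29", ["10.200.5.5", "10.200.5.6"]),   # transfer VLAN to the E5500
    1:   ("10.200.1.0/26", ["10.200.1.1", "10.200.1.2"]),
    10:  ("10.200.1.64/26", ["10.200.1.65", "10.200.1.66"]),
    20:  ("10.200.2.0/26", ["10.200.2.1", "10.200.2.2"]),
    30:  ("10.200.2.64/26", ["10.200.2.65", "10.200.66"]),
    40:  ("10.200.3.0/26", ["10.200.3.2", "10.200.3.2"]),
    50:  ("10.200.3.64/26", ["10.200.3.65", "10.200.3.66"]),
    60:  ("10.200.4.0/24", ["10.200.4.1", "10.200.4.2"]),
}
TRANSFER_VLAN = 500
FIREWALL_IP = "10.200.5.1"            # E5500 address in the transfer VLAN
FIREWALL_ROUTES = ["10.200.0.0/16"]   # static route(s) on the E5500 toward the switches
VRRP_VIPS = {}                        # vlan -> virtual IP; empty = no VRRP (David's initial state)


def check_plan(vlans=VLANS, transfer=TRANSFER_VLAN, fw_ip=FIREWALL_IP,
               fw_routes=FIREWALL_ROUTES, vips=VRRP_VIPS):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    seen = {}                          # ip -> vlan, for duplicate detection
    routes = [ip_network(r) for r in fw_routes]

    def note(vid, msg):
        findings.append(f"vlan {vid}: {msg}")

    for vid, (net_s, addrs) in vlans.items():
        net = ip_network(net_s)
        candidates = list(addrs) + ([vips[vid]] if vid in vips else [])
        for a in candidates:
            try:
                ip = ip_address(a)
            except ValueError:
                note(vid, f"malformed address {a!r}")
                continue
            if ip not in net:
                note(vid, f"{ip} is not inside {net}")
            if ip in seen:
                note(vid, f"{ip} duplicates an address already used in vlan {seen[ip]}")
            seen[ip] = vid
        if vid == transfer:
            continue
        # Michael's point: the firewall needs a route back to every user subnet.
        if not any(net.subnet_of(r) for r in routes):
            note(vid, f"firewall has no static route covering {net}")
        # Two routers in one VLAN with no shared gateway address: hosts pick one
        # real IP as default gateway and the other switch cannot take over.
        if len(addrs) > 1 and vid not in vips:
            note(vid, "two router addresses but no VRRP virtual IP for hosts to use")

    # The switch default route next hop must be reachable on the transfer VLAN.
    tnet = ip_network(vlans[transfer][0])
    if ip_address(fw_ip) not in tnet:
        note(transfer, f"firewall {fw_ip} is not inside transfer subnet {tnet}")
    if ip_address(fw_ip) in seen:
        note(transfer, f"firewall {fw_ip} collides with a switch address")
    return findings


def render_switch_config(idx, vlans=VLANS, fw_ip=FIREWALL_IP):
    """ProCurve-style CLI for switch number idx (0 or 1). Syntax is assumed."""
    lines = ["ip routing"]              # L3 mode; "ip default-gateway" is L2-only
    for vid, (net_s, addrs) in sorted(vlans.items()):
        mask = ip_network(net_s).netmask
        lines += [f"vlan {vid}", f"   ip address {addrs[idx]} {mask}", "   exit"]
    lines.append(f"ip route 0.0.0.0 0.0.0.0 {fw_ip}")   # default route toward the E5500
    return lines


if __name__ == "__main__":
    for finding in check_plan():
        print(finding)
    print("\n".join(render_switch_config(0)))
```

Run as posted, the checker reports the malformed VLAN 30 address, the duplicated 10.200.3.2 in VLAN 40, and one "no VRRP virtual IP" finding per user VLAN, which is exactly the state David describes before VRRP was configured; it reports no missing firewall route, because 10.200.0.0/16 covers every subnet in the plan. Once the typos are corrected and a VRRP virtual IP is supplied for each user VLAN, the finding list is empty.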
adurotec_1
Advisor

Re: 5406zl/Firewall VLAN configuration

Michael,

Not having VRRP configured was my issue, and I see why now that you pointed it out: both switches were "competing" for the routing of packets.

So now I have all my VLANs defined, VRRP running, MSTP running, and everything seems OK so far.

Thanks for all the help from everyone!!
adurotec_1
Advisor

Re: 5406zl/Firewall VLAN configuration

VRRP saved the day.