Routing issue

hi all

Looking for advice about VLANs and routing.
We are using VLANs at our sites. The goal is to make sure that clients from different VLANs will get security and internet.

I am using a 3Com L3 switch with 3 VLAN interfaces configured.
From the L3 switch I connected the FW's 3 legs (but the FW is VLAN-unaware).
Every VLAN will eventually have to go through the FW and from it to the Cisco router.

vlan 1  \
vlan 10 --- cmm --- L/3 trunk port ----- FW ---- Router
vlan 12 /

The DG of the client stations is configured to the respective L3 VLAN interface.

I also configured a static route 0.0.0.0 0.0.0.0 to the FW, which belongs to VLAN 1.

I can ping between the VLANs, but I can't reach the FW if I try from VLAN 12 or 10.

any advice?

Thanks

The switch port connected to the CMM should be set up as a trunk port, which it sounds like it is, and the port connected to the FW should be set up as an access port with all three VLANs added.

Depending on how the firewall works, you may want your default route in the switch pointing to the router.

That's right!

This is exactly what I did:
point all packets that can't be found in the routing table of the 3Com to the DG
of the firewall (which is configured as an access port).

So I'm doing it correctly; probably I made a mistake in the VLAN interface configuration.

thank you

tlsarles wrote:
The switch port connected to the CMM should be set up as a trunk port, which it sounds like it is, and the port connected to the FW should be set up as an access port with all three VLANs added.

Depending on how the firewall works, you may want your default route in the switch pointing to the router.

Thanks,

I still have a problem.
You said the port connected to the FW should be configured as an access port with all three VLANs added.
But an access port can belong to only one VLAN. I can't add multiple VLANs like on a trunk port.
Did you mean that the port connected to the FW also needs to be a trunk? In that case the FW will discard all packets which don't belong to the native VLAN because it's a VLAN-unaware device.
Any idea?

Well, the FW does not do VLANs, so it can't be trunked.

So when I think about it… you would likely need to do something like…

VLANs - - - CMM - - - Trunk Port [L3] Access Port Per VLAN - - L2 Switch - - FW

Which seems to defeat the purpose. I would say scrap the VLANs altogether. If people are really worried about security, offer consulting to secure their internal network, or just NAT the SM. In any case we filter SAMBA, multicast, and BootP server on all SMs. Security is their issue. The VLANs only secure them from others on your network anyhow, which is a small % of what they are exposed to by being on the internet.

If you really want to do what you're trying to do, I think you will need a FW that is VLAN-aware. If you have a Cisco router, get an IOS image with firewall and remove the extra hop from your network.

You need a VLAN-aware FW like MikroTik, or set up the VLAN subnets in the L3 switch. All of our network is VLANed using MikroTik routers/FWs.

SM ~~ AP -- CMM -- L2 Switch -- MK Router

The ports on the L2 switch are set as trunked; the ports on the MikroTik router have multiple VLANs attached.

Gino

Thank you for the reply.

I would like to share with you my solution based on our equipment:

SM -- AP -- CMM -- L3 switch -- FW

So the trick is to set up 3 VLAN interfaces on the L3 switch and configure a static route on the L3 switch pointing to the FW as the gateway. The L3 switch will examine every packet based on its destination and route it by its routing table, and if the destination is not in the routing table it will use the static route as the DG.

Thanks all

The problem was solved.
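As an added illustration of the solution above (not configuration from the thread), this is what it looks like on a Comware-style CLI of the kind the 3Com 4500/5500 family uses; the switch model, port numbers and all addresses are assumed, and the closing comments note the return routes the firewall needs, which the thread does not spell out.

```text
# Assumed addressing (constructed for this example):
#   vlan 1   192.168.1.0/24    switch 192.168.1.1    firewall inside leg 192.168.1.254
#   vlan 10  192.168.10.0/24   switch 192.168.10.1
#   vlan 12  192.168.12.0/24   switch 192.168.12.1
system-view
vlan 10
quit
vlan 12
quit
# Trunk towards the CMM: carries all three VLANs tagged (VLAN 1 is the PVID)
interface Ethernet 1/0/1
 port link-type trunk
 port trunk permit vlan 1 10 12
quit
# Port towards the VLAN-unaware firewall: plain access port, untagged, VLAN 1 only
interface Ethernet 1/0/2
 port link-type access
 port access vlan 1
quit
# One routed interface per VLAN; clients in each VLAN use it as their default gateway
interface Vlan-interface 1
 ip address 192.168.1.1 255.255.255.0
quit
interface Vlan-interface 10
 ip address 192.168.10.1 255.255.255.0
quit
interface Vlan-interface 12
 ip address 192.168.12.1 255.255.255.0
quit
# The switch routes between the three VLANs itself (connected routes);
# anything else falls through to the default route and goes to the firewall
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
# On the firewall (syntax is vendor-specific), add the reverse routes:
#   192.168.10.0/24 via 192.168.1.1
#   192.168.12.0/24 via 192.168.1.1
# Without them the firewall only knows 192.168.1.0/24 and its replies to
# VLAN 10 and VLAN 12 hosts have no route back through the switch.
```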
