nainasipra
asked on
How to stop inter-VLAN routing on Nexus 5548?
Dear Experts,
I have a Nexus 5548 and VLAN interfaces are configured on it for HSRP purposes. I want to stop inter-VLAN routing and allow VLAN-to-VLAN routing only via the firewall.
How can I stop inter-VLAN routing on the Nexus, or allow it between a few VLANs and route the rest of the VLANs via the firewall?
Thanks
You can disable inter VLAN routing with the command "no ip routing". This command may impact the HSRP configuration though, so review the configuration of the Nexus carefully before applying that command.
ASKER
Dear Don,
I have two Nexus switches and HSRP is working on them. What I want to do now: I have multiple VLANs and I don't want to allow them to communicate with each other, but all VLANs have to communicate with the servers,
but with the server VLAN only on specific protocols or port numbers. I have checked on my Nexus; even the service object is not supported, so I cannot have a service-based ACL.
Or I can stop this inter-VLAN routing and let them communicate via the firewall only.
I have attached a diagram for reference, please have a look.
I want the SERVER VLAN and VOICE VLAN to communicate directly, but the rest of the VLANs should communicate with the SERVER only via the firewall.
How could this be possible? Please help.
Thanks
No diagram is attached.
There's only one 5548 in the diagram. I thought you said that you had two?
ASKER
Dear Don,
Yes, I have two; please consider this as a logical diagram. Even a diagram with two 5548s will not make a difference, because the rest of the cabling and configuration is the same.
Thanks,
"Even two 5548 diagram will not make difference because rest of all cabling and configuration is same."
It might not make any difference to you, but it does to me. In order to understand what you're attempting to do, an understanding of the network is required.
You want to disable routing to force traffic to be routed by the firewall, right?
Which begs the question of why is the 5548 doing any routing in the first place?
The bottom line is that HSRP is a layer 3 protocol (Hot Standby Routing Protocol), which means that routing must be enabled for HSRP to provide its functionality. So at the most basic level, what you are asking is contradictory. It would be like me saying "I want to run a routing protocol but I don't want the routers talking to each other." You can't have one without the other.
ASKER
Dear Don,
Thank you so much for explaining; I understand totally. My objective in using the firewall for routing is only to filter traffic for the servers VLAN. How can I filter traffic for the servers VLAN without the firewall? Filtering e.g. some ports or protocols (almost 40 to 50 different ports to allow only for the servers VLAN).
Is there any other way, if the service object ACL is not supported by the Nexus 5548?
And this is why I asked for the full diagram.
If your topology and firewalls support it, put them into an HSRP or Active/Standby configuration. Disable ip routing on the 5500's and let the firewalls do all inter-VLAN routing.
ASKER
Dear Don,
My Nexus does not support service-based ACLs; that's why I want to do it by firewall, but for the Nexus I want redundancy as well. And the second thing is that the Voice VLAN and Servers VLAN should communicate directly, without the firewall.
Suppose we forget about HSRP: is it possible without HSRP that two VLANs can route but the rest of the VLANs route via the firewall only, as per the same attached diagram with one Nexus and one firewall?
thanks
ASKER
I am considering VRF. I need help with what the static routes will be on the VRF zone and the global zone.
"I need help what will be the static routes on VRF zone and Global Zone."
I'm sorry. I don't understand what you're asking. If you want to know about creating static routes, then there is not nearly enough information available to answer that question.
ASKER
Dear Don,
As per the given diagram.
My question is: suppose I have created VRF VLAN10; now VLAN 10 is isolated, so how will the traffic go to the firewall? What will be the route leaking procedure?
Is the static route "0.0.0.0/0 192.168.1.1" OK, or do I need more configuration?
thanks
If you want to remove the VLAN routing from your Nexus, just remove the VLAN IP address from it and put the IP address as an "interface" on the firewall/router.
It can't route to the VLAN if it is not the VLAN router.
what firewall are you using?
ASKER
Fortinet 600C UTM
I want to use the VLAN IP for the VLAN gateway; any other solution? Suggestions please.
I’m a little confused by what you want.
Correct me if I’m wrong.
You don’t want the VLANs to communicate at the NEXUS level?
You want the VLANs to have the routing handled by the FortiGate?
^ If right, why not put the VLAN IP for the VLAN gateway on the FortiGate,
basically turning the Nexus into a switch for all but the HSRP traffic?
"^if right why not put the VLAN ip for the VLAN gateway on the FortiGate"
That's what I said a while back.
"basically turning the NEXUS to a switch for all but the HSRP traffic"
If the Nexus isn't routing then HSRP is irrelevant.
Don, maybe he's got other plans or we are not understanding the question correctly.
I know that voids out HSRP.
The author has mentioned "can allow between few vlans and rest of all vlans via firewall".
Maybe they have a secret network they don't want people to know about that will be using the HSRP
Well, there's clearly more to this than we're aware of. :-)
ASKER
Dear Don,
Let me clear it up: I have multiple VLANs for different departments, one VLAN for servers and one VLAN for VOICE. Now what I want is that the VLANs can't route to each other; there should only be routing from the VLANs to the server VLAN. The next step is that routing to the server VLAN is limited, not all traffic.
As I have already mentioned, I want to allow almost 40-50 ports/protocols from the user VLANs to the server VLAN.
How can I do this?
If I use VRF, what will the route leaking configuration be?
Please suggest.
Thanks
I'm not sure what this means:
"Now next step is that Routing to Server VLAN but limited not all."
Have you considered private VLANs? You could put all the departments in an isolated VLAN and the server in a promiscuous VLAN. Then you could use ACLs to limit the type of traffic between departments and servers.
ASKER
Hi Don,
Yes, I have considered private VLANs; the issues I face:
1)- My Nexus switches support private VLANs but my access layer switches do not; does that have an effect?
2)- What ACL to filter the traffic? For the ACL the issue will be the same again: it does not support service object ACLs, so how do I filter only 40-50 protocols/ports?
Thanks,
ASKER
"Now next step is that Routing to Server VLAN but limited not all. "
It means only 40-50 ports/protocols are allowed to route between the servers VLAN and the user VLANs; all other traffic must be blocked.
Okay, why not have a VACL on the Nexus? That way you still get the most out of HSRP and you can restrict that way.
It suddenly occurred to me: why didn't I recommend that in the first instance, oops.
ASKER
Dear Stolsie,
Even with a VACL, you still have to use an IP access list, so how can you filter only 40-50 protocols? Need your suggestion please.
thanks
"My Nexus Switches support private VLAN but not Access Layer Switches, does it effect ?"
No. But you won't be able to use VTP (if you are).
"what ACL to filter traffic, for ACL issue will be same again that its not support Service Object ACL and how to filter only 40-50 protocols/ports?"
An extended, routed ACL would be used. If you still don't want to do that, then you can either replace the 5500 with a 7004 (which supports object groups) or let the firewall handle all the routing (I'm assuming that your firewall has some type of object group capability).
ASKER
If the firewall does everything, then my Nexus switches are doing nothing. I want to use the Nexus as well and want to reduce the load on the firewall. The firewall is a UTM device and is doing many, many other jobs as well, including VPN, IPS/IDS, web filtering etc.
thanks
Then you're going to have to use ACL's.
When I said VACL, you can create extended VACLs (UDP/TCP rules), but it is going to be messy if you want to allow up to 50 protocols, and at a guess the ranges will be all over the show.
You might be better off having the Windows firewall block access to services on the server and leave the UTM firewall rules to handle external traffic.
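Building the extended ACL that Don and Stolsie describe, as an added example that is not from the thread: a short Python generator for the entries a Nexus 5548 needs when it has no object-groups (one entry per protocol/port, with contiguous ports collapsed into `range` entries). The subnets, VLAN ID, ACL name and port list are constructed, and it assumes NX-OS named extended ACL syntax bound with `ip access-group ... in` on the SVI.

```python
# Added example (not from the thread): emit the extended IP ACL that the
# discussion describes for a Nexus 5548, which has no object-groups, so every
# protocol/port pair needs its own entry. Contiguous ports are collapsed into
# `range` entries to keep a 40-50 port list manageable. Subnets, VLAN ID,
# ACL name and port list below are constructed placeholders.

def collapse_ranges(ports):
    """Sort and de-duplicate port numbers, then merge consecutive ports
    into (low, high) runs, e.g. [80, 443, 445, 444] -> [(80, 80), (443, 445)]."""
    runs = []
    for port in sorted(set(ports)):
        if runs and port == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], port)
        else:
            runs.append((port, port))
    return runs

def build_acl(name, users, servers, allowed, other_user_vlans):
    """Return NX-OS config lines for an inbound ACL on the user VLAN SVI:
    permit only the listed TCP/UDP destination ports towards the server
    subnet, block everything else to servers and to the other user VLANs,
    and let the remainder (default route towards the firewall) through."""
    lines = [f"ip access-list {name}",
             # Keep HSRP v1 hellos (UDP 1985 to 224.0.0.2) flowing; v2 uses
             # 224.0.0.102. Precaution so the ACL cannot break the HSRP pair.
             f"  10 permit udp {users} host 224.0.0.2 eq 1985"]
    seq = 20
    for proto in sorted(allowed):          # "tcp" before "udp"
        for low, high in collapse_ranges(allowed[proto]):
            match = f"eq {low}" if low == high else f"range {low} {high}"
            lines.append(f"  {seq} permit {proto} {users} {servers} {match}")
            seq += 10
    lines.append(f"  {seq} deny ip {users} {servers}")   # rest to servers
    seq += 10
    for subnet in other_user_vlans:        # no inter-department routing
        lines.append(f"  {seq} deny ip {users} {subnet}")
        seq += 10
    lines.append(f"  {seq} permit ip {users} any")       # towards firewall
    return lines

def apply_to_svi(vlan_id, name):
    """Config lines that bind the ACL inbound on the routed VLAN interface."""
    return [f"interface Vlan{vlan_id}", f"  ip access-group {name} in"]

# Constructed sample: department VLAN 10 talking to the server VLAN.
USERS, SERVERS = "10.10.0.0/24", "10.100.0.0/24"
OTHER_USERS = ["10.11.0.0/24", "10.12.0.0/24"]
ALLOWED = {"tcp": [53, 80, 443, 445, 3389, 135, 136, 137, 138, 139],
           "udp": [53, 123, 137, 138]}

if __name__ == "__main__":
    acl = build_acl("USERS10-TO-SERVERS", USERS, SERVERS, ALLOWED, OTHER_USERS)
    print("\n".join(acl + apply_to_svi(10, "USERS10-TO-SERVERS")))
```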
ASKER
Could not find a solution.
As per my thinking, maybe an additional license is required to support SERVICE OBJECT ACLs on the Nexus 5548,
OR it is not supported at all and only the 7000 series supports SERVICE OBJECTs.
thanks
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for nainasipra's comment #a40786603
for the following reason:
could not find proper answer
The question was how to stop routing and allow HSRP.
It was explained that this can't be done and alternatives were provided (ACLs, VRFs and private VLANs).
ASKER
Hi Don,
These are surely alternatives, but the request was how to do it on the Nexus 5548.
How to allow only 40-50 protocols/ports:
1 - Service object ACLs are not supported by my Nexus.
2 - VRF route leaking is not supported as well.
3 - Private VLANs look acceptable, but my access layer switches do not support private VLANs, so how to do it?
Still looking for a solution and wondering how I can do this.
thanks
I have never heard of a switch that can't do VLANs; I think you have a bridge.
As for a license for ACLs, not heard of that either.
ACL config
1) ACL's are supported on 5500's. If you want to stop inter-VLAN routing, you can. Sorry if it's a lot of typing.
2) Inter-VRF traffic can be allowed with route maps.
3) Private VLAN's don't have to be supported on the access switches to accomplish your stated goals.
ASKER
Dear Don,
First of all, sorry for the late reply, and thank you so much for your help throughout.
I want to use the private VLANs feature but am confused about how I can use it.
It will work with my core switches, that is OK, but I have doubts about the edge switch configuration:
Edge switch (Cisco 2960S):
1)- What type of port will be used from core to edge and vice versa, like trunk or promiscuous?
2)- What will the port configuration be on the edge switches?
e.g.
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# switchport mode private-vlan promiscuous
switch(config-if)# switchport private-vlan mapping 5 109
This kind of port configuration is not supported on edge switches.
Thanks in advance; I need your suggestions please.
Not sure what access or edge switches have to do with this. You were saying that you wanted to stop inter-VLAN traffic on the 5500. Are you saying that the 2960S is routing traffic as well? If so, then you're out of luck as the 2960s don't support Private VLANs.
If not, then the access or edge switches are irrelevant.
Make all the VLANs you don't want to talk to each other isolated. Make the port going to the firewall promiscuous.
ASKER
OK, I can do this on the core switch; then on the edge switches which VLANs will there be, and what will the gateway be for the user VLANs on the edge switches, as I know there will be no interface IP other than the primary VLAN?
Will the isolated VLANs on the core switch and edge switches have the same VLAN ID?
thanks
I'm not sure I understand why you keep referring to the edge switches. Private VLANs are locally significant.
Can you elaborate on what you're trying to accomplish? For example, do you want to limit routing between specific VLANs?