nainasipra
asked:
How to stop inter-VLAN routing on a Nexus 5548?

Dear Experts,

I have a Nexus 5548 and VLAN interfaces are configured on it for HSRP purposes. I want to stop inter-VLAN routing and allow VLAN-to-VLAN routing only via the firewall.
How can I stop inter-VLAN routing on the Nexus, or allow it between a few VLANs and route all the other VLANs via the firewall?

Thanks
Don Johnston

If you're running HSRP on the 5548, then you must have routing enabled.  Otherwise, HSRP is pointless.

Can you elaborate on what you're trying to accomplish? For example, do you want to limit routing between specific VLANs?
eeRoot

You can disable inter-VLAN routing with the command "no ip routing". This command may impact the HSRP configuration though, so review the configuration of the Nexus carefully before applying that command.
nainasipra (asker):
Dear Don,

I have two Nexus switches and HSRP is working on them. Now, what I want to do is this: I have multiple VLANs and I don't want to allow them to communicate with each other, but all VLANs do have to communicate with the server VLAN,
and with the server VLAN only on specific protocols or port numbers. I have checked on my Nexus and it does not even support service objects, so I cannot have a service-based ACL.
Or I can stop this inter-VLAN routing and let them communicate via the firewall only.

I have attached a diagram for reference; please have a look.
I want the SERVER VLAN and VOICE VLAN to communicate directly, but all the other VLANs should communicate with the SERVER VLAN only via the firewall.
How could this be done? Please help.

Thanks
No diagram is attached.
Dear Don,

Please find attachment.

Thanks
network-diag.png
There's only one 5548 in the diagram. I thought you said that you had two?
Dear Don,

Yes, I have two; please consider this a logical diagram. Even a diagram with two 5548s will make no difference, because all the rest of the cabling and configuration is the same.

Thanks,
Even a diagram with two 5548s will make no difference, because all the rest of the cabling and configuration is the same.
It might not make any difference to you, but it does to me. In order to understand what you're attempting to do, an understanding of the network is required.

You want to disable routing to force traffic to be routed by the firewall, right?

Which begs the question of why the 5548 is doing any routing in the first place.

The bottom line is that HSRP is a layer 3 protocol (Hot Standby Routing Protocol), which means that routing must be enabled for HSRP to provide its functionality. So at the most basic level, what you are asking is contradictory. It would be like me saying "I want to run a routing protocol but I don't want the routers talking to each other." You can't have one without the other.
Dear Don,

Thank you so much for explaining; I understand completely. My objective in using the firewall for routing is only to filter traffic for the servers VLAN. How can I filter traffic for the servers VLAN without the firewall? Filtering, e.g., some ports or protocols (almost 40 to 50 different ports to allow only for the servers VLAN).
Is there any other way, if service object ACLs are not supported by the Nexus 5548?
Is there any other way, if service object ACLs are not supported by the Nexus 5548?

And this is why I asked for the full diagram.

If your topology and firewalls support it, put them into an HSRP or Active/Standby configuration. Disable IP routing on the 5500s and let the firewalls do all inter-VLAN routing.
Dear Don,

My Nexus does not support service-based ACLs; that's why I want to do it with the firewall, but for the Nexus I want redundancy as well. And the second thing is that the voice VLAN and servers VLAN should communicate directly without the firewall.
Suppose we forget about HSRP: is it possible, without HSRP, for two VLANs to route to each other while all the other VLANs route via the firewall only, as per the same attached diagram with one Nexus and one firewall?

Thanks
ASKER CERTIFIED SOLUTION (Don Johnston; the solution text is members-only and is not shown here)
I am considering VRFs. I need help with what the static routes will be in the VRF zone and the global zone.
I need help with what the static routes will be in the VRF zone and the global zone.
I'm sorry. I don't understand what you're asking. If you want to know about creating static routes, then there is not nearly enough information available to answer that question.
Dear Don,
As per the given diagram.
My question is: suppose I have created VRF VLAN10; now VLAN10 is isolated, so how will the traffic go to the firewall? What will be the route leaking procedure?
Is a static route OK ("0.0.0.0/0 192.168.1.1"), or do I need more configuration?

thanks
If you want to remove the VLAN routing from your Nexus, just remove the VLAN IP address from it and put the IP address as an "interface" on the firewall/router.
It can't route to the VLAN if it is not the VLAN router.
What firewall are you using?
Fortinet 600C UTM
I want to use the VLAN IP as the VLAN gateway. Any other solution? Suggestions please.
I'm a little confused by what you want.
Correct me if I'm wrong.
You don't want the VLANs to communicate at the Nexus level?
You want the VLANs to have the routing handled by the FortiGate?
^ If right, why not put the VLAN IP for the VLAN gateway on the FortiGate,

basically turning the Nexus into a switch for all but the HSRP traffic.
^ If right, why not put the VLAN IP for the VLAN gateway on the FortiGate,
That's what I said a while back.

basically turning the Nexus into a switch for all but the HSRP traffic.
If the Nexus isn't routing, then HSRP is irrelevant.
Don, maybe he's got other plans or we are not understanding the question correctly.
I know that voids out HSRP.
The author has mentioned "can allow between few vlans and rest of all vlans via firewall".
Maybe they have a secret network they don't want people to know about that will be using the HSRP.
Well, there's clearly more to this than we're aware of. :-)
Dear Don,

Let me clarify: I have multiple VLANs for different departments, one VLAN for servers and one VLAN for voice. Now, what I want is that the VLANs can't route to each other, but there should be routing from the VLANs to the server VLAN only. The next step is that routing to the server VLAN should be limited, not everything.
As I have already mentioned, I want to allow almost 40-50 ports/protocols from the user VLANs to the server VLAN.
How can I do this?
If I use VRFs, what will be the route leaking configuration?
Please suggest.

Thanks
I'm not sure what this means:
The next step is that routing to the server VLAN should be limited, not everything.

Have you considered private VLANs? You could put all the departments in an isolated VLAN and the server in a promiscuous VLAN. Then use ACLs to limit the type of traffic between departments and servers.
Hi Don,
Yes, I have considered private VLANs; these are the issues I face:
1) My Nexus switches support private VLANs but the access layer switches do not; does that matter?
2) What ACL to filter the traffic? For the ACL the issue will be the same again: it does not support service object ACLs, so how do I filter only 40-50 protocols/ports?

Thanks,
"The next step is that routing to the server VLAN should be limited, not everything."
It means only 40-50 ports/protocols are allowed to route between the servers VLAN and the user VLANs; all other traffic must be blocked.
OK, why not have a VACL on the Nexus? That way you still get the most out of HSRP and you can restrict that way.
It suddenly occurred to me: why didn't I recommend that in the first instance? Oops.
Dear Stolsie,

Even with a VACL, you still have to use an IP access list, so how can you filter only 40-50 protocols? I need your suggestion please.

thanks
My Nexus switches support private VLANs but the access layer switches do not; does that matter?
No. But you won't be able to use VTP (if you are).
What ACL to filter the traffic? For the ACL the issue will be the same again: it does not support service object ACLs, so how do I filter only 40-50 protocols/ports?
An extended, routed ACL would be used. If you still don't want to do that, then you can either replace the 5500 with a 7004 (which supports object groups) or let the firewall handle all the routing (I'm assuming that your firewall has some type of object group capability).
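As an added illustration of the extended, routed ACL Don refers to (constructed for this page, not posted by anyone in the thread), here is an NX-OS fragment that admits only an explicit list of ports to the server VLAN and drops all other inter-VLAN traffic on the Nexus; the subnets, VLAN numbers and the port list are assumptions:

```text
! Constructed example: department users in VLAN 10 (10.10.0.0/24),
! servers in VLAN 50 (10.50.0.0/24), voice in VLAN 20 (10.20.0.0/24).
! The list uses "any" as the source so the same ACL can be applied
! inbound on every department SVI; only the listed ports reach the servers.
ip access-list USERS-TO-SERVERS
  remark precaution: keep HSRP hellos between the two 5548s (v1 224.0.0.2, v2 224.0.0.102, UDP 1985)
  10 permit udp any host 224.0.0.2 eq 1985
  20 permit udp any host 224.0.0.102 eq 1985
  remark name resolution and web/file services on the server VLAN
  100 permit udp any 10.50.0.0/24 eq 53
  110 permit tcp any 10.50.0.0/24 eq 53
  120 permit tcp any 10.50.0.0/24 eq 80
  130 permit tcp any 10.50.0.0/24 eq 443
  140 permit tcp any 10.50.0.0/24 eq 445
  remark contiguous port blocks take one line with "range"
  150 permit tcp any 10.50.0.0/24 range 3268 3269
  remark continue one line per port or range until all 40-50 are listed
  remark nothing else reaches the servers or any other internal VLAN
  900 deny ip any 10.0.0.0/8
  remark everything else is Internet-bound and follows the default route to the firewall
  1000 permit ip any any
!
interface Vlan10
  description department users (HSRP gateway stays on the Nexus)
  ip access-group USERS-TO-SERVERS in
!
interface Vlan20
  description voice: no ACL, so voice and servers route directly
```

The ACL is stateless: replies from the servers enter on Vlan50, which carries no ACL, so they pass; a session the servers initiate towards the users is blocked only if a second ACL is applied inbound on Vlan50.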
If the firewall does everything, then my Nexus switches are doing nothing. I want to use the Nexus as well and reduce the load on the firewall. The firewall is a UTM device and is doing many, many other jobs as well, including VPN, IPS/IDS, web filtering etc.

thanks
Then you're going to have to use ACLs.
When I said VACL, you can create extended VACLs (UDP/TCP rules), but it's going to be messy if you want to allow up to 50 protocols, and at a guess the ranges will be all over the show.
You might be better off having the Windows firewall block access to services on the server and leaving the UTM firewall rules to handle external traffic.
I could not find a solution.
As I see it, maybe an additional license is required to support SERVICE OBJECT ACLs on the Nexus 5548,
or it is not supported at all and only the 7000 series supports SERVICE OBJECTs.

thanks
I've requested that this question be closed as follows:

Accepted answer: 0 points for nainasipra's comment #a40786603

for the following reason:

could not find proper answer
The question was how to stop routing and allow HSRP.

It was explained that this can't be done and alternatives were provided (ACLs, VRFs and private VLANs).
Hi Don,

These are surely alternatives, but the request was how to do it on the Nexus 5548.
How to allow only 40-50 protocols/ports:
1 - Service object ACLs are not supported by my Nexus.
2 - VRF route leaking is not supported either.
3 - Private VLANs look acceptable, but my access layer switches do not support private VLANs, so how do I do it?

Still looking for solution and wondering how I can do this?

thanks
I have never heard of a switch that can't do VLANs; I think you have a bridge.
As for a license for ACLs, I haven't heard of that either.

ACL config
1) ACLs are supported on 5500s. If you want to stop inter-VLAN routing, you can. Sorry if it's a lot of typing.

2) Inter-VRF traffic can be allowed with route maps.

3) Private VLANs don't have to be supported on the access switches to accomplish your stated goals.
Dear Don,

First of all, sorry for the late reply, and thank you so much for your help throughout.
I want to use the private VLAN feature but am confused about how to use it.
It will work with my core switches, that is OK, but I have doubts about the edge switch configuration:
Edge switch (Cisco 2960S):
1) What type of port will be core-to-edge and vice versa, like trunk or promiscuous?
2) What will be the port configuration on the edge switches?
    e.g.
     switch# configure terminal
     switch(config)# interface ethernet 1/2
     switch(config-if)# switchport mode private-vlan promiscuous
     switch(config-if)# switchport private-vlan mapping 5 109
This kind of port configuration is not supported on edge switches.

Thanks in advance; I need your suggestions.
Not sure what access or edge switches have to do with this. You were saying that you wanted to stop inter-VLAN traffic on the 5500. Are you saying that the 2960S is routing traffic as well? If so, then you're out of luck, as the 2960S doesn't support Private VLANs.

If not, then the access or edge switches are irrelevant.

Make all the VLANs you don't want to talk to each other isolated. Make the port going to the firewall promiscuous.
OK, I can do this on the core switch; then on the edge switches what VLANs will there be, and what will be the gateway for the user VLANs on the edge switches, as I know there will be no interface IP other than the primary VLAN?
Will the isolated VLANs on the core switch and edge switches have the same VLAN ID?

thanks
I'm not sure I understand why you keep referring to the edge switches. Private VLANs are locally significant.
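An added, constructed configuration (not posted by Don or the asker) for the private-VLAN design described in Don's replies above: department users sit in an isolated secondary VLAN, the firewall port is promiscuous and carries the users' gateway address, and the downlink to the 2960S is an isolated PVLAN trunk, so the edge switch needs only a normal trunk and ordinary access ports. VLAN numbers, interface names and descriptions are assumptions.

```text
! --- Nexus 5548 (core) ---
feature private-vlan
vlan 100
  name DEPT-PRIMARY
  private-vlan primary
  private-vlan association 101
vlan 101
  name DEPT-USERS-ISOLATED
  private-vlan isolated
!
! Firewall port: promiscuous, so isolated users can reach only this port.
! The users' default gateway is the firewall's interface address in VLAN 100.
interface Ethernet1/1
  description to-FortiGate-inside
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 100 101
!
! Downlink to the 2960S: an isolated PVLAN trunk carries VLAN 101 tagged.
interface Ethernet1/10
  description to-edge-2960S
  switchport mode private-vlan trunk secondary
  switchport private-vlan trunk allowed vlan 101
  switchport private-vlan association trunk 100 101
!
! --- Cisco 2960S (edge, no private-VLAN support) ---
! The same VLAN ID (101) is used here as an ordinary VLAN.
vlan 101
 name DEPT-USERS
interface GigabitEthernet1/0/48
 description uplink-to-Nexus
 switchport mode trunk
 switchport trunk allowed vlan 101
interface GigabitEthernet1/0/5
 description user-port
 switchport mode access
 switchport access vlan 101
```

Isolation is enforced only where the Nexus switches the frames: two user ports on the same 2960S can still reach each other locally, because the edge switch treats VLAN 101 as a normal VLAN.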