how to stop inter-vlan routing on Nexus 5548?

Dear Experts,

I have a Nexus 5548, and VLAN interfaces are configured on it for HSRP purposes. I want to stop inter-VLAN routing and allow VLAN-to-VLAN routing only via the firewall.
How can I stop inter-VLAN routing on the Nexus, or allow it between a few VLANs and route all the other VLANs via the firewall?

thanks
nainasipraAsked:

Don JohnstonInstructorCommented:
If you're running HSRP on the 5548, then you must have routing enabled.  Otherwise, HSRP is pointless.

Can you elaborate on what you're trying to accomplish?  For example, do you want to limit routing between specific VLANs?
eeRootCommented:
You can disable inter VLAN routing with the command "no ip routing".  This command may impact the HSRP configuration though, so review the configuration of the Nexus carefully before applying that command.
nainasipraAuthor Commented:
Dear Don,

I have two Nexus switches and HSRP is working on them. Now, what I want to do is this: I have multiple VLANs and I don't want to allow them to communicate with each other, but all VLANs have to communicate with the server,
but with the server VLAN only on specific protocols or port numbers. I have checked on my Nexus; it doesn't even support service objects for service-based ACLs.
Or I can stop this inter-VLAN routing and let them communicate via the firewall only.

I have attached a diagram for reference; please have a look.
I want the SERVER VLAN and VOICE VLAN to be able to communicate directly, but all the other VLANs should communicate with the SERVER VLAN only via the firewall.
How could this be possible? Please help.

Thanks
Don JohnstonInstructorCommented:
No diagram is attached.
nainasipraAuthor Commented:
Dear Don,

Please find attachment.

Thanks
network-diag.png
Don JohnstonInstructorCommented:
There's only one 5548 in the diagram.  I thought you said that you had two?
nainasipraAuthor Commented:
Dear Don,

Yes, I have two; please consider this a logical diagram. Even a two-5548 diagram will not make a difference because the rest of the cabling and configuration is the same.

Thanks,
Don JohnstonInstructorCommented:
Even two 5548 diagram will not make difference because rest of all cabling and configuration is same.
It might not make any difference to you, but it does to me.  In order to understand what you're attempting to do, an understanding of the network is required.

You want to disable routing to force traffic to be routed by the firewall, right?

Which begs the question of why the 5548 is doing any routing in the first place?

The bottom line is that HSRP is a layer 3 protocol (Hot Standby Routing Protocol), which means that routing must be enabled for HSRP to provide its functionality.  So at the most basic level, what you are asking is contradictory. It would be like me saying "I want to run a routing protocol but I don't want the routers talking to each other." You can't have one without the other.
nainasipraAuthor Commented:
Dear Don,

Thank you so much for explaining; I understand totally. My objective in putting the firewall in the routing path is only to filter traffic for the servers VLAN. How can I filter traffic for the servers VLAN without the firewall, filtering e.g. some ports or protocols (almost 40 to 50 different ports to allow only for the servers VLAN)?
Is there any other way, if service object ACLs are not supported by the Nexus 5548?
Don JohnstonInstructorCommented:
Is there any other way, if Service Object ACL is not supporting by Nexus 5548.

And this is why I asked for the full diagram.

If your topology and firewalls support it, put them into an HSRP or Active/Standby configuration.  Disable ip routing on the 5500's and let the firewalls do all inter-VLAN routing.
nainasipraAuthor Commented:
Dear Don,

My Nexus does not support service-based ACLs; that's why I want to do it on the firewall, but for the Nexus I want redundancy as well. And the second thing is that the voice VLAN and servers VLAN should communicate directly, without the firewall.
Suppose we forget about HSRP: is it possible without HSRP for two VLANs to route to each other while all the other VLANs route via the firewall only, as per the same attached diagram with one Nexus and one firewall?

thanks
Don JohnstonInstructorCommented:
You could use VRFs.  But without a lot more information, it's hard to say if that solution would meet your requirements.

nainasipraAuthor Commented:
I am considering VRFs. I need help with what the static routes will be in the VRF zone and the global zone.
Don JohnstonInstructorCommented:
I need help what will be the static routes on VRF zone and Global Zone.
I'm sorry. I don't understand what you're asking.  If you want to know about creating static routes, then there is not nearly enough information available to answer that question.
nainasipraAuthor Commented:
Dear Don,
As per the given diagram.
My question is: suppose I have created VRF VLAN10; now VLAN 10 is isolated, so how will the traffic go to the firewall? What will be the route leaking procedure?
Is a static route OK ("0.0.0.0/0 192.168.1.1"), or do I need more configuration?

thanks
StolsieCommented:
If you want to remove the VLAN routing from your Nexus, just remove the VLAN IP address from it and put the IP address as an "interface" on the firewall/router.
It can't route to the VLAN if it is not the VLAN router.
StolsieCommented:
what firewall are you using?
nainasipraAuthor Commented:
Fortinet 600C UTM.
I want to use the VLAN IP for the VLAN gateway. Any other solution? Suggestions please.
StolsieCommented:
I’m a little confused by what you want.
Correct me if I’m wrong.
You don’t want the VLANs to communicate at the NEXUS level?
You want the VLANs to have the routing handled by the FortiGate?
^If right, why not put the VLAN IP for the VLAN gateway on the FortiGate?

Basically turning the Nexus into a switch for all but the HSRP traffic.
Don JohnstonInstructorCommented:
^if right why not put the VLAN ip for the VLAN gateway on the FortiGate
That's what I said a while back.

basically turning the NEXUS to a switch for all but the HSRP traffic
If the Nexus isn't routing then HSRP is irrelevant.
StolsieCommented:
Don, maybe he's got other plans, or we are not understanding the question correctly.
I know that voids HSRP.
The author has mentioned "can allow between few vlans and rest of all vlans via firewall".
Maybe they have a secret network they don't want people to know about that will be using HSRP.
Don JohnstonInstructorCommented:
Well, there's clearly more to this than we're aware of. :-)
nainasipraAuthor Commented:
Dear Don,

Let me clarify. I have multiple VLANs for different departments, one VLAN for servers and one VLAN for voice. What I want is that the VLANs can't route to each other; there should only be routing from the VLANs to the server VLAN. The next step is that the routing to the server VLAN is limited, not open to everything.
As I have already mentioned, I want to allow almost 40-50 ports/protocols from the user VLANs to the server VLAN.
How can I do this?
If I use VRFs, what will be the route leaking configuration?
Please suggest.

Thanks
Don JohnstonInstructorCommented:
I'm not sure what this means:
Now next step is that Routing to Server VLAN but limited not all.

Have you considered private VLANs? You could put all the departments in an isolated VLAN and the server in a promiscuous VLAN. Then use ACLs to limit the type of traffic between departments and servers.
nainasipraAuthor Commented:
Hi Don,
Yes, I have considered private VLANs. The issues I face:
1)- My Nexus switches support private VLANs but my access layer switches do not; does that matter?
2)- Which ACL should filter the traffic? The ACL issue will be the same again, since it does not support service object ACLs, so how do I filter only 40-50 protocols/ports?

Thanks,
nainasipraAuthor Commented:
"Now next step is that Routing to Server VLAN but limited not all."
This means only 40-50 ports/protocols are allowed to route between the servers VLAN and the user VLANs; all other traffic must be blocked.
StolsieCommented:
Okay, why not have a VACL on the Nexus? That way you still get the most out of HSRP and you can restrict traffic that way.
It suddenly occurred to me: why didn't I recommend that in the first instance? Oops.
nainasipraAuthor Commented:
Dear Stolsie,

Even with a VACL, you still have to use an IP access list, so how can you filter only 40-50 protocols? I need your suggestion please.

thanks
Don JohnstonInstructorCommented:
My Nexus Switches support private VLAN but not Access Layer Switches, does it effect ?
No. But you won't be able to use VTP (if you are).
what ACL to filter traffic, for ACL issue will be same again that its not support Service Object ACL and how to filter only 40-50 protocols/ports?
An extended, routed ACL would be used. If you still don't want to do that, then you can either replace the 5500 with a 7004 (which supports object groups) or let the firewall handle all the routing (I'm assuming that your firewall has some type of object group capability).
nainasipraAuthor Commented:
If the firewall does everything, then my Nexus switches are doing nothing. I want to use the Nexus as well and reduce the load on the firewall. The firewall is a UTM device and is doing many, many other jobs as well, including VPN, IPS/IDS, web filtering etc.

thanks
Don JohnstonInstructorCommented:
Then you're going to have to use ACLs.
StolsieCommented:
When I said VACL, you can create extended VACLs (UDP/TCP rules), but it is going to be messy if you want to allow up to 50 protocols, and at a guess the ranges will be all over the show.
You might be better off having the Windows firewall block access to services on the server and leaving the UTM firewall rules to handle external traffic.
nainasipraAuthor Commented:
Could not find a solution.
As per my understanding, I am thinking maybe an additional license is required to support SERVICE OBJECT ACLs on the Nexus 5548,
or it is not supported at all and only the 7000 series supports SERVICE OBJECTS.

thanks
nainasipraAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for nainasipra's comment #a40786603

for the following reason:

could not find proper answer
Don JohnstonInstructorCommented:
The question was how to stop routing and allow HSRP.

It was explained that this can't be done and alternatives were provided (ACLs, VRFs and private VLANs).
nainasipraAuthor Commented:
Hi Don,

These are surely alternatives, but the request was how to do it on the Nexus 5548.
How to allow only 40-50 protocols/ports:
1 - Service object ACLs are not supported by my Nexus.
2 - VRF route leaking is not supported either.
3 - Private VLANs look acceptable, but my access layer switches do not support private VLANs, so how do I do it?

Still looking for a solution and wondering how I can do this.

thanks
StolsieCommented:
I have never heard of a switch that can't do VLANs; I think you have a bridge.
As for a license for ACLs, I have not heard of that either.

ACL config
Don JohnstonInstructorCommented:
1) ACLs are supported on 5500's. If you want to stop inter-VLAN routing, you can.  Sorry if it's a lot of typing.

2) Inter-VRF traffic can be allowed with route maps.

3) Private VLANs don't have to be supported on the access switches to accomplish your stated goals.
nainasipraAuthor Commented:
Dear Don,

First of all, sorry for the late reply, and thank you so much for your help throughout.
I want to use the private VLAN feature but am confused about how I can use it.
It will work with my core switches, that is OK, but I have doubts about the edge switch configuration:
Edge switch (Cisco 2960S):
1)- What type of port will connect core to edge and vice versa, like trunk or promiscuous?
2)- What will the port configuration be on the edge switches?
    e.g.
     switch# configure terminal
     switch(config)# interface ethernet 1/2
     switch(config-if)# switchport mode private-vlan promiscuous
     switch(config-if)# switchport private-vlan mapping 5 109
This kind of port configuration is not supported on the edge switches.

Thanks in advance; I need your suggestions please.
Don JohnstonInstructorCommented:
Not sure what access or edge switches have to do with this.  You were saying that you wanted to stop inter-VLAN traffic on the 5500.  Are you saying that the 2960S is routing traffic as well? If so, then you're out of luck as the 2960s don't support Private VLANs.

If not, then the access or edge switches are irrelevant.

Make all the VLANs you don't want to talk to each other isolated. Make the port going to the firewall promiscuous.
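As an added example (not configuration from this thread or from Cisco's documentation) of the private-VLAN layout Don describes, combined with the extended ACL he mentioned earlier: department hosts sit in an isolated secondary VLAN, the server and firewall ports are promiscuous, and a port ACL allows only a few services toward the servers. The VLAN ids, interface numbers, addresses and port numbers are assumed placeholders for a single 5548.

```cisco
! Added example (not configuration from this thread): one way to build the
! private-VLAN layout Don describes, with an extended ACL restricting
! departments to a handful of server ports. All VLAN ids, interfaces,
! addresses and port numbers are assumed placeholders.
feature private-vlan
feature interface-vlan
feature hsrp

! Primary VLAN 100 owns the subnet; isolated VLAN 101 holds the department
! hosts, which therefore cannot reach each other at layer 2.
vlan 100
  private-vlan primary
  private-vlan association 101
vlan 101
  private-vlan isolated

! Gateway SVI carrying the HSRP address; the secondary VLAN is mapped to it
! so the SVI also serves the isolated hosts.
interface vlan 100
  ip address 10.10.0.2/24
  private-vlan mapping 101
  hsrp 1
    ip 10.10.0.254

! Extended ACL: departments reach the servers (assumed at 10.10.0.64/26)
! only on DNS, HTTPS and SMB; add one line per allowed service.
ip access-list DEPT-TO-SERVERS
  10 permit udp any 10.10.0.64/26 eq 53
  20 permit tcp any 10.10.0.64/26 eq 443
  30 permit tcp any 10.10.0.64/26 eq 445
  40 deny ip any 10.10.0.64/26
  50 permit ip any any

! Department host port: isolated; the ACL is applied as a port ACL because
! department-to-server traffic stays inside the subnet and never hits the SVI.
interface ethernet 1/10
  switchport mode private-vlan host
  switchport private-vlan host-association 100 101
  ip port access-group DEPT-TO-SERVERS in

! Server port and firewall uplink: promiscuous, reachable from isolated hosts
interface ethernet 1/20
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 100 101
interface ethernet 1/1
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 100 101
```

The firewall on Ethernet 1/1 sees every isolated host but the hosts never see each other, so traffic between departments can only exist if the firewall forwards it.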
nainasipraAuthor Commented:
OK, I can do this on the core switch, but then what VLANs will be on the edge switches, and what will the gateway be for the user VLANs on the edge switches, since as far as I know there will be no interface IP other than the primary VLAN's?
Will the isolated VLANs on the core switch and the edge switches have the same VLAN id?

thanks
Don JohnstonInstructorCommented:
I'm not sure I understand why you keep referring to the edge switches.  Private VLANs are locally significant.