inter (V)LAN routing - basic question network topology

tubs-ffm

Active Member
Sep 1, 2013
122
39
28
Hello,

I have a basic question to inter (V)LAN routing and the related network topology with two routers in it.

I am a home user and today my set-up is a router-on-a-stick configuration. One L2 switch to manage VLANs. All ACLs and routing done on the firewall. So far, all OK. For performance reasons I would like to move the routing between the networks called "LAN" and "DMZ" to a L3 switch. For the other VLANs this is not required as there is no routing to or from other subnets (Guest_WLAN, IoT).

Is the routing including ACLs between LAN and DMZ possible on the L3 switch with a network topology as shown on the picture?
Or must I move the DMZ and LAN network completely to the L3 switch and create "transport networks" and static routes between router and L3 switch?

Network.png

Tobias
 

CreoleLakerFan

Active Member
Oct 29, 2013
478
176
43
You can have both router and switch connected to your VLANs ... you would use your firewall as the default route, and then create static routes on all hosts which communicate with the other VLANs via the switch, specifying the L3 virtual interface on the switch as the next hop.
 

tubs-ffm

Active Member
Sep 1, 2013
122
39
28
You can have both router and switch connected to your VLANs .
Thank you for this confirmation.
This will make some things easier in a small network instead of routing complete sub-nets. E. g. DHCP.

Anything specific I need to take care?
 

tubs-ffm

Active Member
Sep 1, 2013
122
39
28
I give up! Something I am doing wrong in the Ruckus / Brocade FastIron configuration.

I do not get connections between the L3 routed DMZ and LAN network as well not from the firewall to the DMZ network. LAN to outside is working. Also, the connection from the other VLAN where the switch is doing L2 switching are working.

All is set-up and connected. When I run the L2 configuration with VLAN as shone above all is running. But when I change to my L3 configuration it is not working. I cannot find any mistake in the ACL. Something I am doing wrong with the routing.

Any idea what's wrong with my config?

My real config is using different networks than my illustration in the post above:

LAN: 192.168.2.0/24
DMZ: 192.168.10.0/24

Code:
Current configuration:
!
ver 08.0.92eT213
!
stack unit 1
  module 1 icx7250-24p-poe-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
  stack-port 1/2/1
  stack-port 1/2/3
!
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
!
vlan 10 name DMZ by port
tagged ethe 1/1/9 ethe 1/2/6 ethe 1/2/8
untagged ethe 1/1/3 ethe 1/1/11 to 1/1/12 ethe 1/2/5 ethe 1/2/7
router-interface ve 10
!
vlan 20 name IoT by port
tagged ethe 1/1/5 ethe 1/1/7 ethe 1/1/9
!
vlan 30 name Guest by port
tagged ethe 1/1/5 ethe 1/1/7 ethe 1/1/9
untagged ethe 1/1/10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
optical-monitor
optical-monitor non-ruckus-optic-enable
aaa authentication web-server default local
aaa authentication login default local
enable telnet authentication
enable aaa console
hostname icx7250
ip dhcp-client disable
ip dns domain-list test.lan
ip dns server-address 192.168.2.1 192.168.2.15
ip route 0.0.0.0/0 192.168.2.1
ip route 0.0.0.0/0 192.168.10.1
!
telnet timeout 10
no telnet server
username admin password .....
!
!
snmp-server contact Administrator
snmp-server location Server Room
!
!
clock timezone gmt GMT+09
!
!
ntp
disable serve
server 192.168.2.1
!
!
web-management https
web-management frame bottom
web-management page-menu
web-management session-timeout 1200
!
!
manager registrar
!
!
!
!
!
!
!
!
!
interface ethernet 1/1/1
port-name OPNsense-2
!
interface ethernet 1/1/2
disable
!
interface ethernet 1/1/3
port-name OPNsense-3
!
interface ethernet 1/1/4
disable
!
interface ethernet 1/1/5
port-name OPNsense-4
!
interface ethernet 1/1/6
disable
!
interface ethernet 1/1/7
port-name WLAN-AP
!
interface ethernet 1/1/8
disable
!
interface ethernet 1/1/9
port-name Trunk-Office
!
interface ethernet 1/1/10
port-name Work-PC
!
interface ethernet 1/1/11
port-name Server-DMZ
!
interface ethernet 1/1/12
port-name PC-DMZ
!
interface ethernet 1/2/1
port-name PC-LAN
!
interface ethernet 1/2/3
port-name Server-LAN
!
interface ethernet 1/2/5
port-name PC-DMZ
!
interface ethernet 1/2/6
port-name PC-Trunk
!
interface ethernet 1/2/7
port-name Server-DMZ
!
interface ethernet 1/2/8
port-name Server-Trunk
!
interface ve 1
ip access-group lan_out in
ip address 192.168.2.2 255.255.255.0
!
interface ve 10
ip access-group dmz_out in
ip address 192.168.10.2 255.255.255.0
!
!
ip access-list extended lan_out
remark allow LAN to switch management
sequence 10 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 eq ssh
sequence 20 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 eq http
sequence 30 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 eq ssl
remark allow LAN to DMZ
sequence 40 permit icmp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
sequence 50 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq http
sequence 60 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ssl
sequence 70 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ssh
sequence 80 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ftp
sequence 90 permit tcp 192.168.2.0 0.0.0.255 host 192.168.10.20 eq 8006
sequence 100 permit tcp 192.168.2.0 0.0.0.255 host 192.168.10.20 eq 26
sequence 110 permit tcp 192.168.2.0 0.0.0.255 host 192.168.10.40 eq smtp
sequence 120 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 8083
sequence 130 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 9090
sequence 140 permit tcp 192.168.2.0 0.0.0.255 host 192.168.10.60 eq 5001
sequence 150 permit tcp 192.168.2.0 0.0.0.255 host 192.168.10.60
sequence 160 permit udp 192.168.2.0 0.0.0.255 host 192.168.10.60
remark deny all other to DMZ
sequence 170 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
remark allow every else to everywhere
sequence 180 permit ip any any
!
ip access-list extended dmz_out
remark allow DMZ to LAN
sequence 10 permit tcp 192.168.10.0 0.0.0.255 host 192.168.2.15 eq dns
sequence 20 permit udp 192.168.10.0 0.0.0.255 host 192.168.2.15 eq dns
sequence 30 permit tcp host 192.168.10.10 host 192.168.2.15 eq ldap
sequence 40 permit tcp host 192.168.10.20 host 192.168.2.15 eq ldap
sequence 50 permit tcp host 192.168.10.10 host 192.168.2.15 eq ldaps
sequence 60 permit tcp host 192.168.10.20 host 192.168.2.15 eq ldaps
sequence 70 permit tcp host 192.168.10.10 host 192.168.2.15 eq microsoft-ds
sequence 80 permit tcp host 192.168.10.20 host 192.168.2.30 eq 2525
sequence 90 permit tcp host 192.168.10.40 host 192.168.2.30 eq 2525
sequence 100 permit tcp host 192.168.10.40 host 192.168.2.30 eq smtp
remark deny all other to LAN
sequence 110 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
remark allow every else to everywhere
sequence 120 permit ip any any
!
!
!
no lldp run
!
!
ip ssh  idle-time 0
!
!
!
!
!
end
 
Last edited: