Comware

 View Only
Back to discussions
Expand all | Collapse all

L3 switch > routing to firewall > firewall is doing the routing?!

This thread has been viewed 2 times

  • 1.  L3 switch > routing to firewall > firewall is doing the routing?!

    Posted Oct 05, 2020 09:36 AM

    Hey everyone

    We have a L3 HP chassis switch with all our VLAN's on (along with interface IP's)

    This switch has a 'route 0.0.0.0 0.0.0.0 GATEWAY IP' command in

    ip routing command is on the switch config

    We are noticing that the our firewall (the gateway that our route is set to) seems to be routing internal traffic, as looking at its GUI the internal NIC is way more utilised than the external NIC (internet)

    We've tried removing this route command, but then internet access drops for everyone, despite having the 'ip default-gateway' command too

    What's strange is that when we unplug the cable between the switch and the firewall, the internal routing still works between VLAN's

    It's as though the L3 switch isn't doing any routing whilst the route out is active, and when this drops it then routes itself

    Is there any way to make the route out only be for internet traffic?

    I can't see any route exceptions for internal subnets etc, and I can't imagine the config length required if we have to put several static routes in before and after our 10 x private subnets, it would be huge.

    Any advice would be appreciated

    There is no real issue, things work great, but it's wrong, the switch should only really be sending traffic out that it does not know about itself.

    Thanks!



  • 2.  RE: L3 switch > routing to firewall > firewall is doing the routing?!

    Posted Oct 05, 2020 02:56 PM

    Hi!

    When you wrote:

    We are noticing that the our firewall (the gateway that our route is set to) seems to be routing internal traffic, as looking at its GUI the internal NIC is way more utilised than the external NIC (internet)

    are you also aware about your Firewall need to have VLAN SVI defined to be the router for them (or to know where subnets are to route traffic to them)?

    We've tried removing this route command, but then internet access drops for everyone, despite having the 'ip default-gateway' command too

    That's on the Switch, that's the expected behaviour...it means that all clients that are loosing their connectivity to Internet are loosing it because they have their default gateway set to point to the Core Switch (your L3 Router on the internal network) and when it loose its route of last resort to your Firewall (0/0 via firewall) is pretty much easy to understand what will happen.

    You need to be exactly sure about the uplink between your Core Switch and your Firewall (VLAN membership included) too...it's not unusual to see a Firewall with LAN interface placed on a internal subnet (routed by the Switch) instead of being connected to the Core Switch by means of a Transit VLAN (a /30 or /31 dedicated to one-to-one communication between your Core and your Firewall).

    Also...default gateway on a Layer 3 switch is useful only for the switch itself...since IP Routing is enabled traffic managed by the Core is then routed by means of local connected VLAN SVI and static routing (included Route of Last Resort) and default gateway concept has nor relevance for clients.

    Is there any way to make the route out only be for internet traffic?

    It already works that way: I mean, the Route of Last Resort (destination network: 0.0.0.0 subnet mask: 0.0.0.0 via Next Hop Gateway <your-Firewall-LAN-IP>) is used by your Core Switch to route all NON local networks (its VLAN SVIs) to any other network outside its control...then the Firewall will route received requests accordingly (considering its configuration).



Related Content