
This is for hypothetical purposes - more of a learning question than a production question.

If I have a switch (Layer 3, let's say a ProCurve) with a handful of VLANs configured. Let's say:

DEFAULT VLAN  10.1.1.0/24
VLAN10        172.16.30.0/24
VLAN100       192.168.1.0/24

There are two firewalls - FW01 and FW02:

FW01 IP: 10.1.1.1
FW02 IP: 10.1.1.2

I want VLAN10 and VLAN100 to use FW01 for Internet (because this is a faster line, let's say).

I want the DEFAULT VLAN to use FW02 because it has a greater upload (for argument's sake).

A few questions:

1). Firstly, what would the default gateway of the switch be? (Default VLAN)

2). Where would I/how would I configure additional default gateways for the other VLANs? Assuming DHCP gives out the switch as the default gateway, as this will enable inter-VLAN routing.

3). How would the switch know what default gateway to use per VLAN packet?

Thanks!

PnP

1 Answer

This isn't as easy as you make it out to be. Answer to your first and third questions:

  • A default gateway is always in the same subnet as the IP address of an interface. Default gateways are used to get out of your local subnet, so if it weren't in the same subnet, a computer wouldn't know how to reach the subnet. So, for the default VLAN to go through FW02, its default gateway would be 10.1.1.2.
  • Standard routing is done based on destination IP only. Routers and switches are fast at looking up destination IP addresses, but most hardware isn't built to also take source IPs into account.

Now, you can do this in two ways:

  1. Terminate the VLANs on the firewalls. Two (sub)interfaces in VLAN 10 and VLAN 100 on FW01. Default gateways in those VLANs would be the IPs you give FW01, for instance 172.16.30.1 and 192.168.1.1 respectively.
  2. Use policy based routing. If your layer 3 switch is capable, you can route based on policies. One of those policies could be source address. But be aware: since this mostly can't be done in hardware, everything will be punted up to the general CPU, crippling network performance under load.

Now, to answer your second question: In IPv4, you only have one default gateway. You could add several routes, but that would get unmanageable fast. So, what you do is: you terminate all VLANs on both firewalls, with a Layer 2 redundancy protocol configured, such as VRRP. You then configure the priority of the default VLAN so that FW02 is active for that one, and the priority for VLAN 10 and VLAN 100 so that FW01 is active for those. Should one firewall die, the other one will take over, resulting in less bandwidth, but nearly no network outage.

The default gateways in this case will be the virtual IP addresses you assign when configuring VRRP. See the Wikipedia entry for an example.

JelmerS
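As an added illustration (example code, not the answerer's or the question's own configuration): a small Python model of the two lookup styles the answer contrasts. Destination-only routing can only ever pick one default gateway for every VLAN, while a source-based policy (what PBR adds) steers each VLAN to its own firewall; the subnets and firewall addresses are the ones from the question, and the policy table is an assumption that encodes the asker's wish.

```python
# Added example: destination-only routing versus source-based policy routing
# for the three VLANs in the question. Addresses come from the question;
# the POLICY mapping is an assumption that encodes "VLAN10/VLAN100 -> FW01,
# DEFAULT VLAN -> FW02".
from ipaddress import ip_address, ip_network

# Directly connected subnets: the Layer 3 switch routes between these itself.
CONNECTED = [
    ip_network("10.1.1.0/24"),      # DEFAULT VLAN
    ip_network("172.16.30.0/24"),   # VLAN10
    ip_network("192.168.1.0/24"),   # VLAN100
]

# Ordinary routing table: longest-prefix match on destination, ONE default route.
ROUTES = [(net, "connected") for net in CONNECTED] + [
    (ip_network("0.0.0.0/0"), "10.1.1.1"),  # the single default gateway (FW01)
]

# Policy-based routing table: source subnet -> gateway for Internet-bound traffic.
POLICY = {
    ip_network("10.1.1.0/24"): "10.1.1.2",      # DEFAULT VLAN -> FW02
    ip_network("172.16.30.0/24"): "10.1.1.1",   # VLAN10 -> FW01
    ip_network("192.168.1.0/24"): "10.1.1.1",   # VLAN100 -> FW01
}


def destination_route(dst):
    """Classic lookup: most specific route containing dst wins; source is ignored."""
    dst = ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def policy_route(src, dst):
    """PBR lookup: connected destinations still route locally (inter-VLAN traffic
    never touches a firewall); otherwise the source subnet picks the firewall,
    and an unmatched source falls back to the ordinary table."""
    src, dst = ip_address(src), ip_address(dst)
    if any(dst in net for net in CONNECTED):
        return "connected"
    for net, gateway in POLICY.items():
        if src in net:
            return gateway
    return destination_route(dst)


if __name__ == "__main__":
    for src in ("10.1.1.50", "172.16.30.50", "192.168.1.50"):
        print(src, "-> 8.8.8.8 | dst-only:", destination_route("8.8.8.8"),
              "| PBR:", policy_route(src, "8.8.8.8"))
    print("172.16.30.50 -> 192.168.1.50 | PBR:", policy_route("172.16.30.50", "192.168.1.50"))
```

Running it shows every VLAN leaving via 10.1.1.1 under the destination-only table, while the policy lookup sends the DEFAULT VLAN out via 10.1.1.2 and keeps VLAN-to-VLAN traffic on the switch.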