VLAN interfaces vs Route Table?



    Putting NGFW in place of old equipment.

    Internet->NGFW->Cisco Nexus Core Switch>Rest of network

    VLANs are managed by Cisco switches. DHCP managed by Windows Server.

    We have multiple subnets and tagged VLANs on the network.

    My question is this: should I define all subnets in Config>Network>Routes? Or should I set up virtual interfaces for the VLANs? Or both?

    Issue I think I will encounter is some devices have static IPs within those VLANs. They aren't necessarily tagged on the port.

  • #2
    I have almost the same setup: Internet > NGFW > Cisco 3560G > 802.1q trunks to APs, managed L-2 switches, etc.

    Like you, I have inter-VLAN routing done on the switch, while DHCP and DNS from a Windows Server, among other services.

    The Cisco's default-gateway points to the NGFW and for the return traffic, the NGFW has static routes going to individual VLANs with the switch as the next-hop. I tried using dynamic routing (OSPF) between the Cisco and NGFW but NGFW seems to mess up. I've forgotten much about the problem details since this was years ago. Anyway, defining static routes is fine if you're not adding/removing/changing VLANs frequently.

    You can then make policies in NGFW to match individual VLANs, specifically their network, so the rules will apply to everyone in that subnet, regardless of whether they got their IP address dynamically or statically.


    • #3
      Originally posted by brianw19
      My question is this: should I define all subnets in Config>Network>Routes? Or should I set up virtual interfaces for the Vlans? Or both?
      Since they're tagged, you need to create interfaces via the 'add tagged VLAN interface' button in Config > Network > Interfaces. Without a corresponding interface, the NGFW can't route tagged VLAN traffic.
      Græme Ravenscroft • Technical Marketing Engineer
      ('gram', like the unit of measurement)
      Please don't reboot your NGFW.
      How can we make Arista ETM products better?


      • #4

        That just brings me back to my original question. If I have some static addresses within that tagged VLAN subnet (they are not necessarily on tagged VLAN ports), will those be picked up by the virtual VLAN interface as well?


        • #5
          It's very simple.

          The interfaces are handled by the Linux kernel. A parent interface is untagged traffic; a tagged child interface is where traffic tagged with that VLAN goes. The interfaces are just that: they can have dynamic IP configurations, static configurations, multiple statics, whatever.

          VLANs have nothing to do with IP configuration. So yes, you can pile IP aliases onto a child tagged interface, and have them work as expected.
          Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate

          Phone: 866-794-8879 x201
          Email: [email protected]


          • #6
            Ok, I'm really not trying to be difficult here. Please forgive my ignorance on this part of setup...

            Here's what I'm seeing. Say I have a VLAN 100 that corresponds to an IP scope of Now within that subnet, 90% of traffic is from tagged ports. There is, however, 10% of devices on that .100.x subnet that are on trunk ports and have static IP addresses.

            If I create a child VLAN interface that defines this VLAN 100 on NGFW. I then try to create an IP alias on the child tagged interface or static route (either one). It fails, stating there's a conflict because I've already defined that subnet as being part of the child VLAN interface.

            My question is, is the child VLAN interface all that is required?


            • #7
              Also, the parent interface (internal) is on a completely isolated subnet than the rest of the internal network.


              • #8
                For those wondering...the correct answer was route tables. Just cast a wide net on your subnets to capture everything and NGFW sees it all. Doesn't really matter at the edge what the traffic had been tagged with (at least for my setup). I just needed the NGFW to see the traffic to apply firewall rules.
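The three points argued in this thread (subnet-keyed rules matching static and DHCP hosts alike, a single wide static route through the core switch, and the conflict from #6 when the same subnet is both a child VLAN interface and a static route) can be checked against a small model of the NGFW route table. This is an added example, not code from the thread or from the NGFW; the addresses, VLAN ids and the 10.0.0.0/16 supernet are constructed, and the "conflict" rule is modelled as the exact-prefix clash the poster describes.

```python
"""Constructed model of an NGFW route table for the VLAN-interface vs route-table question."""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    via: str  # next-hop IP, or "connected:<iface>" for an interface subnet


@dataclass
class Ngfw:
    routes: list = field(default_factory=list)

    def add_tagged_interface(self, vlan_id: int, cidr: str) -> None:
        """Option 1: a tagged child interface makes its subnet directly connected."""
        self._add(Net(cidr), f"connected:vlan{vlan_id}")

    def add_static_route(self, cidr: str, next_hop: str) -> None:
        """Option 2: a static route with the core switch as next hop (can be a wide supernet)."""
        self._add(Net(cidr), next_hop)

    def _add(self, prefix: Net, via: str) -> None:
        # The failure from post #6: the same prefix cannot be defined twice (interface + route).
        for r in self.routes:
            if r.prefix == prefix:
                raise ValueError(f"conflict: {prefix} already defined via {r.via}")
        self.routes.append(Route(prefix, via))

    def lookup(self, ip: str):
        """Longest-prefix match, as the kernel route table resolves a destination."""
        addr = ipaddress.IPv4Address(ip)
        best = max((r for r in self.routes if addr in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)
        return best.via if best else None


def policy_matches(rule_subnet: str, ip: str) -> bool:
    """A firewall rule keyed on a VLAN's network: static and DHCP hosts match alike (post #2)."""
    return ipaddress.IPv4Address(ip) in Net(rule_subnet)


def wide_net_design() -> Ngfw:
    """The design from post #8: one supernet route covering every VLAN, switch as next hop."""
    fw = Ngfw()
    fw.add_static_route("10.0.0.0/16", "10.0.0.2")  # 10.0.0.2 = constructed core-switch address
    return fw
```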