
s34
Aspirant
Nov 13, 2019

M4300-8X8F InterVLAN routing and existing native VLAN on firewall

Hello,

We always had a rather "flat" VLAN domain in a leaf/spine architecture with a firewall on top as gateway, stacked M4300-8X8F as core and a few Aruba access switches at the bottom. Currently we are planning to segregate our network into different VLANs and let the M4300-8X8F switches do the inter-VLAN routing with ACLs, so the firewall can focus on being a firewall. This should not be too hard to accomplish.

While moving to this new topology, we want to minimize downtime, and as such we are trying to build and route the new VLANs alongside the current native VLAN so we have an opportunity to migrate clients, printers, servers etc. Some information:

- The firewall is the gateway for the native VLAN (VLAN 1), let's say 192.168.1.1 /24
- Created a few VLANs on the M4300 switches and SVIs, let's say:
  - VLAN 99 - 192.168.99.254 /24
  - VLAN 100 - 192.168.100.254 /24
- Set the switchport mode to trunk for the above VLANs on the LAG to the firewall
- Using the service-port on the M4300 stack with an IP in the native VLAN
- Enabled Global Routing mode on the M4300 stack
- Created a default route to the firewall on the M4300 stack
- Created the same VLANs (tagged) as L2 subinterfaces (to the stack) on the firewall
- Created static routes on the firewall for the 192.168.99.0 and 192.168.100.0 networks to the SVIs
- No ACLs in place yet on the M4300 stack between the VLANs, so everything is allowed

The routing table of the M4300 stack is attached.

The problem:

I have no problems communicating between VLAN 99 and 100 (the stacked switches are the gateway), but I have a problem communicating between VLAN 99/100 and VLAN 1. ICMP is working but other protocols are not. The only way I get it working is when I change the gateway of a client on the native VLAN from 192.168.1.1 (firewall) to 192.168.1.30 (service-port M4300). I have a feeling it has something to do with the 192.168.1.0 route to the service-port as above, which only disappears when I put the service-port in a different subnet, but after that the default route will not work as it has no interface with an IP in that subnet.

Basically, I think the M4300 stack needs to forward all VLAN 1 traffic to the firewall instead of checking its own ARP.

What to do?

Best regards.

1 Reply

• Need to correct my text regarding the service-port, which is not used and is in a different subnet. I have the IPv4 Management VLAN configured within the native VLAN and Routing Mode enabled.
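As an added example (not from the post or from NETGEAR), a small Python model of the routing tables described above, built on the assumption that the symptom is asymmetric routing: because the stack holds an address in VLAN 1 (its management VLAN), return traffic from VLAN 99/100 to a VLAN 1 host leaves straight out of the stack's VLAN 1 interface instead of going back through the firewall, so a stateful firewall sees only one direction of each flow. The host addresses, the stack's VLAN 1 address 192.168.1.30 and the /24 masks are assumptions taken from or added to the post.

```python
import ipaddress

# Constructed model of the post's topology (assumptions, not the OP's real
# configuration): the stack has an address in VLAN 1 (192.168.1.30 assumed),
# connected SVIs in VLAN 99/100 and a default route to the firewall; the
# firewall has static routes for 99/100 pointing at the SVIs.
ROUTERS = {
    "stack": [("192.168.1.0/24", None), ("192.168.99.0/24", None),
              ("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    "firewall": [("192.168.1.0/24", None),
                 ("192.168.99.0/24", "192.168.99.254"),
                 ("192.168.100.0/24", "192.168.100.254")],
}
# Which device answers for which next-hop / gateway address.
OWNER = {"192.168.1.1": "firewall", "192.168.1.30": "stack",
         "192.168.99.254": "stack", "192.168.100.254": "stack"}


def lookup(router, dst):
    """Longest-prefix match in a router's table; None means 'connected'."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in ROUTERS[router]
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def trace(src, dst, gateway, max_hops=8):
    """Return the routers a packet crosses from src to dst. The host hands
    off-link traffic to its configured gateway (all subnets assumed /24);
    each router then follows its own table until dst is a connected subnet."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(f"{src}/24", strict=False):
        return []  # same subnet: delivered via ARP, no router involved
    hops, router = [], OWNER[gateway]
    while len(hops) < max_hops:
        hops.append(router)
        next_hop = lookup(router, dst)
        if next_hop is None:
            return hops
        router = OWNER[next_hop]
    raise RuntimeError("routing loop")


def firewall_path_symmetric(client, client_gw, server, server_gw):
    """True when the firewall sees both directions of a flow (or neither).
    A stateful firewall that sees only one direction typically drops TCP/UDP
    while ICMP echo/reply still gets through (assumed cause of the symptoms)."""
    fwd = trace(client, server, client_gw)
    rev = trace(server, client, server_gw)
    return ("firewall" in fwd) == ("firewall" in rev), fwd, rev
```

Running `firewall_path_symmetric("192.168.1.20", "192.168.1.1", "192.168.99.10", "192.168.99.254")` reports an asymmetric path (firewall then stack outbound, stack only on return), while the same call with the VLAN 1 client's gateway set to 192.168.1.30 reports a symmetric one, matching the workaround observed in the post.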
