Core Based Routing with VLANs question

[karimi]

Hi,

I don't have any available ports on my firewall, and need to route an extra internal network. It has been suggested I config a virtual interface.

Instead of doing this, can I route this new subnet to my core (10.10.0.1) which can bounce it off the Firewall (10.10.10.6), and then I can configure the policy rules to allow the traffic to get to the other network via the core through the same interface - sort of like "bouncing" it off the single interface.

This way I could accomplish routing traffic between the 2 networks without requiring an additional interface..

So today i have:

source (204.187.70.10) next hop is core (10.10.0.1). Core has a route to FW (10.10.0.6) for anything which is not local LAN (10.10.0.0). FW has a static route for 204.187.70.0/24 back to the core (10.10.0.1). This way, I am routing 2 networks through the core via my FW, without using up a dedicated interface on the FW for 204.187.70.xxx network.

Could I thus add a new network and do core routing without having to configure a virtual int on my FW ?

Thanks!!

[chillyjim]

Isn't the core router just going to route the traffic without sending it to the firewall?

[karimi]

Quote:

Originally Posted by chillyjim

Isn't the core router just going to route the traffic without sending it to the firewall?

The Core (10.10.0.1) router says to send anything not on the local LAN (10.10.0.0) to the firewall..(10.10.0.6). The FW has a static route which says anything from 204.187.70.xxx send back to the core (10.10.0.1).

In that sense, can I not add a new network and route it to my core, and send it to my FW and back to the core, without using up a separate interface on my FW ?

[chillyjim]

AFAIK you can, routing takes place after inspection. Make sure you add the new network into the topology or anti-spoofing will drop the packets.

[karimi]

Quote:

Originally Posted by chillyjim

AFAIK you can, routing takes place after inspection. Make sure you add the new network into the topology or anti-spoofing will drop the packets.

Thanks Chillyjim,

In this case, why does one require separate interfaces on a FW (aside from the internet outside) if you can route separate VLANs internally via a core to the inner FW interface and then use the policy to protect which protocols you want between these subnets? i.e. In the same respect, can I not take all my vendor networks and send them to my core - let's say VendorA=32.78.121.0/24 and VendorB=129.32.50.0/24 and then my core will have a route for these unknown networks to my FW (10.10.0.6), and as long as I have static routes on my FW going back to the core, it should send the traffic back to the vendors?

Someone say you can't send "routed" networks through a Switch, it won't work from a routed (VendorA+B) to a non-routed (my 10.100.0.0) address, but I can't see why not if my core knows where to send the traffic?

Thanks

~k

[chillyjim]

It becomes a question of why do you have separate networks then. The main reason for different networks on a LAN is to breakup broadcast domains and to isolate traffic flow. If you end up putting all of that on one "wire" anyway you might as well use a flat IP space.

You really should split this up into different VLANs from a traffic flow and management standpoint as well as a security standpoint. With just one physical network there is no way to force the traffic to the firewall, I can just send my packets straight to the system I want using it's MAC address and not its IP address.

[karimi]

Quote:

With just one physical network there is no way to force the traffic to the firewall, I can just send my packets straight to the system I want using it's MAC address and not its IP address.

Thanks Chillyjim,

However, i AM forcing traffic to the firewall because I have a static route on the core that says send all networks to the FW. The FW has an interface to my private network, and thus I can regulate or protect my internal network from vendors. I am trying to avoid using a new interface on the FW for each vendor. That is where I am confused...