Layer 3 switch Inter-vlan routing with TZ400

光热斗

Hi,

I am new to Sonicwall firewall and this community. All our branch offices use TZ400 as a firewall and router, and an Aruba 2540 layer 3 switch as coreswitch.

Previously, I was able to a Router-on-a-stick to enable inter-vlan routing by creating sub interface with VLAN ID on TZ 400 and enabling DHCP for each sub-interface. On the switch, each vlan interface(SVI) has an IP address, and I added static route to the Firewall sub-interface, (the network default gateway). I copied some of the switch configuration here.

My question is that is it the correct way to set up? Although it works, using SVI layer 3 inter-vlan routing should not need sub-interface on the router/firewall, which it is the requirement of Router-on-a-stick set up? Am I correct?

Could you give me some idea or reference? Thanks for your time.

Arkwright

The route statements on the switch don't make any sense, why would you have a route to a network that the switch already has an IP in, via something else also in the same network?

You need to decide what is doing the routing, the firewall or the switch. If both devices have IPs in all networks then you will end up with connections taking a "triangular" route which the switch won't care about but the Sonicwall's state tracking will get upset with.

TKWITS

@Arkwright "why would you have a route to a network that the switch already has an IP in, via something else also in the same network?"

I have seen this so many times it becomes nauseating when I have to deal with it.

TKWITS

Here's a link that might help.

https://www.sonicwall.com/support/knowledge-base/router-on-a-stick-configuration-using-sonicwall-switch/200608062346153/

Basically no 'Layer 3 routing' should be performed by the switch in a 'router on a stick' configuration.

光热斗

https://community.sonicwall.com/technology-and-support/discussion/comment/18284#Comment_18284

Thank you Arkwright. It solved my question. I thought there were some unnecessary config in the setting.

Just want to make sure, for a Router on a Stick configuration, I will disable "IP routing" and remove all the static routes, no IP address for each vlan. The default gateway will be the firewall's physical interface IP address.

光热斗

https://community.sonicwall.com/technology-and-support/discussion/comment/18274#Comment_18274

Gotcha, thank you. I will test it out.

Also, I want to make sure how to configurate SVI inter-vlan routing:

1. Delete sub-interface on the Firewall
2. Delete IP route but keep one default route 0.0.0.0 to the Firewall interface.
3. Keep the vlan interface IP address.

Are there anything else I need to do?

TKWITS

https://community.sonicwall.com/technology-and-support/discussion/comment/18297#Comment_18297

Read the article thoroughly and come back with questions because you are missing the point.