2 - Wans - 2 - VLans - InterVLan Routing

jeremyd1
Conversationalist

2 - Wans - 2 - VLans - InterVLan Routing

I have two separate ISP Wan connections.  One is my main data network, the other is used for Voip services.  Both plug into a MS350-48LP Switch with Trunk ports.  I have a vlan 200(192.168.168.0/24) setup for The Voip Wan, and change the Native Vlan on all ports that phones are connected to vlan 200.  I am now adding some other services on vlan 200 that i would like to access from my native vlan1 (172.21.196.0/22).  I still want all wan traffic on vlan1 to go out gateway of 172.21.196.1 and all wan traffic on vlan 200 to go out 192.168.168.168.    I am new to vlan and layer 3 routing and not sure what the best approach is to accomplish this.  Any input is greatly appriciated.

 

thanks,

 

Jeremy

6 REPLIES 6
GIdenJoe
Kind of a big deal

The topology description is not really clear to me at least because you are mixing WAN and VLANs together.

 

First let's get your ISP stuff straight:

 

The VoIP subnet: 192.168.168.0/24 is that a subnet YOU created behind your L3 switch?  Or is there an ISP router that has that subnet on it's LAN side that is then trunked to your L3 switch on VLAN 200.  Or does the trunk come in directly from the provider and is the gateway on that subnet somewhere at the ISP itself?

 

Your DATA subnet: I have to assume this is 172.21.196.0/22.  Which device is 172.21.196.1 then?  Your L3 switch?  Or also a router from the ISP?  Is this the only path to the internet?  If not is there a firewall which is routed via your L3 switch and vice versa?

jeremyd1
Conversationalist

192.168.168.0/24 is the subnet on my Sonicwall firewall/router, it is trunked to L3 switch on vlan 200.  All internet traffic from VLAN 200 goes through the sonicwall with one isp.

 

172.21.196.0/22 is the subnet routed through a fortinet firewall/router it is the default vlan1 trunked to L3 Switch.  All traffic routed through vlan1 is routed through the fortinet firewall with another isp.

 

Should note that the 172.21.196.0/22 vlan has all my staff and users on it.  The plan was to keep the two networks separate by running on their own vlan, but now we are getting new equipment that will tie into our voip pbx, and the staff need to be able to log into those devices that are on vlan 200, while they are still connected to Vlan1

GIdenJoe
Kind of a big deal

I see, your L3 switch is not doing L3 at all, it's just serving VLANs where the firewalls are the actual gateways.

There are multiple ways to solve this.
The least intrusive one would be to introduce another VLAN which would server as a transit VLAN that both firewalls share.  And they point routes to VLAN 200 and VLAN 1 subnets to each other so traffic can flow.  In this case you will need to allow the traffic on both sides.

Another solution would be a redesign where your VLANs both have their gateway on the L3 switch instead and then have point to point subnets between the L3 switch and one firewall and another between the L3 switch and the other firewall.  However issue with this is that unless your VoIP traffic has a specific private subnet to go to all traffic will be going through one firewall.

The last solution would be to only terminate your Data VLAN on the L3 switch and then have both a point to point to the data WAN firewall, and just let VoIP be terminated at VoIP firewall as it is but introduce another subnet between those two to route to each other.

jeremyd1
Conversationalist

Below is what is currently setup for the voice vlan.  The data vlan is the default management vlan 1.  What would i need to add to a new transit vlan to make this work.  thanks for the help.vlans.JPG

GIdenJoe
Kind of a big deal

Eeek, why do all those switches have the same IP?

You'll first need to choose the scenario you wish to pursue.

But you cannot have multiple switches having the same IP, that's just nuts.

jeremyd1
Conversationalist

Got the switches updated with different IPs.    I have to get another party involved, as i don't have any control over one of the firewalls.  Thanks for the help. Our state manages one the firewalls and we manage the other.  So I will get them involved to see what option we can proceed with.  thanks, for the help.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels