Netgate Discussion Forum

    Do I need any NAT for use of LAN side CARP VIPs?

    HA/CARP/VIPs
    • andrewK

      I wasn't sure about whether to put this discussion in the NAT topic or here for HA, etc.:

      I have a pair of SG-1100s in an HA cluster. They are set up with 4 VLANs on the LAN side.
      Some select devices need to communicate to devices across VLANs.

      As per the HA tutorials I see the need and have set up Outbound NAT for my WAN VIP for proper internet fail-over using HA.

      Do I also need to set up some kind of NAT for inter-VLAN routing so as to properly utilize the CARP VIPs on the 4 VLANs?

      If not, is the reason inherent in the differences between the functionality of a router vs layer 3 switching?

      Thanks.

      • pete.s.

        When you are routing between VLANs you are actually routing between the subnets on different VLANs. CARP doesn't actually make a difference for routing between subnets at all, except that devices have to use the VIP IP address as their default gateway (not one of the firewalls' IPs).

        Then you just need to have a pass rule that allows traffic in the firewall on the right interface from one subnet or IP to another. That's all you have to do there.

        Traffic that is destined for another subnet/VLAN will go to the default gateway (CARP VIP) and then get routed to the other subnet that belongs to the second VLAN.

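The gateway requirement described in the reply above can be checked mechanically. The following is an added example, not part of either poster's message: it audits a per-VLAN inventory for client gateways that point at a node address instead of the CARP VIP, and shows which next hop a client picks for an inter-VLAN packet. All addresses and field names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the thread): two of the four VLANs on an HA pair.
VLANS = {
    "vlan10": {"subnet": "192.168.10.0/24", "node_ips": ["192.168.10.2", "192.168.10.3"],
               "carp_vip": "192.168.10.1", "dhcp_gateway": "192.168.10.1"},
    "vlan20": {"subnet": "192.168.20.0/24", "node_ips": ["192.168.20.2", "192.168.20.3"],
               "carp_vip": "192.168.20.1", "dhcp_gateway": "192.168.20.2"},
}

def audit_gateways(vlans):
    """Return {vlan: [findings]} for gateways that will not survive a failover."""
    findings = {}
    for name, v in vlans.items():
        net = ipaddress.ip_network(v["subnet"])
        vip = ipaddress.ip_address(v["carp_vip"])
        gw = ipaddress.ip_address(v["dhcp_gateway"])
        nodes = {ipaddress.ip_address(ip) for ip in v["node_ips"]}
        issues = []
        if vip not in net:
            issues.append("CARP VIP is outside the VLAN subnet")
        if vip in nodes:
            issues.append("CARP VIP collides with a node interface address")
        if gw in nodes:
            issues.append("clients use a node IP as gateway; traffic stops if that node fails")
        elif gw != vip:
            issues.append("client gateway is neither the CARP VIP nor a node IP")
        if issues:
            findings[name] = issues
    return findings

def next_hop(src_ip, dst_ip, vlans):
    """Where a client sends a packet: directly on-link, or to its VLAN gateway."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, v in vlans.items():
        net = ipaddress.ip_network(v["subnet"])
        if src in net:
            return "on-link" if dst in net else v["dhcp_gateway"]
    raise ValueError(f"{src_ip} is not in any configured VLAN")

if __name__ == "__main__":
    for vlan, issues in audit_gateways(VLANS).items():
        for issue in issues:
            print(f"{vlan}: {issue}")
    print(next_hop("192.168.10.50", "192.168.20.60", VLANS))
```
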
        • andrewK

          Great. Thanks for the clarity.
