06-14-2007 04:51 PM - edited 03-05-2019 04:44 PM
ok, here is my scenario...
I have 2 6513's 12.2(18)SXF8 with SUP720's and MSFC3
These are interconnected via 10Gb trunks. This is working fine.
I also have 6 different VLANs which are identical on each switch, SW1's VLAN IP ends with .11 and SW2's IP ends with .12
I have setup HSRP between these 2 switches for each VLAN. The setup for that looks like this (example of VLAN100)
SW1:
int vlan 100
ip address 192.168.2.11
standby 100 ip 192.168.2.1
standby 100 priority 200 preempt
standby 100 track tengig 13/1 50
SW2:
int vlan 100
ip address 192.168.2.12
standby 100 ip 192.168.2.1
standby 100 priority 100
So far this seems correct right? The puzzling issue I have is my firewall (Fortigate) has 1 physical interface for each VLAN.
The FW interface IP to the VLAN 100 is 192.168.2.3
Now... how do I send the traffic to the firewall so we can do the routing and ACL's on the firewall?
06-14-2007 08:20 PM
Put a route MAP on the L3 interfaces on both Switches with the Next Hop pointing to the Firewall IP
06-15-2007 04:15 AM
can you explain how to do this exactly?
06-15-2007 05:25 AM
Why do you want to do routing on the Firewall ?
I prefer it this way. Put 1 static default route on the switch to point towards the Firewall IP.
Internal traffic goes via the L3 switch. Internet traffic goes through the PIX.
If you have a DMZ inside, then your point is valid, all traffic has to go through the DMZ interface
Anyway - This is how it goes
! wildcard mask 0.0.0.255 matches the 192.168.2.0/24 source subnet
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
route-map to-firewall permit 10
match ip address 111
! 192.168.2.3 is the firewall interface on VLAN 100 (from the original post)
set ip default next-hop 192.168.2.3
int vlan 100
ip policy route-map to-firewall
06-15-2007 06:10 AM
ok, I will explain. The FW is a Fortinet box. Each VLAN is physically connected to the Fortinet. Basically we have 6 VLANs, there are 6 cat5e going from the switch to the Fortinet FW. This allows us to do ZONE ACLs on the Fortinet, for all VLANs instead of doing VACLs on the switch (basically easier to manage on the Fortinet). And also the fact that one of the VLANs is the DMZ like you mentioned.
ok, so I did this but in a little different way...
route-map CORP permit 10
! no match clause, so every packet entering the interface is policy routed
set ip next-hop 10.98.4.3
int vlan 104
ip policy route-map CORP
So I don't use ACL's.
What is the difference between :
"set ip default next-hop" and "set ip next-hop" ???
I want ALL traffic from the VLAN 104 going to the 10.98.4.3 without exceptions, unless it's destined to a host within VLAN 104...
Am I doing this correctly? If so, how can I visually see the traffic going to the Fortinet, then coming back?
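As an added example (not posted by anyone in this thread), here is one way to write the VLAN 104 policy so that only traffic leaving the subnet is steered to the Fortinet, together with the commands that show the policy being hit. It assumes VLAN 104 is 10.98.4.0/24 and that SW1's SVI is 10.98.4.11 following the .11/.12 convention above; the firewall address 10.98.4.3 is from the thread.

```cisco
! Added example, not from the thread. Assumes VLAN 104 = 10.98.4.0/24,
! SW1 SVI = 10.98.4.11 (assumed), Fortinet on VLAN 104 = 10.98.4.3.
!
! Deny traffic that stays inside VLAN 104 so it is never policy routed;
! permit everything else sourced from the subnet so it goes to the firewall.
ip access-list extended PBR-VLAN104
 deny   ip 10.98.4.0 0.0.0.255 10.98.4.0 0.0.0.255
 permit ip 10.98.4.0 0.0.0.255 any
!
! "set ip next-hop" forces every matching packet to 10.98.4.3, even when the
! switch holds a more specific route for the destination (e.g. another VLAN).
! "set ip default next-hop" only takes effect when the routing table has no
! route for the destination other than the default, so inter-VLAN traffic
! would still be forwarded directly by the switch and bypass the firewall.
route-map CORP permit 10
 match ip address PBR-VLAN104
 set ip next-hop 10.98.4.3
!
interface Vlan104
 ip address 10.98.4.11 255.255.255.0
 ip policy route-map CORP
!
! Verification (exec mode): the match counters on the route-map increase as
! packets are policy routed, and "show ip policy" lists interfaces with PBR.
! show route-map CORP
! show ip policy
! "debug ip policy" prints each policy-routing decision; it is CPU-heavy on a
! busy 6500, so apply an ACL to it or run it only briefly.
```

The same ACL and route-map are applied on SW2's VLAN 104 SVI with its own address, so the policy behaves identically whichever switch is the HSRP active router.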