Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
549
Views
0
Helpful
4
Replies

VLAN + HSRP + External FW

npereira
Level 1
Level 1

‎06-14-2007 04:51 PM - edited ‎03-05-2019 04:44 PM

ok, here is ,y scenerio...

I have 2 6513's 12.2(18)SXF8 with SUP720's and MSFC3

Theses are interconnected via 10Gb trunks. This is working fine.

I also have 6 different VLANS witch are adentical on each switch, SW1's VLAN IP ends with .11 and SW2's IP ends with .12

I have setup HSRP between theses 2 switches for each VLAN. The setup for that looks like this (example of VLAN100)

SW1:

int vlan 100

ip address 192.168.2.11

standby 100 ip 192.168.2.1

standby 100 priority 200 preempt

standby 100 track tengig 13/1 50

SW2:

int vlan 100

ip address 192.168.2.12

standby 100 ip 192.168.2.1

standby 100 priority 100

So far this seems correct right? The puzzling issue I have is my firewall (fortigate) has 1 phusical interface for each VLAN.

The FW interface IP to the VLAN 100 is 192.168.2.3

Now... how do I send the traffic to the firewall so we can do the routing and ACL's on the firewall?

Labels:
0 Helpful
4 Replies 4

anandramapathy
Level 3
Level 3

‎06-14-2007 08:20 PM

Put a route MAP on the L3 interfaces on both Switches with the Next Hop pointing to the Firewall IP

0 Helpful

npereira
Level 1
Level 1
In response to anandramapathy

‎06-15-2007 04:15 AM

can you explain how to do this exactly?

0 Helpful

anandramapathy
Level 3
Level 3
In response to npereira

‎06-15-2007 05:25 AM

Why do you want to do routing on the Firewall ?

I prefer it this way. Put 1 static default route on the switch to point towards the Firewall IP.

Internal traffic goes via the L3 switch. INternet traffic goes through the PIX.

If you have a DMZ inside, then your point is valid, all traffic has to go throught the DMZ interface

Anyway - This is how it goes

access-list 111 permit ip 192.168.2.0 255.255.255.255 any

route-map to-firewall permit 10

match ip address 111

set ip default next-hop

int vlan 100

ip policy route-map to-firewall

0 Helpful

npereira
Level 1
Level 1
In response to anandramapathy

‎06-15-2007 06:10 AM

ok, I will explain. The FW is a Fortinet box. Each VLAN is physicaly connected to the Fortinet. basicaly we have 6 VLANS, there is 6 cat5e going from the switch to the fortinet FW. This allows us to do ZONE ACL's on the Fortinet, for all VLANS instead of doing VACL's on the switch (basicaly easier to manage on the Fortinet). And also the fact that one of the vlan's is the DMZ like you mentioned.

ok, so I did this but in a litle different way...

route-map CORP permit 10

set next-hop 10.98.4.3

int vlan 104

ip policy route-map CORP

So I don't use ACL's.

What is the difference between :

"set ip default next-hop" and "set ip next-hop" ???

I want ALL traffic from the VLAN 104 going to the 10.98.4.3 without exceptions, unless it's destined to a host within VLAN 104...

Am I doing this correctly? If so, how can I visualy see the traffic going to the fortinet, then comming back ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card