Help with setting up 2 x 5520 Firewall & 2 x 2960G Switches

Answered Question
Mar 3rd, 2010

I'm looking to do the following... but am lost with all the options and variables.

Hopefully one of the gurus here can help with a sample config I can expand upon.


P.S.  I'm new to Cisco IOS so please be gentle.


I have two firewalls set to active/standby using the management port for failover communication.  Works great.

I have two switches that I need to do something similar, but am unsure how to do it.

diagram.gif

Can you please provide a configuration that would work for what I am looking for in the diagram above?

Thank you very much in advance!

Correct Answer by Jon Marshall about 6 years 11 months ago

derek.bannard wrote:


Sorry, guess I should have clarified.


I have the firewalls set up so they failover and the VLANs are separated on them.  I however do not have any configuration on the switches... and thus my dilemma.  I don't know how to set up the switches.


Ahh okay.


As an example - vlan 10 = outside, vlan 11 = DMZ, vlan 12 = inside

The 2 switches will interconnect via an etherchannel trunk


2960 switch

=========


create vlans on switch -


vtp mode transparent
vlan 10
 name outside
vlan 11
 name dmz
vlan 12
 name inside


create L2 etherchannel trunk -


int po1   <-- this interface will be automatically created when you configure gi0/1 and gi0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12

int gi0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
 channel-group 1 mode on

int gi0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
 channel-group 1 mode on


then choose ports for the outside/dmz/inside vlans


int gi0/4
 switchport mode access
 switchport access vlan 10

int gi0/5
 switchport mode access
 switchport access vlan 11

etc..


Edit - you would still want to set a hostname and secure access to the switches. Attached is a link to the config guide for the 2960 switch -


2960 configuration guide


Jon
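Jon's config carries the three zones between the two switches, but once the firewall's outside, DMZ and inside segments are just tags on a shared pair of switches, the separation the ASA enforces only holds if a host cannot move between VLANs at layer 2. The defaults on a 2960 work against that: a port left in its default dynamic mode will form a trunk with anything that speaks DTP, VLAN 1 is the native (untagged) VLAN on every trunk, and unused ports are up and in VLAN 1. The following is an added example, not Jon's or Derek's configuration: a fuller config for one switch (SW1) on the same VLAN numbers, adding DTP off, an unused native VLAN, LACP on the EtherChannel, BPDU guard on the firewall-facing ports, shut-and-parked spare ports, and SSH-only management that is never placed on the outside VLAN. The hostname, port numbers, a 24-port model, the 192.168.12.0/24 inside subnet, 192.168.12.1 as the ASA's inside address, VLANs 998/999 and the placeholder credentials are all assumptions; SW2 gets the same config with its own hostname and management address, and both ends of the EtherChannel run LACP active.

```ios
! Added example (not from the original post). Hostname, port numbers, addresses,
! VLAN 998/999 and credentials are assumptions; VLANs 10/11/12 follow the thread.
hostname SW1
service password-encryption
enable secret <strong-secret>
username admin privilege 15 secret <strong-secret>
!
! VLANs are defined locally; transparent mode keeps a rogue or mis-set VTP server
! from rewriting this switch's VLAN database over the trunk.
vtp mode transparent
vlan 10
 name outside
vlan 11
 name dmz
vlan 12
 name inside
vlan 998
 name parking-unused-ports
vlan 999
 name native-unused
!
spanning-tree mode rapid-pvst
! Every portfast port gets BPDU guard: a switch plugged into a zone port is err-disabled.
spanning-tree portfast bpduguard default
!
! Inter-switch EtherChannel trunk. LACP (not "mode on") so a mis-cabled member is
! detected; "nonegotiate" stops DTP; the native VLAN is one nothing else uses, so
! an untagged frame cannot be delivered into a firewall zone.
interface Port-channel1
 description Trunk to SW2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11,12
 switchport nonegotiate
!
interface range GigabitEthernet0/1 - 2
 description EtherChannel member to SW2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11,12
 switchport nonegotiate
 channel-group 1 mode active
!
! One access port per firewall zone (the ASA interface cables here). Static access
! mode plus nonegotiate: an attached device cannot talk its way into a trunk.
interface GigabitEthernet0/4
 description ASA outside (VLAN 10)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/5
 description ASA dmz (VLAN 11)
 switchport mode access
 switchport access vlan 11
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/6
 description ASA inside (VLAN 12)
 switchport mode access
 switchport access vlan 12
 switchport nonegotiate
 spanning-tree portfast
!
! Unused ports: shut, and parked in a VLAN that is not allowed on the trunk.
interface range GigabitEthernet0/7 - 24
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Management SVI on the inside VLAN only (never on VLAN 10), reachable over SSH
! from inside hosts. Gateway is the ASA inside address (assumed 192.168.12.1).
interface Vlan12
 ip address 192.168.12.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.12.1
!
ip access-list standard MGMT-HOSTS
 permit 192.168.12.0 0.0.0.255
!
ip domain-name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
no ip http secure-server
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
```

After pasting this on both switches, check it with `show etherchannel summary` (Po1 should show both members bundled, flag P), `show interfaces trunk` (native VLAN 999 and only 10,11,12 allowed on Po1), and `show interfaces gi0/4 switchport` (Operational Mode: static access, Negotiation of Trunking: Off). Any trunk still showing VLAN 1 as native, or any port reporting a dynamic mode, is the thing to fix before the firewall interfaces are cabled in.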

Ganesh Hariharan Wed, 03/03/2010 - 09:38

Hi,


Please clarify a few things: how does the traffic flow between the zones and towards the outside world? From the diagram, what I feel is that all the traffic is routed via the firewall only, as the 2960G series are purely L2 switches. And is there any default-gateway command configured in the 2960G switches?


Ganesh.H

derek.bannard Wed, 03/03/2010 - 09:47

The traffic flow is as follows:


Source:  Internet

Into Outside VLAN (SW), then route to Firewall Outside VLAN, then based on IP, to DMZ or Internal VLANs.


Source:  Internal

Based on IP routes to internal machines, DMZ or Outside for Internet access.


Source:  DMZ

Based on IP routes to internal machines, DMZ or Outside for Internet access.

Jon Marshall Wed, 03/03/2010 - 09:45

Derek


Not sure what you are looking for. If the diagram is a representation of what you have then you are fine already, because your 2 switches are interconnected via a trunk link which I assume is allowing the outside/dmz/inside vlans across. The vlans are being routed through the 5520 firewalls, which is as it should be.


Is there something specific you need help on ?


Jon

derek.bannard Wed, 03/03/2010 - 09:49

Sorry, guess I should have clarified.


I have the firewalls set up so they failover and the VLANs are separated on them, nothing past that point.  I however do not have any configuration on the switches... and thus my dilemma.  I don't know how to set up the switches.


Ganesh Hariharan Wed, 03/03/2010 - 10:00

derek.bannard wrote:


Sorry, guess I should have clarified.


I have the firewalls set up so they failover and the VLANs are separated on them, nothing past that point.  I however do not have any configuration on the switches... and thus my dilemma.  I don't know how to set up the switches.

Hi,


Jon's explanation about configuring L2 switches is sufficient for your setup, as your firewall is doing the routing and is already configured in Active/Standby fashion, so better to configure the VLANs in your switches and allow them over the trunk as suggested by Jon.


Ganesh.H
