Solved: Help with setting up 2 x 5520 Firewall & 2 x 2960G Switches

derek.bannard · ‎03-03-2010

I'm looking to do the following... but am lost with all the options and variable.

Hopefully one of the guru's here can help with a sample config I can expand upon.

P.S. I'm new to Cisco IOS so please be gentle.

I have two firewalls set to active/standby using the management port for failover communication. Works great.

I have two switches that I need to do something similar, but am unsure how to do it.

Can you please provide a configuration that would work for what I am looking for in the diagram above?

Thank you very much in advance!

Jon Marshall · ‎03-03-2010

derek.bannard wrote:

Sorry, guess I should have clarified.

I have the firewalls setup so they failover and the vlnas are seperated on them. I however do not have any configuration on the switches... and thus my dilema. I don't know how to setup the switches.

Ahh okay.

As an example - vlan 10 = outside, vlan 11 = DMZ, vlan 12 = inside

The 2 switches will interconnect via an etherchannel trunk

2960 switch

=========

create vlans on switch -

vtp mode transparent

vlan 10

name outside

vlan 11

name dmz

vlan 12

name inside

create L2 etherchannel trunk -

int po1 <-- this interface will be automatically created when you configure gi0/1 and gi0/2

switchport mode trunk

switchport trunk allowed vlan 10,11,12

int gi0/1

switchport mode trunk

switchport trunk allowed vlan 10,11,12

channel-group 1 mode on

int gi0/2

switchport mode trunk

switchport trunk allowed vlan 10,11,12

channel-group 1 mode on

then choose ports for the outside/dmz/inside vlans

int gi0/4

switchport mode access

switchport access vlan 10

int gi0/5

switchport mode access

switchport access vlan 11

etc..

Edit - you would still want to set a hostname and secure access to the switches. Attached is a link to the config guide for the 2960 switch -

2960 configuration guide

Jon

View solution in original post

Ganesh Hariharan · ‎03-03-2010

Hi,

Clarify few things how is the traffic flow is between the zones and towards outside world, from the diagram what i feel all the traffic are routed via firewall only as 2960G series are purely a L2 switches and is there any defaultgateway command configured in 2960g switches.

Ganesh.H

derek.bannard · ‎03-03-2010

The traffic flow is as follows:

Source: Internet

Into Outside VLAN (SW), then route to Firewall Outside VLAN, then based on IP, to DMZ or Internal VLAN's.

Source: Internal

Based on IP routes to internal machines, DMZ or Outside for Internet access.

Source: DMZ

Based on IP routes to internal machines, DMZ or Outside for Internet access.

Jon Marshall · ‎03-03-2010

Derek

Not sure what you are looking for. If the diagram is a representation of what you have then you are fine already because your 2 switches are interconnected via a trunk link which i assume is allowing the outside/dmz/inside vlans across. The vlans are being routed through the 5520 firewalls which is as it should be.

Is there something specific you need help on ?

Jon

derek.bannard · ‎03-03-2010

Sorry, guess I should have clarified.

I have the firewalls setup so they failover and the vlans are seperated on them, nothing past that point. I however do not have any configuration on the switches... and thus my dilema. I don't know how to setup the switches.

Jon Marshall · ‎03-03-2010

derek.bannard wrote:

Sorry, guess I should have clarified.

I have the firewalls setup so they failover and the vlnas are seperated on them. I however do not have any configuration on the switches... and thus my dilema. I don't know how to setup the switches.

Ahh okay.

As an example - vlan 10 = outside, vlan 11 = DMZ, vlan 12 = inside

The 2 switches will interconnect via an etherchannel trunk

2960 switch

=========

create vlans on switch -

vtp mode transparent

vlan 10

name outside

vlan 11

name dmz

vlan 12

name inside

create L2 etherchannel trunk -

int po1 <-- this interface will be automatically created when you configure gi0/1 and gi0/2

switchport mode trunk

switchport trunk allowed vlan 10,11,12

int gi0/1

switchport mode trunk

switchport trunk allowed vlan 10,11,12

channel-group 1 mode on

int gi0/2

switchport mode trunk

switchport trunk allowed vlan 10,11,12

channel-group 1 mode on

then choose ports for the outside/dmz/inside vlans

int gi0/4

switchport mode access

switchport access vlan 10

int gi0/5

switchport mode access

switchport access vlan 11

etc..

Edit - you would still want to set a hostname and secure access to the switches. Attached is a link to the config guide for the 2960 switch -

2960 configuration guide

Jon

Ganesh Hariharan · ‎03-03-2010

Sorry, guess I should have clarified.

I have the firewalls setup so they failover and the vlans are seperated on them, nothing past that point. I however do not have any configuration on the switches... and thus my dilema. I don't know how to setup the switches.

Hi,

Jon's explantion about configuring l2 switches is sufficient for your setup as your firewall is doing the routing stuff which is already configured in Active/Standby fashion,so better configure vlans in your switches and allow them over the trunk as suggested by Jon.

Ganesh.H

derek.bannard · ‎03-03-2010

Thank you to both of you!

You guys rock!