03-03-2010 09:31 AM - edited 03-06-2019 09:58 AM
I'm looking to do the following... but am lost with all the options and variables.
Hopefully one of the gurus here can help with a sample config I can expand upon.
P.S. I'm new to Cisco IOS so please be gentle.
I have two firewalls set to active/standby using the management port for failover communication. Works great.
I have two switches that I need to do something similar, but am unsure how to do it.
Can you please provide a configuration that would work for what I am looking for in the diagram above?
Thank you very much in advance!
03-03-2010 09:55 AM
derek.bannard wrote:
Sorry, guess I should have clarified.
I have the firewalls set up so they fail over and the VLANs are separated on them. I however do not have any configuration on the switches... and thus my dilemma. I don't know how to set up the switches.
Ahh okay.
As an example - vlan 10 = outside, vlan 11 = DMZ, vlan 12 = inside
The 2 switches will interconnect via an etherchannel trunk
2960 switch
=========
create vlans on switch -
vtp mode transparent
vlan 10
 name outside
vlan 11
 name dmz
vlan 12
 name inside
create L2 etherchannel trunk -
int po1 <-- this interface will be automatically created when you configure gi0/1 and gi0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
int gi0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
 channel-group 1 mode on
int gi0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
 channel-group 1 mode on
then choose ports for the outside/dmz/inside vlans
int gi0/4
 switchport mode access
 switchport access vlan 10
int gi0/5
 switchport mode access
 switchport access vlan 11
etc.
Edit - you would still want to set a hostname and secure access to the switches. Attached is a link to the config guide for the 2960 switch -
Jon
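As an added example (not Jon's config and not Cisco's own tooling), the script below generates the same outside/DMZ/inside layout for either switch and folds in the hardening Jon's edit alludes to: a hostname, SSH-only VTY access, an unused VLAN as the 802.1Q native VLAN on the trunk, DTP disabled on the trunk, PortFast plus BPDU Guard on host-facing ports, and unused ports shut down. It also includes a small audit routine that re-reads a config and flags trunks still on native VLAN 1 or with DTP enabled, and live access ports without BPDU Guard. Hostnames, the 24-port count, VLAN 999 as the native VLAN and the `*_PLACEHOLDER` secrets are assumptions, not values from the thread.

```python
"""Generate and audit a hardened Cisco 2960 L2 config for the outside/DMZ/inside
VLAN layout discussed in the thread.

Added example, not the thread's own config. Hostnames, port count, VLAN 999 as
the unused native VLAN and the *_PLACEHOLDER credentials are assumptions.
"""

VLANS = {10: "outside", 11: "dmz", 12: "inside"}        # VLAN ids/names from the thread
NATIVE_VLAN = 999                                      # assumption: otherwise unused VLAN
CHANNEL_MEMBERS = ["GigabitEthernet0/1", "GigabitEthernet0/2"]
PORT_COUNT = 24                                        # assumption: 24-port model


def vlan_lines(vlans, native):
    lines = ["vtp mode transparent"]
    for vid, name in sorted(vlans.items()):
        lines += [f"vlan {vid}", f" name {name}"]
    return lines + [f"vlan {native}", " name native-unused"]


def trunk_lines(channel, members, vlans, native):
    # Identical trunk settings on the Port-channel and on every member, as in the thread.
    allowed = ",".join(str(v) for v in sorted(vlans))
    trunk = [" switchport mode trunk",
             f" switchport trunk native vlan {native}",   # untagged frames never land in 10/11/12
             f" switchport trunk allowed vlan {allowed}",  # prune every other VLAN off the trunk
             " switchport nonegotiate"]                    # no DTP on a statically configured trunk
    lines = [f"interface Port-channel{channel}"] + trunk
    for port in members:
        lines += [f"interface {port}"] + trunk + [f" channel-group {channel} mode on"]
    return lines


def access_lines(port, vid):
    # Host-facing port: PortFast for fast bring-up, BPDU Guard err-disables it if a switch appears.
    return [f"interface {port}", " switchport mode access", f" switchport access vlan {vid}",
            " spanning-tree portfast", " spanning-tree bpduguard enable"]


def unused_lines(port, native):
    # Unused port: parked in the unused VLAN and shut down.
    return [f"interface {port}", " switchport mode access",
            f" switchport access vlan {native}", " shutdown"]


def mgmt_lines(hostname):
    return [f"hostname {hostname}", "service password-encryption",
            "enable secret ENABLE_SECRET_PLACEHOLDER",        # placeholder, set real secrets out of band
            "username admin secret ADMIN_SECRET_PLACEHOLDER",  # placeholder
            "ip domain-name example.invalid",                  # required before generating the SSH RSA key
            "no ip http server", "no ip http secure-server",
            "line vty 0 15", " transport input ssh", " login local"]


def build_config(hostname, access_ports, vlans=VLANS, native=NATIVE_VLAN,
                 members=CHANNEL_MEMBERS, port_count=PORT_COUNT):
    """access_ports maps interface name -> access VLAN id; everything else is shut down."""
    lines = mgmt_lines(hostname) + vlan_lines(vlans, native)
    lines += trunk_lines(1, members, vlans, native)
    for port, vid in sorted(access_ports.items()):
        lines += access_lines(port, vid)
    used = set(members) | set(access_ports)
    for n in range(1, port_count + 1):
        port = f"GigabitEthernet0/{n}"
        if port not in used:
            lines += unused_lines(port, native)
    return "\n".join(lines) + "\n"


def audit(config_text):
    """Return (interface, problem) pairs for ports that lack the hardening above."""
    stanzas, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None                       # any top-level command ends the stanza
    findings = []
    for name, cmds in stanzas.items():
        if "switchport mode trunk" in cmds:
            native = [c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan ")]
            if not native or native[0] == "1":
                findings.append((name, "trunk uses native VLAN 1"))
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "DTP not disabled on trunk"))
        elif "switchport mode access" in cmds and "shutdown" not in cmds:
            if "spanning-tree bpduguard enable" not in cmds:
                findings.append((name, "access port without bpduguard"))
    return findings


if __name__ == "__main__":
    cfg = build_config("SW1", {"GigabitEthernet0/4": 10,
                               "GigabitEthernet0/5": 11,
                               "GigabitEthernet0/6": 12})
    print(cfg)
    print("audit:", audit(cfg) or "clean")
```

Run it once per switch with that switch's hostname and port-to-VLAN map and paste the output in, then generate the SSH key on the box (`crypto key generate rsa` is an exec command and is deliberately not in the generated text). The script keeps `channel-group 1 mode on` to match the thread; `mode active` (LACP) is the safer choice on a new build because each side verifies the bundle with its peer instead of forwarding blindly.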
03-03-2010 09:38 AM
Hi,
Could you clarify a few things: how does the traffic flow between the zones and towards the outside world? From the diagram, what I feel is that all the traffic is routed via the firewall only, as the 2960G series are purely L2 switches. Is there any default-gateway command configured on the 2960G switches?
Ganesh.H
03-03-2010 09:47 AM
The traffic flow is as follows:
Source: Internet
Into Outside VLAN (SW), then routed to Firewall Outside VLAN, then based on IP, to DMZ or Internal VLANs.
Source: Internal
Based on IP routes to internal machines, DMZ or Outside for Internet access.
Source: DMZ
Based on IP routes to internal machines, DMZ or Outside for Internet access.
03-03-2010 09:45 AM
Derek
Not sure what you are looking for. If the diagram is a representation of what you have then you are fine already because your 2 switches are interconnected via a trunk link which I assume is allowing the outside/dmz/inside vlans across. The vlans are being routed through the 5520 firewalls which is as it should be.
Is there something specific you need help on ?
Jon
03-03-2010 09:49 AM
Sorry, guess I should have clarified.
I have the firewalls set up so they fail over and the VLANs are separated on them, nothing past that point. I however do not have any configuration on the switches... and thus my dilemma. I don't know how to set up the switches.
03-03-2010 10:00 AM
derek.bannard wrote:
Sorry, guess I should have clarified.
I have the firewalls set up so they fail over and the VLANs are separated on them, nothing past that point. I however do not have any configuration on the switches... and thus my dilemma. I don't know how to set up the switches.
Hi,
Jon's explanation about configuring L2 switches is sufficient for your setup, as your firewall is doing the routing, which is already configured in Active/Standby fashion, so better to configure the VLANs on your switches and allow them over the trunk as suggested by Jon.
Ganesh.H
03-03-2010 10:05 AM
Thank you to both of you!
You guys rock!