Adding new physical network and using same HSRP VIP as Gateway

mahesh18
Level 6

Hi Everyone,

We have 2 Cisco ASRs running HSRP between them.

Their VIP is, say, 191.x.x.20.

Here is the current setup:

FW---outside interface --Public IP-----Layer 2 Switch --------Cisco ASR

The FW outside interface has a public IP.

And the gateway of the FW is the VIP 191.x.x.20.

I need to configure a new DMZ network for a client with a new FW, say FW1:

FW1(new) -- outside interface --Public-IP----Layer 2 Switch-----------------Cisco ASR

Can I run a physical cable from the new FW1 to the layer 2 switch and then to the Cisco ASR, and use the existing VIP of the ASR as the default gateway for the new FW1?

Regards

Mahesh


12 Replies

tvanemmerik
Level 1

Hi Mahesh,

I guess the answer depends on what you're trying to achieve.

I assume that the current FW's public IP address is in the same subnet as the ASR VIP address?

If you want to add a new customer (with a new FW) to the same topology, adding the new FW with an IP address in the same range as the current FW/ASR and connecting it to the L2 switch would technically work. However, I suggest creating a new subnet for your new customer, a different VLAN on the L2 switch, and making the connection towards the ASR a dot1q trunk. Then create a new VIP address for the new customer.

HTH

Hi,

Yes, the current FW public IP is in the same /24 subnet as the VIP.

On the layer 2 switch I see the public IP as a /24 subnet.

The new FW public IP will also be in the same /24 subnet.

But on the layer 2 switch the current /24 subnet has VLAN 250.

If I add the new FW with a public IP in the same range, can I use the same VLAN 250 on the new port on the layer 2 switch?

Regards

Mahesh

Reza Sharifi
Hall of Fame

Hi Mahesh,

I agree with tvanemmerik.

The second customer should be in a different VLAN. This way it is easier to block one customer from the other if you need to.

HTH

Hi Reza,

The public IP subnet on the current FW is /24.

On the switch it has VLAN 250 for the public IP subnet /24.

If I create a new VLAN, say 251, can I assign it the same /24 subnet?

Regards

Mahesh

Hi Mahesh,

No, you can't assign the same subnet to 2 different SVIs on the switch. One option is to divide the /24 to two /25s and then assign them to 2 different SVIs. If the first SVI is already in production, it will require downtime to make this change. The other option could be to get a second public IP range (/26 or /27) from the ISP and assign it to the second SVI. This way you don't have to touch the first subnet. You would have to talk to your provider about this option.

HTH

Hi Reza,

It seems the /24 subnet is already in production.

So what are my options?

Can I configure a layer 3 port on the FW and use an access port on the switch with the default VLAN 1?

Regards

Mahesh

Can I do this?

---FW outside interface public ip with /24  -------------------Sw port----vlan tag----ASR

The switch port connected to the FW will have no tagging, and the switch port going to the ASR router will have the same VLAN tag 250.

As I see it this should work, as the layer 2 switch just passes the traffic and it has 1 SVI, which is for the management network.

Mahesh,

Is this what you are trying to do:

FW---outside interface --Public IP-----Layer 2 Switch --------Cisco ASR-----Internet

FW1---outside interface --Public IP-----Layer 2 Switch --------Cisco ASR----Internet

Question:

Are you using the /24 public IP to peer the FW and the ASR or are you using a /30 between the FW and the ASR and the /24 is used for NAT and other stuff?

If the /24 is used, you can't use the same /24 for the second FW as well.

HTH

Hi Reza,

I am using the /24 between the new FW and the Cisco ASR.

I will use the current VIP as the gateway for the new FW.

Here is the current setup:

FW-outside interface --Public IP-----port 1 Layer 2 Switch port 1 vlan 250---port 1Cisco ASR-----Internet

What I will do for the new network is use the same physical connection between the layer 2 switch and the ASR.

So the new FW will also have an IP in the /24, the port going to the layer 2 switch will be untagged, and since the gateway is the same for the new FW1 it will use the existing physical connection as shown below:

New FW1--outside interface /24 public IP-----port 2 - untagged layer 2 switch port 1 vlan 250----port1 ASR.

I hope this should work, as the layer 2 switch is just acting as a layer 2 domain between the layer 3 FW and the ASR.

Regards

Mahesh

Hi Mahesh,

Yes, this will work. Basically, both firewalls will be on the same subnet and VLAN (250). I originally thought you wanted to put the new firewall on a different VLAN but using the same subnet, and that would not have worked.

HTH
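As an added illustration, not configuration taken from the thread, here is what the agreed design looks like on a Cisco IOS layer 2 switch and on one of the two HSRP ASRs: both firewall-facing ports are untagged access ports in VLAN 250, the uplink to the ASR carries VLAN 250 tagged, and the ASR terminates it on a dot1Q subinterface that holds the HSRP VIP. Interface names, the ASR's real address, the key string and the octets written "x" are assumptions, not values from the posts; the commented block at the end sketches tvanemmerik's per-customer VLAN alternative.

```cisco
! --- Layer 2 switch (constructed example; interface names assumed) ---
vlan 250
 name CUSTOMER-PUBLIC-24
!
interface GigabitEthernet0/1
 description Existing FW outside - untagged, VLAN 250
 switchport mode access
 switchport access vlan 250
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description New FW1 outside - untagged, same VLAN 250 (accepted design)
 switchport mode access
 switchport access vlan 250
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description Uplink to ASR - VLAN 250 tagged
 ! on switches that still offer ISL, add "switchport trunk encapsulation dot1q" first
 switchport mode trunk
 switchport trunk allowed vlan 250
!
! --- ASR #1 (HSRP active). ASR #2 is the same except for its own real
!     address and the default priority of 100. Replace x.x with the real octets.
interface GigabitEthernet0/0/0.250
 description Customer public /24 on VLAN 250
 encapsulation dot1Q 250
 ip address 191.x.x.2 255.255.255.0
 standby version 2
 standby 1 ip 191.x.x.20
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string PLACEHOLDER-KEY
!
! --- Alternative (tvanemmerik): second customer on its own VLAN and subnet ---
! switch: put FW1's port in VLAN 251 and add 251 to the uplink trunk's allowed list;
! ASR: a second subinterface with its own VIP in a new range from the ISP, e.g.
! interface GigabitEthernet0/0/0.251
!  encapsulation dot1Q 251
!  ip address <second-range>.2 255.255.255.192
!  standby 2 ip <second-range>.20
```

With the accepted design both customers' firewalls share one broadcast domain and see each other's traffic and the HSRP hellos, so the `authentication md5` line is worth keeping; if you later need to filter one customer from the other, the per-customer VLAN layout is the one that lets the ASR do it.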

It worked great, Reza.

Many thanks

Mahesh

Glad to know it is all working for you, Mahesh.

Good Luck!

Reza