topic Re: Cisco FPR-2110 as router on a stick in Network Security

Cisco FPR-2110 as router on a stick

Mit_har — Thu, 16 Mar 2023 09:48:52 GMT

Hi, I want to know, can we use FPR-2110 firewall as router on stick?

Re: Cisco FPR-2110 as router on a stick

Rob Ingram — Thu, 16 Mar 2023 09:52:44 GMT

@Mit_har yes you can, you create a subinterface on the FPR2110 for each VLAN to be routed.

Re: Cisco FPR-2110 as router on a stick

MHM Cisco World — Thu, 16 Mar 2023 09:57:10 GMT

Yes since the FW is L3 device like Router and support subinerface, you can config it as router on stick.
only make sure you config link to SW as trunk from SW side.

Re: Cisco FPR-2110 as router on a stick

Mit_har — Thu, 16 Mar 2023 10:03:03 GMT

HI Rob, Thanks for your reply. I have below scenario where we are using core switch with no routing functionality, only to create VLAN's. Routing between different VLAN should happen via firewall and come back to core switch on the same physical interface as there is only one physical link between firewall and core switch. We have requirement from client that routing should happen on firewall only. At the same time, I wanted to allow policy based forward to send the traffic from core switch network to DMZ switch network via firewall. is this design is correct?

Re: Cisco FPR-2110 as router on a stick

Mit_har — Thu, 16 Mar 2023 10:18:16 GMT

Hi, Thanks for your response. I have below scenario where we are using core switch with no routing functionality, only to create VLAN's. Routing between different VLAN should happen via firewall and come back to core switch on the same physical interface as there is only one physical link between firewall and core switch. We have requirement from client that routing should happen on firewall only. At the same time, I wanted to allow policy based forward to send the traffic from core switch network to DMZ switch network via firewall. is this design correct?

Re: Cisco FPR-2110 as router on a stick

Rob Ingram — Thu, 16 Mar 2023 10:37:23 GMT

@Mit_har this seems overly complex (PBR) for a simple design. Why not just create a static route on the core switch for the Voice recording server network, via the FPR2110's inside interface IP address.

Re: Cisco FPR-2110 as router on a stick

MHM Cisco World — Thu, 16 Mar 2023 10:48:12 GMT

NO issue,
Core with VLAN x,y no ip routing
FW have subinterface for VLAN x,y meaning the FW is GW for all client
any traffic between x,y will pass through FW
DMZ SW have vlan Z no ip routing
FW have subinterface for VLAN z meaning the FW is GW for all client
the traffic will pass from x,y to z through FW
so no problem

Re: Cisco FPR-2110 as router on a stick

Mit_har — Thu, 16 Mar 2023 10:54:10 GMT

Hi Rob, Its is client requirement and as communication between different between VLAN or network should happen through firewall. We will using DMZ switch for windows update server and voice recording server as voice recorder will get traffic from all VLAN in one direction only that is communication from all VLAN's to voice recorder only not in vice versa.

Re: Cisco FPR-2110 as router on a stick

Mit_har — Thu, 16 Mar 2023 10:55:21 GMT

Thank you 🙂

Re: Cisco FPR-2110 as router on a stick

Rob Ingram — Thu, 16 Mar 2023 11:00:06 GMT

@Mit_har sure I understand, my suggestion was to route the traffic via the FW.

The other option would be to configure the FW in transparent mode.

Re: Cisco FPR-2110 as router on a stick

Mit_har — Thu, 16 Mar 2023 11:05:55 GMT

HI Rob, Thanks for your reply. So our design is correct. we shall route the traffic via firewall from Vlan x to vlan y towards core switch on the same physical interface and at the same time we will allow PBR to forward the traffic from core switch to DMZ switch network.