topic Re: Cisco FPR-2110 Trunk port and allow routing via firewall in Network Security

Cisco FPR-2110 Trunk port and allow routing via firewall

Mit_har — Thu, 20 Apr 2023 06:23:40 GMT

Hi, Can we configure the trunk port on Cisco FPR-2110 to communicate with Cisco 9300 series switches? I want to use Cisco FPR-2110 to allow routing between vlans after trunk port configuration.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Rob Ingram — Thu, 20 Apr 2023 07:07:34 GMT

@Mit_har yes, you need to configure sub-interfaces on the FTD for each VLAN trunked from the switch.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-ifcs-firewall.html#id_86348

You then must configure Access Control rules to permit traffic between the interface zones.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

MHM Cisco World — Thu, 20 Apr 2023 09:22:39 GMT

the 9300 must not config without any SVI and ip routing must disable
the FRP must config with trunk and subinterface for each vlan

this will make FPR inter-vlan and inspect all traffic between VLAN

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Mit_har — Thu, 20 Apr 2023 09:43:07 GMT

Hi, Thanks for your reply.

Not sure whether I understood the sentence correctly "the 9300 must not config without any SVI". This means that we have to configure the 9300 with SVI for each vlan and default gateway for each vlan will be via sub interfaces on FPR.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

MHM Cisco World — Thu, 20 Apr 2023 09:49:15 GMT

Yes if you config 9300 with SVI then the intervlan done in SW not in FPR and FPR will never see the traffic between VLAN.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Mit_har — Thu, 20 Apr 2023 10:01:28 GMT

Hi, We will not do intervlan in 9300 switch. All routing will take place via firewall over the sub interfaces in each vlan. We will using HSRP to have redundancy at 9300 switches, I think in that case we have configure the SVI and standby IP for each vlan in the switch. Please correct me if I am wrong or better design for this network with HSRP at core switch and routing through firewall.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Rob Ingram — Thu, 20 Apr 2023 10:08:24 GMT

@Mit_har Another option, you could place the VLANs in different VRFs on the 9300s, with a default route for each VRF via the FTD. Therefore intervlan traffic would be routed by the FTD, whilst still maintaining SVIs on the 9300s.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

MHM Cisco World — Thu, 20 Apr 2023 10:23:52 GMT

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Mit_har — Fri, 21 Apr 2023 03:23:19 GMT

Thanks. As per solution 2, we dont need HSRP and SVI at the switch side. Redundancy in the network will be achieved from the firewall HA configuration. We got one more requirement from client to add dedicated firewall for ISP connection. In that case, How traffic will work to have Internet connection to end devices? Please suggest.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Mit_har — Fri, 21 Apr 2023 08:43:12 GMT

HI, When we config sub interfaces on firewall, routing between all vlans works by default. What config I should do so I can restrict the traffic between few vlans or IP address?

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Rob Ingram — Fri, 21 Apr 2023 08:47:30 GMT

@Mit_har you would need to configure Access Control rules to permit/deny the traffic between the VLAN interfaces. If you do not know what traffic to restrict, permit the traffic and review the logs regularly then granularly modify the rules to become more restrictive.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

MHM Cisco World — Fri, 21 Apr 2023 10:06:04 GMT

I think @Rob Ingram give perfect answer for this Q

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

MHM Cisco World — Fri, 21 Apr 2023 10:11:25 GMT

I will check and see the best design with new requirement

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Aref Alsouqi — Fri, 21 Apr 2023 10:20:28 GMT

I would go for this design if possible:

- No SVIs on the core switches would be needed as you want to use the core firewalls as the default gateway for the internal VLANs. Having the SVIs on the core switches in itself wouldn't be an issue for the inter-VLAN routing unless the endpoints use those SVIs IP addresses as their default gateway.

- No HSRP is needed on the switches as you won't use them as the default gateway.

- I wouldn't connect the ISP firewall to the internal switches, even if that will be in a dedicated VLAN, but still not recommended from the security perspective.

- The ISP firewall traffic should pass through the core firewalls for inspection.

- The core firewalls will have subinterfaces as mentioned by Rob where you will apply the security policies for enforcement.

- Interfaces monitor should be enabled to trigger the HA failover in case a link should fail.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

MHM Cisco World — Fri, 21 Apr 2023 10:33:35 GMT

I prefer this Desing, the FW HA with transparent mode only do inspection of traffic and Core (agg) do routing. (Solution1)
since there is no meaning of Core SW (with L3 capability) in your network and with additional FW for internet.
then connect the both Core SW to FW (internet)

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Mit_har — Fri, 21 Apr 2023 10:45:30 GMT

Thanks for your reply. I am listing the steps to make this network work:

1) No SVI or HSRP on the core switches A and B.

2) Default gateway will be on firewall with HA using sub interfaces and Inter vlan traffic will be restricted using Access control list.

Pending is: Client wanted t connect the ISP firewall direct to the core switches. Can you please suggest what configuration I should do to make the internet work to device via core switch?

Client wanted to connect the ISP firewall to core switch. Can you please suggest, what

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Mit_har — Fri, 21 Apr 2023 10:53:01 GMT

Thanks for your recommendations. But as per the client requirement, network should work this way:

1) Routing between internal Vlan's (with few restriction on routing between vlans) should happen via dedicated Internal Firewall. Internal Firewall will be in HA mode and will be connected to core switch.

2) ISP firewall with HA should connect directly to core switch for internet access. Can you please suggest, what configuration I should do to have internet on devices via core switch?

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

MHM Cisco World — Fri, 21 Apr 2023 11:03:49 GMT

in Core you config new VLANx, this VLANx have subinterface (or connect to interface) in internal FW and interface in FW(internet)
NOW traffic
Client->Access SW->Core->internal FW HA -VLANx->Core->FW(internet)

in FW HA internal there is default route toward the FW (internet)

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Aref Alsouqi — Fri, 21 Apr 2023 12:23:53 GMT

Keep in mind please that connecting the external edge firewalls to the core switch is not recommended even if those connections will be placed into a separate VLAN, but still. I would personally try to convence the customer not to do so.

If there is no other option, then as @MHM Cisco World explained you would need to create a new VLAN and connect the ISP firewall to that VLAN, however, you also need to create a subinterface on the internal firewalls in that same VLAN and then allow it on the trunk ports between the internal firewalls and the core switches, then finally you configure the default route to the internet on the internal firewalls pointing to the external ones.

Re: Cisco FPR-2110 Trunk port and allow routing via firewall

Mit_har — Fri, 21 Apr 2023 13:54:41 GMT

Thanks for the architecture diagram. It is not clear to me. Just have a quick question here that we dont have stacking between the core switch 1 and 2. We only have fiber connection between them. I think this will not make any problem nor will create any loop in the network. Redundancy in the network to access switches will be taken via firewall HA. Do you have any other opinion on this?