04-19-2024 08:11 AM
My network endpoints use the IP-addressed VLANs on my Cisco Layer 3 core switch as their gateway addresses, e.g. VLAN 11 endpoint address 192.168.11.3/24 with gateway 192.168.11.1/24 (VLAN IP on the core) and VLAN 12 endpoint address 192.168.12.3/24 with gateway 192.168.12.1/24 (VLAN IP on the core). These VLANs are then interconnected. I am attempting to create a path to the internet using the gateway of last resort out of the switch: 0.0.0.0 0.0.0.0 10.2.2.1. 10.2.2.1, security zone "InsideTrunk," is the address of a physical inside interface on my Firepower 2130. I have created access control policies to allow 192.168.11.0/24 and 192.168.12.0/24 from "InsideTrunk" to Outside on the Firepower. Also, the proper auto NATs for both subnets have been created. The endpoints are unable to reach the internet. All I am trying to do is create a transport network. Does anyone have an idea of what I am missing? I have attached the trunk config from the core switch.
04-25-2024 10:56 AM
Many points:
1- This needs both ends to send tagged VLAN traffic.
2- The VLAN depends on the L2 interface being up or down, whereas an L3 interface is faster than a VLAN.
3- Any VLAN in the SW is affected by STP, VTP and any other L2 protocol.
He doesn't need that; he can use an L3 port and that's it.
We use a transit VLAN if, as he asked in his original post, he needs to use a trunk.
Hope this is clear to you and Mr @jreynolds4
MHM
04-25-2024 11:04 AM
Sorry @MHM Cisco World, but I don't agree with this. No VLAN tagging will be involved here: when you configure the switch port in access mode it won't tag any traffic, and from the FTD perspective it won't add or have to process any tag; all traffic will be flowing untagged in this case, and there is no need for any trunk link for what @jreynolds4 is trying to achieve. Also, spanning tree won't apply here as the other end of the connection is an L3 interface. VLAN 13 in this case will stay up as long as the physical port Gi1/0/21 is up; there is no dependency on any trunk link. I've always done it using the switch SVIs and never had any issues of any kind, including performance.
04-25-2024 11:07 AM
How do you configure a VLAN SVI or subinterface on the FTD without a tag?
MHM
04-25-2024 11:15 AM
We are not referring to configuring any sub-interface on the FTD in this case. The switch SVIs do not require configuring any trunk link or applying any tagging. The link we are referring to between the switch and the FTD is going to be a transit link: the switch port Gi1/0/21 would be configured in access mode in VLAN 13, because the switch VLAN 13 SVI has an IP (10.2.2.2) within the same subnet as the FTD (10.2.2.1), which belongs to the transit subnet. The FTD will use its physical interface for this link, not a sub-interface.
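Added example of the switch side of the transit link described above. This is not the config attached by @jreynolds4; it is written from the values given in the thread (VLAN 13, Gi1/0/21, transit SVI 10.2.2.2, FTD inside address 10.2.2.1, endpoint VLANs 11 and 12). The /24 mask on the transit subnet, the VLAN name and the interface description are assumptions.

```cisco
! Added example (not the poster's attached config): core switch side of the
! transit link to the Firepower 2130. Assumed: transit subnet is a /24.
!
! Inter-VLAN routing must be enabled for the SVIs to route between each other
ip routing
!
! Transit VLAN towards the FTD (name is an assumption)
vlan 13
 name TRANSIT-TO-FTD
!
! Endpoint VLANs: the SVIs are the hosts' default gateways
interface Vlan11
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan12
 ip address 192.168.12.1 255.255.255.0
!
! Transit SVI, same subnet as the FTD InsideTrunk interface 10.2.2.1
interface Vlan13
 ip address 10.2.2.2 255.255.255.0
!
! Port facing the FTD carries only VLAN 13 untagged: access mode, no trunk.
! Vlan13 stays up/up as long as this port is up.
interface GigabitEthernet1/0/21
 description Transit to FTD InsideTrunk 10.2.2.1
 switchport mode access
 switchport access vlan 13
 spanning-tree portfast
!
! Gateway of last resort from the thread: everything not local goes to the FTD
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
! Checks on the switch:
!   show ip route              (expect "Gateway of last resort is 10.2.2.1")
!   show ip interface brief    (Vlan11, Vlan12 and Vlan13 up/up)
!   ping 10.2.2.1 source 10.2.2.2
```

The switch side alone only gets packets as far as the FTD; the FTD still needs to know that 192.168.11.0/24 and 192.168.12.0/24 live behind 10.2.2.2, otherwise the return traffic has no route back to the switch.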
04-25-2024 11:20 AM
And in the end, if the FTD uses an L3 port, why do I need to configure a VLAN SVI if I can use an L3 interface directly?
MHM
04-25-2024 11:24 AM
Things can be done differently in multiple ways. Configuring routed interfaces on the switches is not common; in fact, some of the switches might not support it either. I think what I suggested is just a simple, common solution that meets @jreynolds4's requirements.
04-25-2024 11:25 AM
04-25-2024 11:29 AM
I don't see any problem, @jreynolds4. Those routes are specific for VLAN 11 and 12 subnets and will only affect the traffic destined to those VLANs from the FTD side.
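Added example of the FTD side, i.e. the routes referred to above. This is not the poster's configuration. On an FMC-managed FTD these are entered under Devices > Device Management > Routing > Static Route; the lines below are how they show up in "show running-config" on the FTD CLI (ASA/LINA syntax). Values from the thread: InsideTrunk, 10.2.2.1, 10.2.2.2, the two /24 endpoint subnets. Assumptions: the interface nameif is "InsideTrunk" and "Outside", and the outside next hop 203.0.113.1 is a constructed placeholder.

```cisco
! Added example (not the poster's config): routes the Firepower 2130 needs so that
! traffic can get back to the switch. Interface names and the outside next hop
! 203.0.113.1 are assumptions.
!
! Without the two InsideTrunk routes the FTD only knows 10.2.2.0/24 as a connected
! network. A reply to 192.168.11.3 would then match the default route out Outside,
! so the session never completes and the endpoints cannot reach the internet.
! Once they are present, 192.168.11.0/24 and 192.168.12.0/24 resolve to the
! InsideTrunk interface, which is what the access control rule (source zone
! InsideTrunk) and the auto NAT for those subnets expect.
route InsideTrunk 192.168.11.0 255.255.255.0 10.2.2.2 1
route InsideTrunk 192.168.12.0 255.255.255.0 10.2.2.2 1
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Checks from the FTD CLI:
!   show route
!     (expect S 192.168.11.0/24 and 192.168.12.0/24 via 10.2.2.2, InsideTrunk)
!   packet-tracer input InsideTrunk icmp 192.168.11.3 8 0 8.8.8.8
!     (expect a route lookup to Outside, the access-list and NAT phases,
!      and a final "Action: allow")
```

As said above, these routes only affect traffic the FTD sends towards the VLAN 11 and 12 subnets; they do not change anything for the other inside networks.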
04-25-2024 11:37 AM
04-25-2024 12:02 PM
Finally it's solved. By the way, the TAC engineer is excellent, but I think they don't suggest network design.
Glad issue is solved
Have a nice day
MHM
04-25-2024 12:07 PM
04-25-2024 12:09 PM
Sure, helping others and solving their issues makes my day.
Now it's time for some tea.
MHM
04-25-2024 10:47 AM
Thank you both. I will make the changes as described in the routing for one of the VLANs as described by Aref. I will later create the object as MHM describes if the added route works. This is all in a live environment, so fingers crossed that I don't blow anything up.
04-25-2024 10:51 AM
Did you use a VLAN or an L3 interface between the FW and the SW?
MHM
04-25-2024 11:01 AM
I am truly sorry, MHM, but the shorthand is stumping me a bit. Is it your opinion that the switchport should remain as a VLAN-tagged trunk? If I configure the routes as Aref suggests, should it work even as a trunk? I believe the routes are the key to what I have been missing all along.