Solved: Re: Trunking an ip addressed inside interface on Firepower 2130 - Page 3

jreynolds4 · ‎04-19-2024

My network endpoints use the IP addressed vlans on my core cisco layer three core switch as their gateway addresses. i.e.- vlan 11 endpoint address 192.168.11.3/24 with gateway 192.168.11.1/24 (vlan ip on core) and vlan 12 endpoint address 192.168.12.3/24 with gateway 192.168.12.1/24 (vlan ip on core). These vlans are then interconnected. I am attempting to create a path to the internet using the gateway of last resort out of the switch 0.0.0.0 0.0.0.0 10.2.2.1. 10.2.2.1, security zone "InsideTrunk," is the address of a physical inside interface on my Firepower 2130. I have created Access control policies to allow 192.168.11.0/24 and 192.168.12.0/24 from "InsideTrunk" to Outside on the Firepower. Also, the proper auto NATs for both subnets have been created. The endpoints are unable to reach the internet. All I am trying to do is create a transport network. Does anyone have an idea of what I am missing? I have attached the trunk config from the core switch.

MHM Cisco World · ‎04-25-2024

Many points

1-This need to make both end send tag vlan

2- the vlan is depend on interface l2 to be up or down' where l3 interface is more fast tha vlan

3-any vlan in SW is effect by stp' vtp and any othet l2 protocol

He dont need that he can use l3 port and that it.

We use transit Vlan if as he ask in his original port need to use trunk.

Hope this clear to you abd Mr @jreynolds4

MHM

Aref Alsouqi · ‎04-25-2024

Sorry @MHM Cisco World but I don't agree with this. No VALN tagging will be involved here, when you configure the switch port in access mode it won't tag any traffic, and from the FTD perspective, it won't add or have to process any tag, all traffic will be flowing untagged in this case, and there is no need for any trunk link for what @jreynolds4 is trying to achieve. Also spanning tree won't apply here as the other end of the connection is a L3 interface. The VLAN 13 in this case will stay up as long as the physical port Gi1/0/21 is up, there is no dependency on any trunk link. I've always done it using the switch SVIs and never had any issues of any kind, including performance.

MHM Cisco World · ‎04-25-2024

How you config vlan SVI or subinterface in FTD wihtout tag?

MHM

Aref Alsouqi · ‎04-25-2024

We are not referring to configuring any sub-interface on the FTD in this case. The switch SVIs do not require configuring any trunk link or apply any tagging. This link we are referring to between the switch and the FTD is going to be a transit link, the switch port Gi1/0/21 would be configured in access mode in VLAN 13 because the switch VLAN 13 SVI has an IP (10.2.2.2) within the same subnet as the FTD (10.2.2.1) which belongs to the transit subnet. The FTD will use its physical interface for this link, not a sub-interface.

MHM Cisco World · ‎04-25-2024

And in end if FTD use l3 port why I need config vlan svi if I can use l3 interface directly?

MHM

Aref Alsouqi · ‎04-25-2024

Things can be done differently in multiple ways. Configuring routed interfaces on the switches is not common, in fact, some of the switches might not support it neither. I think what I suggested is just a simple common solution that meets @jreynolds4 requirements.

jreynolds4 · ‎04-25-2024

Both of you are such a great resource for me as the self-taught accidental network and firewall guy. Thank you both. Neither of the subnets for vlan 11 or 12 are being used for anything but test right now. The transit vlan 13 is also not in use for anything but this testing. Both the switch and firewall are live in a hospital environment, though, and loss of service is a concern as I figure this out. Do either of you see any danger to adding the FTD routes?

Aref Alsouqi · ‎04-25-2024

I don't see any problem, @jreynolds4. Those routes are specific for VLAN 11 and 12 subnets and will only affect the traffic destined to those VLANs from the FTD side.

jreynolds4 · ‎04-25-2024

Thank you sir. Here we go.

MHM Cisco World · ‎04-25-2024

Finally it solve' by the way TAC engineer is excellent' but I think they dont suggest network design

Glad issue is solved

Have a nice day

MHM

jreynolds4 · ‎04-25-2024

Thank you, MHM. Hope you have a great day as well.

MHM Cisco World · ‎04-25-2024

Sure help other and solve them issue is make my day.

Now it time for some tea.

MHM

jreynolds4 · ‎04-25-2024

Thank you both. I will make the changes as described in the routing for one of the vlans as described by Aref. I will later create the object as MHM describes if the add route works. This is all in a live environment, so fingers crossed that I don't blow anything up.

MHM Cisco World · ‎04-25-2024

Did you use vlan or l3 interface between FW abd SW?

MHM

jreynolds4 · ‎04-25-2024

I am truly sorry, MHM, but the shorthand is stumping me a bit. It is your opinion that the Switchport should remain as a vlan tagged trunk? If I configure the routes as Aref suggests it should work even as a trunk? I believe the routes are the key to what I have been missing all along.