Solved: Re: Cisco FPR-2110 Trunk port and allow routing via firewall - Page 2

inhamit · ‎04-19-2023

Hi, Can we configure the trunk port on Cisco FPR-2110 to communicate with Cisco 9300 series switches? I want to use Cisco FPR-2110 to allow routing between vlans after trunk port configuration.

MHM Cisco World · ‎04-21-2023

I prefer this Desing, the FW HA with transparent mode only do inspection of traffic and Core (agg) do routing. (Solution1)
since there is no meaning of Core SW (with L3 capability) in your network and with additional FW for internet.
then connect the both Core SW to FW (internet)

inhamit · ‎04-21-2023

Thanks for your recommendations. But as per the client requirement, network should work this way:

1) Routing between internal Vlan's (with few restriction on routing between vlans) should happen via dedicated Internal Firewall. Internal Firewall will be in HA mode and will be connected to core switch.

2) ISP firewall with HA should connect directly to core switch for internet access. Can you please suggest, what configuration I should do to have internet on devices via core switch?

MHM Cisco World · ‎04-21-2023

in Core you config new VLANx, this VLANx have subinterface (or connect to interface) in internal FW and interface in FW(internet)
NOW traffic
Client->Access SW->Core->internal FW HA -VLANx->Core->FW(internet)

in FW HA internal there is default route toward the FW (internet)

Aref Alsouqi · ‎04-21-2023

Keep in mind please that connecting the external edge firewalls to the core switch is not recommended even if those connections will be placed into a separate VLAN, but still. I would personally try to convence the customer not to do so.

If there is no other option, then as @MHM Cisco World explained you would need to create a new VLAN and connect the ISP firewall to that VLAN, however, you also need to create a subinterface on the internal firewalls in that same VLAN and then allow it on the trunk ports between the internal firewalls and the core switches, then finally you configure the default route to the internet on the internal firewalls pointing to the external ones.

inhamit · ‎04-21-2023

Thanks for the architecture diagram. It is not clear to me. Just have a quick question here that we dont have stacking between the core switch 1 and 2. We only have fiber connection between them. I think this will not make any problem nor will create any loop in the network. Redundancy in the network to access switches will be taken via firewall HA. Do you have any other opinion on this?

inhamit · ‎04-21-2023

Thanks for the architecture diagram. It is now clear to me. Just have a quick question here that we dont have stacking between the core switch 1 and 2. We only have fiber connection between them (no VSS nor HSRP, just as trunk between them via fibre). I think this will not make any problem nor will create any loop in the network. Redundancy in the network to access switches will be taken via firewall HA. Do you have any other opinion on this?

Aref Alsouqi · ‎04-21-2023

Yes that won't be a problem. The design can be different without affecting the connectivity between the switches and the firewalls. A simplified design would look like this and you can still achieve same result:

MHM Cisco World · ‎04-21-2023

this topology not correct
1- FW internet must connect to one Core SW not to both since the Core SW not run VSS nor vPC
2- Core SW must interconnect to provide redundancy and provide L2 for FW HA, otherwise the traffic must pass to access SW.

MHM Cisco World · ‎04-21-2023

for first point since Core is no stack then you can use redundant interface and connect to both SW.

inhamit · ‎04-21-2023

Hi, Can u please suggest as per reply from @MHM Cisco World? what will be the design. we are using C9300X-24Y-A switch as core switch which dosnt support VSS or vPC.

Rob Ingram · ‎04-21-2023

@inhamit or another option. Use traffic zones on the inside interfaces on the single internet firewall, this will ECMP over the two links (one to each 9300) - https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/interface-zones.html

Aref Alsouqi · ‎04-21-2023

Mmm, can't those interfaces on the ISP firewall be grouped? Regarding the HA, I don't think the firewalls HA would be affected by the interconnect link of the core switches. If you connect the firewalls HA link(s) directly you don't need any interconnection between the core switches.

inhamit · ‎04-21-2023

This design we have it from customer. Can @MHM Cisco World @Aref Alsouqi @Rob Ingram please suggest? Lot of confusion for me as of now.

MHM Cisco World · ‎04-21-2023

this design is perfect, which point confuse you ?
just make sure that both STP Core SW elect as root primary and root secondary

inhamit · ‎04-21-2023

Hi, I got confused with this point "FW internet must connect to one Core SW not to both since the Core SW not run VSS nor vPC". Core switches will be inter connected via fibre only for trunk port connection between them. Since we have Internet firewall in HA mode, we will have single link from each ISP firewall to core switch to achieve the redundancy from ISP network.

Yes, we will configure core switch 1 as root primary for all vlan and core switch 2 as root secondary.