Cisco FPR-2110 Trunk port and allow routing via firewall

inhamit
Level 1

Hi, Can we configure the trunk port on Cisco FPR-2110 to communicate with Cisco 9300 series switches? I want to use Cisco FPR-2110 to allow routing between vlans after trunk port configuration.

Accepted Solution

Hi, I got confused with this point: "FW internet must connect to one Core SW not to both since the Core SW not run VSS nor vPC".
You use FW (internet) HA, so I say perfect.
I said the FW must connect to one Core because, according to @Aref Alsouqi's topology (you can review it again), you use one FW and connect it to both Cores (which do not run any stack); we cannot connect one FW to two standalone switches, so I mentioned that if you need to use two links, use redundancy (one link active and the other passive).

Hope this is clear to you.


34 Replies

@inhamit yes, you need to configure sub-interfaces on the FTD for each VLAN trunked from the switch.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-ifcs-firewall.html#id_86348

You then must configure Access Control rules to permit traffic between the interface zones.

The 9300 must be configured without any SVI, and IP routing must be disabled.
The FPR must be configured with a trunk and a subinterface for each VLAN.

This will make the FPR do the inter-VLAN routing and inspect all traffic between VLANs.
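The switch side of that design, written out as an added example (this is not configuration from the thread or from any of the posters; VLAN numbers, names, interface identifiers and addresses are assumptions). The point the example makes concrete is that the 9300 stays a pure Layer 2 device: with `no ip routing` set, the only SVI left is a management one that cannot forward between VLANs, so every inter-VLAN packet has to cross the trunk to the FTD, where the Access Control policy is applied.

```ios
! Added example, not from the thread. Catalyst 9300 as a Layer 2 core in the
! "FPR does the inter-VLAN routing" design. All IDs and addresses are assumptions.
!
! Layer 3 forwarding is disabled on the switch, so no SVI can become a gateway by accident.
no ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 30
 name MGMT
!
! Uplink to the FPR-2110 data interface: an 802.1Q trunk carrying only the VLANs that have a
! matching sub-interface on the FTD. The VLAN ID set on each FTD sub-interface must equal the
! tag allowed here (e.g. Ethernet1/1.10 <-> VLAN 10).
interface TenGigabitEthernet1/1/1
 description Trunk to FPR-2110 Ethernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Access port for an endpoint. The host's default gateway is the FTD sub-interface IP for
! its VLAN (assumed 10.10.0.1 on Ethernet1/1.10), not anything on this switch.
interface GigabitEthernet1/0/1
 description Host in USERS
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Management-only SVI so the switch itself stays reachable. Because "no ip routing" is set,
! this SVI forwards nothing between VLANs; "ip default-gateway" is the non-routing form of
! a default route and is honoured only while IP routing is disabled.
interface Vlan30
 ip address 10.30.0.2 255.255.255.0
ip default-gateway 10.30.0.1
```

A quick check after applying it: `show ip route` on the 9300 should report that IP routing is not enabled, and a ping between two hosts in different VLANs should appear in the FTD connection events for the corresponding sub-interfaces; if it does not, the traffic is being switched or routed somewhere other than the firewall.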

Hi, thanks for your reply.

Not sure whether I understood the sentence correctly: "the 9300 must not config without any SVI". This means that we have to configure the 9300 with an SVI for each VLAN, and the default gateway for each VLAN will be via sub-interfaces on the FPR.

Yes, if you configure the 9300 with SVIs then the inter-VLAN routing is done in the SW, not in the FPR, and the FPR will never see the traffic between VLANs.

Hi, we will not do inter-VLAN routing in the 9300 switch. All routing will take place via the firewall over the sub-interfaces in each VLAN. We will be using HSRP to have redundancy at the 9300 switches; I think in that case we have to configure the SVI and standby IP for each VLAN in the switch. Please correct me if I am wrong, or suggest a better design for this network with HSRP at the core switch and routing through the firewall.

[Image attachment: inhamit_0-1681984675624.png]

@inhamit Another option, you could place the VLANs in different VRFs on the 9300s, with a default route for each VRF via the FTD. Therefore intervlan traffic would be routed by the FTD, whilst still maintaining SVIs on the 9300s.
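The VRF alternative above, as an added example (not configuration from the thread or from Rob Ingram; VRF names, VLAN numbers, interfaces and addresses are assumptions). It shows why the SVIs can stay on the 9300 without bypassing the firewall: each VLAN lives in its own VRF, the only route in that VRF is a default route to an FTD sub-interface, and no routes are leaked between VRFs, so the switch has no path from one VLAN to another except through the FTD.

```ios
! Added example, not from the thread. Catalyst 9300 keeps its SVIs, but each VLAN sits in its
! own VRF whose only exit is a default route to the FTD. Names and addresses are assumptions.
ip routing
!
vrf definition USERS
 address-family ipv4
 exit-address-family
vrf definition SERVERS
 address-family ipv4
 exit-address-family
!
vlan 10
 name USERS
vlan 20
 name SERVERS
! One transit VLAN per VRF; these are the only VLANs carried on the trunk to the FTD.
vlan 910
 name TRANSIT-USERS
vlan 920
 name TRANSIT-SERVERS
!
! Endpoint-facing SVIs: the switch is the default gateway inside each VRF.
! "vrf forwarding" must be set before the address, otherwise the address is cleared.
interface Vlan10
 vrf forwarding USERS
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 vrf forwarding SERVERS
 ip address 10.20.0.1 255.255.255.0
!
! Transit SVIs towards the FTD sub-interfaces. Assumed FTD side:
! Ethernet1/1.910 = 10.255.10.1 (zone USERS), Ethernet1/1.920 = 10.255.20.1 (zone SERVERS).
interface Vlan910
 vrf forwarding USERS
 ip address 10.255.10.2 255.255.255.0
interface Vlan920
 vrf forwarding SERVERS
 ip address 10.255.20.2 255.255.255.0
!
interface TenGigabitEthernet1/1/1
 description Trunk to FPR-2110 Ethernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 910,920
 switchport nonegotiate
!
! Each VRF knows only its own default route. With no route leaking configured, USERS and
! SERVERS can reach each other only through the FTD, where the Access Control policy applies.
ip route vrf USERS 0.0.0.0 0.0.0.0 10.255.10.1
ip route vrf SERVERS 0.0.0.0 0.0.0.0 10.255.20.1
!
! The FTD needs the return routes (assumed): 10.10.0.0/24 via 10.255.10.2 on Ethernet1/1.910
! and 10.20.0.0/24 via 10.255.20.2 on Ethernet1/1.920.
```

To verify the isolation, `show ip route vrf USERS` should list only the connected 10.10.0.0/24 and 10.255.10.0/24 plus the static default; if a 10.20.0.0/24 entry ever shows up there, a route leak has been introduced and inter-VLAN traffic would again bypass the firewall.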

Thanks. As per solution 2, we don't need HSRP and SVIs at the switch side. Redundancy in the network will be achieved from the firewall HA configuration. We got one more requirement from the client to add a dedicated firewall for the ISP connection. In that case, how will traffic work to provide an Internet connection to end devices? Please suggest.

[Image attachment: inhamit_0-1682047353766.png]

I will check and see the best design with the new requirement.

Hi, when we configure sub-interfaces on the firewall, routing between all VLANs works by default. What config should I do so I can restrict the traffic between a few VLANs or IP addresses?

@inhamit you would need to configure Access Control rules to permit/deny the traffic between the VLAN interfaces. If you do not know what traffic to restrict, permit the traffic and review the logs regularly, then granularly modify the rules to become more restrictive.

I think @Rob Ingram gave a perfect answer for this Q.

I would go for this design if possible:

[Image attachment: cisco_support_forum_01.jpg]

- No SVIs on the core switches would be needed as you want to use the core firewalls as the default gateway for the internal VLANs. Having the SVIs on the core switches in itself wouldn't be an issue for the inter-VLAN routing unless the endpoints use those SVIs IP addresses as their default gateway.

- No HSRP is needed on the switches as you won't use them as the default gateway.

- I wouldn't connect the ISP firewall to the internal switches; even if that would be in a dedicated VLAN, it is still not recommended from the security perspective.

- The ISP firewall traffic should pass through the core firewalls for inspection.

- The core firewalls will have subinterfaces as mentioned by Rob where you will apply the security policies for enforcement.

- Interface monitoring should be enabled to trigger the HA failover in case a link fails.

Thanks for your reply. I am listing the steps to make this network work:

1) No SVI or HSRP on the core switches A and B.

2) The default gateway will be on the firewall (with HA) using sub-interfaces, and inter-VLAN traffic will be restricted using Access Control lists.

Pending is: the client wanted to connect the ISP firewall directly to the core switches. Can you please suggest what configuration I should do to make the internet work for devices via the core switch?

Client wanted to connect the ISP firewall to core switch. Can you please suggest, what 
