Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
978
Views
0
Helpful
3
Replies

Configuring a cisco FTD 1120 FDM

S3C
Level 1
Level 1

‎01-18-2022 12:35 PM

Hi!

I have configured a 1110 before but it a much much lesser scale but that setup dont work here. Therefore my kinda noob post.

 

I got 7 vm servers on a esxi but i want them on each VLAN. I am connecting the esxi server to the FW with 1 connection/ethernet (for ie 2nd port (1/2) therefore my plan is to create subinterfaces for each VLAN (vm-server). Some servers are within the same subnet and IP range. For ie 2 servers got 192.168.2.3 and the other one got 2.4 etc.

 

But my problem is that I want more than 1 server per VLAN/Subint, for ie 2 servers on VLAN 30 and then 2 servers on VLAN 60.

How do i configure the subinterfaces do have more than 1 server per VLAN with their respective IP GW?

Do I skip the IP on the subinterfaces/VLANs and then specify the vms IP on the object?

Or am i thinking wrong?

 

I want to control ALL traffic between these devices even those on same VLAN/Subint.

 

Thanks

0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-18-2022 11:58 PM

As long as ESXi tags the traffic, the FTD should have no problem recognizing the source(s) - whether it is one VM or many.

Regarding segregating traffic among VMs in the same subnet (and same ESXi server), that is harder. Because the source host will send and arp for the destination and, if the other host is on the same subnet, the traffic does not go through the FTD.

0 Helpful

S3C
Level 1
Level 1
In response to Marvin Rhoads

‎01-19-2022 05:45 AM - edited ‎01-19-2022 05:50 AM

Thanks for quick reply Marvin.

On my esxi version/hardware there´s no tag option as its too old, only way i think i can do it through hard coding it in the vms os through the virtual network driver and maybe route it through a persistent route.

Yeah, this is so messy trying to explain but to clarify all servers will be same subnet /24 but not the same sub-IP range. Some will be same sub-IP range but different VLAN and some wont.

So my configuration could be like this? :

- set the subint/vlans without IP

- create objects/hosts with their specific IP

- create security zone and link it to that subint/vlan

Which I then control the traffic through these 2 servers using the objects in the ACL (object = network in the ACL setup). And now i dont have to change the servers already set IP or would i have to do that anyway and set a IP on the subint/vlan?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to S3C

‎01-20-2022 04:21 AM

An FTD device with routed interfaces requires IP addresses on the interfaces in order to pass traffic.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card