SaintEvn
Beginner

Inter-VLAN Routing configuration in Firepower

Hi

I would like to configure inter-vlan routing in Firepower (FMC) using VLAN sub-interfaces.

I've created sub-interfaces with separate VLAN IDs on the physical interface, and I've configured a trunk port on the access switch side with the appropriate gateway.

But inter-vlan routing is still not working.

What do I need to do in Firepower (FMC) to make inter-vlan routing work?


Thank you so much all!

2 Accepted Solutions
Rob Ingram
VIP Expert

@SaintEvn 

You don't have any interfaces configured in vlan11 or vlan12 on the switch, so I can only assume you are pinging the vlan11 and vlan12 interfaces on the FTD from the switch itself, which would be from vlan 10. As explained above, that will not work by design.

 

You need to connect some devices to the switch in vlan11 and vlan12 with a default gateway of the FTD and then ping "through" the FTD, not "to" the FTD.


Rob Ingram
VIP Expert

No, that's incorrect. The FTD only responds to ICMP traffic sent to the interface that the traffic comes in on (vlan10); you cannot send ICMP traffic through an interface to a far interface (vlan11 or vlan12). The same applies to the ASA as well. I stated to test communication by pinging "through" the firewall, not "to" it.


16 Replies
balaji.bandi
VIP Guru

FTD is more of a zone-based firewall, and same-security-traffic is required to achieve intra- and inter-interface communication. An ACP rule is required to make this work.

 

BB



Hi,

I've also tried with an allow-any Access Control Policy, but inter-vlan routing is still not working.


It was like I had missed "ip routing" on a core layer switch.


I have 3 vlans (vlan 10, 11, 12) and only vlan 10 is pingable from the access switch.

 

I also made sure "no ip routing" is set on the access switch. But inter-vlan routing on Firepower still cannot work yet.

Am I missing something in Firepower??

@SaintEvn 

Do you have NAT exemption rules set up? Without them, traffic could unintentionally be NATed.

 

If you ping the vlan10 IP address of the FTD from the access switch, you would only expect to get a response from vlan10. You cannot be connected to one FTD interface (FTD vlan10) and ping through the FTD to the FTD's far interface (FTD vlan11); this would be denied, by design. You would need to ping through the FTD to a device connected to vlan11 (PC, printer etc.). Obviously your ACP rules need to permit this.

 

Run packet-tracer from the CLI and provide the output for review.

Provide a screenshot of your ACP for this traffic.

Provide the output of "show nat detail".

balaji.bandi
VIP Guru

Can you post the switch config so we can look at how you configured it?

 

Is the VLAN Layer 3 on the switch or on the FTD? Or in both places?

BB


I've demonstrated a lab for my issue. Please help to review my configuration.

All the Layer 3 VLANs are on Firepower, and the switch is an L2-only access switch.

Thank you so much
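As an added example (not from this thread, Cisco, or the poster), a small Python audit of the switch-side half of this lab, the check balaji.bandi asked for above: with the Layer 3 SVIs on the FTD subinterfaces, the access switch must stay pure L2, trunk every routed VLAN to the FTD, and not carry its own addresses on those VLANs. The config text, interface names and addresses below are constructed.

```python
# Constructed access-switch config for the lab in this thread (not the poster's real config):
# VLANs 10-12 are routed on FTD subinterfaces, so the switch must stay pure layer 2.
SAMPLE_CONFIG = """\
no ip routing
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 10,11
 switchport mode trunk
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
interface Vlan12
 ip address 10.10.12.2 255.255.255.0
ip default-gateway 10.10.10.1
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,11,20-22' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} for each interface stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def audit_access_switch(config, ftd_vlans, uplink, mgmt_vlan):
    """List switch-side reasons why inter-VLAN traffic through the FTD can fail.
    ftd_vlans is the set of VLAN IDs routed on the FTD; mgmt_vlan is the switch's own SVI."""
    findings, blocks = [], parse_interfaces(config)
    if "no ip routing" not in config.splitlines():
        findings.append("'no ip routing' is missing: the switch may route between VLANs itself")
    trunk = [c for c in blocks.get(uplink, []) if c.startswith("switchport trunk allowed vlan ")]
    # IOS allows every VLAN on a trunk unless an allowed list is configured
    allowed = expand_vlan_list(trunk[-1].split()[-1]) if trunk else set(range(1, 4095))
    missing = sorted(set(ftd_vlans) - allowed)
    if missing:
        findings.append(f"{uplink}: VLANs {missing} are not allowed on the trunk to the FTD")
    for name, cmds in blocks.items():
        vid = int(name[4:]) if name.startswith("Vlan") and name[4:].isdigit() else None
        if vid in ftd_vlans - {mgmt_vlan} and any(c.startswith("ip address ") for c in cmds):
            findings.append(f"{name}: has a layer 3 address on a VLAN the FTD already routes")
    return findings
```

Running `audit_access_switch(SAMPLE_CONFIG, {10, 11, 12}, "GigabitEthernet1/0/1", 10)` on the sample reports VLAN 12 pruned from the trunk and a competing SVI address on Vlan12; a clean L2 switch returns an empty list.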


Thank you for your suggestion, but according to my understanding, I already have a trunk port configured between the switch and Firepower, and I also configured an allow-any policy. So it should be able to ping from vlan 10 to the other vlan interfaces on the FTD. That is what I usually configure in other firewalls and the ASA.

 

But now it is more like when we miss the "ip routing" command on an L3 switch.

 

SaintEvn