Achieving 10Gbps LAN Speed (or relatively close)

TheGoob
Level 4
Level 4

Hi there

So, I have an FPR1010 which is the 1Gbps Interfaces.. Each Interface [using 7 of them] have their own vlan. Each interface is connected to the same Nexus 9K Series Switch, all L2, and their own vlans accordingly.

So, various endpoints connect to their respective Interfaces on Nexus which are associated with their own vlans in relation to the FPR1010 vlans.

Long story short... EVERYTHING connects on the Nexus, which are all 10Gbps Interfaces... But, will vlan1 communicate with vlan2,3,4,5 or 6 at 10Gbps [or relative] or does it drop down to 1Gbps because the "routing" is done on the 1Gbps FPR1010.

I would assume routing logic would dictate the packets never leave the Nexus other than vlan to vlan, but was not sure.


Whew! I’m barely grasping with straws onto the current setup of FPR and Nexus! Let me go look back at your picture, but man I don’t know. I am already in the verge of going insane. 
And yeah, though my ACL’s compare nothing to the real world, for now like I said I’m just gonna do allow for vlan 1-6 to access vlan1-6.

Also, being the Nexus is 96 Ports I can configure some of the Ports to be the “other” router yeah? 

No.  The Nexus "router" is logical, although you can configure "routed" ports.

For now I am going to K.I.S.S with this and set it up as we have discussed. The Port Channels and the other stuff will be phase 2.

Would you happen to know any links of ACL’s for Nexus? I am looking stuff up and seems all easy but didn’t know if you had advice.

for now like I said vlan 1-6 access vlan 1-6 no restrictions. 

"for now like I said vlan 1-6 access vlan 1-6 no restrictions."

Ah, I had thought to suggest that, at least for a test, but didn't know how important those ACLs might be.

Regarding how to do Nexus ACLs, too rusty to say off the top of my head.  Searching the Internet might help for that.

I spent a good 2 hours trying various ways to do this and I can not find a single thing. It’s amazing, like for Catalyst or FPR I can find whatever, but for Nexus it is all different. For fun I even tried some rules I had used before, but they don’t work. 

The ACL's are indeed important.. But the way my mind works is, if it is not working now, is it something I did wrong vs. if I get it to work, all access, I at least know it is an issue with my inputting ACL's

Would you agree or no that this is the correct [main] link to figuring out the ACL's?

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/security/configuration/guide/b-cisco-nexus-9000-nx-os-security-configuration-guide-93x.html

It mentions IP ACL and VACLs? I have never heard of this VACL, but appears to be vlan based.

What's the specific Nexus you're using and its specific IOS?

I had purchased it from a friend/customer for what I do in the field.. It is a N9K-C93120TX 96 Port, running I believe 9.3.x?

Been trying to use this as an example... To no avail.

https://freenetworktutorials.com/configuring-access-lists-or-acl-in-cisco-switch-using-object-group-with-examples/


Are SVI’s, at least in the manner you suggest, simply me adding an ip address to “interface vlan” or is it literally assigning a specific interface an ip address? I would assume, and by reading those 500 Cisco pages, that I would assign the ip to an interface vlan. 

ebillinfo pk
Level 1
Level 1

In a scenario where you have VLANs distributed across multiple interfaces on the FPR1010 firewall, the inter-VLAN communication speed depends on various factors:

  1. Intra-VLAN Communication: When devices within the same VLAN communicate with each other, the traffic generally stays within the same VLAN and doesn’t leave the switch. In this case, the communication speed can be at the speed of the interfaces within the switch, which, in your case, are 10Gbps interfaces.

  2. Inter-VLAN Communication: When devices from different VLANs communicate, the traffic might need to pass through the FPR1010 firewall for routing. If the routing between VLANs is being handled by the FPR1010, the traffic may indeed be limited by the speed of the FPR1010’s 1Gbps interfaces.

  3. Routing Bottleneck: If the FPR1010 is acting as the router between VLANs and the traffic needs to go through it for inter-VLAN communication, the routing process can become a bottleneck if the firewall’s interfaces operate at a slower speed compared to the switch's interfaces.

To optimize inter-VLAN communication speed:

  • Consider implementing Layer 3 switching on your Nexus 9K Series Switch if it supports it. Layer 3 switches can perform inter-VLAN routing at wire-speed, leveraging the higher throughput of the 10Gbps interfaces.
  • Ensure that traffic that doesn't require firewall inspection or policy enforcement can stay within the switch, bypassing the firewall for faster communication.
  • Review the FPR1010’s capabilities and configurations to optimize its routing performance or potentially upgrade interfaces to match higher speeds if necessary.

Overall, for inter-VLAN communication passing through the firewall, the speed might be limited by the FPR1010's interfaces, but intra-VLAN communication within the Nexus switch can utilize the higher 10Gbps interfaces. Optimizing the network design and configurations can help achieve better performance between VLANs.

Making Notes here.


FPR1010;

Dynamic NAT- STATIC WAN IP to Network 

   I.E - x.x.x.177 NAT to 192.168.1.0

Static NAT (For Port Forwarding) STATIC WAN to SPECIFIC LAN IP (Port Based)

ACL’s - WAN to LAN for Outside to In Access

Assign (6) vlans to (6) Interfaces. No DHCP… I.E- 192.168.1.2


Nexus;

Assign 8 Interfaces to each vlan

Create an SVI (6) (adding an IP to each vlan) I.E 192.168.1.1, 192.168.2.1 and so on)

Create ACL’s for lan-to-lan access

Create DHCP Servers for each vlan.

Everything should run as it is, but now local (Nexus) access between vlans allowing 10Gbit throughout.


Also, after looking up various sources, it seems to me Port Channel simply groups separate Interfaces for increased bandwidth I.E 4 Gbps in Port Channel would be 16Gbps? Seems for what I want this is not what I need. 

ALSO, So as I am messing around with this, am I not able to create a DHCP ServerPool on a Nexus?! If not, this changes everything.

TheGoob
Level 4
Level 4

Alright so for fun I messed around with it. I got all my IP's connected through the way we mentioned [above]. Each vlan shows its correct WAN IP when I connect to it and "whatsmyip.net" shows good.

For now, it seems, unless I have DHCP Server availability which from my lousy google results show I can not for each vlan, I have to manually input an IP.  This is a no go.

Second, yeah you are right. vlan to vlan access needs ACL's and man alive, it has been so long, I am clueless. I looked at my cisco books, some online examples etc. No go. I could not get anything to communicate with anything.

Needless to say I put everything back the way it was for now so that it works.

Progress...Kind of.

With these ACL's, yeah, there's no way I am gonna easily figure this one out.

TheGoob
Level 4
Level 4

I am going to move over this thread/create a new one under Security, get a different more specific fine tuning on it. We got it to where I can not get it all working on the Nexus, except the ACL's and I know it is just the ACL's because the vlans can ping each other, so the "throughput" is there.

So all appears to work as desired except for lack of Nexus ACLs?

BTW, did glance through Nexus ACL documentation.  Appears very similar to IOS ACLs, but, of course, in appearance, much different from FPR.

Yeah I tried every variation.

TheGoob
Level 4
Level 4

So I am not gaining any momentum here. Any possible other suggestions?

I feel as if this whole thing got way too complicated and does not need to be. I will approach it as thus, and see if maybe a solution can be isolated and simplified.

I have a home LAN Workshop. I have No Internet, only a NEXUS 9K w/ 6 vlans, and I want each vlan to talk to and access all data on each other vlan [hosts]. Therefore, I need ACL's.


! SVIs require the interface-vlan feature on NX-OS; a switch left in
! pure L2 mode will reject "interface VlanN" until this is enabled.
feature interface-vlan
vlan 2-6

interface Vlan1
  no shutdown
  ip address 192.168.1.1/24
! vlan1 access ports (GE 1/1 - GE 1/8)
interface Ethernet1/1-8
  switchport
  switchport access vlan 1

interface Vlan2
  no shutdown
  ip address 192.168.2.1/24
! vlan2 access ports (GE 1/9 - GE 1/16)
interface Ethernet1/9-16
  switchport
  switchport access vlan 2

interface Vlan3
  no shutdown
  ip address 192.168.3.1/24
! vlan3 access ports (GE 1/17 - GE 1/24)
interface Ethernet1/17-24
  switchport
  switchport access vlan 3

interface Vlan4
  no shutdown
  ip address 192.168.4.1/24
! vlan4 access ports (GE 1/25 - GE 1/32)
interface Ethernet1/25-32
  switchport
  switchport access vlan 4

interface Vlan5
  no shutdown
  ip address 192.168.5.1/24
! vlan5 access ports (GE 1/33 - GE 1/40)
interface Ethernet1/33-40
  switchport
  switchport access vlan 5

interface Vlan6
  no shutdown
  ip address 192.168.6.1/24
! vlan6 access ports (GE 1/41 - GE 1/48)
interface Ethernet1/41-48
  switchport
  switchport access vlan 6


I will refrain from the multitude of ACL's I have tried, but nothing I do will allow any Host on any vlan to be able to communicate with any Host on any other vlan.

Any possible examples out there or assistance? I did indeed refer to the documentation, and can even post here what I have found [I looked into IP ACL and VACL] and neither have any suggestion at all as to what I am trying to do. I have "some" familiarity with doing ACL's in CLI on FPR1010 and some of my older Catalysts, neither of those formats seems to do me any good.

Everyone else getting me this far has been a blessing, but I seem to simply be stuck on 6 vlans, all on same Nexus, being unable to communicate.


NOTE; When I got this Nexus, because at the time I simply did want just L2 capability, I changed everything to L2... Would this have disabled/removed routing capability as well and needs to be re-enabled for the vlan SVI's?
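An added configuration example, not the thread author's or Cisco's own, covering the Nexus side of the "Making Notes" plan above and the later question of allowing all six vlans to reach each other. It assumes NX-OS 9.3(x) on the N9K-C93120TX, the SVIs 192.168.1.1/24 through 192.168.6.1/24 from the notes, and a DHCP server host at 192.168.1.50 (an assumed address; NX-OS offers DHCP relay but no server pool, which answers the DHCP question in the notes).

```text
! Added example (not from the thread). Assumes NX-OS 9.3(x), the six SVIs
! 192.168.1.1/24 .. 192.168.6.1/24, and an assumed DHCP server at
! 192.168.1.50 reached via relay (NX-OS has no DHCP server pool).
feature interface-vlan
feature dhcp
ip dhcp relay

! One object-group for the six workshop subnets, so the ACL stays readable
! and a seventh vlan means one added line rather than new rule pairs.
object-group ip address WORKSHOP-SUBNETS
  10 192.168.1.0/24
  20 192.168.2.0/24
  30 192.168.3.0/24
  40 192.168.4.0/24
  50 192.168.5.0/24
  60 192.168.6.0/24

! Router ACL: first match wins and every NX-OS IP ACL ends in an implicit
! "deny ip any any", so anything not permitted here is dropped. The explicit
! logged deny at the end makes those drops visible in "show logging".
ip access-list LAN-TO-LAN
  10 remark workshop vlans may reach each other without restriction
  20 permit ip addrgroup WORKSHOP-SUBNETS addrgroup WORKSHOP-SUBNETS
  30 remark DHCP DISCOVER comes from 0.0.0.0 to 255.255.255.255 (udp 68->67)
  40 permit udp any eq 68 any eq 67
  50 deny ip any any log

! Apply the same three lines (access-group, relay, no shutdown) on Vlan1
! through Vlan6; Vlan2 is shown.
interface Vlan2
  no shutdown
  ip address 192.168.2.1/24
  ip access-group LAN-TO-LAN in
  ip dhcp relay address 192.168.1.50
```

Hosts must use the SVI address (192.168.x.1) as their default gateway rather than the FPR1010 interface (192.168.x.2 in the notes), otherwise inter-vlan traffic still crosses the firewall's 1Gbps links no matter what the Nexus permits. Check hits with `show ip access-lists LAN-TO-LAN` after enabling statistics per-entry on the ACL.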
