I certainly understand wanting to have the firewall do the inter vlan routing so that it provides full visibility and control of the routed traffic. What I do not understand is why you want to enable routing on the switch and then do extra work to make sure that the switch is not really routing but is forwarding everything to the firewall (which it was already doing when it was simply layer 2). What is the advantage in making the switch layer 3 when you really do not want it to do routing?
The requirements that are passed to us are:
1. 2 active standalone (not A/S) firewalls to perform inter-VLAN routing, if 1 goes down, the other firewall can take over the routing.
2. The 2 core switches (L2/L3) are configured with HSRP.
3. All servers from various VLANs/subnets are connected to the core switches.
To achieve the above, do you have a better solution? I believe the design that is passed to us is already not common and according to best practice but the solution is also there to meet the limitations that the environment presents.
If you need all traffic between vlans to go via the firewalls then you need to go back and visit the reasons for the requirements (assuming this is a production system and not a lab exercise).
Make a choice -
1) let the switches do the routing and keep your firewalls separate
2) make the firewalls a pair.
Yes you can come up with a "fix" that would probably make it work but networks are better when they are kept as simple as possible, so push back on the requirements.
I believe that @Jon Marshall makes a good point in asking about these requirements. Where do they come from? Is there any possibility of discussing and of modifying the requirements? I find some issues in the requirements as stated that will be quite difficult to implement. For example the requirements say that HSRP will run on the switches. I am not clear whether that is suggesting that HSRP will run on the SVIs of the switches? If that is the case then the switches will be doing the inter vlan routing and the firewalls will not be able to supply the full visibility and control that seems to be the primary requirement. Or does the specification of HSRP mean that HSRP will be carried through the switches and HSRP will actually run on the gateway interfaces of the firewalls that are providing inter vlan routing? That would be possible if the gateways were routers. But assuming that the firewalls you mention are ASAs then the issue is that the ASA does not support HSRP.
As I stated in a previous post I believe that some of these requirements are mutually contradictory. The key requirements are 1) 2 firewalls are standalone. 2) firewalls do all of the inter vlan routing. 3) redundancy so that if first firewall fails the second will take over. You can easily have any 2 of them but having all 3 of them is difficult (or even impossible).
If you take away 1) that firewalls are standalone and make them a failover pair then it is easy to achieve 2) firewalls do all inter vlan routing and 3) redundancy.
If you take away 2) that firewalls do all inter vlan routing and enable routing between vlans on the switches, then it is easy to achieve 1) firewalls are standalone and 3) redundancy.
If you take away 3) redundancy then it is easy to have 1) firewalls are standalone and 2) firewall does all inter vlan routing.
But I do not see a way to achieve all 3. It is easy to have firewalls be standalone. Each firewall can have an interface in each vlan (this gets 1). It is easy to have the inter vlan routing on the firewalls. In this case each host in the network (PC, server, etc) will have a default gateway that is either the first or the second firewall. Each firewall will be able to forward traffic to any host in any of the vlans (this gets 2). But in this case a host default gateway will be either firewall 1 or will be firewall 2. If its gateway firewall goes down how do you change the host default gateway to use the other firewall? (cannot get 3).
So is there any flexibility about these requirements?
Let me repaint the context of this requirement:
1. As seen in the picture (sample.jpeg)
2. Switches are now layer 3 instead of layer 2.
3. Hosts from various subnets are having their gateway on the L3 switch.
4. Firewall A and firewall A1 are both standalone firewalls.
5. If hosts from subnet A want to communicate with subnet A1 (which are completely different subnets), the traffic does not have to go through the firewalls.
6. If hosts from subnet A want to communicate with subnet B or B1, traffic has to be forced to the nearest firewall for routing.
7. If the nearest firewall fails, the other firewall takes over the routing.
8. Left network (subnet A and B with firewall A) and right networks (subnet A1 and B1 with Firewall A1) are located in 2 different locations.
Now, we are trying VRF-lite on the L3 switch, with each VRF being a subnet (or VLAN). We are thinking:
a. Creating VRF A, VRF B, VRF A1 and VRF B1 on both sides of the network.
b. Having a trunk across the 2 L3 switches to carry all VRFs (or VLANs) across each site. Is this possible?
c. To have point 5 fulfilled, we will have a static route for VRF A1 in VRF A (and vice versa).
d. To have points 6 and 7 fulfilled, we force all other traffic to the nearest firewall and have a floating static to the other firewall. Is this possible?
Problems we faced so far are:
i. We are not able to trunk all the VRFs (or SVIs) across each site. Are we to do a L2 or L3 trunk?
ii. Is point d above even possible?
To be more detailed about the equipment we are using:
aa. We are using Cisco Catalyst 9300 with Network Advantage for the L3 switch.
bb. We are using a Firepower 2130 (with FTD) as Firewall A and Firewall A1, without FMC.
I know this is going against norms with this network. Thanks for your help.
Thanks for clarifying what equipment you are using. That should be helpful. I do not have experience with 9300 using VRF. If someone else does have that experience I invite them to join the conversation. I can see that vrf lite would help to isolate vlanA/subnetA from vlanB/subnetB.
I do not see any reason to try to trunk between the switches. A trunk would be useful if you want to extend vlan A from the left switch to the right switch. But as I understand your explanation of the environment vlan A is isolated on its switch. I think that what you want between the switches is not a trunk but is a routed link.
You have not described the connection from the switches to their firewalls. I hope that this is a routed subnet link rather than some type of trunk.
I think the routing would be something like this:
- on switch A
** vrf A has a route for subnet A1 using the routed link between switches.
** vrf A has a default route for all other traffic using the routed link to firewall A.
** vrf A has a floating static default route with a next hop of firewall A1 (this static route would need to be recursive, indicating that the destination IP of A1 is reached using the switch to switch routed link).
** vrf B has a default route for all other traffic using the routed link to firewall A.
** vrf B has a floating static default route with a next hop of firewall A1 (this static route would need to be recursive, indicating that the destination IP of A1 is reached using the switch to switch routed link).
- on switch B
** vrf A1 has a route for subnet A using the routed link between switches.
** vrf A1 has a default route for all other traffic using the routed link to firewall A1.
** vrf A1 has a floating static default route with a next hop of firewall A (this static route would need to be recursive, indicating that the destination IP of A is reached using the switch to switch routed link).
** vrf B1 has a default route for all other traffic using the routed link to firewall A1.
** vrf B1 has a floating static default route with a next hop of firewall A (this static route would need to be recursive, indicating that the destination IP of A is reached using the switch to switch routed link).
- on both firewalls you would need routing logic to reach all 4 subnets of both switches.
The challenge in this will be to make sure that the static default route is not used if the local firewall is not working. To achieve this you probably need something like tracking with IP SLA.
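An added configuration example, not posted by anyone in this thread, showing what the route layout described above could look like on switch A for VRF A in Catalyst 9300 IOS-XE syntax, including the IP SLA tracking that withdraws the primary default. Every interface name, VLAN number and address is invented for the example. It also makes two layout assumptions that the thread leaves open: the switch-to-switch link is an 802.1Q trunk carrying one transit VLAN per VRF (so each VRF gets its own routed hop to switch B rather than sharing one physical routed port, which VRF-lite does not allow), and subnet A and subnet A1 sit in one VRF that spans both switches (so traffic between them never needs a firewall, as point 5 requires); with four separate VRFs as the original poster planned, static leaking between VRF A and VRF A1 would have to be added on top of this.

```ios
! Added example, not from the thread. Switch A, VRF A only; VRF B repeats the
! same pattern with its own SVI, its own routed port to firewall A and its own
! transit VLAN (901). All names and addresses are invented for the example.
ip routing
!
vrf definition A
 address-family ipv4
 exit-address-family
!
! Subnet A: hosts use 10.1.10.1 as their gateway.
! "vrf forwarding" must come before the address, because changing the VRF clears it.
interface Vlan10
 vrf forwarding A
 ip address 10.1.10.1 255.255.255.0
!
! Routed link to the local firewall A (firewall side is 10.255.1.1)
interface GigabitEthernet1/0/1
 description routed link to firewall A, VRF A
 no switchport
 vrf forwarding A
 ip address 10.255.1.2 255.255.255.252
!
! Switch-to-switch link: trunk carrying only the per-VRF transit VLANs
interface GigabitEthernet1/0/24
 description trunk to switch B, transit VLANs only
 switchport mode trunk
 switchport trunk allowed vlan 900,901
!
! VRF A transit hop to switch B (switch B side is 10.255.100.2)
interface Vlan900
 description VRF A transit to switch B
 vrf forwarding A
 ip address 10.255.100.1 255.255.255.252
!
! Probe firewall A's link address from inside VRF A every 5 seconds
ip sla 1
 icmp-echo 10.255.1.1 source-interface GigabitEthernet1/0/1
 vrf A
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object that the primary default route depends on; the delays damp flapping
track 1 ip sla 1 reachability
 delay down 5 up 15
!
! Subnet A1 (assumed 10.1.11.0/24 on switch B) straight over the transit link: no firewall (point 5)
ip route vrf A 10.1.11.0 255.255.255.0 10.255.100.2
!
! Firewall A1's link subnet (assumed 10.255.2.0/30, connected to switch B in VRF A).
! This route is what makes the recursive floating default below resolvable.
ip route vrf A 10.255.2.0 255.255.255.252 10.255.100.2
!
! Primary default: firewall A. Removed from the routing table while track 1 is down.
ip route vrf A 0.0.0.0 0.0.0.0 10.255.1.1 track 1
!
! Floating default: firewall A1 reached via switch B. AD 250 so it is only installed
! once the tracked primary has been withdrawn.
ip route vrf A 0.0.0.0 0.0.0.0 10.255.2.1 250
```

To check the result, `show ip route vrf A` should list the tracked default while `show track 1` reports reachability up, and the 250 route should replace it once the probe fails. Two practical points follow from this layout: the firewalls need return routes for the subnets that arrive via the other switch (the point made about "routing logic to reach all 4 subnets"), and because these are standalone stateful firewalls both directions of a flow must cross the same box, so VRF A and VRF B on the same switch should hang their primary defaults off the same track object so that they fail over together rather than one at a time.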
Hi @Richard Burts , thank you.
We hope to use routed ports on the links between the switches. With this in mind, do you have any idea how to configure the VRF to use the routed links on the global switch? Is there route leaking involved?