layer 2 vlan on Cisco 3750 connected to a Fortigate firewall

fbaijnauth
Level 1

Hi everyone

I am currently working on creating a DMZ zone on our FortiGate firewall. The DMZ is all set up and working fine. However, I am running into some issues when I try to use the DMZ port connected to our Cisco 3750 master stack switch.

I've created a new VLAN for the DMZ (layer 2 VLAN), since the firewall will be doing the routing. I can ping the DMZ interface from my switches (including all our layer 2 switches), but I cannot ping the server that is configured to be in the DMZ (the switch port of that server is configured as an access port in the DMZ VLAN).

When I look in the ARP table I do not see the MAC address of the server, so I manually added the server's MAC address, but I still cannot reach the server.

Any suggestions would be greatly appreciated. 

9 Replies

Hi ,

The DMZ zone is created on your FortiGate firewall on a dedicated DMZ port, with the IP address assigned directly on the L3 interface and no VLAN/sub-interface created, right?

1) show vlan from your Cisco switch (the VLAN assigned to the DMZ zone)

"I can ping the DMZ interface from my switches (including all our layer 2 switches) but I cannot ping the server that is configured to be in the DMZ (switch port of that server is configured to access the DMZ VLAN)" - if your switch is a pure layer 2 switch, you can't even ping from the switch, because a layer 2 switch can't build ICMP packets; a layer 2 VLAN / layer 2 switch can't have ARP packets.

In your case, though, your switch is already running layer 3 functions, with a default route pointing to the FortiGate inside interface, which is why you are able to ping the DMZ interface of the firewall. Your ICMP packets go to the inside interface of the firewall and then to the DMZ interface. (To verify, try pinging <DMZ interface> with a source interface/VLAN; you will not have a source for your DMZ VLAN.)

When you want to ping the server that is connected to the DMZ zone, you need to allow ICMP packets on your FortiGate firewall. (Traffic flow: switch VLAN General --> inside (FortiGate firewall) --> DMZ interface (FortiGate firewall) --> switch VLAN DMZ.)

"When I look in the ARP table I do not see the MAC address of the server": there will be no ARP table for a layer 2 VLAN created on the switch (you need to verify only using the MAC table); an ARP table is only seen when you have an L3 SVI for the VLAN.

 

HTH

Sandy 

Hi Sandy 

Thank you for your reply and help. 

I got the issue resolved to a certain extent. I was connecting the server to the L2 switch previously, which was causing the failure. I've now connected the server (VMware) to my master stack (L3) switch, and I can reach the server and everything works.

 

However, I have a next issue. I would like certain ports on my L2 switch to be part of the DMZ so that they go to the internet only, but I'm getting a destination unreachable.

Could you assist with this 

Hi ,

Don't perform any testing from your layer 2 switch until you have an SVI VLAN on your switch which is part of the DMZ segment, and the default gateway of your switch should be pointed to the DMZ interface of the firewall.

If you are testing from your VM machine, ensure the switch port connecting to the VM host is part of the DMZ VLAN segment; to verify this, ping the default gateway from your VM machine.

 

HTH

Sandy

Hi Sandy

The current default gateway on my L2 switches is pointing to the L3 switch, which is VLAN 4. I'm guessing this is why I'm having this issue.

If I were to create a static route on the L3 switch that points all DMZ traffic to the DMZ VLAN, would that work?

Hi,

You have only two options:

1) Either connect your L2 switch directly to the firewall DMZ interface.

2) If you have connected the DMZ interface of the firewall to your L3 switch, then configure the port connected to the layer 2 switch as an access port on both ends. When your layer 2 switch supports only the DMZ VLAN, configure an IP address for the SVI VLAN interface from the DMZ IP subnet range and point the default gateway IP address at the firewall interface.

If this layer 2 switch supports multiple VLANs, then the port connecting to the L3 switch must be a trunk port. The limitation is that you need to have an SVI VLAN on your switch from the DMZ IP subnet; only then can you ping using a DMZ subnet IP address.

Otherwise, any testing you do should be done only from a host, not from the switch SVI.

HTH

Sandy
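The following is an added example, not configuration from the thread, of Sandy's option 2 as Cisco IOS configuration: the DMZ VLAN is carried as a pure layer 2 VLAN across the 3750 stack to the 2960, the FortiGate DMZ port hangs off an access port, and the server sits on an access port of the 2960. The VLAN ID (100), the subnet (192.0.2.0/24, with the FortiGate DMZ interface at 192.0.2.1) and all interface names are assumptions; adjust them to the real topology. The security-relevant point is the deliberate absence of a DMZ SVI on the 3750: a switch that routes the inside VLANs and also has an IP address in the DMZ subnet becomes a second router between inside and DMZ and silently bypasses the firewall, so the FortiGate must stay the only layer 3 hop for VLAN 100.

```cisco
! Added example (not from the thread). Assumptions: DMZ VLAN 100,
! DMZ subnet 192.0.2.0/24 with the FortiGate DMZ port at 192.0.2.1,
! and the interface names below. Lines starting with "!" are annotations.

! ---- Cisco 3750 stack (core, routes the inside VLANs) ----
vlan 100
 name DMZ
!
! Port facing the FortiGate DMZ interface: untagged access port in VLAN 100.
! If the FortiGate side uses VLAN sub-interfaces (tagged frames), this port
! must be a trunk that allows those VLAN IDs instead; an access port only
! passes untagged traffic.
interface GigabitEthernet1/0/1
 description FortiGate DMZ port
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
!
! Uplink to the 2960: trunk carrying VLAN 100 in addition to the existing VLANs.
interface GigabitEthernet1/0/24
 description Trunk to 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
! Deliberately NO "interface Vlan100" with an IP address on the 3750.
! An SVI in the DMZ subnet here would let inside VLANs and the DMZ reach
! each other through the switch, bypassing the firewall policy.

! ---- Cisco 2960 (access switch) ----
vlan 100
 name DMZ
!
interface GigabitEthernet0/1
 description Trunk to 3750
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
! Server port: access port in the DMZ VLAN. The host tests from here.
interface GigabitEthernet0/10
 description DMZ server
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Only if you really need to ping from the 2960 itself: an SVI in the DMZ
! subnet with the firewall as default gateway. "ip default-gateway" is a
! single global setting on a layer 2 switch, so this replaces the gateway
! used by the management VLAN and exposes switch management to the DMZ.
! Prefer testing from a host and leaving management where it is.
interface Vlan100
 ip address 192.0.2.10 255.255.255.0
 no shutdown
ip default-gateway 192.0.2.1
```

With this in place, a host on GigabitEthernet0/10 should be able to ARP for and ping 192.0.2.1 without any route on the 3750, and reaching it from the inside VLANs is then purely a question of FortiGate policy between the inside and DMZ interfaces.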

Hi Sandy 

Thank you for all your replies. 

The L2 switches do have multiple VLANs at the moment. I've attached the network topology. I think, and correct me if I'm wrong, that because the default gateway on the L2 switch is the management VLAN on the core switch, that would be the reason why I'm unable to access the DMZ from the L2 switches.

What do you mean by "the limitation is you need to have an SVI VLAN for your switch from the DMZ IP subnet"?

Hello,

I do have the same issue and I am unable to figure out why this won't work.

Does anyone have any idea?

Regards

Zied

Hi Zied,

Do you have a port channel configured between your core and your uplink or access switches? If so, ensure that the VLAN is added to the port channel group.

Hi,

Thank you for your reply,

I have configured the port channel (connecting the L3 and L2 switches) in trunk mode, allowing all VLANs.

When I create an interface VLAN on the L3 3750 switch using an IP from the DMZ IP subnet range, I can ping (from the switch) both the server (connected to the L2 2960 switch) and the DMZ interface on the FortiGate firewall.

Otherwise, I cannot reach the server from the firewall using the DMZ interface. I have several VLANs on the DMZ interface.

Actually, the same test passes when I use my administration VLAN on the DMZ interface (VLAN 1, which is the default native VLAN on both of my switches).

Please let me know if additional information is needed to understand what would be the problem.

PS: I don't see the DMZ interface MAC address on the server side. When debugging the firewall, an ARP reply is sent by the firewall to the server through the DMZ interface, but it seems that this ARP packet never reaches the server.

KR,

Zied
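The checks below are an added example, not part of the thread, of how to localise where a DMZ VLAN's ARP traffic is being dropped between a FortiGate, a 3750 and a 2960. The VLAN ID (100), the FortiGate interface name ("dmz"), the server address (192.0.2.20) and the switch interface names are assumptions. Two checks matter most for a symptom like the one above, where the untagged native VLAN works but a tagged VLAN does not: first, whether the switch port facing the FortiGate is an access port while the FortiGate side uses VLAN sub-interfaces (an access port only passes untagged frames, so only the native VLAN gets through), and second, whether the VLAN is both allowed and active on every trunk and port channel on the path, which requires the VLAN to be defined on every switch along it. Lines beginning with "!" are annotations, not commands.

```cisco
! Added example of verification commands (not from the thread).
! Assumptions: DMZ VLAN 100, FortiGate DMZ interface "dmz",
! server at 192.0.2.20, interface names as placeholders.

! ---- On the 3750 and on the 2960 ----
! VLAN 100 must exist on BOTH switches and list the server's access port.
show vlan brief
! The uplink / port channel must show 100 under both "allowed" and
! "active in management domain"; if it is missing from "active", the VLAN
! is not defined on the far switch or has been pruned.
show interfaces trunk
! No port on the path may be blocking for this VLAN.
show spanning-tree vlan 100
! The server MAC should be learned on its access port and the firewall
! MAC on the firewall-facing port. If either is absent, the frames are not
! arriving in VLAN 100 at all.
show mac address-table vlan 100
! Access vs. trunk and native VLAN on the port facing the FortiGate.
! "Operational Mode: static access" here with tagged sub-interfaces on the
! FortiGate explains "only the native VLAN works".
show interfaces GigabitEthernet1/0/1 switchport

! ---- On the FortiGate CLI ----
! The server's IP should resolve to its MAC on the dmz interface.
get system arp
! Capture ARP on the DMZ port while a host on VLAN 100 pings 192.0.2.1:
! a request with no reply means the request never reached the firewall;
! a reply with no ARP entry on the host means the reply is lost on the way back.
diagnose sniffer packet dmz 'arp' 4 20
! Capture the ICMP exchange with the server.
diagnose sniffer packet dmz 'host 192.0.2.20 and icmp' 4 20
```

Run the switch checks from the firewall-facing port outward, one hop at a time; the first device whose MAC table lacks the firewall's MAC in VLAN 100 is the one dropping or retagging the frames.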
