03-24-2021 12:41 PM
Hi All
I just got one Cisco 2960X switch and two Fortinet 80E firewalls from my work for learning purposes. I want to set up HA using the two Fortinet 80Es. I can figure out the HA part, but where I am stuck right now is connecting the Optimum TM1602 ISP modem to the Cisco 2960. Here is my current working setup at home.
Optimum Modem-->Connected to one Fortinet 80E (port1) --> Two routers (A & B) connected to Fortinet 80E Firewall (Port 11,12)
Both routers are working fine with no issues.
Now I want to bring in the Cisco 2960. I want to configure it with one Fortinet 80E firewall first and then configure it with the second one.
Here is the end configuration that I want.
Optimum Modem--->Cisco 2960 switch-->Fortinet 80E Firewall--> Both Routers
Steps taken so far, but none of the routers gets internet, nor does my PC get internet if connected via NIC to the switch (Ethernet cable):
1. Factory reset the Cisco 2960
2. Enabled VLAN 1
3. Unplugged the modem cable from firewall Port1 and connected it to switch port 24.
4. Connected a cable from switch Port 1 to firewall Port1
Since the Cisco 2960 is factory reset and working as a dumb switch, I thought it would pass internet from the modem to any other device (in this example, the Firewall 80E) connected to any port of the switch, but it seems that is not happening. Even if I plug any router into the switch's available ports, the router does not get any internet.
Any suggestions, please?
Thanks in advance.
03-24-2021 12:47 PM
On a side note, this Optimum cable modem (Arris TM1602) is owned by Optimum. I do not have full control of it, so I cannot make any advanced changes to it.
03-24-2021 01:34 PM
Optimum Modem-->Connected to one Fortinet 80E (port1) --> Two routers (A & B) connected to Fortinet 80E Firewall (Port 11,12)
How is your second Fortinet connected to the modem? Have you tried to fail over from FW1 to FW2, and does this work?
How is your internet network connected? For now, any dumb switch (your LAN side)?
The setup below works, but you need to create 2 VLANs, inside and outside.
Optimum Modem--->Cisco 2960 switch-->Fortinet 80E Firewall--> Both Routers
Example:
Switch acts as Layer 2 only
VLAN 10 - Connect the ISP modem, for example port 24
VLAN 10 - Connect your FW1 outside interface, port 23
VLAN 10 - Connect your FW2 outside interface, port 22
VLAN 20 - Connect your FW1 inside interface, port 21 - this is where your LAN segment is
VLAN 20 - Connect your FW2 inside interface, port 20 - this is where your LAN segment is
In this way, it should work as expected.
Make a small diagram for your reference; it is easy to build and understand.
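The two-VLAN layout from the reply above, written out as Cisco IOS configuration (an added example, not part of the original post). The GigabitEthernet1/0/x names follow the 2960X numbering that appears later in the thread; the VLAN names and descriptions are assumptions.

```cisco
! Added example: switch stays Layer 2 only, with two VLANs.
! VLAN names are assumptions; port numbers are the ones given in the post.
vlan 10
 name OUTSIDE
vlan 20
 name INSIDE
!
! Outside segment: ISP modem (port 24), FW1 outside (23), FW2 outside (22)
interface range GigabitEthernet1/0/22 - 24
 description OUTSIDE - ISP modem and firewall WAN ports
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast edge
!
! Inside segment: FW1 inside (21), FW2 inside (20)
interface range GigabitEthernet1/0/20 - 21
 description INSIDE - firewall LAN ports
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast edge
!
! Leave VLAN 10 without an SVI/IP address so the switch's management
! plane is not reachable from the unfiltered ISP side.
!
! Checks after applying:
!   show vlan brief          (ports 22-24 in VLAN 10, ports 20-21 in VLAN 20)
!   show interfaces status   (modem and firewall ports show "connected")
```

Because the two VLANs share no ports and the switch does no routing, traffic between the modem side and the LAN side can only cross through a firewall.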
03-24-2021 01:56 PM
Thanks for your reply.
As I mentioned in my post, I am not using the second firewall yet. I am going step by step. In my current configuration, (ISP Modem-->FW1-->Routers A & B) are connected and working fine. First, in my current configuration, I just want to add the Cisco 2960 switch after the modem, so it will be (ISP Modem-->Cisco Switch-->FW1-->Router A & B), and that's where I am stuck.
Once this works successfully, I will proceed with (ISP Modem-->Cisco Switch-->FW1 & 2---> Router A & B). Adding a diagram as well to further clarify.
What you suggested is to configure it via VLANs. Can't the Cisco 2960 work as a dumb switch and just pass the internet from the modem to the firewall?
03-24-2021 02:15 PM
As per the original setup, the FW is a routed port (meaning Layer 3), not Layer 2, so we are not sure how the ISP modem works here when you connect it to the switch.
What you suggested is to configure it via VLANs. Can't the Cisco 2960 work as a dumb switch and just pass the internet from the modem to the firewall?
It should work; if it were working, we would not be having this conversation, so we need to see what the logs say on the switch port when you connect the ISP modem to the switch and FW.
Here are the steps I would do (just based on experience; they may not work, but you need to try):
1. When you connect the modem to the switch, does the switch port come up? What do you see in the logs?
2. When you connect the FW to the switch, does the port come up? What do you see in the logs?
3. Is the FW getting its IP via DHCP from the ISP, or is it static? If static, are you able to ping the ISP from the FW?
Try configuring the switch port:
interface Gi 0/24
 ! change the port number to the port where you are connecting the ISP modem
 switchport access vlan 1
 switchport mode access
 spanning-tree portfast
03-25-2021 01:20 PM
Thanks for your reply. Tried that already befo
interface GigabitEthernet1/0/24
 description "ISP Links"
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast edge
interface GigabitEthernet1/0/1
 description "ISP Links"
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast edge
I am pretty sure it is the ISP modem, because it assigns 1 public IP to 1 device only, so when I plug in the switch it cannot assign public DHCP to it. The switch itself is working fine, as I have tested it with the router and FW. I will check with the ISP to see if they can do something.
But thank you so much for your input.
03-25-2021 02:13 PM
Yes, it is good to contact the ISP and explain what you intend to do, so they can guide you best.
As per the description, the ISP expects a device with a DHCP request with a MAC address,
03-26-2021 02:01 AM
Hello,
I haven't followed the entire thread, so maybe I am missing something that has already been discussed, but typically, ISP modems dish out private space IP addresses to anything connected to them. If you put the switch (with all default settings) between the ISP modem and the Fortinet, and set the Fortinet interface to DHCP, does that interface get an IP address from the modem?
03-26-2021 06:56 AM