Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
929
Views
0
Helpful
5
Replies

Firepower and VLAN to Cisco 2960 Compact switch

errMsg
Level 1
Level 1

‎07-13-2020 09:00 PM

I have a firepower 1010 with port 0/8 split into 2 sub interfaces/vlans that go to a ubiquit ac access point for 2 wireless networks.

This setup works BUT i want to use my switch to pass this vlan traffic.

I want to have a port on the firewall that carrys my VLAN 1 from port 2 and vlan 2 & 3 from port 8.

So I connected port 2 from the firepower to a trunk port on the switch but none of the vlan traffic carries over.  what could i be missing?

 

Labels:
0 Helpful
5 Replies 5

pieterh
VIP
VIP

‎07-13-2020 11:14 PM

VLANs work on Layer-2 of the OSI network design
a firewall is not a switch, unless in passtrru mode, it works on TCP/IP which is Layer-3
-> the firewall will not pass VLAN 2 & 3 from port-8 to port 2.

so it will not be sufficient to connect only port-2 and expect all vlans to pass over the switch

- you need both port-2 for vlan-1 AND port-8 for vlan 2 &3 connected to the switch
   the switch port connected to port-8 needs to be a trunk
   the switch port connected to port-2 need to match with trunk or access on the firewall
- and connect the access-point to another trunk port on the switch

this the switch will transport vlan 2 and 3 will from the AP to the firewall

 

0 Helpful

errMsg
Level 1
Level 1
In response to pieterh

‎07-14-2020 08:26 AM

If the firewall is not a switch... why can I create 2 sub-interface's/VLAN's on the firewalls interface and pass both vlans directly into the Ubiquiti access point and it work fine?

0 Helpful

DC Broderick
Level 1
Level 1
In response to errMsg

‎07-14-2020 09:12 AM - edited ‎07-14-2020 09:28 AM

Try this Cisco document on how to handle VLANs and Trunking.

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-interfaces.html#task_zh5_ryn_b3b

0 Helpful

errMsg
Level 1
Level 1
In response to DC Broderick

‎07-18-2020 09:28 AM

Im using the FMC to manage the firewall

0 Helpful

pieterh
VIP
VIP
In response to errMsg

‎07-18-2020 11:58 AM - edited ‎07-18-2020 12:02 PM

>>> why can I create 2 sub-interface's/VLAN's on the firewalls interface and pass both vlans <<<

that is because the firewall IS dot1q (vlan tagging) aware

 

>>> If the firewall is not a switch... <<<
why do you question this? a switch is a switch a router is a router and a firewall is a firewall.
though routing can be enabled on a switch nowadays and a firewall has limited routing functions.
but they still are different devices with each its own properties.
on a switch you do NOT configure subinterfaces on a port carrying multiple vlans like you do on a router or a firewall.

on a firewall traffic between interfaces/subinterfaces depends on rules, 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card