Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
854
Views
15
Helpful
8
Replies

Fw transparent mode for network wiith same vlans

Go to solution
adeebtaqui
Level 4
Level 4

‎10-04-2021 08:56 AM

Greetings to everyone

 

 

I need your technical advise based your knowledge and experience of the the best practice in configuring our new 2130 as transparent mode FWs inline between core switch of HQ and Core switch of remote sites.

 

The core switches share the same vlans and same subnet and customer wants the FW to just  inspect the incoming traffic coming from Core switch of remote sites for the same vlan traffic.

 

But we are not able to configure this on sub-interface of FWs using FMC. What is the issue , please advise the right way.

 

What is the right way to deploy oconfigure in this scenario 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
adeebtaqui
Level 4
Level 4
In response to Jon Marshall

‎10-06-2021 01:58 PM

Our FW engineer did some research and found that cisco has a option of inline pair mode in transparent mode that will require no changes in existing including vlan id.

 

We successfully 

deployed and integrated Fw with cisco ring in lab as inline pair in transparent mode using fmc without need for any changes in existing network of Cisco core switches.

 

 

Rpvtsp is also fine with convergence time increasing more from earlier 1-2 sec to 30sec when FW is disconnected.

 

Additionally there are limitations in this mode like tcp cannot be inspected 

View solution in original post

8 Replies 8

Go to solution
Georg Pauwen
VIP
VIP

‎10-04-2021 10:33 AM

Hello,

 

not sure I fully understand what you are trying to accomplish. You have one Vlan, and you want traffic WITHIN that Vlan (intra-Vlan traffic) to be inspected by the firewall ?

Go to solution
adeebtaqui
Level 4
Level 4
In response to Georg Pauwen

‎10-04-2021 11:34 AM

We have same 4 vlans across core switches of HQ and core switches of remote sites

 

Vlans are

10-mgmt

2-voip

3-cctv

4-scada

 

Remote site core switches have various systems connected on above vlans which need to communicate with their respective servers behind core switches in HQ in same vlan. Customer wants above communication between remote core and HQ core be inspected by inline firewall 2130.

 

But this 2130fw is not working as inspection solution under transparent mode as inside and outside sub interface having same vlan id which is not being accepted by fmc and hence even stopping the network reachability between HQ and remote 

 

 

 

 

 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to adeebtaqui

‎10-04-2021 01:07 PM - edited ‎10-04-2021 01:08 PM

 

Haven't used FMC but from experience using ASA and transparent mode you cannot have the same vlan ID on both the inside and outside of the firewall. 

 

You need to use 2 vlans but the same IP subnet across both vlans and the firewall joins the 2 vlans together. 

 

Jon

0 Helpful

Go to solution
adeebtaqui
Level 4
Level 4
In response to Jon Marshall

‎10-04-2021 01:55 PM - edited ‎10-04-2021 02:04 PM

Yes we tried this and fw is passing traffic now

 

But issue here is  that after changing vlan IDs for HQ core  keeping same subnet is that the same rpvstp that is running through all core switches of HQ and remote with HQ being root will get affected. The HQ after change of vlan ID of vlan 2 to 22 will not remain root for vlan 2 going through remote sites and remote sites will choose a seperate root and HQ will have seperate root.

 

Our customer does not want to change any of his network or vlans

 

 

The HQ and remote are connected like as below

 

 

HQ CORE1 -------- HQ CORE2

l                                              l

Fw1                                        fw2

l                                               l

Remote core 1-----remotecore2

Preview file
73 KB
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to adeebtaqui

‎10-06-2021 12:36 PM

 

That is the only way I know how to do it ie. you have to use two vlans. 

 

If the customer does not want to change any vlans etc. then you can't do it. 

 

Jon

0 Helpful

Go to solution
adeebtaqui
Level 4
Level 4
In response to Jon Marshall

‎10-06-2021 01:58 PM

Our FW engineer did some research and found that cisco has a option of inline pair mode in transparent mode that will require no changes in existing including vlan id.

 

We successfully 

deployed and integrated Fw with cisco ring in lab as inline pair in transparent mode using fmc without need for any changes in existing network of Cisco core switches.

 

 

Rpvtsp is also fine with convergence time increasing more from earlier 1-2 sec to 30sec when FW is disconnected.

 

Additionally there are limitations in this mode like tcp cannot be inspected 

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to adeebtaqui

‎10-06-2021 02:01 PM

 

Thanks for that information, did not know that. 

 

Seems a strange limitation that it does not work with TCP but at least you have something you can use. 

 

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card