10-04-2021 08:56 AM
Greetings to everyone
I need your technical advice, based on your knowledge and experience of the best practice, in configuring our new 2130s as transparent-mode FWs inline between the core switch of HQ and the core switch of the remote sites.
The core switches share the same VLANs and the same subnet, and the customer wants the FW to just inspect the incoming traffic coming from the core switch of the remote sites for the same VLAN traffic.
But we are not able to configure this on a sub-interface of the FWs using FMC. What is the issue? Please advise the right way.
What is the right way to deploy or configure in this scenario?
10-04-2021 10:33 AM
Hello,
Not sure I fully understand what you are trying to accomplish. You have one VLAN, and you want traffic WITHIN that VLAN (intra-VLAN traffic) to be inspected by the firewall?
10-04-2021 11:34 AM
We have the same 4 VLANs across the core switches of HQ and the core switches of the remote sites.
The VLANs are:
10 - mgmt
2 - voip
3 - cctv
4 - scada
The remote site core switches have various systems connected on the above VLANs which need to communicate with their respective servers behind the core switches in HQ in the same VLAN. The customer wants the above communication between the remote core and the HQ core to be inspected by the inline firewall 2130.
But this 2130 FW is not working as an inspection solution under transparent mode, as the inside and outside sub-interfaces having the same VLAN ID is not accepted by FMC, and hence it is even stopping the network reachability between HQ and remote.
10-04-2021 01:07 PM - edited 10-04-2021 01:08 PM
Haven't used FMC, but from experience using ASA and transparent mode, you cannot have the same VLAN ID on both the inside and the outside of the firewall.
You need to use 2 VLANs but the same IP subnet across both VLANs, and the firewall joins the 2 VLANs together.
Jon
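What Jon describes, written out as an added ASA transparent-mode configuration fragment (not from the original post): the remote-facing sub-interface keeps VLAN 2, the HQ-facing sub-interface is re-tagged as VLAN 22, and both sit in one bridge group so the firewall bridges them within the same IP subnet. Interface names, the bridge-group number and the 10.0.2.0/24 subnet are constructed for the illustration.

```cisco
! Added example, not the thread's own config. Values are constructed.
firewall transparent
!
interface GigabitEthernet0/1.2
 ! Toward the remote-site core: keeps the original VLAN 2 tag
 vlan 2
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/2.22
 ! Toward the HQ core: re-tagged to VLAN 22, same subnet as VLAN 2
 vlan 22
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 ! Management address of the bridge group; must be in the bridged subnet
 ip address 10.0.2.254 255.255.255.0
!
! Only traffic permitted here crosses the bridge group from outside to inside
access-list OUTSIDE_IN extended permit ip 10.0.2.0 255.255.255.0 10.0.2.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
```

The inside sub-interface must use a different VLAN ID from the outside one, which is exactly the change the customer in this thread did not want to make.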
10-04-2021 01:55 PM - edited 10-04-2021 02:04 PM
Yes, we tried this and the FW is passing traffic now.
But the issue here is that after changing the VLAN IDs for the HQ core, keeping the same subnet, the same RPVST+ that is running through all core switches of HQ and remote, with HQ being root, will get affected. The HQ, after the change of VLAN ID from vlan 2 to 22, will not remain root for vlan 2 going through the remote sites; the remote sites will choose a separate root and HQ will have a separate root.
Our customer does not want to change any of his network or VLANs.
The HQ and remote are connected as below:
HQ CORE1 ------------- HQ CORE2
    |                      |
   FW1                    FW2
    |                      |
Remote core 1 ------- Remote core 2
10-06-2021 12:36 PM
That is the only way I know how to do it, i.e. you have to use two VLANs.
If the customer does not want to change any VLANs etc., then you can't do it.
Jon
10-06-2021 01:58 PM
Our FW engineer did some research and found that Cisco has an option of inline pair mode in transparent mode that requires no changes in the existing setup, including the VLAN ID.
We successfully deployed and integrated the FW with the Cisco ring in the lab as an inline pair in transparent mode using FMC, without the need for any changes in the existing network of Cisco core switches.
RPVST+ is also fine, with the convergence time increasing from the earlier 1-2 sec to 30 sec when the FW is disconnected.
Additionally, there are limitations in this mode, like TCP cannot be inspected.
10-06-2021 02:01 PM
Thanks for that information, did not know that.
Seems a strange limitation that it does not work with TCP, but at least you have something you can use.
Jon
10-06-2021 02:13 PM
The above explains this inline pair mode.