Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1553
Views
10
Helpful
6
Replies

Layer3 Switch - Firewall on a stick

Go to solution
Mathijs-Aartsen
Level 1
Level 1

‎10-06-2022 06:49 AM

I have a catalyst 9300 as L3 switch and a Fortinet Firewall.

I have multiple L3 vlan interfaces on the switch, and therefore shows their subnets as CONNECTED in the router table.
I would love to have the full power of the fortigate between the 2 vlans for firewalling, is there a way to send traffic to the firewall and have it send it back down?

 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mathijs-Aartsen
Level 1
Level 1

‎10-09-2022 10:27 PM

I found an accepted solution.

The C9300 has a routed link to the fortigate.

Now i have all vlan's terminated in the C9300 with SVI's.
Then i have a policy based route to the fortigate configured for IN on the svi's

The fortigate IP is also checked for availability, so if it's down the routing from the C9300 will take over.


View solution in original post

0 Helpful
6 Replies 6

Go to solution
MHM Cisco World
VIP
VIP

‎10-06-2022 06:59 AM

Yes config DHCP to send FW IP to client to use it as GW, 
config FW with static route to forward traffic to SW 
this make traffic go to FW inspect and then return to L3 SW

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎10-07-2022 11:35 AM

Am I correct in assuming that your firewall has a single IP address on its connection to your 9300? And is the connection from the 9300 to the firewall a routed link (subnet different from the subnets of the vlans)? In that case using the firewall as the gateway is going to be problematic.

I think that a better alternative would be to make your 9300 a L2 device and to trunk both vlans from the 9300 to the firewall (and configure the firewall to recognize and process both of the vlans).

HTH

Rick

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-08-2022 05:05 AM 

I would love to have the full power of the fortigate between the 2 vlans for firewalling, is there a way to send traffic to the firewall and have it send it back down?

This require more information for us to understand, if you looking 2 VLAN to be Firewall, then Make Fortigate as Gateway for the VLAN, so traffic VLAN X to VLAN Y will pass through the FW, so you can have allow or deny rule based on the requirement.

is this what you looking to achieve ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
KJK99
Level 3
Level 3

‎10-08-2022 10:56 AM

I think Mr MHM Cisco World is right on how to implement it. However, is it really a good idea to mess up a clean configuration just for the sake of “I would love to have the full power of the fortigate between the 2 vlans for firewalling?”

Kris K
0 Helpful

Go to solution
Mathijs-Aartsen
Level 1
Level 1

‎10-09-2022 10:27 PM

I found an accepted solution.

The C9300 has a routed link to the fortigate.

Now i have all vlan's terminated in the C9300 with SVI's.
Then i have a policy based route to the fortigate configured for IN on the svi's

The fortigate IP is also checked for availability, so if it's down the routing from the C9300 will take over.


0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Mathijs-Aartsen

‎10-09-2022 11:06 PM

Thanks for the update. The key thing is that 9300 to fortunate is a routed link. PBR is a good solution for that environment. Glad to know that your solution is working.

HTH

Rick
Customers Also Viewed These Support Documents