Split Traffic between 2 Firewall from my Core Switch C3850

Herald Sison
Level 3

The goal I want to achieve here, based on the diagram below:

I want user 1 (192.168.20.x) to pass through FG-FW01 (192.168.1.1).

I want user 2 (192.168.50.x) to pass through FG-FW02 (192.168.1.111).

Currently the routing goes to FG-FW01 via the static route ip route 0.0.0.0 0.0.0.0 192.168.1.1.

[Diagram attached to the original post; image not preserved] Tags: Switching, Catalyst 3000, Routing, Catalyst 2000

- Tried adding a static route ip route 192.168.50.0 255.255.255.0 192.168.1.111: nothing happens.

- Tried removing the 0.0.0.0 0.0.0.0 192.168.1.1 route and keeping 192.168.50.0 255.255.255.0 192.168.1.111: all traffic down.

- Tried adding 192.168.20.0 255.255.255.0 192.168.1.1 and 192.168.50.0 255.255.255.0 192.168.1.111: all traffic still down.

- Tried removing all ip routes and adding 0.0.0.0 0.0.0.0 192.168.1.111: all traffic went to FG-FW02.

 

Is there another approach to split these 2 VLANs, one to each FW?

1 Accepted Solution

Accepted Solutions

You misunderstood an important detail in my suggestion: insert lines that deny traffic originating from vlan 30 to the subnets of the other vlans. So it would be like

access-list 100 deny ip 172.20.30.0 0.0.0.255 172.20.192.0 0.0.0.255

access-list 100 deny ip 172.20.30.0 0.0.0.255 172.20.1.0 0.0.0.255

access-list 100 permit ip 172.20.30.0 0.0.0.255 any

HTH

Rick



@Herald Sison 

 This

"-tried adding 192.168.20.0 255.255.255.0 192.168.1.1 and 192.168.50.0 255.255.255.0 192.168.1.111"

should work.

 

Now, how is the firewall connected to the switch? If you have one interface vlan with the 192.168.1.2 IP address and two layer 2 interfaces going to the firewalls, it will not work.

You need to have two layer 3 interfaces, or two interface vlans with different interfaces going to the firewalls.

This assumes the switch has the "ip routing" command on it and supports layer 3.

192.168.1.x is my vlan 1, 192.168.20.x is my vlan 2, 192.168.50.x is my vlan 50.

My core switch interfaces are just configured as switchport mode access for both firewall connections.

You need to change the interfaces to layer 3 and create a transit network between the core and each firewall.

If your core and firewall are speaking in layer 2, the routing will not work.

balaji.bandi
Hall of Fame

As you mentioned, the suggested routing should work, subject to having a route back from the firewall to the switch.

Also consider that if in the future one of the links fails, it should route to the other firewall as well, e.g. using PBR / IP SLA and so on.

BB


Hello
You could try policy-based routing with IP SLA tracking from the core switch.

Example:
ip sla 1

icmp-echo 192.168.1.111 source 192.168.1.2
threshold 1000
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now

track 1 sla 1 reachability

route-map PBR
set ip next-hop verify-availability 192.168.1.111 1 track 1

int vlan 50
ip policy route-map PBR



Kind Regards
Paul

Herald Sison
Level 3

Hi All,

Tried this approach, but it still doesn't work.

192.168.20.0 255.255.255.0 192.168.1.1

192.168.50.0 255.255.255.0 192.168.1.111

 

Even tried this route alone, but it is still not working.

192.0.0.0 255.0.0.0 192.168.1.1

I am confused about why my core switch does not recognize any route except the 0.0.0.0 0.0.0.0; I think it only reads the wildcard route.

Here is the actual config below:

SW-CORE#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 172.21.1.2 YES NVRAM up up

Vlan30 172.20.30.1 YES NVRAM up up

Vlan50 172.20.192.1 YES NVRAM up up

 

interface GigabitEthernet1/0/1
description TT-FORTIGATE-01_LAN
switchport mode access
!
interface GigabitEthernet1/0/2
description TT-FORTIGATE-02_LAN
switchport mode access

interface GigabitEthernet1/0/9
description USER VLAN30
 switchport access vlan 30
switchport mode access

interface GigabitEthernet1/0/10
description USER VLAN50
 switchport access vlan 50
switchport mode access

 

interface Vlan1
description FW-SW
ip address 172.21.1.2 255.255.255.0


interface Vlan30
ip address 172.20.30.1 255.255.255.0
ip helper-address 172.20.1.100
ip helper-address 172.20.1.102

interface Vlan50
ip address 172.20.192.1 255.255.255.0
ip helper-address 172.20.1.100
ip helper-address 172.20.1.102

These routes below are not working:

ip route 172.20.30.0 255.255.255.0 172.21.1.1

ip route 172.20.192.0 255.255.255.0 172.21.1.111

 

This is the only route that works; as long as it is 0.0.0.0 0.0.0.0 it works:

ip route 0.0.0.0 0.0.0.0 172.21.1.1

or

ip route 0.0.0.0 0.0.0.0 172.21.1.111

 

Hello Herald,

Please try this,

access-list 100 permit ip 172.20.30.0 0.0.0.255 any
access-list 101 permit ip 172.20.192.0 0.0.0.255 any

route-map test permit 10
match ip address 100
set ip next-hop 172.21.1.1

route-map test permit 20
match ip address 101
set ip next-hop 172.21.1.111

interface vlan 1
ip policy route-map test

 


Regards

 

Will I just leave the current static route that is running well, 0.0.0.0 0.0.0.0 172.21.1.1?
I've watched this tutorial https://www.youtube.com/watch?v=KzwdIpvNSeI
The video shows an option where you create one route-map config for the VLANs you want to reroute and leave the other VLANs to go to the default route.

So is it okay for me to not create the one below, and leave this VLAN to go to 0.0.0.0 0.0.0.0 172.21.1.1?

access-list 100 permit ip 172.20.30.0 0.0.0.255 any

route-map test permit 10
match ip address 100
set ip next-hop 172.21.1.1

In addition to this post you also added your question to an older post about PBR. I will repeat here what I said in the other post: it should be fine to use PBR for one of the addresses to forward and to use the default route for the other addresses. It is perhaps a more complete solution to configure PBR for both addresses, but configuring PBR for one should be sufficient. 

HTH

Rick

Thank you sir for the response. 

Now I finally tried the config below: my vlan 30 works and is now routed to 172.21.1.111, but it cannot get DNS and cannot ping my internal DNS server.

Take note that my DNS servers are 172.20.1.100 and 172.20.1.102.

access-list 100 permit ip 172.20.30.0 0.0.0.255 any

route-map PBR permit 10
match ip address 100
set ip next-hop 172.21.1.111

interface vlan 30
ip helper-address 172.20.1.100
ip helper-address 172.20.1.102
ip policy route-map PBR

ip route 0.0.0.0 0.0.0.0 172.21.1.1

 

Should I assign the command ip policy route-map PBR to int vlan 30 or int vlan 1? Sorry, I got confused here.


Thank you

You are welcome for the response. If I had a better understanding of your environment or a more complete copy of your config, I might have better answers. But here are my thoughts based on what I see here:

- Let's start with the easy one. You ask "should i assign the command ip policy route-map PBR to int vlan 30 or int vlan 1" Since acl 100 specifies any packet with source address in 172.20.30.x and since 172.20.30.0 seems to be assigned to vlan 30 then that is where ip policy would be applied.

- Then a less easy one "cannot get a DNS and cannot ping my internal DNS server" My best guess at this point is that since any packet originating from the subnet in vlan 30 is forwarded to 172.21.1.111, would that device then forward DNS traffic to the appropriate next hop?

- My other comment is about these lines in the config

ip helper-address 172.20.1.100
ip helper-address 172.20.1.102

The helper address command identifies where to forward DHCP requests. You say that those IP addresses are your DNS servers. Are they also your DHCP servers?

HTH

Rick
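The following is an added example, not code from the thread or from any of the posters: a small Python model of how the core switch chooses a next hop, built from the addresses in this thread. It shows why the destination-based static routes tried at the top of the thread cannot split traffic by source VLAN, why the first PBR attempt (permit ... any) also captured the vlan 30 to DNS-server traffic that Rick describes above, how the deny entries in the accepted solution let that traffic fall back to normal routing, and how `set ip next-hop verify-availability ... track` (Paul's IP SLA suggestion) falls back to the default route when FW02 is unreachable. Assumptions made here: a /24 mask for the server VLAN 100, constructed host addresses 172.20.30.25 and 172.20.192.10, the documentation address 203.0.113.10 standing in for an Internet destination, and one extra deny for the vlan 1 management subnet that goes beyond the accepted solution.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the thread: vlan 1 172.21.1.0/24 (FW01 .1, FW02 .111, core .2),
# vlan 30 172.20.30.0/24 (Wi-Fi users), vlan 50 172.20.192.0/24 (LAN users),
# vlan 100 with the DNS/DHCP servers 172.20.1.100/.102 (its /24 mask is assumed).

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wc_net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (wildcard 1-bits are don't-care)."""
    if addr == "any":
        return ANY
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_permits(acl, src, dst) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class PbrSeq:
    acl: tuple            # 'match ip address <acl>' of one route-map sequence
    next_hop: str         # 'set ip next-hop verify-availability <hop> 1 track <n>'
    track: Optional[str]  # None models a plain 'set ip next-hop' without tracking


# Normal (destination-based) routing table of the core: connected VLANs plus the default route.
RIB = [
    (ipaddress.IPv4Network("172.21.1.0/24"), "connected Vlan1"),
    (ipaddress.IPv4Network("172.20.30.0/24"), "connected Vlan30"),
    (ipaddress.IPv4Network("172.20.192.0/24"), "connected Vlan50"),
    (ipaddress.IPv4Network("172.20.1.0/24"), "connected Vlan100"),  # assumed mask
    (ipaddress.IPv4Network("0.0.0.0/0"), "next-hop 172.21.1.1"),     # ip route 0.0.0.0 0.0.0.0 172.21.1.1
]


def rib_lookup(dst, rib=RIB) -> str:
    """Longest-prefix match on the destination only: the source address never takes part,
    which is why a static route cannot steer 'traffic from vlan 30' to a different firewall."""
    best = max((r for r in rib if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else "unroutable"


def forward(src: str, dst: str, route_map, tracks, rib=RIB) -> str:
    """Model 'ip policy route-map' on the ingress SVI: PBR first, normal routing as fallback."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq in route_map:
        if acl_permits(seq.acl, s, d):
            if seq.track is None or tracks.get(seq.track, False):
                return f"pbr next-hop {seq.next_hop}"
            break  # matched, but the tracked next hop is down: route the packet normally
    return rib_lookup(d, rib)


# The route-map first posted in the thread: 'access-list 100 permit ip 172.20.30.0 0.0.0.255 any'.
NAIVE_PBR = [PbrSeq((Ace("permit", wc_net("172.20.30.0", "0.0.0.255"), ANY),),
                    "172.21.1.111", "track1")]

# The accepted solution: deny internal destinations first so they fall through to the RIB.
# The deny for 172.21.1.0/24 is an addition here (management VLAN), not part of the thread.
FIXED_PBR = [PbrSeq((
    Ace("deny", wc_net("172.20.30.0", "0.0.0.255"), wc_net("172.20.192.0", "0.0.0.255")),
    Ace("deny", wc_net("172.20.30.0", "0.0.0.255"), wc_net("172.20.1.0", "0.0.0.255")),
    Ace("deny", wc_net("172.20.30.0", "0.0.0.255"), wc_net("172.21.1.0", "0.0.0.255")),
    Ace("permit", wc_net("172.20.30.0", "0.0.0.255"), ANY),
), "172.21.1.111", "track1")]


def demo() -> dict:
    """Constructed packets (hosts .25 and .10 and the 203.0.113.10 destination are made up)."""
    up, down = {"track1": True}, {"track1": False}
    return {
        # Static routes only: a vlan 30 user still follows the default route to FW01
        "static_only": forward("172.20.30.25", "203.0.113.10", [], {}),
        # DNS query from a Wi-Fi user to the internal DNS server
        "naive_dns": forward("172.20.30.25", "172.20.1.100", NAIVE_PBR, up),
        "fixed_dns": forward("172.20.30.25", "172.20.1.100", FIXED_PBR, up),
        # Internet-bound traffic from the same user goes to FW02
        "fixed_inet": forward("172.20.30.25", "203.0.113.10", FIXED_PBR, up),
        # Same packet while the SLA probe to FW02 fails: falls back to the default route via FW01
        "fixed_inet_fw02_down": forward("172.20.30.25", "203.0.113.10", FIXED_PBR, down),
        # LAN user (vlan 50) is untouched by the policy and uses the default route
        "lan_inet": forward("172.20.192.10", "203.0.113.10", FIXED_PBR, up),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

The naive policy sends the DNS query to FW02, which matches the symptom reported above (PBR overrides the connected route to vlan 100); the deny entries make the ACL not match, so the route-map falls through and the switch forwards the query on vlan 100 as usual. The policy is evaluated on the SVI where the source subnet lives, which is why it belongs on interface vlan 30 rather than vlan 1.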

Thank you sir. Here are some bits and pieces of my config

My firewall devices, both Fortigates, are connected to the interfaces below.

interface GigabitEthernet1/0/1
description TT-FORTIGATE-01_LAN
switchport mode access
!
interface GigabitEthernet1/0/2
description TT-FORTIGATE-02_LAN
switchport mode access

 

My network devices are connected to this vlan (VLAN1)

interface Vlan1
description FW-SW
ip address 172.21.1.2 255.255.255.0

My firewall 1 IP address is 172.21.1.1, my firewall 2 IP address is 172.21.1.111, and my core switch is 172.21.1.2 (as assigned in my vlan 1).

My internal network has 3 more VLANs in addition to vlan 1.

vlan 1 - my network devices including firewall and coreswitch

vlan 30 - my wifi users

vlan 50 - my lan users

vlan 100 - my dhcp and dns servers with these IP 172.20.1.100 and 172.20.1.102

 

Default route as of the moment:

ip route 0.0.0.0 0.0.0.0 172.21.1.1 (this is going to my firewall 1)

 

Vlan 1 is assigned 172.21.1.2, and 172.21.1.1 and 172.21.1.111 are assigned to the FWs. So PBR should be configured in VLAN1. Not clear how your DNS servers are connected.

Regards

You suggest a valid point that the FWs are in the subnet associated with vlan 1. How does that lead you to suggest that PBR should be in vlan 1?

As I pointed out in a previous post the PBR config deals with addresses that originate in subnet 172.20.30.0. And that subnet is on vlan 30. So vlan 30 is where PBR should be configured.

HTH

Rick