cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
821
Views
0
Helpful
4
Replies

VLAN + HSRP + External FW

npereira
Level 1
Level 1

ok, here is ,y scenerio...

I have 2 6513's 12.2(18)SXF8 with SUP720's and MSFC3

Theses are interconnected via 10Gb trunks. This is working fine.

I also have 6 different VLANS witch are adentical on each switch, SW1's VLAN IP ends with .11 and SW2's IP ends with .12

I have setup HSRP between theses 2 switches for each VLAN. The setup for that looks like this (example of VLAN100)

SW1:

int vlan 100

ip address 192.168.2.11

standby 100 ip 192.168.2.1

standby 100 priority 200 preempt

standby 100 track tengig 13/1 50

SW2:

int vlan 100

ip address 192.168.2.12

standby 100 ip 192.168.2.1

standby 100 priority 100

So far this seems correct right? The puzzling issue I have is my firewall (fortigate) has 1 phusical interface for each VLAN.

The FW interface IP to the VLAN 100 is 192.168.2.3

Now... how do I send the traffic to the firewall so we can do the routing and ACL's on the firewall?

4 Replies 4

anandramapathy
Level 3
Level 3

Put a route MAP on the L3 interfaces on both Switches with the Next Hop pointing to the Firewall IP

can you explain how to do this exactly?

Why do you want to do routing on the Firewall ?

I prefer it this way. Put 1 static default route on the switch to point towards the Firewall IP.

Internal traffic goes via the L3 switch. INternet traffic goes through the PIX.

If you have a DMZ inside, then your point is valid, all traffic has to go throught the DMZ interface

Anyway - This is how it goes

access-list 111 permit ip 192.168.2.0 255.255.255.255 any

route-map to-firewall permit 10

match ip address 111

set ip default next-hop

int vlan 100

ip policy route-map to-firewall

ok, I will explain. The FW is a Fortinet box. Each VLAN is physicaly connected to the Fortinet. basicaly we have 6 VLANS, there is 6 cat5e going from the switch to the fortinet FW. This allows us to do ZONE ACL's on the Fortinet, for all VLANS instead of doing VACL's on the switch (basicaly easier to manage on the Fortinet). And also the fact that one of the vlan's is the DMZ like you mentioned.

ok, so I did this but in a litle different way...

route-map CORP permit 10

set next-hop 10.98.4.3

int vlan 104

ip policy route-map CORP

So I don't use ACL's.

What is the difference between :

"set ip default next-hop" and "set ip next-hop" ???

I want ALL traffic from the VLAN 104 going to the 10.98.4.3 without exceptions, unless it's destined to a host within VLAN 104...

Am I doing this correctly? If so, how can I visualy see the traffic going to the fortinet, then comming back ?