05-04-2023 10:54 AM
Hey guys, so I have set up a Cisco Business switch and added 2 different VLANs for an SD-WAN HA setup. The connection is going from a Cox modem using a dynamic IP address into the Cisco switch, then out to the Fortinet. When I attach a Fortinet switch this seems to work just fine. Attached is the switch config, and any help is greatly appreciated. Thanks, Tony
05-04-2023 11:11 AM
Hi
Trying to understand the scenario. You have a modem offering DHCP and you want your firewall to get a DHCP IP address from the modem? And then you connect both to the switch in different VLANs?
05-04-2023 01:35 PM
So it kind of goes like this: modem ---> switch ---> firewall A and firewall B for HA via VLAN 200. I am doing the same thing via VLAN 100 for CenturyLink and it works, but that is a PPPoE connection.
05-04-2023 01:43 PM
I think I do not follow you yet.
If you have the firewall and the modem on the same VLAN, DHCP should be transparent. The switch should not interfere.
If you add a static IP on the firewall, does it ping the modem?
05-04-2023 02:21 PM
Tony
We have some information but not enough to really understand the issue or to give good advice. I have looked at the switch config in the original post and read your very brief description of the topology. It is not clear to me where the firewalls are connected. I see some switch ports in vlan 100 and some in vlan 200 but no indication of what is connected to these ports. Can you provide clarification?
Based on this statement, "I am doing the same thing via VLAN 100 for Centurylink", I am guessing that the firewalls are connected to ports in vlan 100. Is that correct?
05-04-2023 06:24 PM
05-04-2023 07:24 PM - edited 05-04-2023 07:25 PM
Tony
Thanks for the drawing. It shows the cable modem and both firewalls on ports 5, 6, and 7 in vlan 200. Where is the other ISP?
05-05-2023 06:45 AM
Hi Richard, CenturyLink is plugged into Cisco switch port 1 and going out to the firewall (WAN 2) via port 2 and port 3.
05-05-2023 08:03 AM
And do all these interfaces belong to the same VLAN? And does the switch have no IP address (interface vlan) on this VLAN?
If yes to both questions, the communication should flow as we expect for a layer 2 switch. One thing you can try is enabling DHCP snooping, if it is not already enabled, and adding the interface where the modem is connected as a trusted interface.
conf t
! Enable DHCP snooping globally, then on the ISP VLAN (replace X with the VLAN id)
ip dhcp snooping
ip dhcp snooping vlan X
! Only the port facing the modem may send DHCP server replies (OFFER/ACK)
int <modem's interface>
ip dhcp snooping trust
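A fuller version of that idea, added here as an example and not something posted in the thread, covering both ISP VLANs as the thread has described them so far (CenturyLink on port 1 with firewall WAN ports 2 and 3 in VLAN 100; Cox modem on port 5 with firewall ports 6 and 7 in VLAN 200). The interface naming (GigabitEthernet1/0/N for "port N"), the IOS-style CLI, and the verification commands are assumptions; the Cisco Business switch CLI names interfaces and some commands differently, so check the exact syntax on the model in use.

```cisco
! Added example, not from the thread: DHCP snooping on both ISP VLANs.
! Interface names are assumed (GigabitEthernet1/0/N = "port N" in the thread).
conf t
!
! Layer-2-only VLANs for the two ISP hand-offs; no SVI on either,
! so the switch never takes part in DHCP on them.
vlan 100
 name ISP-CenturyLink
vlan 200
 name ISP-Cox
!
! Enable snooping globally and only on the ISP VLANs.
ip dhcp snooping
ip dhcp snooping vlan 100,200
!
! Leave option-82 insertion off: some ISP DHCP servers ignore
! requests carrying it, which looks like "DHCP does not work".
no ip dhcp snooping information option
!
! ISP uplinks: DHCP OFFER/ACK may only arrive from these ports.
interface GigabitEthernet1/0/1
 description CenturyLink
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping trust
interface GigabitEthernet1/0/5
 description Cox modem
 switchport mode access
 switchport access vlan 200
 ip dhcp snooping trust
!
! Firewall WAN ports: untrusted, so a misconfigured or rogue
! DHCP server on either firewall is blocked at the switch.
interface range GigabitEthernet1/0/2 - 3
 switchport mode access
 switchport access vlan 100
 no ip dhcp snooping trust
interface range GigabitEthernet1/0/6 - 7
 switchport mode access
 switchport access vlan 200
 no ip dhcp snooping trust
end
!
! Verification after the firewall WAN interface renews its lease:
! show ip dhcp snooping            -> trusted ports listed per VLAN
! show ip dhcp snooping binding    -> firewall WAN MAC, leased IP, VLAN 200
! show ip dhcp snooping statistics -> drop counters if an OFFER hit an untrusted port
```

The binding table is the useful check here: if the firewall's DHCP request is reaching the modem and an OFFER is coming back through the trusted port, an entry for the firewall's WAN MAC appears in VLAN 200; if the statistics show drops instead, the replies are arriving on a port the switch does not trust, which narrows the problem to cabling or VLAN assignment rather than the firewall's HA mode.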
05-05-2023 09:20 AM
The original post included an attachment with the config of the switch. It shows clearly a vlan 1 with an SVI and an IP address, and some number of ports in that vlan. It also included vlan 100 with some ports (no SVI) and vlan 200 with some ports (no SVI).
Tony
This is what I believe I understand at this point:
You have already implemented part of this with Century Link in vlan 100 and it is working. Now you want to add a similar thing for vlan 200 with Cox.
There are a few things that I do not understand:
You mention that you want to establish HA. I am not clear whether the HA is between the 2 firewalls, so that if one firewall fails the other firewall takes over, or whether HA is about the ISPs, so that if one fails the other takes over?
HA for the firewalls makes sense, and what you have configured should accomplish that. HA for the ISPs is problematic. You have a pair of firewalls connecting to the first ISP; what would connect to the second ISP? Would the same firewalls connect to both ISPs, or is there another pair of firewalls?
I am also not clear about vlan 1 and network 10.200.58.0/24. Is this for your inside network? I would have expected the inside network to connect through the firewall.
I am not clear what is providing the layer 3 routing for your inside network. Is the firewall doing the layer 3 routing (and NAT) for the inside network, or is there something else doing the routing logic for the inside network? If the firewall is doing the routing logic for inside, how will you coordinate that when there is a second ISP?
05-05-2023 09:52 AM
HA is being used within the firewalls, not the ISPs. VLAN 1 is my local (inside) network and it is just being used to access the switch only. The inside network is being managed by firewall A. I could technically take that IP and routing info out of the switch and just manage it via console.
05-05-2023 08:14 AM
Friend, if I am correct, I think other vendors' FWs are the same as Cisco FWs in that
FW HA does not support DHCP client, i.e. the DHCP client config for the outside interface of the FW cannot be configured, or does not work, if the FW is in HA.
05-05-2023 09:39 AM
I would think the same; however, when I take out the Cisco switch and plug in the Fortinet switch I have, this works.
05-05-2023 09:54 AM
Keep the SW but change the mode of the FW from HA to standalone.
This will make sure that the issue is from the FW HA, not from the SW.
05-05-2023 01:03 PM