WAN switch not passing DHCP to firewall from modem

tdrake2406
Level 1

Hey guys, so I have set up a Cisco Business switch and added 2 different VLANs for an SD-WAN HA setup. The connection goes from a Cox modem using a dynamic IP address into the Cisco switch and then out to the Fortinet. When I attach a Fortinet switch this seems to work just fine. Attached is the switch config; any help is greatly appreciated. Thanks, Tony

20 Replies

Hi

Trying to understand the scenario. You have a modem offering DHCP and you want your firewall to get a DHCP IP address from the modem? And then you connect both to the switch in different VLANs?

So it kind of goes like this: modem ---> switch ---> firewall A and firewall B for HA via VLAN 200. I am doing the same thing via VLAN 100 for CenturyLink and it works, but that is a PPPoE connection.

I think I do not follow you yet. 

If you have firewall and modem on the same vlan, DHCP should be transparent. The switch should not interfere.

If you add a static IP on firewall, does it ping the modem?

 

Tony

We have some information but not enough to really understand the issue or to give good advice. I have looked at the switch config in the original post and read your very brief description of the topology. It is not clear to me where the firewalls are connected. I see some switch ports in VLAN 100 and some in VLAN 200 but no indication of what is connected to these ports. Can you provide clarification?

Based on this statement, "I am doing the same thing via VLAN 100 for CenturyLink", I am guessing that the firewalls are connected to ports in VLAN 100. Is that correct?

HTH

Rick

Richard

 

Here is a diagram of how it is essentially set up. If you need any further details, please let me know.

Tony

Thanks for the drawing. It shows the cable modem and both firewalls on ports 5, 6, and 7 in VLAN 200. Where is the other ISP?

HTH

Rick

Hi Richard, CenturyLink is plugged into Cisco switch port 1 and goes out to the firewall (WAN 2) via port 2 and port 3.

And do all these interfaces belong to the same VLAN? And does the switch have no IP address (interface vlan) on this VLAN?

If yes to both questions, the communication should flow as we expect for a layer 2 switch. One thing you can try is to enable DHCP snooping, if it is not already enabled, and add the interface where the modem is connected as a trusted interface.

conf t
 ! enable DHCP snooping globally
 ip dhcp snooping
 ! enforce it on the VLAN shared by the modem and the firewalls
 ip dhcp snooping vlan X
 ! only the modem's port may send DHCP server replies (OFFER/ACK) into the VLAN
 int <modem's interface>
  ip dhcp snooping trust
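As an added illustration of why the trust setting above matters (example code, not from the thread or from Cisco): a minimal model of the DHCP snooping decision, parsing option 53 from a constructed DHCP payload and walking a lease exchange through the port layout described in the thread (modem on port 5, firewalls on ports 6 and 7, as assumed here).

```python
# Added example: models DHCP snooping forwarding decisions on a layer 2 switch.
# Assumed port names (gi5 modem, gi6/gi7 firewalls) follow the thread's diagram.

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}              # messages only a DHCP server sends


def dhcp_message_type(payload: bytes) -> str:
    """Return the DHCP message type name carried in option 53, or raise if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        if code == 53 and length == 1:
            return TYPES.get(payload[i + 2], f"type{payload[i + 2]}")
        i += 2 + length
    raise ValueError("option 53 missing")


def snooping_decision(msg_type: str, port_trusted: bool, snooping_enabled: bool = True) -> str:
    """DHCP snooping rule: server-side messages are accepted only on trusted ports."""
    if not snooping_enabled:
        return "forward"
    if msg_type in SERVER_MSGS and not port_trusted:
        return "drop"
    return "forward"


def build_dhcp(op: int, msg_type_code: int) -> bytes:
    """Constructed packet: op byte, rest of the 236-byte header zeroed, cookie, option 53, end."""
    return bytes([op]) + bytes(235) + MAGIC + bytes([53, 1, msg_type_code, 255])


def firewall_gets_lease(modem_port: str, trusted_ports: set, snooping_enabled: bool = True) -> bool:
    """Walk DISCOVER/OFFER/REQUEST/ACK through the switch; True only if the ACK reaches the firewall."""
    fw_port = "gi6"                                # constructed: firewall A's WAN port
    steps = [("DISCOVER", fw_port), ("OFFER", modem_port), ("REQUEST", fw_port), ("ACK", modem_port)]
    for mtype, ingress in steps:
        if snooping_decision(mtype, ingress in trusted_ports, snooping_enabled) == "drop":
            return False
    return True
```

With snooping on and the modem port untrusted the OFFER is silently dropped, which presents exactly as "the firewall never gets an address" while pings to a static address still work.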

@Flavio Miranda 

The original post included an attachment with the config of the switch. It shows clearly a VLAN 1 with an SVI and an IP address, and some number of ports in that VLAN. It also included VLAN 100 with some ports (no SVI) and VLAN 200 with some ports (no SVI).

Tony

This is what I believe I understand at this point:

You have already implemented part of this with CenturyLink in VLAN 100 and it is working. Now you want to add a similar thing for VLAN 200 with Cox.

There are a few things that I do not understand:

You mention that you want to establish HA. I am not clear whether the HA is between the 2 firewalls, so that if one firewall fails the other firewall takes over, or whether HA is about the ISPs, so that if one fails the other takes over.

HA for the firewalls makes sense, and what you have configured should accomplish that. HA for the ISP is problematic. You have a pair of firewalls connecting to the first ISP; what would connect to the second ISP? Would the same firewalls connect to both ISPs, or is there another pair of firewalls?

I am also not clear about VLAN 1 and network 10.200.58.0/24. Is this for your inside network? I would have expected the inside network to connect through the firewall.

I am not clear what is providing the layer 3 routing for your inside network. Is the firewall doing the layer 3 routing (and NAT) for the inside network, or is there something else doing routing logic for the inside network? If the firewall is doing routing logic for inside, how will you coordinate that when there is a second ISP?

HTH

Rick

HA is being used within the firewalls, not the ISPs. VLAN 1 is my local (inside) network and it is just being used to access the switch only. The inside network is being managed by firewall A. I could technically take that IP and routing info out of the switch and just manage it via console.

Friend, if I am correct, and I think the other vendor's FW is the same as the Cisco FW in this, FW HA does not support DHCP client, i.e. the DHCP client config for the outside interface of the FW cannot be configured, or does not work, if the FW is in HA.

I would think the same; however, when I take out the Cisco switch and plug in the Fortinet switch I have, this works.

Keep the SW but change the mode of the FW from HA to standalone.

This will make sure for us whether the issue is from the FW HA and not from the SW.

So I tried this and it still did not work.