Harjeet Singh asked:
Watchguard VLANs with Cisco SG300

Hello Experts

I need help resolving some network performance issues.

We have a Watchguard XTM 505 firewall which is currently set up to do almost everything, e.g. internal subnets as separate physical networks on different ports on the Watchguard, so it's routing traffic between internal networks (servers/desktops/printers etc.),
and much more, like spam filtering, VPN etc.

And it's always in red bars for Traffic and Load status. We want to ease it off by using a Layer 3 switch to do all internal traffic routing between internal networks.

I have the following subnets:
172.16.12.0/24 servers (DHCP server 172.16.12.12) (DELL Switch)
172.16.13.0/24 desktops (Dell Switch)
172.16.14.0/24 remote office (netgear switch)
172.16.15.0/24 Citrix VDI desktops. (directly plugged into watchguard and NIC on VDI server)

I have a new Cisco SG300 10-port Layer 3 switch.
What I want is to configure ports on this switch and connect all my network/subnet switches to it,

and uplink this to the Watchguard for internet traffic.

I am very new to this VLAN setup; could someone please guide me on what exactly I need to do on the Cisco switch and on the Watchguard
so that traffic from internal networks can talk to each other without going via the Watchguard, and all outbound internet traffic goes via the Watchguard?
Also DHCP relay needs to be sent to the DHCP server in the servers' network with IP 172.16.12.12.

Many Thanks in advance

Regards
Harry
ASKER CERTIFIED SOLUTION
RKnebel512:
On the watchguard, the goal is to get it to send out packets that are packaged to look like a vlan packet to the switch.  

Using the system manager GUI for the firebox, you need to click on the policy manager (the icon with a man in front of a brick wall).

In the policy manager, from the network dropdown menu, select configuration.  Select the VLAN tab.  Click on add, and fill in the information.  You will need to add a vlan on the watchguard for each of the vlans you want routable.

http://kb.funcshun.com/how-to-create-vlans-in-watchguard-xtmv-small-office/

You will also need to make sure that there are firewall rules for each vlan so that traffic is allowed.
Harjeet Singh (ASKER):
Thanks for the detailed response.

I will go ahead with the suggested config.
I'm a bit worried about the Watchguard side, as I've got an XTM 505 and I need to filter traffic going out, as we allow restricted internet access based on username/IPs etc.

On the Watchguard interface I can tick allow tagged traffic from all VLANs, or select as many as I want, but for untagged VLAN traffic it won't let me select more than one VLAN for one interface.

I want to connect port 10 of the Cisco switch to the Watchguard interface.

The rest, maybe ports 2, 3, 4, 5, one each for each separate network.

I will try this and will update here.
Thanks
RKnebel512:
Anything marked as a specific vlan on the switch will be tagged as it goes out the interface to the watchguard. Anything that you haven't specified in a specific vlan will go out untagged. Cisco uses vlan 1 for untagged (native) traffic.

For security purposes, it is a best practice to specify all traffic in some vlan so that nothing is untagged.
Harjeet Singh (ASKER):
Hi RK,
I have managed to get this all working now. The only issue I've got is that internet access speed is very slow: speedtest.net gives me 10 Mb down and 1 Mb up,
whereas with the network connected directly to the Watchguard we get 50 Mb up/down, as we have a 50 Mb fibre leased line.

Looks like something needs to be set up regarding speeds on the ports on the SG300.
I also need to add the DHCP server relay; I'm looking for the command, as "ip helper" says invalid command.

Below is the config on the switch now.


switch4d070d#show run
config-file-header
switch4d070d
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switch4d070d
username cisco password encrypted c4a0f1fb6b196bac8e3719fb9f479a10c0112738 privilege 15
!
interface vlan 10
 name Net1
 ip address 172.16.20.1 255.255.255.0
!
interface vlan 20
 name Net2
 ip address 172.16.21.1 255.255.255.0
!
interface gigabitethernet7
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet8
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet10
 switchport trunk allowed vlan add 10,20
!
exit
ip default-gateway 172.16.20.254
ip default-gateway 172.16.21.254
ip route 172.16.20.0 /24 172.16.20.254
ip route 172.16.21.0 /24 172.16.21.254
switch4d070d#
Harjeet Singh (ASKER):
Sorry, my mistake: the Watchguard interface speed was limited to 10 Mb up.
I have changed that now and all looks good.

Thanks for your help. I am going to put this switch in the production network shortly
and will update again on this.
SOLUTION
Harjeet Singh (ASKER):
Aah, you saved me some hassle, man.

DHCP was not working, but I added the above; it only takes, per VLAN,
ip dhcp relay enable

and the server relay IP is global.

So all good so far.

It's live in production and I am monitoring things.

Thanks for your help.
Harjeet Singh (ASKER):
Unfortunately I had to take this switch out of the production network as we had serious trouble with packet loss.
Pings between subnets to servers were dropping a lot; not sure what caused this.

I am a bit confused about default gateways. In my current config I don't see any routes.


ip default-gateway 172.16.12.254
ip default-gateway 172.16.13.254
ip default-gateway 172.16.14.254
ip default-gateway 172.16.15.254

Also not sure how to define a default gateway individually for each VLAN,

or whether we need only one pointing all VLANs to one Watchguard IP; on the Watchguard I've got 4 VLAN IPs.
Harjeet Singh (ASKER):
Hi,

I need a bit of advice about setting the default gateway towards the Watchguard and IP routes. What do you think of the 8 lines below; is this what I need, or something simpler?

ip default-gateway 172.16.12.254
ip default-gateway 172.16.13.254
ip default-gateway 172.16.14.254
ip default-gateway 172.16.15.254
ip route 172.16.12.0 /24    172.16.12.254
ip route 172.16.13.0 /24    172.16.13.254
ip route 172.16.14.0 /24    172.16.14.254
ip route 172.16.15.0 /24    172.16.15.254

Below is the current config on the switch, and internal routing is working.
--------------------------

DBS-SG300#show run
config-file-header
DBS-SG300
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 12-15
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp relay address 172.16.12.12
ip dhcp relay enable
bonjour interface range vlan 1
hostname DBS-SG300
username cisco password encrypted c4a0f1fb6b196bac8e3719fb9f479a10c0112738 privilege 15
!
interface vlan 12
 name DBSServers
 ip address 172.16.12.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 13
 name DBSDesktops
 ip address 172.16.13.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 14
 name DBSHDesktops
 ip address 172.16.14.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 15
 name DBSVDINET
 ip address 172.16.15.1 255.255.255.0
 ip dhcp relay enable
!
interface gigabitethernet1
 switchport mode access
 switchport access vlan 12
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 14
!
interface gigabitethernet4
 switchport mode access
 switchport access vlan 15
!
interface gigabitethernet10
 switchport trunk allowed vlan add 12-15
!
exit
DBS-SG300#
RKnebel512:
Sorry it took so long to get back to you. I just got a new job and this week has been pretty busy.

So, back to your problem. You don't need all those "ip default-gateway" commands. Only one will be needed and pointing to the watchguard. That way, any traffic heading to a network that the switch doesn't know about heads to the watchguard.

You also shouldn't need any routes on the switch. That, in fact, might be causing your packet loss. The "ip route" command is used to tell the switch where to send traffic that is bound for networks it wouldn't know about through other means. What you are doing with the "ip route" commands you've typed in is telling the switch to send all traffic for vlans 12-15 to the watchguard instead of routing it like it should. If you have the SG300 routing, then it will already know where to send traffic for each vlan and it will use the default gateway when it doesn't know.

After rereading your posts, it occurs to me that you are doing all your routing on the SG300 switch and not the watchguard. In that case, you shouldn't need to have an address for each vlan on your watchguard. What I would do is make another vlan that the switch and watchguard will use to communicate. The switch should only have that vlan on the interface that is attached to the watchguard, and then you would have to add routes on the watchguard for each vlan pointing to the switch.
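As an added example (not from this thread, nor Cisco's or WatchGuard's own tooling), a small Python lint over a constructed SG300-style config fragment that flags the mistakes discussed in the two replies above: several "ip default-gateway" lines, "ip route" entries for subnets already configured on a VLAN interface, and an access port left with no VLAN, which lands it untagged in VLAN 1. The sample config and the port names in it are constructed for the example.

```python
import ipaddress
import re

# Constructed sample, modelled on the asker's dump: one VLAN interface, one
# correctly assigned access port, one port left in VLAN 1, and the proposed lines.
SAMPLE_CONFIG = """\
interface vlan 12
 ip address 172.16.12.1 255.255.255.0
!
interface gigabitethernet1
 switchport mode access
 switchport access vlan 12
!
interface gigabitethernet5
 switchport mode access
!
ip default-gateway 172.16.12.254
ip default-gateway 172.16.13.254
ip route 172.16.12.0 /24 172.16.12.254
ip route 172.16.13.0 /24    172.16.13.254
"""

def lint_sg300_config(config):
    """Return findings for the routing and untagged-port issues discussed above."""
    connected, gateways, routes, findings = [], [], [], []
    port, port_vlan = None, None
    for line in config.splitlines() + ["!"]:  # trailing "!" closes the last block
        s = line.strip()
        if s == "!" or s.startswith("interface "):
            # Leaving a block: an access port with no VLAN set stays in native VLAN 1.
            if port and port_vlan is None:
                findings.append(f"{port} has no access VLAN (untagged, VLAN 1)")
            port = s[10:] if s.startswith("interface gigabitethernet") else None
            port_vlan = None
        elif m := re.match(r"switchport access vlan (\d+)$", s):
            port_vlan = int(m[1])
        elif m := re.match(r"ip address (\S+) (\S+)$", s):
            connected.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"ip default-gateway (\S+)$", s):
            gateways.append(m[1])
        elif m := re.match(r"ip route (\S+) /(\d+)\s+(\S+)$", s):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    if len(gateways) > 1:
        findings.append(f"{len(gateways)} default gateways configured; one is enough")
    for net, nexthop in routes:  # a route for a connected subnet overrides local routing
        if net in connected:
            findings.append(f"static route for connected subnet {net} via {nexthop}")
    return findings
```

The route for 172.16.13.0/24 in the sample is not flagged, because no VLAN interface owns that subnet; only routes that duplicate a directly connected network are reported.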
Harjeet Singh (ASKER):
Hi RK,

Yeah, I managed to get things working. On the Watchguard I just configured one LAN interface with 172.16.10.10 and put in some static routes for my internal subnets to send to the switch, and on the switch I've got the WG as the default route.

Looks like everything works OK, but occasionally I get trouble like ping delays or timeouts, though not very often, so something is still there causing some trouble.

Below is the current config. Not sure if the SG300 is not good enough to handle all traffic between the servers and 3 desktop subnets, or something else.



DBS-SG300#show run
config-file-header
DBS-SG300
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 12-15,999
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
system router resources ip-entries 320
ip dhcp relay address 172.16.12.12
ip dhcp relay enable
bonjour interface range vlan 1
hostname DBS-SG300
username cisco password encrypted c4a0f1fb6b196bac8e3719fb9f479a10c0112738 privilege 15
!
interface vlan 12
 name DBSServers
 ip address 172.16.12.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 13
 name DBSDesktops
 ip address 172.16.13.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 14
 name DBSHDesktops
 ip address 172.16.14.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 15
 name DBSVDINET
 ip address 172.16.15.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 999
 name WG
 ip address 172.16.10.1 255.255.255.0
!
interface gigabitethernet1
 switchport mode access
 switchport access vlan 12
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 14
!
interface gigabitethernet4
 switchport mode access
 switchport access vlan 15
!
interface gigabitethernet8
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet9
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 999
!
exit
ip default-gateway 172.16.10.10
DBS-SG300#
SOLUTION
Harjeet Singh (ASKER):
Resolved with an external Cisco expert's help.