Solved

Watchguard VLANs with Cisco SG300

Posted on 2013-11-30
Last Modified: 2016-11-23
Hello Experts

I need help with resolving some network performance issues.

We have a WatchGuard XTM 505 firewall which is currently set up to do almost everything, e.g. internal subnets as separate physical networks on different ports on the WatchGuard, so it is routing traffic between internal networks like servers/desktops/printers etc.,
and much more, like spam filtering, VPN etc.

It is always in red bars for Traffic and Load status, and we want to ease it off by using a Layer 3 switch to do all internal traffic routing between internal networks.

I have the following subnets:
172.16.12.0/24 servers (DHCP server 172.16.12.12) (Dell switch)
172.16.13.0/24 desktops (Dell switch)
172.16.14.0/24 remote office (Netgear switch)
172.16.15.0/24 Citrix VDI desktops (directly plugged into the WatchGuard and a NIC on the VDI server)

I have a new Cisco SG300 10-port Layer 3 switch.
What I want is to configure ports on this switch and connect all my network/subnet switches to it,

and uplink it to the WatchGuard for internet traffic.

I am very new to this VLAN setup; could someone please guide me on what exactly I need to do on the Cisco switch and on the WatchGuard
so that traffic from internal networks can talk to each other without going via the WatchGuard, and all outbound traffic to the internet goes via the WatchGuard?
Also, DHCP relay needs to be sent to the DHCP server in the servers' network with IP 172.16.12.12.

Many Thanks in advance

Regards
Harry
Question by: H-Singh
Accepted Solution by: RKnebel512 (earned 500 total points)
On the switch, you put each interface into the vlan you want it in and set up trunk ports between the switches and router.

! First you need to create your vlans on the switch.
! You do this in the global configure mode
! The prompt should start with "switch(config) #"
! Do the following for each vlan you will use.

   vlan 12
    name Servers Network

! You will then need to make a vlan interface for each vlan
! This is where your watchguard will send traffic

   interface vlan 12
    ip address 172.16.12.2 255.255.255.0
    ip helper-address 172.16.12.12
    exit

! You then need to put each Ethernet interface on its vlan
! This is the configuration for the ports headed to client PCs

   interface fastEthernet 0/3
    switchport mode access
    switchport access vlan 12
    no shutdown
    exit

! Turn off the VLAN trunking protocol unless you are using it

   vtp mode transparent

! These will be the commands for the interfaces that connect the switches to each other and to the router

   interface fastEthernet 0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    no shutdown
    exit
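The same procedure (VLANs, one SVI per VLAN with DHCP relay, access ports, a single link towards the firewall) written as a small Python generator, added here as an example; it is not code from the thread or from Cisco. It emits the syntax the SG300 itself prints in show run, as the later posts in this thread do (gigabitethernetN, a global ip dhcp relay address plus per-SVI ip dhcp relay enable), rather than the Catalyst fastEthernet and ip helper-address names above. It validates the subnet table (no overlapping subnets, no port used twice, firewall address inside the transit subnet), picks the first host of each subnet as the SVI address, and parks and shuts every spare port in an unused VLAN so nothing rides untagged on VLAN 1. The transit VLAN 999, the firewall address 172.16.10.10, the port layout and the parking VLAN 666 are assumptions, modelled on the values the thread settles on later.

```python
"""Generate an SG300-style Layer 3 config from a VLAN table.

Added example, not the thread's own config: the transit VLAN, the firewall address,
the port layout and the parking VLAN are assumptions chosen around the question's subnets.
"""
import ipaddress

# Constructed from the question's subnet list: (vlan id, name, subnet, access ports).
VLANS = [
    (12, "Servers", "172.16.12.0/24", [1]),
    (13, "Desktops", "172.16.13.0/24", [2]),
    (14, "RemoteOffice", "172.16.14.0/24", [3]),
    (15, "VDI", "172.16.15.0/24", [4]),
]
DHCP_SERVER = "172.16.12.12"             # from the question
TRANSIT = (999, "WG", "172.16.10.0/24")  # assumption: switch-to-firewall VLAN
FIREWALL_IP = "172.16.10.10"             # assumption: firewall address on the transit VLAN
FIREWALL_PORT = 10                       # assumption: port cabled to the firewall
TOTAL_PORTS = 10
PARKING_VLAN = 666                       # assumption: spare ports are parked here and shut


def plan(vlans, transit, firewall_ip, firewall_port, total_ports):
    """Validate the table and pick each SVI address (first host of its subnet)."""
    seen_ports, networks, out = set(), [], {}
    for vid, name, subnet, ports in vlans + [transit + ([],)]:
        net = ipaddress.ip_network(subnet)
        if any(net.overlaps(other) for other in networks):
            raise ValueError(f"VLAN {vid} subnet {net} overlaps another VLAN")
        networks.append(net)
        for port in ports:
            if port in seen_ports or port == firewall_port or not 1 <= port <= total_ports:
                raise ValueError(f"port {port} is reused, reserved for the firewall, or out of range")
            seen_ports.add(port)
        out[vid] = {"name": name, "net": net, "svi": str(next(net.hosts())), "ports": list(ports)}
    if ipaddress.ip_address(firewall_ip) not in out[transit[0]]["net"]:
        raise ValueError("firewall address must sit inside the transit VLAN subnet")
    unused = sorted(set(range(1, total_ports + 1)) - seen_ports - {firewall_port})
    return out, unused


def render(plan_out, unused, dhcp_server, transit_vid, firewall_ip, firewall_port, parking_vlan):
    """Emit the config in the syntax the SG300 prints in 'show run'."""
    lines = ["vlan database",
             "vlan " + ",".join(str(v) for v in sorted(list(plan_out) + [parking_vlan])),
             "exit",
             f"ip dhcp relay address {dhcp_server}", "ip dhcp relay enable"]
    for vid, v in sorted(plan_out.items()):
        lines += ["!", f"interface vlan {vid}", f" name {v['name']}",
                  f" ip address {v['svi']} {v['net'].netmask}"]
        if vid != transit_vid:  # relay on user VLANs only; the transit link carries no clients
            lines.append(" ip dhcp relay enable")
        for port in v["ports"]:
            lines += ["!", f"interface gigabitethernet{port}",
                      " switchport mode access", f" switchport access vlan {vid}"]
    lines += ["!", f"interface gigabitethernet{firewall_port}",
              " switchport mode access", f" switchport access vlan {transit_vid}"]
    for port in unused:  # park and shut spare ports so nothing rides untagged on VLAN 1
        lines += ["!", f"interface gigabitethernet{port}", " switchport mode access",
                  f" switchport access vlan {parking_vlan}", " shutdown"]
    lines += ["!", "exit", f"ip default-gateway {firewall_ip}"]
    return "\n".join(lines) + "\n"


def build_config():
    """Plan and render the constructed table above; prints a paste-ready config."""
    plan_out, unused = plan(VLANS, TRANSIT, FIREWALL_IP, FIREWALL_PORT, TOTAL_PORTS)
    return render(plan_out, unused, DHCP_SERVER, TRANSIT[0], FIREWALL_IP, FIREWALL_PORT, PARKING_VLAN)


if __name__ == "__main__":
    print(build_config())
```

Running the file prints the config; the plan step rejects a second VLAN whose subnet overlaps an existing one, or an access port that is also the firewall port, before anything is rendered. The firewall port is deliberately an access port in the transit VLAN only, so the user VLANs never reach the firewall link as tagged frames.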

Expert Comment by: RKnebel512
On the watchguard, the goal is to get it to send out packets that are packaged to look like a vlan packet to the switch.  

Using the system manager GUI for the firebox, you need to click on the policy manager (the icon with a man in front of a brick wall).

In the policy manager, from the network dropdown menu, select configuration.  Select the VLAN tab.  Click on add, and fill in the information.  You will need to add a vlan on the watchguard for each of the vlans you want routable.

http://kb.funcshun.com/how-to-create-vlans-in-watchguard-xtmv-small-office/

You will also need to make sure that there are firewall rules for each vlan so that traffic is allowed.

Author Comment by: H-Singh
Thanks for the detailed response.

I will go ahead with the suggested config.
I'm a bit worried about the WatchGuard side, as I have an XTM 505 and I need to filter traffic going out, as we allow restricted internet access based on username/IPs etc.

On the WatchGuard interface I can tick "allow tagged traffic" from all VLANs or select as many as I want, but for untagged VLAN traffic it won't let me select more than one VLAN for one interface.

I want to connect port 10 of the Cisco switch to the WatchGuard interface.

The rest, maybe ports 2, 3, 4, 5, one each for each separate network.

I will try this and will update here.
Thanks

Expert Comment by: RKnebel512
Anything marked as a specific vlan on the switch will be tagged as it goes out the interface to the watchguard.  Anything that you haven't specified in a specific vlan will go out untagged.  Cisco uses vlan 1 for untagged (native) traffic.

For security purposes, it is a best practice to specify all traffic in some vlan so that nothing is untagged.

Author Comment by: H-Singh
Hi RK
I have managed to get this all working now. The only issue I have is that internet access speed is very slow: speedtest.net gives me 10mb down and 1mb up,
whereas with the network directly connected to the WatchGuard we get 50mb up/down, as we have a fibre leased line at 50mb.

It looks like something needs to be set up regarding speeds on the ports on the SG300.
I also need to add the DHCP server relay; I am looking for the command, as "ip helper" says invalid command.

Below is the config on the switch now.


switch4d070d#show run
config-file-header
switch4d070d
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switch4d070d
username cisco password encrypted c4a0f1fb6b196bac8e3719fb9f479a10c0112738 privilege 15
!
interface vlan 10
 name Net1
 ip address 172.16.20.1 255.255.255.0
!
interface vlan 20
 name Net2
 ip address 172.16.21.1 255.255.255.0
!
interface gigabitethernet7
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet8
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet10
 switchport trunk allowed vlan add 10,20
!
exit
ip default-gateway 172.16.20.254
ip default-gateway 172.16.21.254
ip route 172.16.20.0 /24 172.16.20.254
ip route 172.16.21.0 /24 172.16.21.254
switch4d070d#

Author Comment by: H-Singh
Sorry, my mistake: it was my WatchGuard interface speed that was limited to 10MB up.
I have changed that now and all looks good.

Thanks for your help. I am going to put this switch in the production network shortly.
Will update again on this.

Assisted Solution by: RKnebel512 (earned 500 total points)
Okay, great. And it looks like the DHCP relay command changed a bit depending on your IOS version. I think the right one for your switch is:

interface vlan 10
 ip dhcp relay enable
 ip dhcp relay server 172.16.12.12

Author Comment by: H-Singh
Aah, you saved me hassle, man.

DHCP was not working, but I added the above; it only takes per VLAN
ip dhcp relay enable.

And the server relay IP is global.

So all good so far.

It's live in production and I am monitoring things.

Thanks for your help

Author Comment by: H-Singh
Unfortunately I had to take this switch out of the production network, as we had serious trouble with packet loss.
Pings between subnets to servers were dropping a lot; not sure what caused this.

I am a bit confused about default gateways. In my current config I don't see any routes.


ip default-gateway 172.16.12.254
ip default-gateway 172.16.13.254
ip default-gateway 172.16.14.254
ip default-gateway 172.16.15.254

Also not sure how to define the default gateway individually for each VLAN,

or whether we need only one pointing all VLANs to one WatchGuard IP; on the WatchGuard I have 4 VLAN IPs.

Author Comment by: H-Singh
Hi

I need a bit of advice about setting the default gateway towards the WatchGuard and IP routes. What do you think of the 8 lines below? Is this what I need, or something simpler?

ip default-gateway 172.16.12.254
ip default-gateway 172.16.13.254
ip default-gateway 172.16.14.254
ip default-gateway 172.16.15.254
ip route 172.16.12.0 /24    172.16.12.254
ip route 172.16.13.0 /24    172.16.13.254
ip route 172.16.14.0 /24    172.16.14.254
ip route 172.16.15.0 /24    172.16.15.254

Below is the current config on the switch, and internal routing is working.
--------------------------

DBS-SG300#show run
config-file-header
DBS-SG300
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 12-15
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp relay address 172.16.12.12
ip dhcp relay enable
bonjour interface range vlan 1
hostname DBS-SG300
username cisco password encrypted c4a0f1fb6b196bac8e3719fb9f479a10c0112738 privilege 15
!
interface vlan 12
 name DBSServers
 ip address 172.16.12.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 13
 name DBSDesktops
 ip address 172.16.13.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 14
 name DBSHDesktops
 ip address 172.16.14.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 15
 name DBSVDINET
 ip address 172.16.15.1 255.255.255.0
 ip dhcp relay enable
!
interface gigabitethernet1
 switchport mode access
 switchport access vlan 12
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 14
!
interface gigabitethernet4
 switchport mode access
 switchport access vlan 15
!
interface gigabitethernet10
 switchport trunk allowed vlan add 12-15
!
exit
DBS-SG300#

Expert Comment by: RKnebel512
Sorry it took so long to get back to you.  I just got a new job and this week has been pretty busy.  

So, back to your problem.  You don’t need all those “ip default-gateway” commands.  Only one will be needed and pointing to the watchguard.  That way, any traffic heading to a network that the switch doesn’t know about heads to the watchguard.

You also shouldn’t need any routes on the switch.  That, in fact, might be causing your packet loss.  The “ip route” command is used to tell the switch where to send traffic that is bound for networks it wouldn’t know about through other means.  What you are doing with the “ip route” commands you’ve typed in is telling the switch to send all traffic for vlans 12-15 to the watchguard instead of routing it like it should.  If you have the SG300 routing, then it will already know where to send traffic for each vlan and it will use the default gateway when it doesn’t know.

After rereading your posts, it occurs to me that you are doing all your routing on the SG300 switch and not the watchguard.  In that case, you shouldn’t need to have an address for each vlan on your watchguard.  What I would do is make another vlan that the switch and watchguard will use to communicate.  The switch should only have that vlan on the interface that is attached to the watchguard, and then you would have to add routes on the watchguard for each vlan pointing to the switch.
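The three points above (exactly one default gateway, no static routes for VLANs the switch already has an SVI on, a single transit VLAN on the port facing the firewall), together with the per-VLAN ip dhcp relay enable from the earlier exchange, written as a small checker in Python. This is an added example, not code from the thread; it parses the SG300's show run layout as posted here (sub-commands indented by one space) and reports each mistake as a finding. Both sample configs are constructed: the first is cut down from the asker's config plus the per-VLAN gateway and route lines he proposed, the second is shaped like the final working config with transit VLAN 999. The firewall port name is an assumption.

```python
"""Check an SG300-style 'show run' for the routing and DHCP-relay mistakes discussed in this
thread. Added example, not the thread's own code; the two sample configs are constructed."""
import ipaddress
import re

FIREWALL_PORT = "gigabitethernet10"  # assumption: the port cabled to the WatchGuard

# Cut down from the asker's posted config, plus the per-VLAN gateway/route lines he proposed.
BAD_CONFIG = """\
ip dhcp relay enable
interface vlan 12
 ip address 172.16.12.1 255.255.255.0
 ip dhcp relay enable
interface vlan 13
 ip address 172.16.13.1 255.255.255.0
interface gigabitethernet10
 switchport trunk allowed vlan add 12-15
ip default-gateway 172.16.12.254
ip default-gateway 172.16.13.254
ip route 172.16.12.0 /24 172.16.12.254
ip route 172.16.13.0 /24 172.16.13.254
ip route 10.0.0.0 /8 172.16.12.254
"""

# Shaped like the final working config: one transit VLAN (999) and a single default gateway.
GOOD_CONFIG = """\
ip dhcp relay enable
interface vlan 12
 ip address 172.16.12.1 255.255.255.0
 ip dhcp relay enable
interface vlan 999
 ip address 172.16.10.1 255.255.255.0
interface gigabitethernet10
 switchport mode access
 switchport access vlan 999
ip default-gateway 172.16.10.10
"""


def expand_vlans(spec):
    """'12-15,999' -> {12, 13, 14, 15, 999}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_config(text):
    """Collect SVIs, port VLAN membership, default gateways, static routes and relay state."""
    cfg = {"svis": {}, "ports": {}, "gateways": [], "routes": [], "global_relay": False}
    current = None  # ("svi", vlan id) or ("port", name) while inside an interface block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current:  # SG300 indents sub-commands by one space
            sub, (kind, key) = line.strip(), current
            if kind == "svi" and (m := re.match(r"ip address (\S+) (\S+)$", sub)):
                cfg["svis"][key]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif kind == "svi" and sub == "ip dhcp relay enable":
                cfg["svis"][key]["relay"] = True
            elif kind == "port" and (m := re.match(r"switchport (?:access|trunk allowed) vlan (?:add )?(\S+)$", sub)):
                cfg["ports"][key] |= expand_vlans(m[1])
            continue
        current = None
        if m := re.match(r"interface vlan (\d+)$", line):
            current = ("svi", int(m[1]))
            cfg["svis"].setdefault(current[1], {"net": None, "relay": False})
        elif m := re.match(r"interface (\S+)$", line):
            current = ("port", m[1])
            cfg["ports"].setdefault(m[1], set())
        elif m := re.match(r"ip default-gateway (\S+)$", line):
            cfg["gateways"].append(ipaddress.ip_address(m[1]))
        elif m := re.match(r"ip route (\S+) /?(\S+) (\S+)$", line):
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
        elif line == "ip dhcp relay enable":
            cfg["global_relay"] = True
    return cfg


def lint(cfg, firewall_port=FIREWALL_PORT):
    """Return (code, message) findings; an empty list means these checks pass."""
    findings = []
    transit = cfg["ports"].get(firewall_port, set())
    if len(cfg["gateways"]) != 1:
        findings.append(("gateway-count", f"{len(cfg['gateways'])} 'ip default-gateway' lines; use exactly one, pointing at the firewall"))
    for net, via in cfg["routes"]:  # a route for a connected VLAN overrides the switch's own routing
        for vid, svi in cfg["svis"].items():
            if svi["net"] and net.subnet_of(svi["net"]):
                findings.append(("route-to-connected", f"ip route {net} via {via} overrides connected VLAN {vid}"))
    if cfg["global_relay"]:  # every user VLAN needs relay enabled; the transit VLAN does not
        for vid, svi in sorted(cfg["svis"].items()):
            if not svi["relay"] and not (len(transit) == 1 and vid in transit):
                findings.append(("svi-missing-relay", f"interface vlan {vid} lacks 'ip dhcp relay enable'"))
    if len(transit) != 1:
        findings.append(("firewall-port-vlans", f"{firewall_port} carries {sorted(transit)}; use one transit VLAN to the firewall"))
    return findings
```

lint(parse_config(BAD_CONFIG)) returns five findings: two default gateways, a static route for each of the two connected VLANs, VLAN 13 without relay, and the firewall port trunking four VLANs instead of one transit VLAN. The route for 10.0.0.0/8 is left alone because the switch has no SVI for it. lint(parse_config(GOOD_CONFIG)) returns an empty list.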

Author Comment by: H-Singh
Hi RK

Yeah, I managed to get things working. On the WatchGuard I just configured one LAN interface with 172.16.10.10 and put some static routes for my internal subnets to send to the switch, and on the switch I have the WG as the default route.

It looks like everything works OK, but occasionally I get trouble like ping delays or timeouts. Not very often, but something is still there causing some trouble.

Below is the current config. Not sure if the SG300 is not good enough to handle all traffic between the servers and 3 desktop subnets, or something else.



DBS-SG300#show run
config-file-header
DBS-SG300
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 12-15,999
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
system router resources ip-entries 320
ip dhcp relay address 172.16.12.12
ip dhcp relay enable
bonjour interface range vlan 1
hostname DBS-SG300
username cisco password encrypted c4a0f1fb6b196bac8e3719fb9f479a10c0112738 privilege 15
!
interface vlan 12
 name DBSServers
 ip address 172.16.12.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 13
 name DBSDesktops
 ip address 172.16.13.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 14
 name DBSHDesktops
 ip address 172.16.14.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 15
 name DBSVDINET
 ip address 172.16.15.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 999
 name WG
 ip address 172.16.10.1 255.255.255.0
!
interface gigabitethernet1
 switchport mode access
 switchport access vlan 12
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 14
!
interface gigabitethernet4
 switchport mode access
 switchport access vlan 15
!
interface gigabitethernet8
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet9
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 999
!
exit
ip default-gateway 172.16.10.10
DBS-SG300#

Assisted Solution by: H-Singh (earned 0 total points)
Sorry about the delays on this.
My problem of packet loss or complete ping loss was due to the Cisco SG-300 switch not being capable enough to handle our traffic, so we ended up replacing it with a Cisco WS-C3750X series switch, and all works fine now.
Thanks for your directions on the config; we are using a similar config as on the SG-300.

Author Closing Comment by: H-Singh
Resolved with an external Cisco expert's help.