djhath asked:
How are Cisco switch ports to be configured in this scenario?

[Attached diagram]
I am in the process of introducing an additional FortiNet FortiGate 200E firewall to create an Active-Passive configuration. There is currently a single 200E that has a fiber handoff for internet.

To facilitate the additional firewall, I am putting a Cisco Catalyst switch in front of the firewalls as depicted in the attached diagram. I am clear on how to make the FortiGates talk to each other, but need a sanity check on the Cisco networking going into the FortiGates.

I would move the fiber handoff to a port on the Catalyst switch (TenGigabitEthernet1/1/2) and connect port GigabitEthernet1/0/47 to port 14 on the primary firewall (A) and port GigabitEthernet1/0/48 to port 14 on the secondary firewall (B).

This is what I was thinking.

Related Cisco Config:

interface Vlan100
 description Internet
 ! private range used for demo purposes only; 10.0.100.128 is the network address of
 ! the /29, which IOS rejects, so the first usable host address (.129) is used here
 ip address 10.0.100.129 255.255.255.248

interface TenGigabitEthernet1/1/2
 description Internet
 switchport access vlan 100
 switchport mode access

interface GigabitEthernet1/0/47
 switchport access vlan 100
 switchport mode access

interface GigabitEthernet1/0/48
 switchport access vlan 100
 switchport mode access

Related FortiGate Config:

Set up port 14 on both firewalls with VLAN 100

Is this correct? If not, what would I need to do differently?
atlas_shuddered:

Looks good. I'd add the following

spanning-tree portfast

to all physical interfaces connected to the firewalls and any interior equipment to ensure rapid port return in the event of a connectivity drop.
djhath (asker):

Thank you for the response, atlas_shuddered. My last step to this would be to assign the interfaces on the FortiGates to the same vLAN to complete the path for connectivity.

I am basically trying to ensure that assigning the internet-facing IP on the port is the correct approach and that I wasn't supposed to do something different, like assign the internet IP on the FortiGate ports and do something different on all the switch ports going up to the FortiGates. Sounds like I am on the right track?

atlas_shuddered:

Before I answer the above, I am assuming that your physical path LAN > INT looks as below:

INTERNET
\/
ISP Connection/Internet Router
\/
Firewall
\/
LAN Switch

Is that correct? No diagram attached.
djhath (asker):

My apologies. The diagram has been attached.
atlas_shuddered:

Okay, so the answer to your question above is correct. On the Internet side of your firewalls you would do the following:

A. On the switch:
1. Configure all interfaces where the firewalls and ISP connection will connect to the appropriate VLAN
2. If desired, configure an SVI in the Internet VLAN with an appropriate IP address for in-band management of the switch
3. Make all physical connections and ensure all used ports are in the no shut state

B. On the firewall:
1. Note the Internet-facing IP address of the current firewall
2. Configure the new firewall's internet interface with VRRP. Configure the VIP with the IP currently in use on the first firewall
3. Shut down the new firewall's internet interface and physically connect it to the switch
4. Shut down the primary firewall's internet interface, enable the new firewall's internet interface
5. Configure the primary firewall's internet interface into the VRRP group with the new firewall
6. Enable the primary firewall's internet interface
7. Steps 1 - 6 will need to be completed for your LAN side interfaces as well

Confirm all connected switch interfaces are up/up and you are able to see MAC addresses for firewall and ISP interfaces on the switchports as appropriate.

Before you do anything! Get in touch with your ISP and confirm that they are statically routing your traffic to the Internet-facing IP on your current firewall. If they aren't, you will need to have them do so, otherwise your traffic will potentially blackhole inbound and outbound.

All of that make sense?
djhath (asker):

This is fantastic. I will be setting this up over the weekend. I will report back if I have any other questions. Thank you so much!
atlas_shuddered:

No worries. Like I said, check with the ISP first and make sure the static pathing is in place. If it isn't, none of the rest of it matters.

Good luck.
djhath (asker):

Thank you! I have attached an updated diagram outlining all of the port configuration including VRRP on the firewalls (VRRP source: https://indeni.com/fortinet-fortigate-ha-high-availability-solutions/). I'm doing this tomorrow, so I will report back with results.
atlas_shuddered:

djhath -

Good luck. Just one other note. If I didn't call it out earlier, be sure to place an ACL on the switch VTY connections limiting access to it from trusted sources only, otherwise you risk it being compromised from the Internet side.
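The switch-side steps (A.1 to A.3) and the VTY access restriction from the notes above, written out as an added IOS configuration example for reference; it is not from the thread or either participant. Interface names and VLAN 100 come from the question; the SVI address reuses the asker's demo range, and 192.0.2.0/24 is an assumed trusted-admin range to be replaced with the real one.

```cisco
! Added example, not from the original thread. Assumptions: VLAN 100 and the
! interface names from the question; 10.0.100.129/29 (asker's demo range) for the
! SVI; 192.0.2.0/24 as a placeholder for the trusted management network.
vlan 100
 name Internet
!
! A.2 (optional) in-band management SVI. It lives in the Internet-facing VLAN,
! which is exactly why the VTY access-class further down matters.
interface Vlan100
 description Internet
 ip address 10.0.100.129 255.255.255.248
!
! A.1 / A.3: ISP hand-off and both FortiGate uplinks as access ports in VLAN 100,
! explicitly no shut so the ports come up once cabled.
interface TenGigabitEthernet1/1/2
 description ISP hand-off
 switchport access vlan 100
 switchport mode access
 no shutdown
!
interface range GigabitEthernet1/0/47 - 48
 description FortiGate A / FortiGate B, port14
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
 no shutdown
!
! Only the trusted management range may open a session to the switch; everything
! else, including anything arriving from the Internet side of VLAN 100, is
! dropped and logged.
ip access-list standard MGMT-ACCESS
 remark trusted admin hosts only
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
```

Existing login/AAA settings on the VTY lines are left as they are; the example only adds the source restriction and limits the transport to SSH.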
djhath (asker):

To provide an update, I wasn't successful this past weekend. I didn't make it past the switch as I'm now questioning whether I have the right SFP to go into the 3750. Since the handoff is single mode fiber, I used an SFP-10G-LR. I used this link to identify the correct transceiver: https://www.cisco.com/c/en/us/td/docs/interfaces_modules/transceiver_modules/compatibility/matrix/GE_Tx_Matrix.html#_Toc511680902

Looking back, I'm not sure how I determined the SFP-10G-LR...

This is the output from the switch with a show ver:

Model number: WS-C3750X-48P-S

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 21-Apr-10 05:11 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x02400000

ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE1, RELEASE SOFTWARE (fc1)

Switch uptime is 40 weeks, 5 days, 9 hours, 35 minutes
System returned to ROM by power-on
System restarted at 11:53:37 UTC Thu Jul 13 2017
System image file is "flash:/c3750e-universalk9-mz.122-53.SE2/c3750e-universalk9-mz.122-53.SE2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ipbase
License Type: Permanent
Next reload license Level: ipbase

cisco WS-C3750X-48P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Processor board ID FDO1430Z1WN
Last reset from power-on
7 Virtual Ethernet interfaces
1 FastEthernet interface
104 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : F8:66:F2:AB:C6:80
Motherboard assembly number     : 73-12553-04
Motherboard serial number       :
Model revision number           : A0
Motherboard revision number     : A0
Model number                    : WS-C3750X-48P-S
Daughterboard assembly number   : 800-32727-01
Daughterboard serial number     :
System serial number            :
Top Assembly Part Number        : 800-31324-01
Top Assembly Revision Number    : A0
Version ID                      : V01
CLEI Code Number                :
Hardware Board Revision Number  : 0x02


Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
     1 54    WS-C3750X-48P      12.2(53)SE2           C3750E-UNIVERSALK9-M
*    2 54    WS-C3750X-48P      12.2(53)SE2           C3750E-UNIVERSALK9-M


Switch 01
---------
Switch Uptime                   : 24 weeks, 3 days, 6 hours, 25 minutes
Base ethernet MAC Address       : F8:66:F2:B7:F9:00
Motherboard assembly number     : 73-12553-04
Motherboard serial number       : FDO14310EBL
Model revision number           : A0
Motherboard revision number     : A0
Model number                    : WS-C3750X-48P-S
Daughterboard assembly number   : 800-32727-01
Daughterboard serial number     :
System serial number            :
Top assembly part number        : 800-31324-01
Top assembly revision number    : A0
Version ID                      : V01
CLEI Code Number                :
License Level                   : ipbase
License Type                    : Permanent
Next reboot licensing Level     : ipbase

Using the same link, it looks like I need this: GLC-LH-SM

Any chance you would let me know what you think?
atlas_shuddered:

I'd have to post a question back in response. Has your ISP told you what type of hand-off they are dropping to you? If so, could you share that? If not, could you contact them to gain that information?
djhath (asker):

It's single mode fiber.
atlas_shuddered:

Got that bit. Did they tell you LX, LH? If you are getting an LH hand-off then the GLC-LH-SM will work. Just need to confirm the type (both physical and signal) of hand-off.
djhath (asker):

They told me it is LC.