Network Architecture & Design

Connect Extreme Summit Stack to Cisco FTD2110 HA Firewall Pair via L2

  • 1.  Connect Extreme Summit Stack to Cisco FTD2110 HA Firewall Pair via L2

    Posted 03-09-2018 16:31
    Tried doing a cutover last night to the new Cisco FTD2110 HA firewall pair, EtherChanneled to an EXOS stack. The channel came up and the vlan interfaces on the Extreme stack could ping the firewall IPs. The only caveat was vlan 1 on the EXOS switch: I couldn't get it to pass traffic if I added it to the EtherChannel trunk as tagged, only untagged. Unfortunately this makes it a native vlan, and FTD doesn't accept native vlans.

    Our goal is to make the entire network L2 and use the firewall as the gateway, so all vlan IPs and routes on the Extreme core will be removed (minus our mgmt vlan). As soon as we removed the IP from the core's interface vlan 1 and changed the DHCP gateways to use the firewall, traffic was dead in the water.

    Another hiccup in this network is the fact that they have 2 subnets assigned to vlan 1, and we want to break those apart and move them onto new vlans 101 and 102. Attempted that as well, and traffic would not pass up to the firewall.


  • 2.  RE: Connect Extreme Summit Stack to Cisco FTD2110 HA Firewall Pair via L2

    Posted 03-09-2018 17:10
    EXOS Config:

    # sh configuration

    configure slot 1 module X460-24x
    configure sys-recovery-level slot 1 reset
    configure slot 2 module X460-24t
    configure sys-recovery-level slot 2 reset
    configure slot 3 module X460-24x
    configure sys-recovery-level slot 3 reset
    configure slot 4 module X460-24t
    configure sys-recovery-level slot 4 reset
    -----------------------------------------------------------------------------------------
    #
    # Module vlan configuration.
    #
    configure vlan default delete ports all
    configure vr VR-Default delete ports 1:1-34, 2:1-34, 3:1-34, 4:1-34
    configure vr VR-Default add ports 1:1-30, 2:1-30, 3:1-34, 4:1-34
    configure ip dad on
    configure vlan default delete ports 1:22, 1:29, 2:1, 2:4, 2:17, 2:21, 2:24-25, 2:27-34, 4:3-5, 4:9

    create vlan "Staff"
    configure vlan Staff tag 101
    create vlan "servers"
    configure vlan servers tag 102
    create vlan "store"
    configure vlan store tag 1020
    create vlan "DMZ"
    configure vlan DMZ tag 1030
    create vlan "lab"
    configure vlan lab tag 1040
    create vlan "Mgnt"
    configure vlan Mgnt tag 1090

    enable sharing 4:3 grouping 4:3-5, 4:9 algorithm address-based L2 lacp
    enable sharing 2:21 grouping 1:22, 2:17, 2:21, 2:24 algorithm address-based L2 lacp

    configure vlan Default add ports 1:29, 2:21, 2:27-28, 4:3 tagged
    configure vlan Default add ports 1:1-21, 1:23-28, 1:30-34, 2:2-3, 2:5-16, 2:18-20, 2:22-23, 2:26, 3:1-34, 4:1-2, 4:6-8, 4:10-34 untagged

    configure vlan Staff add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:26-29, 2:2-6, 2:11, 2:20, 2:27, 3:21, 4:19 tagged
    configure vlan servers add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:26-29, 2:2-6, 2:11, 2:20-21, 2:27, 3:21, 4:3, 4:19 tagged
    configure vlan store add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
    configure vlan DMZ add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
    configure vlan lab add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
    configure vlan Mgnt add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27, 1:29, 2:2-3, 2:5-6, 2:11, 2:21, 2:27, 3:21, 4:3, 4:19 tagged

    configure vlan Default ipaddress 10.1.1.254 255.255.0.0
    enable ipforwarding vlan Default
    configure vlan Default add secondary-ipaddress 10.2.1.254 255.255.0.0

    configure vlan Mgnt ipaddress 10.19.1.254 255.255.0.0
    -----------------------------------------------------------------------------------------------------------------
    #
    # Module rtmgr configuration.
    #
    configure iproute add default 10.2.1.252 --> {Morenet via WARHOL2}
    configure iproute add 10.25.1.0 255.255.255.0 10.2.1.236 --> {Consolidated/Surewest via SonicWall}
    configure iproute add 10.255.255.0 255.255.255.0 10.2.1.236 --> {Consolidated/Surewest via SonicWall}
    configure iproute add 172.16.1.0 255.255.255.0 10.2.1.236 --> {Consolidated/Surewest via SonicWall}
    -------------------------------------------------------------------------------------------------------------------
    # Module acl configuration.
    #
    configure access-list vlan-acl-precedence shared
    create access-list IP-Core " source-address 10.2.0.0/16 ;" " permit ;" application "Cli"
    create access-list irv-rule-1 " destination-address 10.2.1.230/0 ;" " deny ;" application "Cli"
    create access-list irv-rule-2 " destination-address 10.2.9.12/0 ;" " deny ;" application "Cli"
    create access-list irv-rule-3 " destination-address 10.2.1.231/0 ;" " deny ;" application "Cli"
    create access-list irv-rule-4 " destination-address 10.2.251.251/0 ;" " deny ;" application "Cli"
    create access-list irv-rule-5 " destination-address 10.1.251.251/0 ;" " deny ;" application "Cli"
    create access-list irv-rule-6 " destination-address 10.2.2.203/0 ;" " deny ;" application "Cli"
    create access-list rule-2 " destination-address 10.2.1.250/0 ;" " permit ;" application "Cli"
    create access-list rule-3 " destination-address 10.1.1.250/0 ;" " permit ;" application "Cli"
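
    As an added check (example code, not part of the original posts or of Extreme's tooling), a small Python script that reads the sharing and VLAN membership lines from a configuration like the one above and reports which VLAN, if any, each LAG would send untagged, i.e. as the native VLAN the FTD side will not accept. It relies on the EXOS rule that a sharing group's VLAN membership is configured on its master port; the embedded config is a trimmed, constructed excerpt of the lines posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the EXOS config posted above: only the LAG (sharing)
# and VLAN membership lines matter for the native-VLAN question.
EXOS_CONFIG = """\
enable sharing 4:3 grouping 4:3-5, 4:9 algorithm address-based L2 lacp
enable sharing 2:21 grouping 1:22, 2:17, 2:21, 2:24 algorithm address-based L2 lacp
configure vlan Default add ports 1:29, 2:21, 2:27-28, 4:3 tagged
configure vlan Default add ports 1:1-21, 1:23-28, 1:30-34, 2:2-3, 2:5-16, 2:18-20, 2:22-23, 2:26, 3:1-34, 4:1-2, 4:6-8, 4:10-34 untagged
configure vlan servers add ports 1:1-5, 2:20-21, 4:3, 4:19 tagged
configure vlan Mgnt add ports 2:21, 4:3, 4:19 tagged
"""

def expand_ports(spec):
    """Expand an EXOS port list such as '1:22, 2:24-25' into ['1:22', '2:24', '2:25']."""
    ports = []
    for item in spec.split(","):
        slot, rng = item.strip().split(":")
        lo, _, hi = rng.partition("-")
        ports.extend(f"{slot}:{n}" for n in range(int(lo), int(hi or lo) + 1))
    return ports

def parse_membership(config):
    """Return {lag_master: {vlan: 'tagged' | 'untagged'}} for each sharing group.

    EXOS keeps VLAN membership for a sharing group on its master port, so the
    master port's 'add ports' lines describe what the whole LAG carries."""
    masters = []
    port_vlans = defaultdict(dict)  # port -> {vlan name: tagging mode}
    for line in config.splitlines():
        m = re.match(r"enable sharing (\S+) grouping (.+?) algorithm", line)
        if m:
            masters.append(m.group(1))
            continue
        m = re.match(r"configure vlan (\S+) add ports (.+) (tagged|untagged)$", line)
        if m:
            for port in expand_ports(m.group(2)):
                port_vlans[port][m.group(1)] = m.group(3)
    return {master: dict(port_vlans.get(master, {})) for master in masters}

def native_vlan(membership):
    """VLAN sent untagged (native) on a LAG, or None when everything is tagged.
    A port carries at most one untagged VLAN in EXOS, so a single name suffices."""
    return next((v for v, mode in membership.items() if mode == "untagged"), None)

if __name__ == "__main__":
    for lag, vlan_modes in parse_membership(EXOS_CONFIG).items():
        print(f"LAG {lag}: {vlan_modes} -> native VLAN: {native_vlan(vlan_modes)}")
```

    On the posted config both LAG masters (2:21 and 4:3) carry Default tagged, so the script reports no native VLAN; re-adding Default untagged on those ports is what makes it show up as native.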



  • 3.  RE: Connect Extreme Summit Stack to Cisco FTD2110 HA Firewall Pair via L2

    Posted 06-13-2018 17:34
    I wanted to follow up on this topic since it seems to have been unanswered. Were you able to get this working as desired?