Connect Extreme Summit Stack to Cisco FTD2110 HA Firewall Pair via L2

Tried doing a cutover last night to the new Cisco FTD2110 HA firewall pair, ether-channeled to an EXOS stack. The channel came up and the VLAN interfaces on the Extreme stack could ping the firewall IPs. The only caveat was VLAN 1 on the EXOS switch. I couldn't get it to pass traffic if I added it to the etherchannel trunk as tagged, only untagged. Unfortunately this makes it a native VLAN, and FTD doesn't accept native VLANs.

Our goal is to make the entire network L2 and use the firewall as the gateway, so all VLAN IPs and routes on the Extreme core will be removed (minus our mgmt VLAN). As soon as we removed the IP from the core's interface VLAN 1 and changed the DHCP gateways to use the firewall, traffic was dead in the water.

Another hiccup in this network is the fact that they have two subnets assigned to VLAN 1, and we want to break those apart and move them onto new VLANs 101 and 102. Attempted that as well, and traffic would not pass up to the firewall.
meconomou


Posted 7 months ago

meconomou

EXOS Config:

# sh configuration

configure slot 1 module X460-24x
configure sys-recovery-level slot 1 reset
configure slot 2 module X460-24t
configure sys-recovery-level slot 2 reset
configure slot 3 module X460-24x
configure sys-recovery-level slot 3 reset
configure slot 4 module X460-24t
configure sys-recovery-level slot 4 reset

#
# Module vlan configuration.
#
configure vlan default delete ports all
configure vr VR-Default delete ports 1:1-34, 2:1-34, 3:1-34, 4:1-34
configure vr VR-Default add ports 1:1-30, 2:1-30, 3:1-34, 4:1-34
configure ip dad on
configure vlan default delete ports 1:22, 1:29, 2:1, 2:4, 2:17, 2:21, 2:24-25, 2:27-34, 4:3-5, 4:9

# VLANs must exist before they can be tagged, so "create" precedes "configure ... tag"
create vlan "Staff"
configure vlan Staff tag 101
create vlan "servers"
configure vlan servers tag 102
create vlan "store"
configure vlan store tag 1020
create vlan "DMZ"
configure vlan DMZ tag 1030
create vlan "lab"
configure vlan lab tag 1040
create vlan "Mgnt"
configure vlan Mgnt tag 1090

# LACP port channels: 4:3 is the uplink LAG towards the firewall pair, 2:21 a second LAG
enable sharing 4:3 grouping 4:3-5, 4:9 algorithm address-based L2 lacp
enable sharing 2:21 grouping 1:22, 2:17, 2:21, 2:24 algorithm address-based L2 lacp

configure vlan Default add ports 1:29, 2:21, 2:27-28, 4:3 tagged
configure vlan Default add ports 1:1-21, 1:23-28, 1:30-34, 2:2-3, 2:5-16, 2:18-20, 2:22-23, 2:26, 3:1-34, 4:1-2, 4:6-8, 4:10-34 untagged

configure vlan Staff add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:26-29, 2:2-6, 2:11, 2:20, 2:27, 3:21, 4:19 tagged
configure vlan servers add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:26-29, 2:2-6, 2:11, 2:20-21, 2:27, 3:21, 4:3, 4:19 tagged
configure vlan store add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
configure vlan DMZ add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
configure vlan lab add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
configure vlan Mgnt add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27, 1:29, 2:2-3, 2:5-6, 2:11, 2:21, 2:27, 3:21, 4:3, 4:19 tagged

# Both legacy subnets currently live on VLAN 1 (Default) as primary and secondary addresses
configure vlan Default ipaddress 10.1.1.254 255.255.0.0
enable ipforwarding vlan Default
configure vlan Default add secondary-ipaddress 10.2.1.254 255.255.0.0

configure vlan Mgnt ipaddress 10.19.1.254 255.255.0.0

#
# Module rtmgr configuration.
#
# Morenet via WARHOL2
configure iproute add default 10.2.1.252
# Consolidated/Surewest via SonicWall
configure iproute add 10.25.1.0 255.255.255.0 10.2.1.236
configure iproute add 10.255.255.0 255.255.255.0 10.2.1.236
configure iproute add 172.16.1.0 255.255.255.0 10.2.1.236

#
# Module acl configuration.
#
configure access-list vlan-acl-precedence shared
create access-list IP-Core " source-address 10.2.0.0/16 ;" " permit  ;" application "Cli"
create access-list irv-rule-1 " destination-address 10.2.1.230/0 ;" " deny  ;" application "Cli"
create access-list irv-rule-2 " destination-address 10.2.9.12/0 ;" " deny  ;" application "Cli"
create access-list irv-rule-3 " destination-address 10.2.1.231/0 ;" " deny  ;" application "Cli"
create access-list irv-rule-4 " destination-address 10.2.251.251/0 ;" " deny  ;" application "Cli"
create access-list irv-rule-5 " destination-address 10.1.251.251/0 ;" " deny  ;" application "Cli"
create access-list irv-rule-6 " destination-address 10.2.2.203/0 ;" " deny  ;" application "Cli"
create access-list rule-2 " destination-address 10.2.1.250/0 ;" " permit  ;" application "Cli"
create access-list rule-3 " destination-address 10.1.1.250/0 ;" " permit  ;" application "Cli"
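Added example, not part of the thread or of any vendor tool: a small Python pre-cutover audit of an EXOS config dump. It parses the "enable sharing" and "configure vlan ... add ports" lines, expands slot:port ranges, and reports for each LAG master port which VLANs would arrive untagged (native, which the post says FTD will not accept) and which VLANs still carry an IP or ipforwarding on the core. The config excerpt is constructed to reflect the situation described in the post (VLAN 1 untagged on LAG 4:3), and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted EXOS dump, with VLAN 1 (Default)
# left untagged on LAG master 4:3 as the post describes (not the real config).
EXOS_CONFIG = """
enable sharing 4:3 grouping 4:3-5, 4:9 algorithm address-based L2 lacp
enable sharing 2:21 grouping 1:22, 2:17, 2:21, 2:24 algorithm address-based L2 lacp
configure vlan Default add ports 1:29, 2:21, 2:27-28 tagged
configure vlan Default add ports 1:1-21, 4:1-8 untagged
configure vlan servers add ports 2:20-21, 2:27, 4:3 tagged
configure vlan Mgnt add ports 1:27, 2:21, 4:3 tagged
configure vlan Default ipaddress 10.1.1.254 255.255.0.0
configure vlan Default add secondary-ipaddress 10.2.1.254 255.255.0.0
configure vlan Mgnt ipaddress 10.19.1.254 255.255.0.0
"""

PORTS = r"((?:\d+:\d+(?:-\d+)?(?:,\s*)?)+)"  # e.g. "1:22, 2:17, 2:24-25"

def expand_ports(spec):
    """Expand an EXOS slot:port list with ranges into individual port names."""
    ports = []
    for item in re.split(r",\s*", spec.strip()):
        slot, rng = item.split(":")
        lo, _, hi = rng.partition("-")
        ports += [f"{slot}:{p}" for p in range(int(lo), int(hi or lo) + 1)]
    return ports

def parse(config):
    lags, members, routed = {}, defaultdict(dict), set()
    for line in config.splitlines():
        if m := re.match(r"enable sharing (\S+) grouping " + PORTS, line):
            lags[m[1]] = expand_ports(m[2])          # master port -> member ports
        elif m := re.match(r"configure vlan (\S+) add ports " + PORTS + r"\s*(tagged|untagged)", line):
            for port in expand_ports(m[2]):
                members[port][m[1]] = m[3]           # port -> {vlan: tagged|untagged}
        elif m := re.match(r"configure vlan (\S+) (?:ipaddress|add secondary-ipaddress)|enable ipforwarding vlan (\S+)", line):
            routed.add(m[1] or m[2])                 # VLANs the switch still routes
    return lags, members, routed

def audit(config=EXOS_CONFIG):
    """Per LAG master: native VLANs the FTD side rejects, tagged VLANs, and VLANs still routed on the core."""
    lags, members, routed = parse(config)
    return {master: {
        "native": sorted(v for v, mode in members[master].items() if mode == "untagged"),
        "tagged": sorted(v for v, mode in members[master].items() if mode == "tagged"),
        "still_routed_on_core": sorted(v for v in members[master] if v in routed),
    } for master in lags}
```

Run against the real "sh configuration" output before the next cutover window: any VLAN listed under "native" for the firewall-facing LAG needs to be made tagged (and matched by a tagged subinterface on the FTD side), and anything under "still_routed_on_core" other than the management VLAN still has L3 config to move to the firewall.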
Drew C., Community Manager

I wanted to follow up on this topic since it seems to have been unanswered. Were you able to get this working as desired?