Extreme Networks
Question

Connect Extreme Summit Stack to Cisco FTD2110 HA Firewall Pair via L2


Tried doing a cutover last night to the new Cisco FTD2110 HA firewall pair, EtherChanneled to an EXOS stack. The channel came up and the VLAN interfaces on the Extreme stack could ping the firewall IPs. The only caveat was VLAN 1 on the EXOS switch. I couldn't get it to pass traffic if I added it to the EtherChannel trunk as tagged, only untagged. Unfortunately this makes it a native VLAN, and FTD doesn't accept native VLANs.

Our goal is to make the entire network L2 and use the firewall as the gateway, so all VLAN IPs and routes on the Extreme core will be removed (minus our mgmt VLAN). As soon as we removed the IP from the core's interface VLAN 1 and changed the DHCP gateways to use the firewall, traffic was dead in the water.

Another hiccup in this network is the fact that they have 2 subnets assigned to VLAN 1, and we want to break those apart and move them onto new VLANs 101 and 102. We attempted that as well and traffic would not pass up to the firewall.

2 replies

EXOS Config:

# sh configuration

configure slot 1 module X460-24x
configure sys-recovery-level slot 1 reset
configure slot 2 module X460-24t
configure sys-recovery-level slot 2 reset
configure slot 3 module X460-24x
configure sys-recovery-level slot 3 reset
configure slot 4 module X460-24t
configure sys-recovery-level slot 4 reset
-----------------------------------------------------------------------------------------
#
# Module vlan configuration.
#
configure vlan default delete ports all
configure vr VR-Default delete ports 1:1-34, 2:1-34, 3:1-34, 4:1-34
configure vr VR-Default add ports 1:1-30, 2:1-30, 3:1-34, 4:1-34
configure ip dad on
configure vlan default delete ports 1:22, 1:29, 2:1, 2:4, 2:17, 2:21, 2:24-25, 2:27-34, 4:3-5, 4:9

create vlan "Staff"
configure vlan Staff tag 101
create vlan "servers"
configure vlan servers tag 102
create vlan "store"
configure vlan store tag 1020
create vlan "DMZ"
configure vlan DMZ tag 1030
create vlan "lab"
configure vlan lab tag 1040
create vlan "Mgnt"
configure vlan Mgnt tag 1090

enable sharing 4:3 grouping 4:3-5, 4:9 algorithm address-based L2 lacp
enable sharing 2:21 grouping 1:22, 2:17, 2:21, 2:24 algorithm address-based L2 lacp

configure vlan Default add ports 1:29, 2:21, 2:27-28, 4:3 tagged
configure vlan Default add ports 1:1-21, 1:23-28, 1:30-34, 2:2-3, 2:5-16, 2:18-20, 2:22-23, 2:26, 3:1-34, 4:1-2, 4:6-8, 4:10-34 untagged

configure vlan Staff add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:26-29, 2:2-6, 2:11, 2:20, 2:27, 3:21, 4:19 tagged
configure vlan servers add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:26-29, 2:2-6, 2:11, 2:20-21, 2:27, 3:21, 4:3, 4:19 tagged
configure vlan store add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
configure vlan DMZ add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
configure vlan lab add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
configure vlan Mgnt add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27, 1:29, 2:2-3, 2:5-6, 2:11, 2:21, 2:27, 3:21, 4:3, 4:19 tagged

configure vlan Default ipaddress 10.1.1.254 255.255.0.0
enable ipforwarding vlan Default
configure vlan Default add secondary-ipaddress 10.2.1.254 255.255.0.0

configure vlan Mgnt ipaddress 10.19.1.254 255.255.0.0
-----------------------------------------------------------------------------------------------------------------
#
# Module rtmgr configuration.
#
configure iproute add default 10.2.1.252 -->{Morenet via WARHOL2}
configure iproute add 10.25.1.0 255.255.255.0 10.2.1.236 --> {Consolidated/Surewest via SonicWall}
configure iproute add 10.255.255.0 255.255.255.0 10.2.1.236 --> {Consolidated/Surewest via SonicWall}
configure iproute add 172.16.1.0 255.255.255.0 10.2.1.236 --> {Consolidated/Surewest via SonicWall}
-------------------------------------------------------------------------------------------------------------------
# Module acl configuration.
#
configure access-list vlan-acl-precedence shared
create access-list IP-Core " source-address 10.2.0.0/16 ;" " permit ;" application "Cli"
create access-list irv-rule-1 " destination-address 10.2.1.230/0 ;" " deny ;" application "Cli"
create access-list irv-rule-2 " destination-address 10.2.9.12/0 ;" " deny ;" application "Cli"
create access-list irv-rule-3 " destination-address 10.2.1.231/0 ;" " deny ;" application "Cli"
create access-list irv-rule-4 " destination-address 10.2.251.251/0 ;" " deny ;" application "Cli"
create access-list irv-rule-5 " destination-address 10.1.251.251/0 ;" " deny ;" application "Cli"
create access-list irv-rule-6 " destination-address 10.2.2.203/0 ;" " deny ;" application "Cli"
create access-list rule-2 " destination-address 10.2.1.250/0 ;" " permit ;" application "Cli"
create access-list rule-3 " destination-address 10.1.1.250/0 ;" " permit ;" application "Cli"
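The dump above is long enough that it is easy to miss which VLANs actually ride each LAG. The script below is an added example, not code from the thread or from Extreme: it replays the VLAN, sharing and IP lines of the posted configuration (copied into CONFIG) in order, honouring the delete-then-add sequence, and reports per LAG master port which VLANs are carried tagged, which are carried untagged (a native VLAN, the VLAN 1 situation the question describes), and which are not on the LAG at all, plus which VLANs still hold an IP and forward on the switch. Run over the posted dump it reports that both LAGs (masters 4:3 and 2:21) carry Default, servers and Mgnt tagged and nothing untagged, and that Staff (101), store, DMZ and lab are not members of either LAG; the thread does not say which of the two LAGs faces the FTD pair. The function names and the check logic are this example's own.

```python
"""Audit the VLAN/LAG layout in an EXOS `show configuration` dump.
Added example, not code from the thread. CONFIG is copied from the posted
configuration (VLAN, sharing and IP lines only); function names are this example's own."""
import re
from collections import defaultdict

CONFIG = """
configure vlan default delete ports all
configure vlan default delete ports 1:22, 1:29, 2:1, 2:4, 2:17, 2:21, 2:24-25, 2:27-34, 4:3-5, 4:9
configure vlan Staff tag 101
configure vlan servers tag 102
configure vlan store tag 1020
configure vlan DMZ tag 1030
configure vlan lab tag 1040
configure vlan Mgnt tag 1090
enable sharing 4:3 grouping 4:3-5, 4:9 algorithm address-based L2 lacp
enable sharing 2:21 grouping 1:22, 2:17, 2:21, 2:24 algorithm address-based L2 lacp
configure vlan Default add ports 1:29, 2:21, 2:27-28, 4:3 tagged
configure vlan Default add ports 1:1-21, 1:23-28, 1:30-34, 2:2-3, 2:5-16, 2:18-20, 2:22-23, 2:26, 3:1-34, 4:1-2, 4:6-8, 4:10-34 untagged
configure vlan Staff add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:26-29, 2:2-6, 2:11, 2:20, 2:27, 3:21, 4:19 tagged
configure vlan servers add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:26-29, 2:2-6, 2:11, 2:20-21, 2:27, 3:21, 4:3, 4:19 tagged
configure vlan store add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
configure vlan DMZ add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
configure vlan lab add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27-29, 2:2-6, 2:11, 2:27, 3:21, 4:19 tagged
configure vlan Mgnt add ports 1:1-5, 1:9-11, 1:13-15, 1:20-21, 1:27, 1:29, 2:2-3, 2:5-6, 2:11, 2:21, 2:27, 3:21, 4:3, 4:19 tagged
configure vlan Default ipaddress 10.1.1.254 255.255.0.0
enable ipforwarding vlan Default
configure vlan Default add secondary-ipaddress 10.2.1.254 255.255.0.0
configure vlan Mgnt ipaddress 10.19.1.254 255.255.0.0
"""

PORT_RE = re.compile(r"(\d+):(\d+)(?:-(\d+))?")

def expand_ports(spec):
    """'1:1-3, 2:11' -> ['1:1', '1:2', '1:3', '2:11']."""
    ports = []
    for item in spec.split(","):
        m = PORT_RE.fullmatch(item.strip())
        if not m:
            raise ValueError(f"bad port spec: {item!r}")
        slot, lo, hi = m[1], int(m[2]), int(m[3] or m[2])
        ports.extend(f"{slot}:{p}" for p in range(lo, hi + 1))
    return ports

def parse(config):
    """Replay the dump in order: adds and deletes are order-sensitive."""
    tags = {"default": 1}          # names are case-insensitive on EXOS; Default (tag 1) is implicit
    members = defaultdict(dict)    # vlan -> {port: "tagged" | "untagged"}
    lags = {}                      # LAG master port -> all member ports
    ips = defaultdict(list)        # vlan -> IPv4 addresses (primary + secondary)
    forwarding = set()             # vlans with ipforwarding enabled
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"configure vlan (\S+) tag (\d+)", line):
            tags[m[1].lower()] = int(m[2])
        elif m := re.fullmatch(r"configure vlan (\S+) add ports (.+?) (tagged|untagged)", line):
            for port in expand_ports(m[2]):
                members[m[1].lower()][port] = m[3]
        elif m := re.fullmatch(r"configure vlan (\S+) delete ports (.+)", line):
            ports = members[m[1].lower()]
            for port in (list(ports) if m[2] == "all" else expand_ports(m[2])):
                ports.pop(port, None)
        elif m := re.fullmatch(r"enable sharing (\S+) grouping (.+?) algorithm.*", line):
            lags[m[1]] = expand_ports(m[2])
        elif m := re.fullmatch(r"configure vlan (\S+) (?:add secondary-)?ipaddress (\S+) (\S+)", line):
            ips[m[1].lower()].append(f"{m[2]} {m[3]}")
        elif m := re.fullmatch(r"enable ipforwarding vlan (\S+)", line):
            forwarding.add(m[1].lower())
    return tags, members, lags, ips, forwarding

def lag_report(config):
    """Per LAG master (EXOS keeps VLAN membership on the master port only):
    VLANs carried tagged, carried untagged, or absent from the LAG."""
    tags, members, lags, _, _ = parse(config)
    report = {}
    for master in lags:
        buckets = {"tagged": [], "untagged": [], "missing": []}
        for vlan, tag in sorted(tags.items(), key=lambda kv: kv[1]):
            buckets[members.get(vlan, {}).get(master, "missing")].append((vlan, tag))
        report[master] = buckets
    return report

def native_vlans(config):
    """A VLAN carried untagged on a LAG is that LAG's native VLAN: the VLAN 1 case
    in the question, and the usual way untagged frames leak across a trunk."""
    return {m: r["untagged"] for m, r in lag_report(config).items() if r["untagged"]}

def routed_vlans(config):
    """VLANs that still hold an IP on the switch, and whether they forward; these
    are the L3 hops that move to the firewall in an all-L2 design."""
    _, _, _, ips, forwarding = parse(config)
    return {v: (addrs, v in forwarding) for v, addrs in ips.items()}

if __name__ == "__main__":
    for master, r in lag_report(CONFIG).items():
        print(f"LAG {master}:", {k: [f"{v}({t})" for v, t in vs] for k, vs in r.items()})
    print("native VLAN on a LAG:", native_vlans(CONFIG) or "none")
    print("routed VLANs:", dict(routed_vlans(CONFIG)))
```

Paste a fresh `show configuration` into CONFIG to re-run the audit after each change; appending a line such as `configure vlan Default add ports 4:3 untagged` reproduces the untagged-VLAN-1-on-the-LAG condition and makes `native_vlans` flag it. Only the VLAN, sharing and IP commands are interpreted; the dynamic ACLs at the end of the dump are not examined.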
I wanted to follow up on this topic since it seems to have been unanswered. Were you able to get this working as desired?
