Integrate Cisco Switch Layer 3 3750 with fortigate

Silver (Gold Member), 2013/04/19 06:10:03


Dear All,

Can someone help me with this issue, please?

- On my network I am using VLANs. I have a core Cisco Layer 3 switch, and all the access-layer switches are connected to the core.

- Inter-VLAN routing is done on the core Layer 3 switch.

My goal is not to do inter-VLAN routing again on the FortiGate; I just want to place the FortiGate as the gateway for the Internet etc., with the core switch connected to the FortiGate's internal port.

Please note that a default route is configured on the core Layer 3 switch pointing to the FortiGate firewall's internal IP address.

Can you help me make this work?

Thanks in advance.

Attached Image(s)

#1


    emnoc (Expert Member, Austin TX area), 2013/04/19 09:35:33
    First, nice layout diagram; a picture says a thousand words.

    What I would do, and have done, in the setup you provided: enable OSPF on all Layer 3 interfaces of the 3750.


    config t
    router ospf 10
     network 0.0.0.0 255.255.255.255 area 0
     passive-interface default
     ! un-passive only the interface that faces the FGT: the 802.1Q-tagged SVI
     ! (Vlan100 here) or the routed port gi x/x/x
     no passive-interface Vlan100
    end




    Keep your static route on the Cisco pointing to the firewall.

    Configure this connection as a Layer 3 port, or as a Layer 2 switchport with an SVI, and connect the FGT to that port for the Layer 3 uplink. You can enable 802.1Q on that connection or not, as you prefer.

    If you don't see your network growing in the future, then just configure this connection as a Layer 3 point-to-point link with no tagging, and make it a /30 between the FGT and the Cisco.

    Now on the FGT, you will learn any and all subnets within the VLANs for the local access networks.

    Apply your firewall policies for traffic in/out. Done.

    :)


    Note: if that's not clear, I could draw it out with the Cisco and FGT config details.

    PCNSE 
    NSE 
    StrongSwan  
    #2
    Silver (Gold Member), 2013/04/21 09:33:44
    Dear Friend,

    Thank you very much for your reply.

    Look, right now I am doing the test in a lab before implementing this on the live system.

    I first tried configuring inter-VLAN routing on the FortiGate itself and not on the core Layer 3 switch; it is working, even the Internet connection, and the VLANs are able to communicate.

    When I do inter-VLAN routing on the core Layer 3 switch, nothing works: no VLAN communication passing via the switch, no Internet access, nothing.

    Before I came to ask for help on the forum I tried some tests; still nothing works.

    I did and tested the following configuration; still no solution.

    - I configured the VLANs on the core switch.

    - I configured a default route on the Layer 3 switch pointing to the firewall interface.

    - I configured VLAN 1 with an IP address, for example 192.168.1.1/24, configured the IP address 192.168.1.2/24 on the FortiGate internal interface, and set the interface connected to the FortiGate as a trunk; still not working.

    - From the switch I can ping the FortiGate IP address 192.168.1.2.

    On the FortiGate I have even configured static routes for all the VLAN subnets with next hop the switch IP 192.168.1.1; still nothing works.

    I would really appreciate it if you could provide me the full config for both the switch and the FortiGate.

    I do not understand why I would need OSPF, please.

    Thanks,
    awaiting your reply.
    #3
    rwpatterson (Expert Member, Long Island, New York, USA), 2013/04/21 10:22:24
    Basically, there are two ways to get this done:

    1) Set up the routing on the Cisco, use OSPF to have all the devices get the routes, and use a transit LAN between the Cisco and the FGT. Only the Internet-bound traffic will pass down to the FGT, easing congestion.

    2) Set up a trunk port between the L3 switch and the FGT, pass all the VLANs across it, and set up the routing and policies on the FGT. This one is less desirable (to me at least) because traffic that doesn't need to touch the FGT passes up and down the trunk just to stay on the inside.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #4
    emnoc (Expert Member, Austin TX area), 2013/04/22 07:34:47
    OSPF would make life easier, since the FGT would need to know about the internal routes.

    So instead of adding static routes, picking them up with a dynamic routing protocol would be smarter and easier. If your networks are consecutive and contiguous, you might be able to summarize and just pass a summary to the upstream FGT.

    Here's a snippet of what I would do:



    config system interface
        edit "intf-3750p1"
            set vdom "root"
            set interface "port2"
            set vlanid 100
            set ip 10.18.0.2 255.255.255.252
            set allowaccess ping https ssh
            set alias "2cisco"
        next
    end



    And routing:


    config router ospf
        set router-id 10.18.0.2
        config area
            edit 0.0.0.0
                set authentication md5
            next
        end
        config ospf-interface
            edit "outside-interface-ospf"
                set interface "intf-3750p1"
                set authentication md5
                set md5-key 1 "ospfkey123dmd5"
                set cost 10
            next
        end
        # added: the FGT only runs OSPF on prefixes listed under "config network";
        # without this entry no adjacency forms with the 3750 over the transit /30
        config network
            edit 1
                set prefix 10.18.0.0 255.255.255.252
                set area 0.0.0.0
            next
        end
    end


    And for the Cisco, using an L2 SVI port (switchport) + trunking:


    config t
    !
    interface GigabitEthernet1/0/1
     description uplink to FGT port2 (802.1Q trunk, VLAN 100 only)
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk allowed vlan 100
     no ip address
     snmp trap link-status
     load-interval 30
     no cdp enable
    !
    interface Vlan100
     description to FGT port2 / OSPF area 0 neighbor / static route next-hop
     ip address 10.18.0.1 255.255.255.252
     ip ospf message-digest-key 1 md5 ospfkey123dmd5
    !
    router ospf 10
     router-id 10.18.0.1
     network 0.0.0.0 255.255.255.255 area 0
     passive-interface default
     no passive-interface Vlan100
     area 0 authentication message-digest
    !
    ip route 0.0.0.0 0.0.0.0 10.18.0.2 name 2fgt-appliance
    !
    end



    And if you want to do it non-802.1Q (not recommended):


    config t
    !
    interface GigabitEthernet1/0/1
     no switchport
     ip address 10.18.0.1 255.255.255.252
     snmp trap link-status
     load-interval 30
     no cdp enable
     ! to keep the MD5 OSPF authentication of the tagged example, add
     ! "ip ospf message-digest-key 1 md5 <key>" here, "area 0 authentication
     ! message-digest" under router ospf, and the matching ospf-interface on FGT port2
    !
    router ospf 10
     router-id 10.18.0.1
     network 0.0.0.0 255.255.255.255 area 0
     passive-interface default
     no passive-interface GigabitEthernet1/0/1
    !
    end



    And on the FGT you would set port2 to be:


    config system interface
        edit "port2"
            set vdom "root"
            set ip 10.18.0.2 255.255.255.252
            set allowaccess ping https ssh
            set alias "2cisco"
        next
    end



    With the 3750 and stacking options, you could build somewhat of a redundant core with LACP between the FGTs and the 2x stacked switches. I've built hundreds of these setups using FGT/ASA and Cisco 3750G or Es in a redundant stack, and then we tied the access floors and IDFs to the stack with LACP bundles for redundant connections.

    With 2 FGTs and 2 stacked switches, you have a redundant core.

    And then on the 3750s, for inter-VLAN routing on the switch (core):


    interface Vlan101
     description floor #1
     ip address 10.101.0.1 255.255.255.0
    interface Vlan102
     description floor #2
     ip address 10.102.0.1 255.255.255.0
    interface Vlan103
     description floor #3
     ip address 10.103.0.1 255.255.255.0
    ! /24 masks: with the originally posted 255.255.254.0 (/23), 10.103.0.1 falls
    ! inside 10.102.0.0/23 and IOS rejects Vlan103 as overlapping Vlan102


    And so on, for example. Inter-VLAN traffic stays local to the Cisco, and traffic to external destinations goes out through the firewall.




    < Message edited by emnoc -- 4/22/2013 7:38:23 AM >

    PCNSE 
    NSE 
    StrongSwan  
    #5
    Silver (Gold Member), 2013/04/22 08:19:10
    Thanks a lot for your reply, but this morning I made it work, my friend. I did not use OSPF, only static routes.
    #6
    Dom5 (New Member), 2020/02/26 15:50:52
    Hello Silver,

    I am configuring one like yours, but I cannot make it work either.

    What is the FortiGate mode (interface or switch mode)? What is the port configuration on the core which connects to the FortiGate?

    For example, my core switch port is G0/1. Do I need to change this port to a Layer 3 port on the core switch?

    Thanks.
    #7