
Cisco SG-350 Switch and Fortigate Firewall Configuration

Network Engineering Asked by Santiago Hernández on September 30, 2021

I’m not what you would call a Network Engineer, but right now I have a (somewhat) complex network problem that I have to solve. I must configure an SG350-28P Cisco switch and a FortiGate 60F firewall to give internet access (kinda in a router-on-a-stick fashion, if you ask me).

Right now I haven’t been able to achieve the objectives that the attached image shows, because I’m not really sure why my VLANs do not have internet access, or how to correctly configure a VLAN for that matter.

Things that I have tried:

  • Calling EIGRP on the switch: Didn’t work. Command not recognized.
  • Static routing on the switch: Didn’t work, maybe I did it wrong.

Current configuration

EDIT: I’ll add my current switch configuration to clarify the state of the setup:

vlan database
vlan 10,20,30,40,66,77
exit

ip dhcp server
ip dhcp pool network EA_POOL
address low 192.168.40.10 high 192.168.40.15 255.255.255.0
exit

ip dhcp pool network Main_Pool
address low 192.168.1.10 high 192.168.1.19 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
exit

ip dhcp pool network Testing_POOL
address low 192.168.20.10 high 192.168.20.20 255.255.255.0
exit

ip dhcp pool network Production_POOL
address low 192.168.30.10 high 192.168.30.20 255.255.255.0
exit

ip dhcp pool network Development_POOL
address low 192.168.10.10 high 192.168.10.20 255.255.255.0
exit

ip dhcp information option
bonjour interface range vlan 1
qos advanced
line console
no autobaud
exit

ip name-server 192.168.2.99
ip telnet server
!
interface vlan 1
    ip address 192.168.2.210 255.255.255.0
    no ip address dhcp
!
interface vlan 10
    name Development_VLAN
    ip address 192.168.10.10 255.255.255.0
!
interface vlan 20
    name Testing_VLAN
    ip address 192.168.20.10 255.255.255.0
!
interface vlan 30
    name Production_VLAN
    ip address 192.168.30.10 255.255.255.0
!
interface vlan 40
    name EA_VLAN
    ip address 192.168.40.10 255.255.255.0
!
interface vlan 66
    name unused-ports
    shutdown
!
interface vlan 77
    name OUTGOING
!
interface GigabitEthernet3
    switchport access vlan 10
!
interface GigabitEthernet4
    switchport access vlan 10
!
interface GigabitEthernet5
    switchport access vlan 10
!
interface GigabitEthernet6
    switchport access vlan 10
!
interface GigabitEthernet7
    switchport access vlan 10
!
interface GigabitEthernet8
    switchport access vlan 20
!
interface GigabitEthernet9
    switchport access vlan 20
!
interface GigabitEthernet10
    switchport access vlan 30
!
interface GigabitEthernet11
    switchport access vlan 30
!
interface GigabitEthernet12
    switchport access vlan 40
!
interface GigabitEthernet13
    switchport access vlan 66
!
interface GigabitEthernet14
    switchport access vlan 66
!
interface GigabitEthernet15
    switchport access vlan 66
!
interface GigabitEthernet16
    switchport access vlan 66
!
interface GigabitEthernet17
    switchport access vlan 66
!
interface GigabitEthernet18
    switchport access vlan 66
!
interface GigabitEthernet19
    switchport access vlan 66
!
interface GigabitEthernet20
    switchport access vlan 66
!
interface GigabitEthernet21
    switchport access vlan 66
!
interface GigabitEthernet22
    switchport access vlan 66
!
interface GigabitEthernet23
    switchport access vlan 66
!
interface GigabitEthernet24
    switchport access vlan 66
!
interface GigabitEthernet26
    no switchport
    switchport access vlan 77
!
exit
ip default-gateway 192.168.2.99

3 Answers

The FortiGate requires routes to the networks behind the SG 350. (Make sure routing has been activated on the 350, but I think it's on by default.)

Since the 350 doesn't seem to support any routing protocol, you'll need to set up static routes on the FortiGate.

In the GUI, static routes are under Network -> Static Routes. If you're not using those addresses anywhere else but on the FortiGate or the 350, a single entry 192.168.0.0/16 -> 192.168.2.210 on Internal should do, with a Distance of e.g. 50, so you could still route single subnets elsewhere (with a lower Distance).

Note that your setup doesn't use a router-on-a-stick, since you route at the "core" 350 (at least it looks like that).

If you used the 350 as L2 only and trunked all VLANs to the FortiGate, that would be considered a router-on-a-stick.

Correct answer by Zac67 on September 30, 2021
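The static route this answer describes, written out as a FortiOS CLI fragment. This is an added example, not part of the answer and not configuration taken from the asker's devices. It assumes the FortiGate's LAN-side interface is named "internal", takes the 192.168.0.0/16 summary, next hop 192.168.2.210 and distance 50 from the answer, and adds a second, more specific route (192.168.50.0/24 via 192.168.2.99, distance 10) purely as an assumed illustration of the "route single subnets elsewhere" point:

```fortios
# Added example (FortiOS CLI), not from the original answer.
# Interface name "internal" and the 192.168.50.0/24 route are assumptions.
config router static
    edit 0
        # Summary route for every VLAN SVI that lives on the SG-350.
        # A deliberately high distance so that any route to the same
        # prefix learned or entered with a lower distance wins over it.
        set dst 192.168.0.0 255.255.0.0
        set gateway 192.168.2.210
        set device "internal"
        set distance 50
        set comment "Summary route to SG-350 SVIs"
    next
    edit 0
        # One subnet that is reachable somewhere else (assumed next hop).
        set dst 192.168.50.0 255.255.255.0
        set gateway 192.168.2.99
        set device "internal"
        set distance 10
        set comment "Specific subnet routed elsewhere"
    next
end
```

Two checks worth running afterwards: `get router info routing-table all` on the FortiGate shows which of the two entries is installed for a given prefix, and `show ip route` on the SG-350 confirms the switch itself has the connected VLAN routes and its default route towards 192.168.2.99. Note that a more specific prefix such as the /24 above is preferred over the /16 by longest-prefix match regardless of distance; the distance value only decides between competing routes to the same prefix.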

Please refer to the link for configuration of a sub-interface (router-on-a-stick configuration) on a FortiGate firewall:

https://youtu.be/bIeQyQKptRc

If you're using the FortiGate firewall as the core or perimeter device and the Cisco SG300 as the distribution switch in your setup, then you can accomplish this task by creating sub-interfaces on the FortiGate firewall.

Configure the SG300 switch to FortiGate firewall link as a trunk allowing all VLANs.

Configure the public IP of the ISP on the outside interface of the FortiGate, and configure a default route in the Fortinet firewall pointing towards the ISP gateway.

Now, in the SG300 switch, create all the VLANs which were created as FortiGate sub-interfaces. Then create access ports in the SG300 switch for desktop and server connectivity.

Then create an outbound policy in the perimeter firewall for internet access:

  • Source interface: LAN
  • Destination interface: outside-facing interface
  • Source address: LAN POOL NETWORK
  • Destination address: ANY
  • Services: ports allowed as per your requirements
  • Action: ALLOWED
  • Security profiles: ON

Then create an inbound policy in the firewall if you have an application hosted in your local LAN and want to access it from the internet.

Create a VIP object as a public IP mapping with object name "WEB SERVER" = public IP mapped to the private IP of the hosted application.

Inbound policy:

  • Source interface: outside interface
  • Destination interface: LAN
  • Source address: any
  • Destination address: WEB SERVER (as per the VIP created above)
  • Services: as per application requirement, mostly "https"
  • Security profiles: on
  • Action: allowed

* Create an implicit deny policy at the bottom; this policy is used to deny non-matching traffic and to monitor unwanted traffic on the firewall.

  • Source interface: any
  • Destination interface: ANY
  • Source address: any
  • Destination address: any
  • Services/ports: any
  • Action: deny

Answered by Sagar Uragonda on September 30, 2021

