Tuesday, December 12, 2017

Fortigate 200E issues when replacing a Cisco ISR 4331.... Help?

I attempted to replace our ISR 4331 last night, but ran into some issues, and was hoping someone out there can help me out. I'll buy you reddit gold! Think of the possibilities ;)

We currently have:

ISR / Cisco Core Switch / Cisco Workstation Switch

Essentially, I want to replace the ISR4331, with a FortiGate 200E. Here is the information I can give you - let me know if you need more:

Port Config on Cisco ISR:

interface GigabitEthernet0/0/0
 description Interface to Internet
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip nbar protocol-discovery
 zone-member security OUTSIDE
 negotiation auto
!
interface GigabitEthernet0/0/1
 description Po1 to Core Switch
 no ip address
 ip nbar protocol-discovery
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/1/0
 switchport mode access

Other config on Cisco ISR:

interface Vlan20
 no ip address
 ip helper-address 192.168.2.20
!
ip access-list extended NAT_LIST
 deny   ip any host 67.226.181.231
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.8.0 0.0.0.127 any
 permit ip 192.168.9.0 0.0.0.255 any
 permit icmp any any echo
 permit icmp any any echo-reply
!
interface Port-channel1
 description Po0 to Core Switch Po4
 no ip address
 no negotiation auto
!
interface Port-channel1.20
 description Production VLAN20 Subinterface
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface Port-channel1.30
 description DMZ VLAN30 Subinterface
 encapsulation dot1Q 30
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface Port-channel1.50
 description DTE VLAN 50 Subinterface
 encapsulation dot1Q 50
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface Port-channel1.80
 description Management 80 Subinterface
 encapsulation dot1Q 80
 ip address 192.168.8.1 255.255.255.128
 ip nat inside
 zone-member security INSIDE
!
interface Port-channel1.90
 description Storage 90 Subinterface
 encapsulation dot1Q 90
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
---------------

Cisco Workstation Switch Config for port TO Cisco Core Switch:

interface GigabitEthernet0/48
 description Uplink trunk to server switches
 switchport access vlan 20
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20
 switchport mode access
 spanning-tree portfast
 channel-group 1 mode passive
---------------

Port config on Cisco Core switch for the port FROM Cisco ISR (Future FortiGate200E):

interface GigabitEthernet1/0/10
 description to Cisco4331 Gi0/0/1 (Po1)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 4 mode active
---------------

Config on new FortiGate 200E (replacing Cisco ISR):

Interfaces:
  port1 (plugs into the same core-switch port the Cisco ISR plugged into)
    IP/Mask -> 192.168.2.1 255.255.255.0 (no way to assign the default VLAN ID as 20??)
    |___ VLAN 30  Subnet 192.168.3.1 255.255.255.0
    |___ VLAN 50  Subnet 192.168.5.1 255.255.255.0
    |___ VLAN 80  Subnet 192.168.8.1 255.255.255.128
  wan1 (plugs into the same port the ISR plugged into for the internet)
    IP/Mask -> xxx.xxx.xxx.xxx 255.255.255.248

Static Routes: I don't believe static routes are required, as they are all on the same port (port1) on the FortiGate... but I have tried with them as well, with no luck.

Policies: I've tried setting a policy where all traffic to and from 2.x, 3.x, 5.x, and 8.x is allowed, and I tried with and without NAT enabled.
---------------

Now, what happens when I plug in the 200E and turn off the ISR is that the internet works great.... traffic from within the 2.x (VLAN20) subnet seems to work flawlessly.

Servers, computers, printers, anything on the 2.x (VLAN20) subnet seems to work just fine; VLANs 30, 50, and 80, however, do not.

I have a feeling it's because the core switch configuration may be causing the issue here, however I don't know for sure.

Is there something I can do to make the Cisco Core & Workstation switch play friendly with the 200E? Could trunk encapsulation be causing this?

Perhaps there is no 'default VLAN' set on the 200E? (I don't know where to set this for some reason.... I only know how to add them; however, I want the default IP to be 192.168.2.1, and the 200E won't let me set a VLAN 20 with 2.x, because the 'default' subnet is currently using that subnet.)

Thanks in advance for your help!
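For comparison, here is an added FortiOS CLI sketch (not from the post above) that mirrors the ISR's Port-channel1 layout: port1 carries only tagged VLANs and the 192.168.2.1 address sits on a tagged VLAN 20 subinterface instead of on the physical port. It assumes FortiOS CLI syntax, a VDOM named root, the interface names vlan20/vlan30/vlan50/vlan80, and that the core-switch port hands the FortiGate a plain dot1q trunk (the LACP channel-group on that switch port is not addressed here).

```fortios
# Added example, not the poster's config; VDOM "root" and the vlanNN names are assumed
config system interface
    # Physical port carries tagged VLANs only, like the ISR's Port-channel1
    edit "port1"
        set vdom "root"
        unset ip
    next
    # One VLAN subinterface per ISR dot1Q subinterface; VLAN 20 holds
    # 192.168.2.1 as a tagged subinterface instead of the "default" port IP
    edit "vlan20"
        set vdom "root"
        set interface "port1"
        set vlanid 20
        set ip 192.168.2.1 255.255.255.0
    next
    edit "vlan30"
        set vdom "root"
        set interface "port1"
        set vlanid 30
        set ip 192.168.3.1 255.255.255.0
    next
    edit "vlan50"
        set vdom "root"
        set interface "port1"
        set vlanid 50
        set ip 192.168.5.1 255.255.255.0
    next
    edit "vlan80"
        set vdom "root"
        set interface "port1"
        set vlanid 80
        set ip 192.168.8.1 255.255.255.128
    next
end
# Outbound policy with source NAT, covering the same subnets as the ISR's
# NAT_LIST; source interfaces are named per VLAN rather than any-to-any
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "vlan20" "vlan30" "vlan50" "vlan80"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Whether the core trunk delivers VLAN 20 tagged or as its native VLAN decides whether 192.168.2.1 belongs on port1 itself or on the tagged vlan20 subinterface, so that is the first thing to check against the switch side.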
