Forti - Preparing the Firewall Migration for the SF Area
This lab continues Forti - Firewall ServerFarm on Nexus - VRF Mode, where this part had not yet been migrated.
Migration preparation: this part is already configured on switches SW-FS-01 and SW-FS-02 before the migration, so the configuration is already present on the SF switches and does not affect the switches' operational configuration.
===========================
SW-FS-01
--------------------------
vlan 256
name Inside_Forti_Firewall_T3
exit
vlan 257
name Outside_Forti_Firewall_T3
exit
interface ethernet 1/4
description INSIDE_FORTI_P1
switchport
switchport mode access
switchport access vlan 256
channel-group 6 mode active
exi
interface ethernet 1/5
description INSIDE_FORTI_P2
switchport
switchport mode access
switchport access vlan 256
channel-group 6 mode active
exi
interface ethernet 1/6
description OUTSIDE_FORTI_P3
switchport
switchport mode access
switchport access vlan 257
channel-group 5 mode active
exi
interface ethernet 1/7
description OUTSIDE_FORTI_P4
switchport
switchport mode access
switchport access vlan 257
channel-group 5 mode active
exi
interface vlan 256
description INSIDE_FORTI_FW_T3
no shu
ip address 10.90.254.58/29
ip router ospf 1 area 0.0.0.0
hsrp 1
preempt
priority 110
ip 10.90.254.57
exi
exit
interface vlan 257
description OUTSIDE_FORTI_FW_T3
no shu
ip address 10.90.254.50/29
ip router ospf 2 area 0.0.0.0
hsrp 1
preempt
priority 110
ip 10.90.254.49
exi
exit
interface port-channel 5
description OUTSIDE_FORTI
no shutdown
switchport
switchport access vlan 257
switchport mode access
exi
interface port-channel 6
description INSIDE_FORTI
shutdown
switchport
switchport mode access
switchport access vlan 256
exit
-------------------------------------------
SW-FS-02
vlan 256
name Inside_Forti_Firewall_T3
exit
vlan 257
name Outside_Forti_Firewall_T3
exit
interface ethernet 1/4
description INSIDE_FORTI_P1
no shut
switchport
switchport mode access
switchport access vlan 256
channel-group 6 mode active
exi
interface ethernet 1/5
description INSIDE_FORTI_P2
no shut
switchport
switchport mode access
switchport access vlan 256
channel-group 6 mode active
exi
interface ethernet 1/6
description OUTSIDE_FORTI_P3
no shut
switchport
switchport mode access
switchport access vlan 257
channel-group 5 mode active
exi
interface ethernet 1/7
description OUTSIDE_FORTI_P4
no shut
switchport
switchport mode access
switchport access vlan 257
channel-group 5 mode active
exi
interface vlan 256
description INSIDE_FORTI_FW_T3
no sh
ip address 10.90.254.59/29
ip router ospf 1 area 0.0.0.0
hsrp 1
preempt
ip 10.90.254.57
exi
exit
interface vlan 257
description OUTSIDE_FORTI_FW_T3
no sh
ip address 10.90.254.51/29
ip router ospf 2 area 0.0.0.0
hsrp 1
preempt
ip 10.90.254.49
exi
exit
interface port-channel 5
description OUTSIDE_FORTI
shutdown
switchport
switchport mode access
switchport access vlan 257
exi
interface port-channel 6
description INSIDE_FORTI
shutdown
switchport
switchport mode access
switchport access vlan 256
exit
FIREWALL-SF-FORTI
Then, on the firewall side, make sure everything has already been configured (inside/outside interfaces, default and static routing, policy rules and HA) and that all of it is done. Make sure the point-to-point links between the firewall's inside/outside ports and the SF switch are reachable (ping replies). The capture is below.
(capture: interface IP)
Ping from the Forti to the SF switch: reply, OK. So before the migration it must be confirmed that the point-to-point links between the firewall and the switch reply to ping; once they reply, the ports can be disabled again and re-enabled on migration day.
===================================================
STEP-2. LIVE MIGRATION PHASE
These steps are part of the live firewall migration process in the SF area (the following steps need to be carried out during the migration).
SW_FS-01
--------------
Step-1
NOTE:
Enable the INSIDE/OUTSIDE ports on FORTI-FW; their interface status is still disabled:
- Interfaces Vlan256 and Vlan257 on the SF switch are already enabled/up, so there is no need to 'no shut' them again
- Enable the physical INSIDE and OUTSIDE ports (port1 - 4), because their interface status is still disabled/down
- Enable port-channel 5 and port-channel 6, because interfaces port-ch5 and port-ch6 are shutdown
Step-2: Create VRF context OUTSIDE_FW_T3 on switch SW-FS-01
vrf context OUTSIDE_FW_T3
Step-3: Create specific static routes (SF VLAN segments) to the Forti via the Outside interface
vrf context OUTSIDE_FW_T3
ip route 10.0.1.0/24 10.90.254.52 name VLan_10
ip route 10.0.2.0/24 10.90.254.52 name VLan_20
ip route 10.0.3.0/24 10.90.254.52 name VLan_30
ip route 10.0.4.0/24 10.90.254.52 name VLan_40
exit
Step-4: Attach VRF context OUTSIDE_FW_T3 to OSPF process 2
router ospf 2
vrf OUTSIDE_FW_T3
exit
exit
Step-5: Create the default route
ip route 0.0.0.0 0.0.0.0 10.90.254.60 name internet
Step-6: Create the IP prefix-list
ip prefix-list static-to-ospf-outside-fw permit 10.0.1.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.2.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.3.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.4.0/24
and the matching route-map:
route-map STATIC-TO-OSPF-OUT permit 10
match ip address prefix-list static-to-ospf-outside-fw
exit
Step-7: Create the new OSPF process (ospf 2) with static redistribution
router ospf 2
vrf OUTSIDE_FW_T3
redistribute static route-map STATIC-TO-OSPF-OUT
exit
exit
Step-8: Put the core uplinks and the Outside SVI into the VRF on SW-FS-01
interface Ethernet1/1
no switchport
vrf member OUTSIDE_FW_T3
desc TO-CS-01
ip address 10.90.252.6/30
ip ospf network point-to-point
ip router ospf 2 area 0.0.0.0
no shutdown
exit
interface Ethernet1/2
no switchport
vrf member OUTSIDE_FW_T3
desc TO-CS-02
ip address 10.90.252.21/30
ip ospf network point-to-point
ip router ospf 2 area 0.0.0.0
no shutdown
exit
interface Vlan257
description OUTSIDE_FORTI_FW_T3
vrf member OUTSIDE_FW_T3
no shutdown
ip address 10.90.254.50/29
ip router ospf 2 area 0.0.0.0
hsrp 1
preempt
priority 110
ip 10.90.254.49
-----------------------------------------
SW_FS-02
Step-1
Enable the INSIDE/OUTSIDE ports on FORTI-FW; their interface status is still disabled.
Interfaces Vlan256 and Vlan257 on the SF switch are already enabled/up.
Enable the physical INSIDE and OUTSIDE ports (port1 - 4), because their interface status is still disabled/down.
Enable port-channel 5 and port-channel 6, because interfaces port-ch5 and port-ch6 are shutdown.
Step-2: Create VRF context OUTSIDE_FW_T3 on switch SW-FS-02
vrf context OUTSIDE_FW_T3
Step-3: Create specific static routes (SF VLAN segments) to the Forti via the Outside interface
vrf context OUTSIDE_FW_T3
ip route 10.0.1.0/24 10.90.254.52 name VLan_10
ip route 10.0.2.0/24 10.90.254.52 name VLan_20
ip route 10.0.3.0/24 10.90.254.52 name VLan_30
ip route 10.0.4.0/24 10.90.254.52 name VLan_40
exit
Step-4: Attach VRF context OUTSIDE_FW_T3 to OSPF process 2
router ospf 2
vrf OUTSIDE_FW_T3
exit
exit
Step-5: Create the default route
ip route 0.0.0.0 0.0.0.0 10.90.254.60 name Internet
Step-6: Create the IP prefix-list
ip prefix-list static-to-ospf-outside-fw permit 10.0.1.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.2.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.3.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.4.0/24
and the matching route-map:
route-map STATIC-TO-OSPF-OUT permit 10
match ip address prefix-list static-to-ospf-outside-fw
exit
Step-7: Create the new OSPF process (ospf 2) with static redistribution
router ospf 2
vrf OUTSIDE_FW_T3
redistribute static route-map STATIC-TO-OSPF-OUT
exit
exit
Step-8: Put the core uplinks and the Outside SVI into the VRF on SW-FS-02
interface Ethernet1/1
no switchport
vrf member OUTSIDE_FW_T3
desc TO-CS-01
ip address 10.90.252.18/30
ip ospf network point-to-point
ip router ospf 2 area 0.0.0.0
no shutdown
exit
interface Ethernet1/2
no switchport
vrf member OUTSIDE_FW_T3
desc TO-CS-02
ip address 10.90.252.10/30
ip ospf network point-to-point
ip router ospf 2 area 0.0.0.0
no shutdown
exit
interface Vlan257
description OUTSIDE_FORTI_FW_T3
vrf member OUTSIDE_FW_T3
no shutdown
ip address 10.90.254.51/29
ip router ospf 2 area 0.0.0.0
hsrp 1
preempt
ip 10.90.254.49
exit
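Before the cutover it pays to check both switch configs against the properties this design relies on, because the security of the VRF-mode layout rests on one thing: every outside-side interface (Vlan257 and the uplinks to the core) must sit in OUTSIDE_FW_T3 and run OSPF 2, so that the only path between the global table (inside) and the outside VRF is through the Forti. If an SVI or uplink is left in the global table, the Nexus itself routes around the firewall. The checker below is an added example, not code from the original post; it parses only the subset of NX-OS configuration used in Step-3, Step-5 and Step-8 (interface, vrf member, ip address, ip router ospf, the HSRP ip line, vrf context and ip route), and the SW01/SW02 inputs are constructed excerpts modelled on those steps, with a deliberately broken variant that drops the VRF membership of Vlan257 on SW-FS-02. It also covers the pre-migration HSRP consistency between the two switches (same virtual IP on each SVI, VIP inside the SVI subnet).

```python
"""Pre-cutover checker for the SW-FS-01 / SW-FS-02 Nexus pair (added illustration,
not code from the original post): parses a small subset of NX-OS config and checks
the properties the VRF-mode firewall design relies on."""
import ipaddress
import re

OUTSIDE_VRF = "OUTSIDE_FW_T3"   # VRF name used in the post
OUTSIDE_SVI = "vlan257"         # outside SVI, normalised (no spaces, lower-case)


def parse_config(text):
    """Return (interfaces, routes): interfaces = name -> {vrf, ip, ospf, vip};
    routes = vrf -> [(network, next_hop)], 'default' being the global table."""
    interfaces, routes, mode = {}, {"default": []}, []      # mode: config-mode stack
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line in ("exit", "exi"):                  # NX-OS accepts the abbreviation
            if mode:
                mode.pop()
        elif m := re.match(r"interface\s+(\S.*)$", line, re.I):
            name = re.sub(r"\s+", "", m.group(1)).lower()   # 'Vlan 257' == 'vlan257'
            mode = [("interface", name)]
            interfaces[name] = {"vrf": "default", "ip": None, "ospf": None, "vip": None}
        elif m := re.match(r"vrf context (\S+)", line):
            mode = [("vrf", m.group(1))]
            routes.setdefault(m.group(1), [])
        elif line.startswith("router ospf"):
            mode = [("ospf", None)]
        elif not mode or mode[-1][0] == "vrf":            # global or VRF static route
            t = line.split()
            if t[:2] == ["ip", "route"]:                  # 'A/len NH' or 'A MASK NH'
                net, nh = (t[2], t[3]) if "/" in t[2] else (f"{t[2]}/{t[3]}", t[4])
                routes[mode[-1][1] if mode else "default"].append(
                    (ipaddress.ip_network(net), ipaddress.ip_address(nh)))
        elif mode[-1][0] == "interface":
            d = interfaces[mode[-1][1]]
            if m := re.match(r"vrf member (\S+)", line):
                d["vrf"] = m.group(1)
            elif m := re.match(r"ip address (\S+)", line):
                d["ip"] = ipaddress.ip_interface(m.group(1))
            elif m := re.match(r"ip router ospf (\S+)", line):
                d["ospf"] = m.group(1)
            elif re.match(r"hsrp \d+", line):
                mode.append(("hsrp", mode[-1][1]))
        elif mode[-1][0] == "hsrp":
            if m := re.match(r"ip (\d+\.\d+\.\d+\.\d+)$", line):   # HSRP virtual IP
                interfaces[mode[-1][1]]["vip"] = ipaddress.ip_address(m.group(1))
    return interfaces, routes


def check_switch(sw, interfaces, routes):
    """Per-switch checks; returns human-readable findings (empty list = clean)."""
    f = []
    owned = [d["ip"].network for d in interfaces.values() if d["vrf"] == OUTSIDE_VRF and d["ip"]]
    if interfaces.get(OUTSIDE_SVI, {}).get("vrf") != OUTSIDE_VRF:
        f.append(f"{sw}: {OUTSIDE_SVI} is not in VRF {OUTSIDE_VRF}: outside traffic would bypass the firewall")
    for name, d in interfaces.items():
        if (d["ospf"] == "2") != (d["vrf"] == OUTSIDE_VRF):   # OSPF 2 <=> outside VRF
            f.append(f"{sw}: {name} OSPF/VRF mismatch (vrf={d['vrf']}, ospf={d['ospf']})")
        if d["vip"] is not None and (d["ip"] is None or d["vip"] not in d["ip"].network):
            f.append(f"{sw}: {name} HSRP VIP {d['vip']} is not inside the SVI subnet")
    for net, nh in routes.get(OUTSIDE_VRF, []):
        if not any(nh in n for n in owned):
            f.append(f"{sw}: VRF route {net} via {nh}: next hop not on a {OUTSIDE_VRF} subnet")
    for net, nh in routes["default"]:                 # global default must stay inside
        if net.prefixlen == 0 and any(nh in n for n in owned):
            f.append(f"{sw}: global default via {nh} points at the outside side, bypassing the firewall")
    return f


def check_pair(configs):
    """configs: {switch_name: config text} for the two peers; adds HSRP VIP agreement."""
    parsed = {sw: parse_config(c) for sw, c in configs.items()}
    findings = [x for sw, (i, r) in parsed.items() for x in check_switch(sw, i, r)]
    (na, (a, _)), (nb, (b, _)) = parsed.items()
    for name in a.keys() & b.keys():
        if a[name]["vip"] != b[name]["vip"]:
            findings.append(f"{name}: HSRP VIP differs between {na} and {nb}")
    return findings


def _sample(inside, outside, in_vrf=True):
    """Constructed config excerpt modelled on the post's Step-3/5/8 blocks."""
    vrf = f" vrf member {OUTSIDE_VRF}\n" if in_vrf else ""
    return (f"vrf context {OUTSIDE_VRF}\n ip route 10.0.1.0/24 10.90.254.52 name VLan_10\n exit\n"
            "ip route 0.0.0.0 0.0.0.0 10.90.254.60 name internet\n"
            f"interface Vlan256\n ip address {inside}/29\n ip router ospf 1 area 0.0.0.0\n"
            " hsrp 1\n  ip 10.90.254.57\n exi\nexit\n"
            f"interface Vlan257\n{vrf} ip address {outside}/29\n ip router ospf 2 area 0.0.0.0\n"
            " hsrp 1\n  ip 10.90.254.49\n exi\nexit\n")


SW01 = _sample("10.90.254.58", "10.90.254.50")   # constructed, values from the post
SW02 = _sample("10.90.254.59", "10.90.254.51")


def run_checks(broken=False):
    """broken=True drops the VRF membership of Vlan257 on SW-FS-02 to show a finding."""
    sw02 = _sample("10.90.254.59", "10.90.254.51", in_vrf=False) if broken else SW02
    return check_pair({"SW-FS-01": SW01, "SW-FS-02": sw02})


if __name__ == "__main__":
    print("clean pair:", run_checks() or "OK")
    print("Vlan257 left in global table:", run_checks(broken=True))
```

Feed it the two running-configs (show running-config) instead of the constructed samples; an empty list means the pair is consistent. The parser deliberately tracks exit/exi depth, because the HSRP sub-mode inside an SVI means one exit too few silently attributes the next interface's lines to the previous one.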
VERIFICATION
Ping and traceroute from SF to the internet and to the LAN-disti
Ping/traceroute from the LAN-disti area to the internet and to the server farm
If firewall SF-01 (the primary) goes down, firewall SF-02 (the secondary) comes up automatically.
Done! Success.