Introduction
This document describes how to configure virtual domains (VDOMs) on a FortiGate in Transparent mode to provide AV/IPS protection in an 802.1q VLAN trunk environment.
In a typical 802.1q VLAN trunk environment, the ports that connect the switch and the router are configured in trunk mode, so the traffic of all VLANs passes over one physical cable. Each frame on the trunk carries an 802.1q tag that identifies its VLAN, except frames of the native VLAN, which are sent untagged.
In the Network Diagram below, traffic between the PC and the server is in VLAN 1 while voice traffic is in VLAN 2. Each VLAN is a single Layer 2 broadcast domain, so no frame is forwarded from one VLAN to the other at Layer 2; each VLAN reaches the router through the trunk between the switch and the router, and any traffic between the VLANs is routed by the router's subinterfaces. A FortiGate-300 firewall in Transparent mode is inserted into that trunk to perform policy control and AV/IPS protection on both VLANs without changing the existing IP addressing.
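The tagging described above, as an added example that is not part of the original article: a small Python decoder for 802.1q-tagged Ethernet frames. It shows how untagged frames fall into the native VLAN 1, how a VLAN 2 tag is matched against the VLAN subinterface the FortiGate defines on the ingress port, and what a frame that stacks a native-VLAN tag outside a VLAN 2 tag turns into once a switch strips the native tag on the trunk (the classic double-tagging case, and the reason a data VLAN that is also the trunk's native VLAN deserves attention). The MAC addresses, payload and frames are constructed for the example; VLAN_SUBIFS reproduces the interface names from the FortiGate configuration later on this page, and the remark about vlanforward is an assumption about FortiOS behaviour, not something the article states.

```python
# Added example, not from the original article: decode 802.1Q-tagged frames the way a
# device on this trunk sees them. MAC addresses and frames are constructed samples.
import struct

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8   # service tag (QinQ), accepted so a stacked tag is not misread as payload
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vids=()):
    """Assemble a frame; vids lists tag VIDs outermost first (TPID 0x8100, PCP 0, DEI 0)."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, the tags (outermost first), the final EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    tags, offset = [], 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)   # TCI = PCP:3 | DEI:1 | VID:12
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def effective_vlan(parsed, native_vlan=1):
    """VLAN a trunk port attributes the frame to: untagged and priority-tagged (VID 0)
    frames belong to the native VLAN, otherwise the outermost tag decides."""
    if not parsed["tags"] or parsed["tags"][0]["vid"] == 0:
        return native_vlan
    return parsed["tags"][0]["vid"]


# VLAN subinterfaces per physical port, named as in the FortiGate configuration on this page.
VLAN_SUBIFS = {"internal": {2: "vlan2-internal"}, "external": {2: "vlan2-external"}}


def ingress_interface(parsed, port="internal"):
    """Interface, and therefore VDOM, the FortiGate attributes a frame arriving on port to:
    untagged frames stay on the physical interface (root VDOM); a tagged frame must match a
    VLAN subinterface on that port, otherwise None (assumed dropped unless the port has
    vlanforward enabled)."""
    if not parsed["tags"]:
        return port
    return VLAN_SUBIFS.get(port, {}).get(parsed["tags"][0]["vid"])


def double_tagged_target(parsed, native_vlan=1):
    """Inner VID when the outer tag is the trunk's native VLAN. A switch that sends native-VLAN
    frames untagged strips that outer tag on the trunk, so the next hop receives a frame
    tagged for the inner VLAN: the classic double-tagging case."""
    tags = parsed["tags"]
    if len(tags) >= 2 and tags[0]["vid"] == native_vlan:
        return tags[1]["vid"]
    return None


# Constructed sample frames (locally administered MAC addresses, dummy payload).
PC, PHONE, ROUTER = bytes.fromhex("020000000a01"), bytes.fromhex("020000000b01"), bytes.fromhex("020000000c01")
PAYLOAD = bytes(20)
DATA_FRAME = build_frame(ROUTER, PC, ETHERTYPE_IPV4, PAYLOAD)                  # VLAN 1 data, sent untagged
VOICE_FRAME = build_frame(ROUTER, PHONE, ETHERTYPE_IPV4, PAYLOAD, vids=[2])    # VLAN 2 voice, tagged
STRAY_FRAME = build_frame(ROUTER, PC, ETHERTYPE_IPV4, PAYLOAD, vids=[3])       # VLAN with no subinterface
HOPPING_FRAME = build_frame(PHONE, PC, ETHERTYPE_IPV4, PAYLOAD, vids=[1, 2])   # native tag outside a VLAN 2 tag

if __name__ == "__main__":
    for name, frame in [("data", DATA_FRAME), ("voice", VOICE_FRAME), ("stray", STRAY_FRAME), ("hopping", HOPPING_FRAME)]:
        p = parse_frame(frame)
        print(name, "vlan", effective_vlan(p), "->", ingress_interface(p), "double-tag target", double_tagged_target(p))
```

Running the block prints one line per sample frame: the data frame lands on internal (root VDOM), the voice frame on vlan2-internal (Voice VDOM), the VLAN 3 frame on no interface at all, and the stacked frame reports VLAN 2 as the VLAN it would reach after the native tag is stripped.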
Products
· Cisco Call Manager Express
· Cisco2611XM
· Cisco 7910SW IP phones
· Cisco Cat 3550 Switch with voice VLAN feature
![](http://www.cublog.cn/u/18307/upfile/060429094605.jpg)
Prerequisites
The configuration is based on the following assumptions:
· Cisco Call Manager Express and the DHCP server are in one Cisco2611XM.
· The server and the PC are in Native VLAN 1.
· The Cisco IP phones are in Voice VLAN 2.
· The Cisco Cat 3550 Switch has the voice VLAN feature.
Configurations
Cisco Cat 3550 configuration
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport voice vlan 2
!
interface FastEthernet0/3
switchport voice vlan 2
!
interface FastEthernet0/13
switchport voice vlan 2
Cisco Router configuration
interface FastEthernet0/0
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.11.14.1 255.255.255.0
ip helper-address 10.202.1.15
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.11.15.1 255.255.255.0
ip helper-address 10.202.1.15
!
interface FastEthernet0/1
ip address 10.202.1.1 255.255.255.0
Firewall FortiGate-300 configuration
The FortiGate-300 is configured with two VDOMs, root and Voice, both operating in Transparent mode (the operation mode is set separately for each VDOM with set opmode transparent under config system settings on FortiOS 3.0 and later; it is not shown in the listing below). The physical interfaces internal and external stay in the root VDOM and carry the untagged native VLAN 1 data traffic. Two VLAN subinterfaces, vlan2-internal and vlan2-external, are created on internal and external with VLAN ID 2 and assigned to the Voice VDOM, so tagged VLAN 2 voice frames are bridged and inspected there. The stpforward setting lets the transparent FortiGate pass spanning tree BPDUs arriving on the trunk instead of dropping them. Note that FortiGate policies are stateful: the root VDOM has a single policy, so only sessions initiated from the internal side are accepted for data traffic, while the Voice VDOM has a policy in each direction so that voice sessions may be initiated from either side.
config system vdom
edit root
next
edit Voice
next
end
config system interface
edit internal
set stpforward enable
next
edit external
set stpforward enable
next
edit vlan2-internal
set vdom Voice
set interface internal
set vlanid 2
next
edit vlan2-external
set vdom Voice
set interface external
set vlanid 2
next
end
config firewall policy
edit 1
set srcintf internal
set dstintf external
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
next
end
exec enter Voice
config firewall address
edit all
next
end
config firewall policy
edit 1
set srcintf vlan2-internal
set dstintf vlan2-external
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
next
edit 2
set srcintf vlan2-external
set dstintf vlan2-internal
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
next
end
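The FortiGate listing above, as an added example that is not part of the original article: a Python parser for the FortiOS CLI config/edit/set/next/end grammar and the exec enter command, followed by the consistency checks a reviewer would run on this design, namely that every VLAN ID has a subinterface on two ports in one VDOM, that each policy references interfaces its own VDOM owns, that every accept policy carries a protection profile (the whole point of inserting the firewall), and that each VDOM has policies in both directions. The parser and audit are hypothetical, written for this page; PAGE_CONFIG reproduces the page's configuration abridged to the parts the checks read, and policy 2 in the Voice VDOM is assumed to end like policy 1 because the page's copy is cut off there.

```python
# Added example, not from the original article: parse the FortiOS CLI listing above and
# run the consistency checks a reviewer would want before trusting the VDOM split.
import shlex

POLICY = """\
    edit {pid}
        set srcintf {src}
        set dstintf {dst}
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set profile_status enable
        set profile scan
    next
"""

# The page's configuration as sample input, abridged to what the checks read; policy 2
# in the Voice VDOM is assumed to end like policy 1 (the page's copy is cut off there).
PAGE_CONFIG = ("""\
config system vdom
    edit root
    next
    edit Voice
    next
end
config system interface
    edit internal
    next
    edit external
    next
    edit vlan2-internal
        set vdom Voice
        set interface internal
        set vlanid 2
    next
    edit vlan2-external
        set vdom Voice
        set interface external
        set vlanid 2
    next
end
config firewall policy
""" + POLICY.format(pid=1, src="internal", dst="external")
    + "end\nexec enter Voice\nconfig firewall policy\n"
    + POLICY.format(pid=1, src="vlan2-internal", dst="vlan2-external")
    + POLICY.format(pid=2, src="vlan2-external", dst="vlan2-internal") + "end\n")


def parse_fortios(text):
    """Flatten config blocks into entries {_table, _name, _vdom, <set key>: [values]};
    _vdom is the VDOM selected with 'exec enter' when the entry was created."""
    entries, stack, vdom = [], [], "root"   # stack holds [table_path, open_entry] frames
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[:2] == ["exec", "enter"]:
            vdom = tok[2]
        elif tok[0] == "config":
            stack.append([tuple(tok[1:]), None])
        elif tok[0] == "edit":
            stack[-1][1] = {"_table": stack[-1][0], "_name": " ".join(tok[1:]), "_vdom": vdom}
            entries.append(stack[-1][1])
        elif tok[0] == "set":
            stack[-1][1][tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack[-1][1] = None
        elif tok[0] == "end":
            stack.pop()
    return entries


def table(entries, *path):
    return [e for e in entries if e["_table"] == path]


def audit(entries):
    """Return findings; an empty list means the VDOM, VLAN and policy wiring is consistent."""
    findings = []
    ifaces = table(entries, "system", "interface")
    vdom_of = {i["_name"]: i.get("vdom", ["root"])[0] for i in ifaces}
    # A transparent VDOM bridges a VLAN between ports, so each VLAN ID needs a subinterface
    # on at least two parents, all of them in the same VDOM.
    by_vid = {}
    for i in ifaces:
        if "vlanid" in i:
            by_vid.setdefault(int(i["vlanid"][0]), []).append(i["_name"])
    for vid, names in sorted(by_vid.items()):
        if len(names) < 2:
            findings.append(f"VLAN {vid} is defined only on {names[0]}; nothing to bridge it to")
        elif len({vdom_of[n] for n in names}) > 1:
            findings.append(f"VLAN {vid} subinterfaces are split across VDOMs")
    # Policies are stateful: one policy admits sessions initiated from srcintf plus their
    # replies, so the opposite direction needs its own policy if sessions start there.
    dirs = {}
    for p in table(entries, "firewall", "policy"):
        v, src, dst = p["_vdom"], p["srcintf"][0], p["dstintf"][0]
        for i in (src, dst):
            if vdom_of.get(i) != v:
                findings.append(f"policy {p['_name']} in VDOM {v} uses {i}, owned by VDOM {vdom_of.get(i)}")
        if p.get("action", [""])[0] == "accept" and p.get("profile_status", [""])[0] != "enable":
            findings.append(f"policy {p['_name']} in VDOM {v} accepts {src}->{dst} without a protection profile")
        dirs.setdefault(v, set()).add((src, dst))
    for v, pairs in sorted(dirs.items()):
        for src, dst in sorted(pairs):
            if (dst, src) not in pairs:
                findings.append(f"VDOM {v}: only {src}->{dst} sessions are accepted; no policy for {dst}->{src}")
    return findings
```

Run against the page's configuration, audit(parse_fortios(PAGE_CONFIG)) reports exactly one item, that the root VDOM accepts only sessions initiated from internal towards external, which is the asymmetry between the data and voice VDOMs noted above; whether it is intended depends on whether anything on the router side must open sessions towards the PC and server. Removing vlan2-external from the listing makes the VLAN check fire, and disabling profile_status on any accept policy flags that policy as passing traffic without AV/IPS.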
Troubleshooting
· diagnose debug enable -- enable debug output on the console or remote session
· diagnose sniffer packet <interface> '<filter>' <verbose> -- display packets coming in and out on an interface; for example diagnose sniffer packet vlan2-internal 'host 10.11.15.1' 4 shows whether tagged VLAN 2 traffic reaches the Voice VDOM, and diagnose sniffer packet any 'none' 4 watches every interface
· exec enter [vdom] -- change VDOM
· exec ping -- ping tool