Cisco Firepower with L3 Unifi Switches

I have a lab that was using a full Unifi Stack.

We had to move towards a Cisco Firepower to connect into a corporate data center. So out went the UDMP for a Cisco Firepower.

Issues:

We can communicate intra-VLAN from within tagged VLANs but cannot reach the internet.

The untagged VLAN (default UniFi adoption subnet) is being supplied DHCP by the Firepower and can reach the internet, but not the VLANs.

We know this creates a pretty flat network, we just want to keep broadcast traffic segregated.

We properly set up the 4040 VLAN on the Cisco Firepower, along with the static routes for each tagged VLAN pointing back to 10.255.253.2 (VLAN 4040, the first UniFi L3 switch).

Tagged VLANs:
10.x.10.1/24 ID 2
10.x.11.1/24 ID 3
10.x.1.1/24 ID 4

Not sure what is missing here, as we've followed all the guidance from Ubiquiti.

Controller is local UCK 2+, USW PRO, XG Enterprise, UAP, Access/Protect for Access control.

Make sure you have all the VLAN and traffic restrictions set up properly on the UniFi switches.

Thanks. We are currently passing all VLANs on the core links.

secondary switch -> (all) -> primary -> (all) -> Firepower

This is really odd. Again, intra-VLAN works, but there is no internet access (I wonder if the firewall is not allowing traffic out). Traceroute does out; I would expect the 4040 path to respond. These VLANs are being controlled by the USW Pro but routed by the Firepower.

The flip-side issue: the MGMT untagged VLAN (where all the UniFi device control lives) can reach the internet, but none of the VLANs. This network is being served out to the L3s by the Firepower. We had a lot of issues with keeping devices adopted with static IPs on a UniFi-managed untagged VLAN.
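An added example (not from the thread or from Ubiquiti/Cisco) that models the routing described above: the first UniFi L3 switch on transit VLAN 4040 (10.255.253.2) owns the tagged VLANs and defaults to the Firepower, while the Firepower needs a static route for each tagged subnet pointing back at the switch. The script walks a packet hop by hop with longest-prefix matching in both directions. The Firepower's own VLAN 4040 address (10.255.253.1), a /30 transit, and a value of 0 for the "x" octet are assumptions, as is the host address used as a probe. The point it makes is that a missing return route does not drop the reply; the Firepower's default route quietly sends it to the ISP instead, which looks exactly like "traffic goes out but nothing comes back".

```python
import ipaddress

# Constructed from the topology in the thread: the first UniFi L3 switch
# (10.255.253.2 on transit VLAN 4040) fronts the tagged VLANs, and the
# Firepower holds static routes for those subnets back to the switch.
# ASSUMPTIONS (not stated in the thread): the Firepower's VLAN 4040 address
# is 10.255.253.1, the transit is a /30, and the "x" octet is 0.
FIREPOWER_TRANSIT = "10.255.253.1"
SWITCH_TRANSIT = "10.255.253.2"
TRANSIT_NET = "10.255.253.0/30"

TAGGED_VLANS = {2: "10.0.10.0/24", 3: "10.0.11.0/24", 4: "10.0.1.0/24"}

# Map a next-hop address to the device that owns it.
NEXT_HOP_DEVICE = {SWITCH_TRANSIT: "switch", FIREPOWER_TRANSIT: "firepower"}


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop).
    next_hop None means the prefix is directly connected."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def switch_routes():
    """UniFi L3 switch: tagged VLANs connected, default route to the Firepower."""
    table = [(prefix, None) for prefix in TAGGED_VLANS.values()]
    table += [(TRANSIT_NET, None), ("0.0.0.0/0", FIREPOWER_TRANSIT)]
    return table


def firepower_routes(with_return_routes=True):
    """Firepower: transit connected, default to the ISP, plus (optionally)
    the static routes for each tagged VLAN pointing back at the switch."""
    table = [(TRANSIT_NET, None), ("0.0.0.0/0", "ISP")]
    if with_return_routes:
        table += [(prefix, SWITCH_TRANSIT) for prefix in TAGGED_VLANS.values()]
    return table


def walk(start, dst, tables, max_hops=8):
    """Forward a packet hop by hop and return the list of devices it visits,
    ending in 'delivered', 'internet' or 'DROP'."""
    device, path = start, [start]
    for _ in range(max_hops):
        route = lookup(tables[device], dst)
        if route is None:
            return path + ["DROP"]
        next_hop = route[1]
        if next_hop is None:
            return path + ["delivered"]
        if next_hop == "ISP":
            return path + ["internet"]
        device = NEXT_HOP_DEVICE[next_hop]
        path.append(device)
    return path + ["DROP"]


def broken_return_paths(firepower_table):
    """VLAN IDs whose reply traffic from the Firepower would not reach the
    switch that actually owns the subnet."""
    tables = {"switch": switch_routes(), "firepower": firepower_table}
    bad = []
    for vid, prefix in TAGGED_VLANS.items():
        probe = str(ipaddress.ip_network(prefix)[50])  # assumed host in the VLAN
        if walk("firepower", probe, tables)[-2:] != ["switch", "delivered"]:
            bad.append(vid)
    return bad


if __name__ == "__main__":
    good = {"switch": switch_routes(), "firepower": firepower_routes(True)}
    bad = {"switch": switch_routes(), "firepower": firepower_routes(False)}
    print("outbound  :", walk("switch", "8.8.8.8", good))
    print("reply ok  :", walk("firepower", "10.0.10.50", good))
    print("reply lost:", walk("firepower", "10.0.10.50", bad))
    print("VLANs with no return route:", broken_return_paths(bad["firepower"]))
```

The model covers routing only: whatever NAT and access-control policy the Firepower applies to the tagged subnets is outside it and has to be checked on the device itself. The next-hop table can be extended with the secondary switch if its transit address is known.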