Solved

Cisco Switch Query

Posted on 2007-03-20
Last Modified: 2008-01-09
Here's the config from a Cat switch. There's a firewall plugged into FE01, and the two VLANs represent two DMZs.
The firewall is "multi-homed" on the other end of FE01 and has an IP address in each VLAN.

Is the reason the firewall can speak to both DMZs/VLANs these lines?
 switchport trunk encapsulation dot1q
 switchport mode trunk

Also, if I plug a laptop into FE02, why can't it ping the IP address of the firewall that's plugged into FE01? If I plug the laptop into the correct VLAN it can ping the firewall, but surely FE02 and FE03 should be able to ping the firewall?

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxxxxxxxxxxxxxxx
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 2
!
interface FastEthernet0/6
 switchport access vlan 2
!
interface FastEthernet0/7
 switchport access vlan 2
!
interface FastEthernet0/8
 switchport access vlan 2
!
interface FastEthernet0/9
 switchport access vlan 2
!
interface FastEthernet0/10
 switchport access vlan 2
!
interface FastEthernet0/11
 switchport access vlan 2
!
interface FastEthernet0/12
 switchport access vlan 2
!
interface FastEthernet0/13
 switchport access vlan 2
!
interface FastEthernet0/14
 switchport access vlan 2
!
interface FastEthernet0/15
 switchport access vlan 3
!
interface FastEthernet0/16
 switchport access vlan 3
!
interface FastEthernet0/17
 switchport access vlan 3
!
interface FastEthernet0/18
 switchport access vlan 3
!
interface FastEthernet0/19
 switchport access vlan 3
!
interface FastEthernet0/20
 switchport access vlan 3
!
interface FastEthernet0/21
 switchport access vlan 3
!
interface FastEthernet0/22
 switchport access vlan 3
!
interface FastEthernet0/23
 switchport access vlan 3
!
interface FastEthernet0/24
 switchport access vlan 3
!
interface VLAN1
 ip address 172.31.3.4 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 172.31.3.1
snmp-server engineID local 0000000902000002FD85D500
snmp-server community private RW
snmp-server community public RO
snmp-server location Computer Room dmz for web sites
snmp-server contact rupert jefferies
snmp-server chassis-id 0x0E
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password xxxxxxxxxxx
 login
line vty 5 15
 password xxxxxxxxxxx
 login
!
ntp broadcastdelay 5
end

dmz_switch#
Question by:Pete Long
8 Comments
 
Expert Comment by: lrmoore
ID: 18758411
Can you post output of "show int fast0/1"
Resend email, too. Got lost in shuffle.
 
Expert Comment by: Cyclops3590
ID: 18758484
My assumption here is that since you have the mgmt int on VLAN1, the native VLAN is still 1 and the firewall is only configured for VLAN 2 and 3. Since there is no "switchport access vlan #" for port 2, 3 or 4, devices connected to those ports should by default be in VLAN 1, thus not able to communicate with the firewall if the firewall doesn't have an interface tagged for VLAN 1 traffic.
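An added check, not from the thread, that applies the reasoning above mechanically: it parses the posted switch config, treats any FastEthernet port with no switchport lines as an access port in VLAN 1 (the IOS default), and also flags the well-known SNMP community strings present in the config. The config string is a trimmed copy of the one posted in the question.

```python
import re

# Trimmed copy of the switch config posted in the question (constructed
# subset: only the lines that decide VLAN membership and SNMP access).
SWITCH_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/5
 switchport access vlan 2
!
interface FastEthernet0/15
 switchport access vlan 3
!
snmp-server community private RW
snmp-server community public RO
"""

def parse_ports(cfg):
    """Map each FastEthernet port to its VLAN role. IOS puts a port with no
    switchport lines into access mode in VLAN 1, which is the trap here."""
    ports, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (FastEthernet\S+)", line):
            current = m.group(1)
            ports[current] = {"mode": "access", "vlan": 1, "explicit": False}
        elif current and line.strip() == "switchport mode trunk":
            ports[current].update(mode="trunk", vlan=None, explicit=True)
        elif current and (m := re.match(r"\s*switchport access vlan (\d+)", line)):
            ports[current].update(vlan=int(m.group(1)), explicit=True)
        elif line.startswith("!"):
            current = None
    return ports

def findings(cfg):
    """Checks a reviewer would raise: silent VLAN 1 members, default SNMP names."""
    out = []
    for name, p in parse_ports(cfg).items():
        if p["mode"] == "access" and not p["explicit"]:
            out.append(f"{name}: no VLAN assigned, defaults to VLAN 1 (the management VLAN)")
    for m in re.finditer(r"snmp-server community (\S+) (RW|RO)", cfg):
        if m.group(1).lower() in ("public", "private"):
            out.append(f"snmp: well-known community '{m.group(1)}' with {m.group(2)} access")
    return out
```

Run against the full config from the question, the first check reports FastEthernet0/2, 0/3 and 0/4, which is exactly the set of ports that cannot reach the firewall.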
 
Assisted Solution by: lrmoore (earned 20 total points)
ID: 18758682
Cyclops-  for reference, here's the firewall config and the issues we're trying to deal with.
Any insight from your expertise will be greatly appreciated.
http://www.experts-exchange.com/Security/Misc/Q_22453678.html
 
Expert Comment by: Cyclops3590
ID: 18758945
I have to look at the firewall one a bit closer, but my assumption is correct from what I can tell then for the switch configuration problem.

By the way,
ip address 172.31.3.4 255.255.255.0
for the VLAN int is an IP on your inside network, yet this switch is connected to the DMZ interface.

Do this:

enable
config t
! move the management interface off VLAN 1 and onto DMZ 1 (VLAN 2)
int vlan1
 shutdown
int vlan2
 ip address <give it an IP on dmz1 network> 255.255.255.0
 no shutdown
! ports 2, 3 and 4 have no VLAN assigned, so they sit in VLAN 1; put them in VLAN 2
int FastEthernet0/2
 switchport access vlan 2
int FastEthernet0/3
 switchport access vlan 2
int FastEthernet0/4
 switchport access vlan 2
exit
ip default-gateway 172.31.5.1

That should get your mgmt int on VLAN 2, dump your ports 2, 3, 4 into VLAN 2 and put in the correct gateway address.
 
Author Comment by: Pete Long
ID: 18760282
>>ip address 172.31.3.4 255.255.255.0
>>for the VLAN int is an IP on your inside network, yet this switch is connected to the DMZ interface.

Yeah, I spotted that; that was from when the switch was first built on the LAN.
 
Author Comment by: Pete Long
ID: 18762501
lrmoore

>>Can you post output of "show int fast0/1"
I will ask the guys on site to send me this info; not sure how long it will take to get it.

>>Resend email, too. Got lost in shuffle.
No probs.


Cyclops3590

Thanks for your input :)
Ref: http://Q_22461120.html#a18758484

Ah, I'm with you. The default management VLAN (VLAN1) was only ever used when the switch was built (on the LAN), and as it's tagged to VLAN 1, ports 2, 3 and 4 could not ping the firewall on either 172.31.5.1 or 172.31.4.1 (see other Q for where these IP addresses come from).
And the only reason that the firewall can see BOTH VLANs is because it's a trunk port; is that correct?

Ref: http://Q_22461120.html#a18758945

OK, I see what you are doing: changing the management VLAN IP to 172.31.5.x (1 is in use on the firewall), assigning a 172.31.5.x IP address to VLAN2, and dropping ports 2-4 into VLAN 2, so that these ports can ping 172.31.5.x.

 - Some more background -
I was trying to remove the VLANs from the equation when testing the SQL problem, hence the reason for this Q. I can't see anything actually "wrong" with this switch config; do you both concur?

In light of my other problems, is it worth trying to update the IOS on the switch? Bearing in mind the firewall and switch are the only constants in the equation.
 
Accepted Solution by: Cyclops3590 (earned 480 total points)
ID: 18763251
>>And the only reason that the firewall can see BOTH VLANs is because it's a trunk port; is that correct?
VLAN 2 and 3, yes.

VLAN 1 is not in use on the eth2 interface though; there is no IP associated with that int. And besides that, the VLAN tagging it uses is 802.1q. This means the eth2 int default native VLAN is 1, so it can see traffic on VLAN 1. However, by default the dot1q protocol doesn't explicitly tag the packet for its native VLAN. This sometimes causes issues. Not often, though, but it can.

No, the switch config looks exactly how it should, barring the need for non-console port mgmt.

I don't believe it would be worthwhile upgrading the IOS. I have a 2912XL switch in my home lab with an IOS just as old as yours. There may be bugs there, but not in the features you are using.

However, since what you describe is that the connection just goes slow, but does actually occur, right? If it does complete, just slow, I have a hard time believing it's your hardware configs. I'd sniff the traffic and see if you can find anything there. Also, I would set up a syslog server. If you do a Google search for Kiwi syslog, you'll find a free version of that you can use to get started. This way you can config the switch and the firewall to dump their logs to that server. It may help give more clues as to what is going on.
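To make the native-VLAN point above concrete, here is an added model (not from the thread, and not real switch or firewall code) of the trunk between the switch and the firewall: access ports send frames up the trunk tagged with their VLAN, except native VLAN 1, which leaves untagged, and the firewall only has IP subinterfaces for VLANs 2 and 3. The DMZ address mapping (VLAN 2 is 172.31.5.x, VLAN 3 is 172.31.4.x) is an assumption drawn from the addresses mentioned in the thread.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Frame:
    src_port: str
    vlan_tag: Optional[int] = None   # None: left the trunk untagged (native VLAN)

@dataclass
class Switch:
    """The Catalyst in the thread: access ports carry one VLAN untagged; the
    trunk on FastEthernet0/1 tags every VLAN except its native VLAN (1)."""
    access: Dict[str, int]           # port -> VLAN; unlisted ports default to VLAN 1
    native_vlan: int = 1
    tag_native: bool = False         # some switches can be told to tag the native VLAN

    def forward_to_trunk(self, ingress_port: str) -> Frame:
        vlan = self.access.get(ingress_port, 1)     # IOS default for an unconfigured port
        if vlan == self.native_vlan and not self.tag_native:
            return Frame(ingress_port, None)
        return Frame(ingress_port, vlan)

@dataclass
class Firewall:
    """Multi-homed firewall on the trunk: one 802.1q subinterface per DMZ and
    no IP address on the untagged (native VLAN) side of the physical interface."""
    subinterfaces: Dict[int, str]    # VLAN id -> IP address

    def receive(self, frame: Frame) -> str:
        if frame.vlan_tag is None:
            return "dropped: untagged frame lands on native VLAN 1, which has no IP"
        if frame.vlan_tag not in self.subinterfaces:
            return f"dropped: no subinterface for VLAN {frame.vlan_tag}"
        return f"accepted on {self.subinterfaces[frame.vlan_tag]} (VLAN {frame.vlan_tag})"

# Assumed mapping from the thread: VLAN 2 is the 172.31.5.x DMZ, VLAN 3 the 172.31.4.x DMZ.
FIREWALL = Firewall({2: "172.31.5.1", 3: "172.31.4.1"})

def ping_from(port: str, switch: Switch) -> str:
    """What the firewall does with a frame that a laptop on `port` sends up the trunk."""
    return FIREWALL.receive(switch.forward_to_trunk(port))

def before_and_after() -> tuple:
    """FastEthernet0/2 as posted (no VLAN, so VLAN 1) versus after Cyclops3590's fix."""
    before = Switch(access={"FastEthernet0/5": 2, "FastEthernet0/15": 3})
    after = Switch(access={**before.access, "FastEthernet0/2": 2})
    return ping_from("FastEthernet0/2", before), ping_from("FastEthernet0/2", after)
```

Setting tag_native=True changes the drop reason but not the outcome: the firewall still has no VLAN 1 subinterface, so moving the port into VLAN 2 is the fix, not tagging.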
 
Author Comment by: Pete Long
ID: 18763271
>>but does actually occur, right?  If it does complete, just slow

Spot on, it does occur but it's very slow.

Cyclops3590, your help has been outstanding; thanks for your time, it's appreciated. Hope I get the chance to return the favour sometime. :)

Regards

Pete