Pete Long
asked on
Cisco Switch Query
Here's the config from a Cat switch - there's a firewall plugged into FE01 - and the two VLANs represent two DMZs.
The firewall is "multi-homed" on the other end of FE01 and has an IP address in each VLAN.
Is the reason the firewall can speak to both DMZs/VLANs these lines?
switchport trunk encapsulation dot1q
switchport mode trunk
Also, if I plug a laptop into FE02 why can't it ping the IP address of the firewall that's plugged into FE01? If I plug the laptop into the correct VLAN it can ping the firewall - but surely FE02 and FE03 should be able to ping the firewall?
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxxxxxxxxxxxxxxx
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
switchport access vlan 2
!
interface FastEthernet0/6
switchport access vlan 2
!
interface FastEthernet0/7
switchport access vlan 2
!
interface FastEthernet0/8
switchport access vlan 2
!
interface FastEthernet0/9
switchport access vlan 2
!
interface FastEthernet0/10
switchport access vlan 2
!
interface FastEthernet0/11
switchport access vlan 2
!
interface FastEthernet0/12
switchport access vlan 2
!
interface FastEthernet0/13
switchport access vlan 2
!
interface FastEthernet0/14
switchport access vlan 2
!
interface FastEthernet0/15
switchport access vlan 3
!
interface FastEthernet0/16
switchport access vlan 3
!
interface FastEthernet0/17
switchport access vlan 3
!
interface FastEthernet0/18
switchport access vlan 3
!
interface FastEthernet0/19
switchport access vlan 3
!
interface FastEthernet0/20
switchport access vlan 3
!
interface FastEthernet0/21
switchport access vlan 3
!
interface FastEthernet0/22
switchport access vlan 3
!
interface FastEthernet0/23
switchport access vlan 3
!
interface FastEthernet0/24
switchport access vlan 3
!
interface VLAN1
ip address 172.31.3.4 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
ip default-gateway 172.31.3.1
snmp-server engineID local 0000000902000002FD85D500
snmp-server community private RW
snmp-server community public RO
snmp-server location Computer Room dmz for web sites
snmp-server contact rupert jefferies
snmp-server chassis-id 0x0E
!
line con 0
transport input none
stopbits 1
line vty 0 4
password xxxxxxxxxxx
login
line vty 5 15
password xxxxxxxxxxx
login
!
ntp broadcastdelay 5
end
dmz_switch#
My assumption here is that since you have the mgmt int on VLAN1, the native VLAN is still 1 and the firewall is only configured for VLAN 2 and 3. Since there is no "switchport access vlan #" for port 2, 3, or 4, devices connected to those ports should by default be in VLAN 1, and thus not able to communicate with the firewall if the firewall doesn't have an interface tagged for VLAN 1 traffic.
SOLUTION
I have to look at the firewall one a bit closer, but my assumption is correct from what I can tell for the switch configuration problem.
by the way
ip address 172.31.3.4 255.255.255.0
for the vlan int is an IP on your inside network yet this switch is connected to the dmz interface
do this
enable
config t
int vlan1
shutdown
int vlan2
ip address <give it an IP on dmz1 network> 255.255.255.0
no shutdown
int fa0/2
switchport access vlan 2
int fa0/3
switchport access vlan 2
int fa0/4
switchport access vlan 2
exit
ip default-gateway 172.31.5.1
That should get your mgmt int on vlan 2 and dump your ports 2, 3, 4 into vlan 2 and put in the correct gateway address.
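As an added example (not code from this thread, the switch vendor or the poster), the following Python script models what the two replies above describe: it parses a Catalyst-style running-config, works out which VLAN each port sits in, and answers the asker's question of why a laptop on Fa0/2 cannot reach the firewall while one on Fa0/5 can. It also flags the things a DMZ switch audit would normally pick up from the posted config: ports left in the default VLAN 1, a trunk whose native VLAN is still the management VLAN, and the default SNMP community strings. The config excerpt is constructed to match the question (ports trimmed), and the VLAN-to-subnet mapping (VLAN 2 = 172.31.5.0/24, VLAN 3 = 172.31.4.0/24) and the firewall's tagged interfaces are assumptions inferred from the thread, not stated verbatim on the page.

```python
"""Audit a Catalyst IOS running-config for VLAN reachability.

Added example for this thread, not the poster's or the vendor's code.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the thread's config: one dot1q trunk, three ports
# with no VLAN statement, then access ports in VLAN 2 and VLAN 3.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 2
!
interface FastEthernet0/15
 switchport access vlan 3
!
interface VLAN1
 ip address 172.31.3.4 255.255.255.0
!
snmp-server community private RW
snmp-server community public RO
"""

# Assumption (inferred from the replies, not stated verbatim on the page):
# the firewall is a dot1q peer with a tagged sub-interface per DMZ.
FIREWALL_VLANS = {2: "172.31.5.1", 3: "172.31.4.1"}


@dataclass
class Port:
    name: str
    mode: str = "access"        # IOS default for these ports
    access_vlan: int = 1        # IOS default access VLAN: 1
    native_vlan: int = 1        # IOS default trunk native VLAN: 1
    explicit_vlan: bool = False # True once 'switchport access vlan N' is seen


def parse_config(text):
    """Return ({interface name: Port}, [snmp-server community lines])."""
    ports, snmp, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":                 # IOS block terminator
            cur = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:                           # only model physical FastEthernet ports
            cur = Port(m.group(1)) if m.group(1).lower().startswith("fa") else None
            if cur:
                ports[cur.name] = cur
            continue
        if line.startswith("snmp-server community"):
            snmp.append(line)
        if cur is None:
            continue
        if line == "switchport mode trunk":
            cur.mode = "trunk"
        elif (m := re.match(r"^switchport access vlan (\d+)$", line)):
            cur.access_vlan, cur.explicit_vlan = int(m.group(1)), True
        elif (m := re.match(r"^switchport trunk native vlan (\d+)$", line)):
            cur.native_vlan = int(m.group(1))
    return ports, snmp


def carries(port, vlan):
    """True if frames for `vlan` pass this port (a default trunk carries all)."""
    return True if port.mode == "trunk" else port.access_vlan == vlan


def reachable_firewall_ips(ports, src, trunk="FastEthernet0/1"):
    """Firewall addresses a host on access port `src` shares a VLAN with."""
    vlan = ports[src].access_vlan
    if ports[src].mode == "trunk" or not carries(ports[trunk], vlan):
        return []
    return [ip for v, ip in FIREWALL_VLANS.items() if v == vlan]


def assign_access_vlan(ports, names, vlan):
    """Model the reply's fix: 'int fa0/2' / 'switchport access vlan 2'."""
    for n in names:
        ports[n].access_vlan, ports[n].explicit_vlan = vlan, True


def findings(ports, snmp):
    """Things a DMZ-switch review would flag in this config."""
    out = []
    for p in ports.values():
        if p.mode == "access" and not p.explicit_vlan:
            out.append(f"{p.name}: no 'switchport access vlan', sits in VLAN 1 (management VLAN)")
        if p.mode == "trunk" and p.native_vlan == 1:
            out.append(f"{p.name}: trunk native VLAN is 1; untagged frames land in the management VLAN")
    for line in snmp:
        if re.search(r"\b(public|private)\b", line):
            out.append(f"default SNMP community string: {line}")
    return out


if __name__ == "__main__":
    ports, snmp = parse_config(SAMPLE_CONFIG)
    for name in ("FastEthernet0/2", "FastEthernet0/5", "FastEthernet0/15"):
        print(name, "->", reachable_firewall_ips(ports, name) or "nothing (VLAN mismatch)")
    for f in findings(ports, snmp):
        print("finding:", f)
```

The reachability result is the whole answer to the question: Fa0/2 sits in VLAN 1, the trunk happily carries VLAN 1 to the firewall, but the firewall has no interface there, so nothing answers. The two trunk-related findings are worth acting on as well: on IOS, `switchport trunk native vlan <unused id>` and `switchport trunk allowed vlan 2,3` on Fa0/1 keep stray untagged frames out of the management VLAN, and the `public`/`private` communities (one of them RW) should be replaced before the switch stays in a DMZ.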
ASKER
>>ip address 172.31.3.4 255.255.255.0
for the vlan int is an IP on your inside network yet this switch is connected to the dmz interface
Yeah I spotted that - that was from when the switch was first built on the LAN
ASKER
lrmoore
>>Can you post output of "show int fast0/1"
I will ask the guys on site to send me this info - not sure how long it will take to get it.
>>Resend email, too. Got lost in shuffle.
No Probs
Cyclops3590
Thanks for your input :)
Ref: http://Q_22461120.html#a18758484
Ah, I'm with you. The default management VLAN (VLAN1) was only ever used when the switch was built (on the LAN), and as it's tagged to VLAN 1, ports 2, 3 and 4 could not ping the firewall on either 172.31.5.1 or 172.31.4.1 (see other Q for where these IP addresses come from).
And the only reason that the firewall can see BOTH VLANs is because it's a trunk port - is that correct?
Ref: http://Q_22461120.html#a18758945
OK - I see what you are doing, changing the management VLAN IP to 172.31.5.x (1 is in use on the firewall):
assigning a 172.31.5.x IP address to VLAN2, dropping ports 2-4 into VLAN 2, so that these ports can ping 172.31.5.x.
- Some more background -
I was trying to remove the VLANs from the equation when testing the SQL problem, hence the reason for this Q. I can't see anything actually "wrong" with this switch config - do you both concur?
In light of my other problems, is it worth trying to update the IOS on the switch? - bearing in mind the firewall and switch are the only constants in the equation.
ASKER CERTIFIED SOLUTION
ASKER
>>but does actually occur, right? If it does complete,just slow
Spot on, it does occur but it's very slow.
Cyclops3590 - your help has been outstanding, thanks for your time, it's appreciated - hope I get the chance to return the favour sometime. :)
Regards
Pete
Resend email, too. Got lost in shuffle.