Solved

Simple Cisco 3524XL VLAN problem

Posted on 2007-03-31
Last Modified: 2008-01-09
Hi Experts,

OK this is so simple and yet it doesn't work. It's driving me nuts!

I have a Cisco 3524XL switch which I am configuring with two VLANs which are then being trunked to a PIX 506. I have created the two VLANs on the switch, configured the virtual interfaces on the PIX, and the "LAN" VLAN (VLAN 3) at least is working correctly. The DMZ VLAN (VLAN 2) however refuses point blank to come up, despite having ports assigned to it, Ethernet devices connected to it, and me repeatedly issuing "no shutdown" commands at it. Also I have verified that the physical ports that are in VLAN 2 are coming up correctly by doing "show int"s on them.

Here's an abridged copy of the config on the switch:

ip subnet-zero
!
interface FastEthernet0/1
 switchport access vlan 2
!
interface FastEthernet0/2
 switchport access vlan 2
!
! << More interfaces here >>
!
interface FastEthernet0/11
 switchport access vlan 2
!
interface FastEthernet0/12
 switchport access vlan 2
!
interface FastEthernet0/13
 switchport access vlan 3
!
interface FastEthernet0/14
 switchport access vlan 3
!
! << More interfaces here >>
!
interface FastEthernet0/23
 switchport access vlan 3
!
interface FastEthernet0/24
 description Trunk port to PIX 506e
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
interface VLAN2
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
interface VLAN3
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 10.0.0.254


Help please!!
Question by:georgemason
26 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 18829962
Not sure if this is the cause, but I noticed that the VLAN 2 interface doesn't have an IP address...is this intentional?
 
LVL 1

Author Comment

by:georgemason
ID: 18830792
I was under the impression that an IP address could only be assigned to one VLAN for management purposes, and it was therefore not possible to assign an IP to multiple VLANs. However, having not tried to add one to VLAN2, I'll give it a go and let you know!

Thanks.
 
LVL 4

Expert Comment

by:red_nectar
ID: 18831656
Switch config OK (assuming the PIX is plugged into fa0/24) - show us the PIX config
 
LVL 57

Expert Comment

by:Pete Long
ID: 18831658
PIX config should look something like:


interface Ethernet2
 no nameif
 no security-level
 no ip address
!
interface Ethernet2.2
 vlan 2
 nameif dmz1
 security-level 50
 ip address 172.31.5.1 255.255.255.0
!
interface Ethernet2.3
 vlan 3
 nameif dmz2
 security-level 55
 ip address 172.31.4.1 255.255.255.0

Obviously change the names, security levels and IP addresses accordingly.
 
LVL 1

Author Comment

by:georgemason
ID: 18831663
red_nectar - Will do, but why would the PIX config be upsetting things? I have a physical Ethernet device connected to VLAN 2, and the VLAN doesn't come up. The PIX is connected to fa0/24 btw.

PeteLong - that's a PIX 7.0 config isn't it? Mine's running 6.3(5). But I will post in a sec anyway.
 
LVL 1

Author Comment

by:georgemason
ID: 18831666
Pertinent bits from PIX config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan3 physical
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
 
LVL 1

Author Comment

by:georgemason
ID: 18831708
Here's some more info, show int for VLAN2 and fa0/1 (which is where the first device for VLAN2 is connected).

Switch# sh int vlan 2
VLAN2 is administratively down, line protocol is down
  Hardware is CPU Interface, address is 0008.e36f.f2c0 (bia 0008.e36f.f2c0)
  Internet address is 192.168.101.1/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA
  ARP type: ARPA, ARP Timeout 04:00:00

Switch#sh int fa0/1
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0008.e36f.f2c1 (bia 0008.e36f.f2c1)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Auto-duplex (Full), Auto Speed (100), 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     73 packets input, 8941 bytes
     Received 51 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast
     0 input packets with dribble condition detected
     83961 packets output, 3132168 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
 
LVL 57

Expert Comment

by:Pete Long
ID: 18831932
>>that's a PIX 7.0 config

Yup - sorry :(
 
LVL 1

Author Comment

by:georgemason
ID: 18832566
No worries, reads better than 6.3, makes much more sense!! Still no nearer to working this out though..... Hmph.....
 
LVL 4

Expert Comment

by:red_nectar
ID: 18832928
When you do show vlan on the switch, do you see vlan 2 listed?  If not, create vlan 2 on the switch.  (It is possible to have ports assigned to vlans that don't exist on the switch)
To create vlan 2:
switch#vlan database
switch(vlan)#vlan 2
---some output from the switch ---
switch(vlan)#apply
switch(vlan)#exit

 
LVL 1

Author Comment

by:georgemason
ID: 18833004
The VLAN is in the DB already:

Switch#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
2    DMZ_vlan                active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
3    LAN_vlan                active    Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20,
                                                Fa0/21, Fa0/22, Fa0/23
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
 
LVL 3

Expert Comment

by:Bobby_Thekkekandam
ID: 18845852
Hi GeorgeMason,

Your second post was very much on the right track. You can only have one Layer 3 Switched Virtual Interface (SVI or VLAN interface) up and with an IP address for management purposes only.

So this is why VLAN 3 is up and no other VLAN interface is up. The 3500XL switches are Layer 2 only.

Hope that Helps,

Bobby

 
LVL 1

Author Comment

by:georgemason
ID: 18847218
Hi Bobby,

Thought so! But I still don't understand. VLANs are layer 2 constructs, so whilst I understand that I can't have the switch routing between the VLANs, why can't I configure the two VLANs to act independently and have something connected to a trunk port (in this case a PIX) which is controlling traffic between the two? I mean, what's the point of the switch supporting VLANs at all in that case?

(sorry if I'm missing something blindingly obvious!)
 
LVL 3

Expert Comment

by:Bobby_Thekkekandam
ID: 18848041
Hi GeorgeMason,

I think the confusion lies in the distinction between the VLAN itself and the SVI associated with the VLAN. You can define many VLANs (in the case of the 3500XL, up to 64) by defining them in the VLAN database. This creates the existence of the VLAN at layer 2.

Creating an SVI (VLAN interface) creates a logical layer 3 interface that is a member of the VLAN defined by its number. This is not a required component at all for the VLAN to function.

The only need for a Layer 3 VLAN interface is as a management interface for telnet/SNMP, etc. use.

So, going back to the issue at hand, here's a basic checklist:

- Create a management interface and assign an IP address to it. (check)
- Create the needed VLANs in the VLAN database (check)
- Create a trunk link and make sure the VLANs that need to traverse the trunk are active on the trunk. (almost check - the trunk is configured, but can you post a "show interface trunk" to verify that the switch is trunking properly?)

thanks,

Bobby
 
LVL 1

Author Comment

by:georgemason
ID: 18852836
Very well explained, I get it completely now. Thanks for that.

So, I tried to run a show interface trunk, and the switch didn't like it. Seems it's not a command on this version of switch IOS. The port that the PIX is connected to is configured as a trunk, with the commands that I mentioned above:

interface FastEthernet0/24
 description Trunk port to PIX 506e
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk

I can ping the PIX and access resources through it from the LAN, so that much works. However devices connected to VLAN 2 (and I've tried more than one to make sure it wasn't something like a duff NIC) cannot ping the virtual interface of the PIX, connected to fa0/24. After some testing today it turns out that they can ping each other though, so it's definitely an issue with the configuration of trunking and the connection to the PIX. Something to do with native VLANs perhaps? Getting to the point that I'm going to connect a packet sniffer and work out what's happening!
 
LVL 3

Expert Comment

by:Bobby_Thekkekandam
ID: 18852947
Hi George,

"show int trunk" doesn't work on a 3500xl. These pesky things sometimes are totally different than other IOS switches. I confirmed that the trunking information can be displayed with "show interface fa0/24 switchport"

Now, based on your config for fa0/24, the native vlan will be the default of VLAN 1. Make sure the PIX side is the same. If you could also post the portion of the PIX config for the connected interface, that will help as well.

Thanks,

Bobby
 
LVL 1

Author Comment

by:georgemason
ID: 18853132
Hi Bobby,

Right you are, once again!

Here's the PIX config for the relevant interfaces:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan3 physical
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50

... and here's the switch at the moment (I've been messing about with it but to no avail)

interface FastEthernet0/24
 description Trunk port to PIX 506e
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk

So, I have no native VLAN set up on the switch, so the way I understand it the PIX should be sending packets for BOTH vlans tagged - so the switch should be able to untag them and send them on their merry way. Sadly this doesn't seem to be the case.... Although I'm not specifically configuring the native VLAN on the PIX, the implication of the config is that it's not either VLAN 2 or 3 therefore no other packets should be sent down the trunk (I'm guessing a bit here!)
 
LVL 1

Author Comment

by:georgemason
ID: 18853154
Sorry, here's the output from the show int fa0/24 switchport:

Switch#show interface fa0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-3,100
Pruning VLANs Enabled: 2-1001

Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
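An added consistency check, not code from the thread or from Cisco, that walks Bobby's checklist over the two outputs quoted above: it parses the "show interface fa0/24 switchport" output and the PIX 6.3 "interface ... vlanN" lines, then flags a port that is not trunking dot1q, a PIX VLAN missing from the trunk's active VLANs, and a PIX VLAN that collides with the switch native VLAN (the switch sends the native VLAN untagged while, on the thread's reading of the 6.3 guide, the PIX tags both of its VLANs; that reading is an assumption here). The sample inputs are copied from the posts above.

```python
import re

# Constructed sample: the switchport output quoted earlier in the thread
SWITCHPORT_OUTPUT = """\
Name: Fa0/24
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-3,100
"""

# Constructed sample: the PIX 6.3 interface lines quoted earlier in the thread
PIX_CONFIG = """\
interface ethernet1 100full
interface ethernet1 vlan3 physical
interface ethernet1 vlan2 logical
nameif ethernet1 inside security100
nameif vlan2 dmz security50
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-3,100' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_switchport(text):
    """Pull the trunk-relevant fields out of 'show interface ... switchport'."""
    fields = dict(re.findall(r"^([^:]+):\s*(.*)$", text, re.M))
    return {
        "mode": fields["Operational Mode"],
        "encap": fields["Operational Trunking Encapsulation"],
        # '1 (default)' -> 1
        "native": int(re.match(r"\d+", fields["Trunking Native Mode VLAN"]).group()),
        "active": expand_vlan_list(fields["Trunking VLANs Active"]),
    }

def parse_pix_vlans(text):
    """Map VLAN id -> 'physical'/'logical' from PIX 6.3 'interface ethernetN vlanX ...' lines."""
    pairs = re.findall(r"^interface \S+ vlan(\d+) (physical|logical)\b", text, re.M)
    return {int(vid): kind for vid, kind in pairs}

def check_trunk(sw, pix_vlans):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    if sw["mode"] != "trunk":
        findings.append("switch port is not operationally trunking (%s)" % sw["mode"])
    if sw["encap"] != "dot1q":
        findings.append("trunk encapsulation is %s, PIX expects 802.1Q" % sw["encap"])
    for vid in sorted(pix_vlans):
        if vid not in sw["active"]:
            findings.append("VLAN %d is on the PIX but not active on the trunk" % vid)
        if vid == sw["native"]:
            # Switch sends the native VLAN untagged; PIX tags it (assumption from the thread)
            findings.append("VLAN %d is the switch native VLAN but is tagged on the PIX" % vid)
    return findings

if __name__ == "__main__":
    for f in check_trunk(parse_switchport(SWITCHPORT_OUTPUT), parse_pix_vlans(PIX_CONFIG)) or ["no mismatch found"]:
        print(f)
```

For the configs posted in this thread the check returns no findings, which matches the conclusion below that the config "looks right"; pointing the native VLAN at 2 or 3, as in a later experiment in the thread, is the case it does flag.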
 
LVL 3

Expert Comment

by:Bobby_Thekkekandam
ID: 18853453
I'm not too familiar with the PIX firewalls, but it appears that you'll need to have a layer 3 interface associated with each VLAN. I didn't see the IP information in your output, so I'm not sure if you had that set up correctly or not. But for your reference, here's the config guide for setting up a trunk on PIX 6.3 releases.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

HTH,

Bobby
 
LVL 1

Author Comment

by:georgemason
ID: 18853889
Thanks Bobby. Interestingly the config from the document is almost the same as mine, although on their PIX they configure the VLANs on ethernet 0 (more secure I guess, no danger of vlan jumping attack onto the safe network).

However if I join the dots and show you my pix config, or at least the bits relating to interfaces, you'll see it's the same as theirs with the above exception:

Top bit:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan3 physical
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50

Interface address bit:

ip address outside 192.168.x.1 255.255.255.0
ip address inside 192.168.y.254 255.255.255.0
ip address dmz 192.168.z.254 255.255.255.0

As I read that config, it's exactly as they specify; packets destined for <inside> should be tagged with 802.1q vlan 3 and those for <dmz> with vlan 2.
0
 
LVL 3

Expert Comment

by:Bobby_Thekkekandam
ID: 18864148
Yes, the config looks right, so I'm a bit at a loss here.

I'm going to try to set this up in my lab and see if I can make this work.
 
LVL 4

Expert Comment

by:red_nectar
ID: 18866824
Haven't had a chance to follow this for a while - but I think it's been established that the 3524XL vlan 2 interface isn't going to be shown as "up" unless you "shutdown" interface vlan 3 first.

So what now is the problem?  What test are you doing that is failing? What devices can't communicate?  What proof do you have that the switch ISN'T sending tagged frames on VLAN 2 & 3?  Remember, this is a firewall you are configuring - its purpose in life is to STOP traffic, which it may well be doing very well!
 
LVL 1

Author Comment

by:georgemason
ID: 18872687
Hi red,

OK it's like this:

I have confirmed that devices in VLAN 2 can communicate with each other. What is not happening is that these devices cannot see the logical PIX interface in the VLAN. The PIX is connected to port fa0/24 on the switch, which from the configs you can find above is set up as a trunk port with access to both VLANs 2 and 3.

I have tried setting the PIX to only tag packets for one VLAN, then setting the other as the native VLAN of the trunk, thereby making the switch expect untagged packets for one VLAN and not the other, but this did not solve the problem. The result was the same: once both devices had been configured, the PIX routed packets from VLAN 3 to the Internet, but the VLAN 2 interface was totally inaccessible - i.e. could not see it from within VLAN 2, nothing to do with the PIX blocking packets as it wasn't even responding to ARP requests!

I hope this clarifies, let me know if you want more info. I agree that VLAN 2 will not be shown as "up", as VLAN interfaces on the 3524XL are layer 3 constructs, etc. etc. so I have stopped worrying about that. Now what I'm aiming for is a ping response from the PIX logical interface from devices on VLAN 2.
 
LVL 4

Accepted Solution

by:
red_nectar earned 125 total points
ID: 18873272
So: (Deducing from your last reply)
You CAN get traffic to go: (#.# represents 192.168)
#.#.y.PC-->Switch-->(Tagged as VLAN3)-->PIX[Eth1-Inside--Outside-Eth0]-->Untagged-->#.#.x.PC
and in reverse
#.#.x.PC-->Untagged-->PIX[Eth0-Outside--Inside-Eth1]-->(Tagged as VLAN3)-->Switch-->#.#.y.PC
BUT NOT
#.#.z.PC-->Switch-->(Tagged as VLAN2)-->PIX[Eth1-DMZ*****
as proved by #.#.z.PC showing no arp entries for 192.168.z.254 after pinging 192.168.z.254

I find it curious that VLAN3 traffic is tagged and works, but not VLAN2 (no doubt you do too)
I have to say that I don't have much more to add - but I know I'm going to have to do this exact config in May, so I will be watching with interest.  I think by this stage we could be debugging Cisco code rather than your config.  So next I would try:
1. Make VLAN3 logical and VLAN 2 physical - see what that gives
2. Try putting the DMZ on Eth0 rather than Eth1
 
LVL 1

Author Comment

by:georgemason
ID: 19136377
I had forgotten about this one, but I'll try and have a go at it in the next week or so.
 
LVL 1

Author Comment

by:georgemason
ID: 20121712
Just to qualify the reason that I gave the points on this one to red_nectar, and to say thanks to all who commented - in desperation, I tried the second of the two suggestions in that last post, and for some reason (that I still don't understand!) the VLAN config worked perfectly.

So, in summary, configuring the DMZ VLAN on the outside Ethernet (eth0) interface of the PIX worked as expected, although it is still unclear why this didn't work on the inside (eth1) interface. Having said that, it's theoretically more secure to have the DMZ on the outside interface, so I'm happy with this solution.
