ohareka asked on

Layer 3 switch routing problem

I have 2 servers which sit in the dmz switch.  Some users can connect to them and some time out.

The ftp server (192.168.11.150) sits in vlan 1 - interface from the firewall is dmz4 fa0/4
The http server (192.168.180.23) sits in vlan 80 - interface from firewall is dmz4 virtual fa0/13,14,20,21

A user on the Corporate Lan makes a request to view the ftp page or the http page on either of the 2 servers.

Traffic goes from the lan into the firewall.  Then from the firewall straight into sw-marlbdmz01 (the switch on the dmz).  Packets are getting through to both servers on this switch.  These servers have a default gateway of the layer 3 switch (sw-MarldmzL301 - 192.168.11.254) which routes the packets back to the firewall.

This is where the problem is, because the layer 3 switch is tagging the traffic coming back from the servers with either vlan1 or vlan80.  The packet should stay on the vlan it came in on.

How can I get the Layer 3 switch (the servers' gateway) to keep the packets on the correct vlan and NOT send them back to the firewall on an incorrect vlan?

On the Firewall-ASA I have checked the settings for both interfaces:
dmz4 - security level 50, duplex auto, speed auto, type interface
dmz4virtual - security level 60, vlan ID 80, sub ID 80, type subinterface

regards, K

Sw-MARLDMZ-L301.txt
sw-marlbdmz01.txt
Routers

Last Comment
ohareka

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
JFrederick29

ohareka

ASKER
What you say is helpful and makes sense.  I was talking to someone here and they said I should take a look at policy-based routing, with access lists.  I.e. I should put an acl for both servers on the layer 3 switch - Q: what do you think?  This concept is new to me.
SOLUTION
JFrederick29

ohareka

ASKER
I am going to try a few of the solutions next week.  I found this on the web as well for policy based routing.

! Policy-based routing snippet (as found on the web): traffic that arrives on
! Ethernet0 from 10.1.1.0/24 is sent to next hop x.x.x.x instead of following
! the normal routing table.
int Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ! the IOS command is "ip policy route-map", not "ip policy-map"
 ip policy route-map new-gateway
!
route-map new-gateway permit 10
 match ip address 10
 ! "default next-hop" is only used when the routing table has no explicit
 ! route to the destination; "set ip next-hop" would override the table
 set ip default next-hop x.x.x.x
!
! standard ACL 10 selects the source addresses the route-map matches on
access-list 10 permit 10.1.1.0 0.0.0.255

I think I'll give all 3 methods a try and see which one suits the problem best, but I am very happy with your answer.  Thanks, K
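One way to apply the policy-based routing idea from this thread to the two DMZ servers, written here as an added example; it is not from the thread, the certified solution, or the attached switch configs. It assumes the layer 3 switch runs Cisco IOS, that it currently has a single default route towards the firewall (so replies from both servers leave by the same path and the ASA, being stateful, drops the ones that arrive on an interface other than the one the connection was built on), and that the firewall's dmz4 and dmz4virtual addresses are the placeholders 192.168.11.1 and 192.168.180.1. The switch's VLAN 80 SVI address and the /24 masks are also assumptions; the server addresses and the 192.168.11.254 gateway come from the question.

```cisco
! Added example: policy-based routing on the DMZ layer 3 switch so that each
! server's return traffic is handed to the firewall on the interface that
! serves that server's VLAN. Placeholder firewall addresses must be replaced
! with the ASA's real dmz4 and dmz4virtual IPs.
!
! Standard ACLs match on source, so each one selects only the traffic that
! its server originates; all other hosts on the VLAN keep normal routing.
access-list 11 remark FTP server on VLAN 1
access-list 11 permit host 192.168.11.150
access-list 80 remark HTTP server on VLAN 80
access-list 80 permit host 192.168.180.23
!
! One route-map sequence per server. "set ip next-hop" forces the next hop
! even when the routing table has a default route to the firewall, which is
! the case "set ip default next-hop" would NOT override.
route-map DMZ-RETURN permit 10
 match ip address 11
 ! placeholder: ASA dmz4 address on VLAN 1
 set ip next-hop 192.168.11.1
!
route-map DMZ-RETURN permit 20
 match ip address 80
 ! placeholder: ASA dmz4virtual address on VLAN 80
 set ip next-hop 192.168.180.1
!
! The policy is applied on the SVIs the servers use as their gateway, i.e.
! the interfaces where their packets enter the layer 3 switch.
interface Vlan1
 ip address 192.168.11.254 255.255.255.0
 ip policy route-map DMZ-RETURN
!
interface Vlan80
 ! placeholder: the switch's SVI address on VLAN 80
 ip address 192.168.180.254 255.255.255.0
 ip policy route-map DMZ-RETURN
!
! Verification: "show route-map DMZ-RETURN" shows per-sequence match counters
! (they should increase when a user browses each server) and "show ip policy"
! lists which interfaces the route-map is bound to.
```

A few points worth checking before relying on this: the match counters in "show route-map" are the quickest way to confirm that the policy is actually hitting, since a route-map bound to the wrong SVI silently does nothing; on some Catalyst platforms (the 3560/3750 family) PBR is only available after switching to the routing SDM template with "sdm prefer routing" and a reload; and because the next hop is forced per source address, a change of the ASA's DMZ interface addressing has to be mirrored in both "set ip next-hop" lines or the affected server becomes unreachable again.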