
Catalyst 6500 configuration

Posted on 2011-03-18
Last Modified: 2012-05-11
I am trying to set up a Catalyst 6509-E. Currently there are 2 chassis. SwitchA has two 48-port switches, the FWSM, and the Supervisor 720 10G module. SwitchB has two 48-port switches and a Supervisor 720 10G module. There is a trunk connecting SwitchA and SwitchB.

First off, since there is no redundant FWSM in the SwitchB chassis, I don't know if that complicates the setup of everything.
 
So anyhow, my problem is that on the SwitchA chassis I have configured the FWSM for VLAN 4, but it is shut down and I can’t bring it up no matter what I try. I created the VLAN, added the interface Vlan4 with an IP address, and set an interface as switchport access vlan 4, but no luck.

First off, I’m a little confused as to how this is supposed to function with all the modules. Is the FWSM supposed to do the routing, or are the switches? I basically have it set up so that the switches and the FWSM each have their own VLAN interface (each in VLAN 4 and on the same subnet). The switches pass the traffic up to the FWSM, which does the routing. Is there anything wrong with doing it this way?
 
FWSM#sh run
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.1 255.255.255.248
!
interface Vlan3
nameif inside
security-level 100
ip address 172.16.18.1 255.255.255.0
!
interface Vlan4
description PROBLEM_VLAN
nameif PROBLEM_VLAN
security-level 0
ip address 172.18.151.1 255.255.255.248
 
FWSM# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Vlan2                      192.168.100.1   YES CONFIG up                    up
Vlan3                      172.16.18.1     YES CONFIG up                    up
Vlan4                      172.18.151.1    YES manual up                    up

SwitchA#sh run
firewall module 4 vlan-group 2
firewall vlan-group 2  2-4
vtp mode transparent
!
vlan 2
name outside
!
vlan 3
name INSIDE
!
vlan 4
name PROBLEM_VLAN
 
!
interface GigabitEthernet1/48
switchport
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet2/45
switchport
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet2/48
switchport
switchport access vlan 3
switchport mode access
!
interface TenGigabitEthernet5/4
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan3
description Interface to FWSM
ip address 172.16.18.2 255.255.255.0
!
interface Vlan4
ip address 172.18.151.3 255.255.255.248
shutdown
 
SwitchB#sh run
vtp mode transparent
 
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
main-cpu
  auto-sync running-config
mode sso
 
vlan 2
name outside
!
vlan 3
name INSIDE
 
vlan 4
name PROBLEM_VLAN
 
interface TenGigabitEthernet5/4
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet7/48
switchport
switchport access vlan 2
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan3
description Interface to FWSM
ip address 172.16.18.3 255.255.255.0
!
interface Vlan4
ip address 172.18.151.2 255.255.255.248

Question by: B1izzard
 
Assisted Solution by: shubhanshu_jaiswal (LVL 5, earned 125 total points)
Have you connected any cable to any of the interfaces in Vlan4...
 
Expert Comment by: shubhanshu_jaiswal (LVL 5)
Kindly show us the topology...
 

Author Comment by: B1izzard
Yes, I did plug a cable into g2/45 (VLAN 4) on SwitchA, and I was able to ping from a laptop (using 172.18.151.5) to the SwitchB VLAN 4 IP of 172.18.151.2, but not to SwitchA at 172.18.151.3, since the VLAN 4 interface will not come up. So it is strange to me that I can ping through SwitchA because it is trunked, but not to SwitchB, to which I am directly connected, because it won't come up.
 

Author Comment by: B1izzard
There really isn't much to the topology, since it is just being set up. Basically there are the 3 VLAN interfaces on the FWSM: inside, outside, and PROBLEM_VLAN. The 2 6500 switches are trunked, and I have a laptop plugged in for testing. Each switch has its own VLAN 4 IP interface. I just want to find out why I can't bring up the interface, and also whether I'm setting this up correctly.
 
Expert Comment by: predragpetrovic (LVL 9)
Hi,

Give me the output of "show firewall", "show license" and "show version".
 
Assisted Solution by: eeRoot (LVL 21, earned 125 total points)
Try giving a physical interface an IP address on vlan 4; newly created VLANs can appear as shutdown if there is nothing using them.
 
Expert Comment by: yawbe (LVL 3)
Make sure you have a port assigned to vlan 4 and plug a device into that port. Come back to the switch and enable the vlan again. This is normal: until you have a device connected to a VLAN, it will remain down. E.g.

interface GigabitEthernet2/48
switchport
switchport access vlan 4
switchport mode access
no shut

interface vlan 4
no shut

This will resolve your issue. Let me know.
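Added example (not from the thread or from any poster in it): a short Python check that applies the rule in the two replies above to a constructed show run excerpt modelled on SwitchA. An SVI comes up only when its VLAN exists in the VLAN database, the SVI is not shut down and some port in that VLAN is up, and for the FWSM to see the VLAN it must also be in the firewall vlan-group; the script flags whichever of these is missing for each interface VlanN. The interface Vlan5 and its 10.0.0.1 address are constructed and not part of the poster's configuration.

```python
import re

# Constructed sample modelled on the SwitchA 'show run' in the question: VLAN 4 exists,
# has an access port and is in the FWSM vlan-group, but its SVI is administratively down.
# Vlan5 (constructed, not in the thread) is an SVI with no VLAN, port or FWSM assignment.
SWITCH_RUN = """\
firewall module 4 vlan-group 2
firewall vlan-group 2  2-4
vlan 4
 name PROBLEM_VLAN
interface GigabitEthernet2/45
 switchport access vlan 4
 switchport mode access
interface Vlan4
 ip address 172.18.151.3 255.255.255.248
 shutdown
interface Vlan5
 ip address 10.0.0.1 255.255.255.0
"""

def fwsm_vlans(run):
    """Expand 'firewall vlan-group N 2-4,10' into the set of VLAN ids handed to the FWSM."""
    vlans = set()
    for m in re.finditer(r"^firewall vlan-group \d+\s+(\S+)", run, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_svis(run):
    """Return {vlan_id: [problems]} for every 'interface VlanN' in a show run.
    An SVI is up/up only if the VLAN is in the database, the SVI is not shut down and
    an active port carries the VLAN (trunks count too; this checks access ports)."""
    fw = fwsm_vlans(run)
    defined = {int(v) for v in re.findall(r"^vlan (\d+)$", run, re.M)}
    access = {int(v) for v in re.findall(r"^ switchport access vlan (\d+)$", run, re.M)}
    report = {}
    # Each SVI block is its header line plus the single-space-indented sub-commands.
    for vid, body in re.findall(r"^interface Vlan(\d+)\n((?: .*\n)*)", run, re.M):
        v, problems = int(vid), []
        if v not in defined:
            problems.append("vlan not created")
        if v not in access:
            problems.append("no access port in vlan")
        if re.search(r"^ shutdown$", body, re.M):
            problems.append("svi administratively shutdown")
        if v not in fw:
            problems.append("vlan not in firewall vlan-group")
        report[v] = problems
    return report
```

Run against the sample, audit_svis reports only "svi administratively shutdown" for Vlan4, which matches the symptom in the question, and all three missing pieces for Vlan5.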
 
Expert Comment by: yawbe (LVL 3)
Change the gig3/48 to gig3/45 and follow the same method above. If that does not work, remove the vlan and recreate it while you still have the device connected to gig3/45. I have seen this issue before. E.g.
no vlan 4
no interface vlan 4
!
Recreate vlan 4 and the SVI for vlan 4 again.

vlan 4
name <firewall interface>
!
interface Vlan4
ip address 172.18.151.3 255.255.255.248
no shutdown
 
Accepted Solution by: yawbe (LVL 3, earned 250 total points)
Let's come to the basics for the FW module. You have to make sure that you see it in the switch with "show module". Then, you have to initialize it. Make sure the IOS you are using for the switch is 12.1(13)E or higher and the IOS for the firewall module is 7.5(1) or higher. Also, how are you using the FW module? Routed or transparent mode? You need to configure inside and outside VLANs for routing. This is not different from any firewall. Let me know if you have these done already.

To initialize the firewall module, you have to assign an IP address, broadcast and gateway address to it.
E.g.
ip address X.X.X.X 255.255.255.X      --------------- IP address for the FW module
ip gateway X.X.X.X                    --------------- gateway for your network, router, etc.
ip broadcast X.X.X.X 255.255.255.X    --------------- broadcast for the IP subnet in use

Please do the above and post back if you need more info. The FW module is supposed to route.
 

Author Comment

by:B1izzard
Comment Utility
Question regarding the following in the FWSM basic setup guide.  I'm confused regarding the difference between the 'switch' and the 'MSFC'.  Step e makes sense, but step f makes me wonder as I was assuming that the switch and MSFC were one unit.  If I have console access to the switch and the FWSM to add VLANs, how would I 'assign them to the MSFC'?

e. If you do not add the VLANs to the switch before you assign them to the FWSM, the
VLANs are stored in the supervisor engine database and are sent to the FWSM as
soon as they are added to the switch.
f. Assign VLANs to the FWSM before you assign them to the MSFC.

Perhaps it's the MSFC that you assign VLANs to if the switch is configured for routing mode and if it's not then it's the switch you assign VLANs to in switching mode?
0
 
Expert Comment by: yawbe (LVL 3)
You should use slots 7 or 8 for the Supervisor Engine 720. Also see the link below to resolve your issue. The switch is the whole chassis; the firewall module is a single component inside the switch. If you have an MSFC, that is the Layer 3 module in the switch that does all the routing. In your case, the SUP 720 is your supervisor engine (MSFC). You will configure the VLANs on this card, but you have to assign the VLANs to the firewall module so that the FW card associates itself with these VLANs. See link below:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/switch.html
 

Author Closing Comment by: B1izzard
After spending a fair amount of time tweaking things, it is working now. It was mostly just getting my brain wrapped around the FW/Router/Switch integration. Everything is working well now, though I am not sure exactly what I did to resolve the problem, as I made many changes. Thanks for your help.
