VLAN not passing through

We are having problems configuring VLANs on our networking switches. Clients on VLAN 50 and VLAN 60 can ping between each other but cannot go out to the internet.  Clients directly on root switch receive a DHCP address from the firewall and can go out to the internet. The clients on the far switches are not receiving a DHCP address. The switches we are using are Brocade FastIrons. Any help is greatly appreciated. I will attach a network diagram. VLAN-Issues.pdf
RAFF- Asked:
penguinjas Commented:
Ok so looking at your MDF config.

Why is this destination 10.50.0.1?  In the visio file you added the switch IP at the edge is 10.50.0.2?
ip route 10.50.0.0 255.255.248.0 10.50.0.1 - why not 10.50.0.0 255.255.248.0 10.50.0.2?

Why are you sending everything else to 192.168.6.1?  
ip route 0.0.0.0 0.0.0.0 192.168.6.1  

Why is this here?
ip route 10.21.0.0 255.255.252.0 192.168.6.1

Why is this here?
ip route 10.50.0.0 255.255.248.0 192.168.6.1

Why is this here?
ip route 10.60.0.0 255.255.248.0 192.168.6.1

What is at 10.25.0.99 and why route 10.25.0.0 traffic to it?
ip route 10.25.0.0 255.255.252.0 10.25.0.99

Again why is this here?
ip route 0.0.0.0 0.0.0.0 10.25.0.99

Why is this here?
ip route 10.60.0.0 255.255.252.0 10.25.0.99

Why is this here?
ip route 10.50.0.0 255.255.252.0 10.25.0.99

This route is correct assuming your firewall IP is 10.25.0.1
ip route 0.0.0.0 0.0.0.0 10.25.0.1

From what I can see these routes would fix the MDF switch to edge switch assuming the edge switches are also layer 3 switches.  If they aren't then this is a combination routing vlan problem, not just routing.  If you can answer some of the other questions about the routes above and why they exist I could offer more.

ip route 10.60.0.0 255.255.255.252 10.60.0.2
ip route 10.50.0.0 255.255.255.252 10.50.0.2
ip route 0.0.0.0 0.0.0.0 10.25.0.1

Sorry for the delay in response, busy weekend.

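As an added illustration of the route audit penguinjas walks through above (example code, not part of the original thread): this script parses the quoted `ip route` lines from the MDF config and flags the three things that make that table misbehave. The connected subnets are an assumption taken from the /22 masks mentioned later in the thread, not from the attached config files.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the static routes penguinjas quotes from the MDF config.
MDF_ROUTES = """
ip route 10.50.0.0 255.255.248.0 10.50.0.1
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 10.21.0.0 255.255.252.0 192.168.6.1
ip route 10.50.0.0 255.255.248.0 192.168.6.1
ip route 10.60.0.0 255.255.248.0 192.168.6.1
ip route 10.25.0.0 255.255.252.0 10.25.0.99
ip route 0.0.0.0 0.0.0.0 10.25.0.99
ip route 10.60.0.0 255.255.252.0 10.25.0.99
ip route 10.50.0.0 255.255.252.0 10.25.0.99
ip route 0.0.0.0 0.0.0.0 10.25.0.1
"""

# Assumption: the core switch's own interface subnets (the /22s named in the thread).
CONNECTED = [ipaddress.ip_network(n) for n in ("10.25.0.0/22", "10.50.0.0/22", "10.60.0.0/22")]

def parse_routes(text):
    """Return [(destination_network, next_hop)] from 'ip route <net> <mask> <nh>' lines."""
    routes = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False),
                           ipaddress.ip_address(p[4])))
    return routes

def audit_routes(routes, connected):
    """Return the findings that explain why a static routing table misbehaves."""
    hops = defaultdict(set)
    for net, nh in routes:
        hops[net].add(nh)
    findings = {"multi_nexthop": [], "unreachable_nexthop": [], "shadowed": []}
    # Same prefix installed with several next hops: the switch load-shares or
    # picks one, so packets may go to a box that never returns them.
    for net, nhs in hops.items():
        if len(nhs) > 1:
            findings["multi_nexthop"].append((str(net), sorted(map(str, nhs))))
    # A next hop on no connected subnet can never be resolved to an interface.
    for net, nh in routes:
        if not any(nh in c for c in connected):
            findings["unreachable_nexthop"].append((str(net), str(nh)))
    # A more specific prefix with a different next hop silently overrides the
    # less specific one (longest-prefix match), e.g. 10.50.0.0/22 over /21.
    default = ipaddress.ip_network("0.0.0.0/0")
    for a in hops:
        for b in hops:
            if a != b and b != default and a.subnet_of(b) and hops[a] != hops[b]:
                findings["shadowed"].append((str(a), str(b)))
    return findings
```

Running `audit_routes(parse_routes(MDF_ROUTES), CONNECTED)` reports three default routes, two next hops for 10.50.0.0/21, four routes pointing at 192.168.6.1 which sits on no core subnet, and the /22 routes via 10.25.0.99 shadowing the /21 ones.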
sshah254 Commented:
Presuming that you have reset all the switches.

Can client B and C ping client A?  Can they ping the firewall 10.25.0.1?

If not, then the traffic is not going from VLANs to the firewall, and I would troubleshoot that.  Maybe removing the VLANs could help in troubleshooting.

If yes, then you have a weird problem.  I would remove the VLANs and see if the plain switches allow traffic to get to the firewall.

SS
willie959 Commented:
Client B and C can ping each gateway on the core switch but not the firewall. Client C is an untagged port on the core switch, so it's not going to be able to ping any other client. The core switch (console) can ping the firewall and the internet. Clients untagged in the same VLAN as the port that is connected to the firewall are able to go online okay; that's the same as removing the VLANs. Removing the VLANs probably would fix the issue, but it's not an option. Inter-VLAN routing is okay. Port to firewall is set as Dual (Native VLAN), default network is set as 0.0.0.0 0.0.0.0 10.25.0.1/22.
RootsMan Commented:
Can you ping clients B and C from the firewall?
Can you do a tracert to the firewall from clients B and C to see how far they get?
adrianuta2004 Commented:
Is the link between the firewall and the main switch in trunk mode? Are VLANs 50 and 60 allowed on that trunk?
penguinjas Commented:
What device is doing the routing on your network?  Is it a layer 3 switch or is the firewall expected to route traffic and are you using static routes?

If your core switch is a layer 3 switch and does routing I'm assuming you have a default route like 0.0.0.0 0.0.0.0 10.25.0.1 configured.

Look into the core switch settings under VLANs 50 and 60 and verify you have a DHCP helper address configured to allow the DHCP traffic from the firewall to reach the VLANs.  If you want to post the model of the core switch I could help you find the commands necessary.

On the firewall you would need a static route for VLAN 50 and 60, basically something like 10.50.0.0/22 GW: (Core IP Address) and 10.60.0.0/22 GW: (Core IP Address).

Again this is assuming your core is handling routing.
willie959 Commented:
Link between firewall and main switch is tagged (which is the same as a Cisco trunk). 50 and 60 allowed.

Yes, core switch is layer 3 and does the routing. There are static routes. Yes a default route is defined 0.0.0.0 0.0.0.0 10.25.0.1.

No DHCP helper address needed. The switch is the DHCP server for each network, 50 and 60. DHCP works. When you connect to an access point or a device on an access layer switch (or anywhere), you get the correct DHCP address from that network.  The client can ping other networks and other clients on that network, but not the default g/w (10.25.0.1) or beyond (internet).

I'm going to check the routing on the firewall and get back. (Cisco ASA 5505).
penguinjas Commented:
I have a similar setup. Create static routes on the ASA.


static-route-asa.pdf
RAFF- Author Commented:
We have created static routes on the ASA and still can't get it to work. Attached are our config files for the ASA and L3 switch. ASA.txt MDF-L3-Switch.txt IDF.txt
penguinjas Commented:
With the addition of the routes at the firewall are you now able to ping from clients B or C to the firewall?

I don't understand this "Link between firewall and main switch is tagged (which is the same as a Cisco trunk). 50 and 60 allowed."  Since your core switch does routing, trunking multiple vlans to the firewall is unnecessary.  The core will forward the traffic to the firewall regardless since there is a route configured and with the return route in the firewall responses are returned to the core.

Also, I didn't see a NAT for traffic on the 10.50 or 10.60 networks in your firewall config.  
RAFF- Author Commented:
penguinjas, I've added a static NAT for both 10.50.0.1 and 10.60.0.1 to the Inside interface. This is where we are at right now. Users with a 10.25.0.x address from the firewall are able to go out to the internet and ping clients on both 10.50.0.x and 10.60.0.x. Clients on 10.50.0.x and 10.60.0.x can ping each other but cannot ping anything else nor go out to the internet. If I do a trace route from the switch to yahoo.com, it goes out successfully. Any ideas?
RAFF- Author Commented:
We have figured out our problem. The switch was used in a previous production environment and placed in this test lab with the configuration inherited. Once the switch was reloaded and reconfigured, we got the switch to do what we need it to do. We also found that the ASA5505 was not licensed for VLAN trunking and replaced it with a Juniper firewall. Thanks for all the help.
Question has a verified solution.