Solved

Cisco Catalyst blocks traffic

Posted on 2013-05-25
33
596 Views
Last Modified: 2013-06-01
I have a Cisco 2960, IOS 15.0(2)SE2, between the fiber switch of the ISP and the Sonicwall firewall of the ISP. This works fine. I have connected a PC with Windows XP to the switch, and a Juniper SRX-240 cluster (for redundancy), to replace the Sonicwall. All devices have an external address in the subnet, exept the 2960, and are in the same vlan on the 2960. From the PC and the new SRX-240 cluster, I can't reach any of the other devices: arp requests are send, but the replies are blocked by the 2960. When I run Wireshark on the PC, I can see traffic from the SRX-240s and the 2960, but not from the fiber switch or the Sonicwall (I suspect they do send broadcasts). The ISP says that he sees on the Sonicwall broadcasts from the SRX-240s or the PC and the that replies are send. But they are blocked too on the 2960.
What can be the cause of this?

- Jac
0
Comment
Question by:JacBackus
  • 17
  • 15
33 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39196510
Please post a diagram showing the devices along with the config of the 2960.
0
 

Author Comment

by:JacBackus
ID: 39197572
Connected:

vlan1
interface GigabitEthernet0/1      FX switch ISP
interface GigabitEthernet0/2      Sonicwall ISP
interface GigabitEthernet0/3      SRX-240 cluster
interface GigabitEthernet0/4      SRX-240 cluster (active)
interface GigabitEthernet0/5  PC
vlan10
interface GigabitEthernet0/24 LAN (for management)

The Juniper SRX-240s are connected through a reth port with 2 physical ports, from each device one. the mac address list from the 2960 shows only a mac address for port GigabitEthernet0/4.

------------------ show running-config ------------------


Building configuration...

Current configuration : 3559 bytes
!
! Last configuration change at 23:35:41 CEST Fri May 24 2013
! NVRAM config last updated at 23:35:41 CEST Fri May 24 2013
!
version 15.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dv-wan-sw
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
username admin secret 5 <removed>
no aaa new-model
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
system mtu routing 1500
vtp domain dv-wan-sw
vtp mode transparent
!
!
!
!
crypto pki trustpoint TP-self-signed-204226432
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-204226432
 revocation-check none
 rsakeypair TP-self-signed-204226432
!
!
crypto pki certificate chain TP-self-signed-204226432
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303432 32363433 32301E17 0D393330 33303130 30303132
  355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3230 34323236
  34333230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  D1ACA4EC 1FC727F7 5F9C5B7B C3183BD9 C77B4BC2 586DCF0D AACE0D86 C9D13408
  0120C797 97BAD564 CB80BC06 E1C95EEE F79C4287 086B3C9C C4894B7D 58D0E9F7
  7679763E EA8D8DE0 33A110D5 4B773022 72BC09B8 1B874232 CEA1D718 FAC64402
  445E3AA6 F88C8EF2 53EB6A4F AF3BB28B A10CF48D 2D65E367 D32DBDE7 E06A98A9
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 168014A6 7FE75C5E 4FA08B77 0CA5CF1C CD7795E9 B6046D30 1D060355
  1D0E0416 0414A67F E75C5E4F A08B770C A5CF1CCD 7795E9B6 046D300D 06092A86
  4886F70D 01010505 00038181 00826B05 3D17BC57 7F00C233 365B4035 96E7808C
  4EC9FB9D FD577AC2 8132E47D 5C006E39 BCE577DF FFD4AD1C 0807E26D 1F2A3F41
  82D7867D 9DA14167 5673069D AAD2C391 505D098D BC4CEDB5 5FE71705 71B9FBE3
  98AE9558 D5A7C601 7769B79B 60D73C6A 2D1F82D8 50F19488 B8B483B2 C5E695DF
  03B23FA0 A214F672 1579813B FB
        quit
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
!
vlan internal allocation policy ascending
!
vlan 10
 name Management
!
!
!
!
!
!
interface GigabitEthernet0/1
 duplex full
!
interface GigabitEthernet0/2
 duplex full
!
interface GigabitEthernet0/3
 speed 100
 duplex full
!
interface GigabitEthernet0/4
 speed 100
 duplex full
!
interface GigabitEthernet0/5
 speed 100
 duplex full
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
 switchport access vlan 10
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address 10.253.100.250 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.253.100.254
ip http server
ip http secure-server
snmp-server community <removed> RO
!
!
line con 0
line vty 0 4
 password <removed>
 login
line vty 5 15
 password <removed>
 login
!
ntp server 46.19.35.136
end

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39197607
Based on the config you posted, the switch is not "blocking" anything. There are no ACLs, port security, etc. configured on the switch. All ports in question are on the same VLAN.

Please post the output of a "show int status".

When I run Wireshark on the PC, I can see traffic from the SRX-240s and the 2960
Based on your posted config, the management of the switch is in VLAN 10 and the PC is in VLAN1 so there's no way that you could see traffic "from the 2960"

Please post the output of a "show vlan brief".

From the PC and the new SRX-240 cluster, I can't reach any of the other devices:
Can these two devices communication with each other?

The ISP says that he sees on the Sonicwall broadcasts from the SRX-240s or the PC and the that replies are send. But they are blocked too on the 2960.
How is the ISP able to determine the replies are "blocked" by the 2960???
0
 

Author Comment

by:JacBackus
ID: 39197632
dv-wan-sw#sh interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        connected    1            full  a-100 10/100/1000BaseTX
Gi0/2                        connected    1            full  a-100 10/100/1000BaseTX
Gi0/3                        connected    1            full    100 10/100/1000BaseTX
Gi0/4                        connected    1            full    100 10/100/1000BaseTX
Gi0/5                        connected    1            full    100 10/100/1000BaseTX
Gi0/6                        notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/7                        notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/8                        notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/9                        notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/10                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/11                       notconnect   1            auto   auto 10/100/1000BaseTX

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/12                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/13                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/14                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/15                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/16                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/17                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/18                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/19                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/20                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/21                       notconnect   1            auto   auto Not Present
Gi0/22                       notconnect   1            auto   auto Not Present
Gi0/23                       notconnect   1            auto   auto Not Present
Gi0/24                       connected    10         a-full a-1000 10/100/1000BaseTX
dv-wan-sw#



dv-wan-sw#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23
10   Management                       active    Gi0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Wireshark is on the PC on interface GigabitEthernet0/5 of the 2960.

I use "blocked" because I lack a better way of describing this. When I ping the Sonicwall firewall from the PC (Gi0/2) from the PC (Gi0/5), the ISP says the ARP broadcast for determinining the mac address of the Sonicwall reaches the Sonicwall and the Sonicwall sends a reply. But I don't see that the reply reaches the PC and it keeps send arp requests. The same happens when I try this from the Juniper firewall.
Both the PC (with Wireshark) and the Juniper (with tcpdump, it is FreeBSD based) don't see any traffic from the FX switch and the Sonicwall firewall from the ISP. The connection between the FX switch and the Sonicwall works fine. The problem is, that I don't have access to both the FX switch or the firewall. And the connection is operational  on a 24/7 basis, I can't try something which interrupts the ISP connection.
It is a complete mystery to me why this happens....

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39197648
There's simply nothing in the switch that will block (or restrict) traffic between ports as it is currently configured.

What is the status of communications between the following?

FX switch ISP - Sonicwall ISP  = Success
FX switch ISP - SRX-240 cluster = ?
FX switch ISP - SRX-240 cluster (active) = ?
FX switch ISP - GigabitEthernet0/5  PC  = failure
Sonicwall ISP - SRX-240 cluster = ?
Sonicwall ISP - SRX-240 cluster (active) = ?
Sonicwall ISP - GigabitEthernet0/5  PC  = failure
SRX-240 cluster - SRX-240 cluster (active) = ?
SRX-240 cluster - GigabitEthernet0/5  PC  = ?
SRX-240 cluster (active) - GigabitEthernet0/5  PC  = ?
0
 

Author Comment

by:JacBackus
ID: 39197663
FX switch ISP - Sonicwall ISP  = Success
FX switch ISP - SRX-240 cluster = See (1)
FX switch ISP - SRX-240 cluster (active) = failure
FX switch ISP - GigabitEthernet0/5  PC  = failure
Sonicwall ISP - SRX-240 cluster = See (1)
Sonicwall ISP - SRX-240 cluster (active) = failure
Sonicwall ISP - GigabitEthernet0/5  PC  = failure
SRX-240 cluster - SRX-240 cluster (active) = See (1)
SRX-240 cluster - GigabitEthernet0/5  PC  = See (1)
SRX-240 cluster (active) - GigabitEthernet0/5  PC  = Success

(1) the other port  is not active. All traffic goes through the active port.
Juniper description:
Link aggregation groups (LAGs) can be established across nodes in a chassis cluster. Link aggregation allows a redundant Ethernet interface (known as a reth interface in CLI commands) to add multiple child interfaces from both nodes and thereby create a redundant Ethernet interface LAG.
Instead of one active/standby link, you can configure up to 8 links per node. Having multiple active redundant Ethernet interface links reduces the possibility of failover. For example, when an active link is out of service, all traffic on this link is distributed to other active redundant Ethernet interface links, instead of triggering a redundant Ethernet active/standby failover.
See: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-interfaces/understand-cc-reth-interface-lags-section.html

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39197666
What does "See (1)" mean?
0
 

Author Comment

by:JacBackus
ID: 39197668
(1) the other port  is not active. All traffic goes through the active port.
Juniper description:
Link aggregation groups (LAGs) can be established across nodes in a chassis cluster. Link aggregation allows a redundant Ethernet interface (known as a reth interface in CLI commands) to add multiple child interfaces from both nodes and thereby create a redundant Ethernet interface LAG.
Instead of one active/standby link, you can configure up to 8 links per node. Having multiple active redundant Ethernet interface links reduces the possibility of failover. For example, when an active link is out of service, all traffic on this link is distributed to other active redundant Ethernet interface links, instead of triggering a redundant Ethernet active/standby failover.
See: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-interfaces/understand-cc-reth-interface-lags-section.html

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39197671
Oh.  So the SRX-240 that's not "active" is a failover device? Meaning it's not communicating unless the active device fails?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39197677
The only consistency issue I see (I'm not saying this is the issue) is that ports 1 and 2 are auto-negotiating the speed. Ports 3-5 are fixed at 100mpb/s. Although if that were the problem, the ports wouldn't be showing as up.

I still don't see the problem being caused by the switch though.

You could connect another PC (running wireshark) and SPAN the port from the Sonicwall to the wireshark PC. Then ping from the existing PC to the sonicwall to verify that the ARP and ARP response are occurring at the sonicwall.

Another possibility is that the fiber switch and sonicwall are set to 802.3 or SNAP frames where the PC and 240's are running Version II framing.
0
 

Author Comment

by:JacBackus
ID: 39197678
Yes. Although the link of the passive port is connected, it has no mac address.

Some tcpdump capture from the SRX-240:
21:13:27.980205  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:27.986462  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:28.752295  In 00:11:11:11:3f:84 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui,lags [Command], length 46
21:13:28.752316  In 00:11:11:11:3f:84 > 01:00:0c:00:00:00 SNAP Unnumbered, ui,lags [Command], length 60
21:13:30.037468  In 00:11:11:11:3f:83 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui,lags [Command], length 46
21:13:30.037562  In 00:11:11:11:3f:83 > 01:00:0c:00:00:00 SNAP Unnumbered, ui,lags [Command], length 60
21:13:33.480298  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:33.488572  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:36.212492 Out arp who-has 1.2.3.33 tell 1.2.3.41
21:13:38.980462  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:38.980725  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:44.480525  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:44.483024  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:49.716105 Out arp who-has 1.2.3.33 tell 1.2.3.41
21:13:49.980636  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:49.985203  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:55.480841  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:55.487292  In arp who-has 1.2.3.33 tell 1.2.3.44
21:13:58.762462  In 00:11:11:11:3f:84 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui,lags [Command], length 46
21:13:58.762485  In 00:11:11:11:3f:84 > 01:00:0c:00:00:00 SNAP Unnumbered, ui,lags [Command], length 60
21:14:00.042867  In 00:11:11:11:3f:83 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui,lags [Command], length 46
21:14:00.042948  In 00:11:11:11:3f:83 > 01:00:0c:00:00:00 SNAP Unnumbered, ui,lags [Command], length 60
21:14:00.981110  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:00.989580  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:06.480954  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:06.481592  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:07.754320 Out arp who-has 1.2.3.33 tell 1.2.3.41
21:14:11.981063  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:11.983835  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:17.481179  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:17.485807  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:22.981838  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:22.988127  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:26.397115 Out arp who-has 1.2.3.33 tell 1.2.3.41
21:14:28.481395  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:28.490195  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:28.762273  In 00:11:11:11:3f:84 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui,lags [Command], length 46
21:14:28.762295  In 00:11:11:11:3f:84 > 01:00:0c:00:00:00 SNAP Unnumbered, ui,lags [Command], length 60
21:14:30.049290  In 00:11:11:11:3f:83 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui,lags [Command], length 46
21:14:30.049375  In 00:11:11:11:3f:83 > 01:00:0c:00:00:00 SNAP Unnumbered, ui,lags [Command], length 60
21:14:33.981498  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:33.982041  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:39.481690  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:39.484003  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:41.411958 Out arp who-has 1.2.3.33 tell 1.2.3.41
21:14:44.981796  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:44.986399  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:50.481781  In arp who-has 1.2.3.33 tell 1.2.3.44
21:14:50.488523  In arp who-has 1.2.3.33 tell 1.2.3.44
^C

I am pinging from the PC (.44) to the FX switch (.33). .41 is the SRX-240 cluster. (Real addresses replaced, of course). You see, there is no traffic at all from the Sonicwall or the FX switch.

- Jac
0
 

Author Comment

by:JacBackus
ID: 39197687
You could connect another PC (running wireshark) and SPAN the port from the Sonicwall to the wireshark PC. Then ping from the existing PC to the sonicwall to verify that the ARP and ARP response are occurring at the sonicwall.
Would configuring SPAN interrupt traffic on the Sonicwall port?
Another possibility is that the fiber switch and sonicwall are set to 802.3 or SNAP frames where the PC and 240's are running Version II framing.
How could this be checked?

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39197721
Would configuring SPAN interrupt traffic on the Sonicwall port?
No
How could this be checked?
You could look at the confuguration of the Fiber switch or Sonicwall. Also, the SPANning the traffic to an analyzer would show this as you would see the native frames the Sonicwall is sending.

Another possibilitiy would be to assign an IP address to the VLAN1 interface of the  switch and see if you could communicate with the PC, 240, fiber switch and sonicwall.
0
 

Author Comment

by:JacBackus
ID: 39197807
Thanks, Donjohnston!
SNAP shows all the traffic. And it is all Ethernet II frames.
Wireshark filtering on .41 (SRX-240) or .44 (PC) only shows arp request for .33 (FX switch) from the SRX-240, but no replies, and some NB name queries from the PC (being Windows XP).

Could it be that the Sonicwall replies to all addresses (except .33, of course)? But there is also no reply from .33, the FX switch (although it can be pinged from the lan and the internet).

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39197888
Since you're seeing the ARP requests and name queries from the PC, that verifies that the traffic is getting to the SPANned port from the SRX-240 and the PC.

Could it be that the Sonicwall replies to all addresses (except .33, of course)?
Possible. But I don't know why it would respond to an ARP request for another local host.

But there is also no reply from .33, the FX switch (although it can be pinged from the lan and the internet).
Are you saying the Fiber Switch is ARPing the Sonicwall?  And what "can be pinged from the LAN and the internet"?
0
 

Author Comment

by:JacBackus
ID: 39197913
I mean: the fiber switch does also not reply to arp requests, although the address, .33, will certainly not be used on the Sonicwall. I got a list from ISP with the addresses used on the Sonicwall and the addresses I use, .41 and .44, are not used on the Sonicwall according to them.
The SRX-240 sends arp requests to the fiber switch, because I configured it as default gwateway on the SRX-240.

Could it be, that the list with addresses I got is not correct and this happens because .41 and .44 are used on the Sonicwall? I think I can see this, if I give vlan1 on the 2960 an address?

- Jac
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 50

Expert Comment

by:Don Johnston
ID: 39197918
the fiber switch does also not reply to arp requests, although the address, .33, will certainly not be used on the Sonicwall.
Are you able to generate traffic (a ping) from the Sonicwall to the .33 address?

The Sonicwall is your firewall, correct? If so, I'm assuming it's running in transparent mode. Is there only the one connection from the Sonicwall?

Are these addresses (.33, .41, and .44) the actual last octet of the IP addresses? If so, what is the mask?
0
 

Author Comment

by:JacBackus
ID: 39197951
No, not from the Sonicwall, because I have no access. But I can do it from the lan. Strangely enough, when I SPAN to the fiber switch (.33), I should see icmp traffic, I suppose. But I don't see it.

The Sonicwall is the current firewall. One of the reasons we should like to replace it with the SRX-240 cluster, is because we have no control over it. It is not in transparent mode, because it does NAT, lan routing en is endpoint for VPNs.

Yes, they are the real addresses. The mask is 255.255.255.240 (/28).

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39198015
If the Sonicwall is doing NAT, then it would have two interfaces (outside and inside). Yet it only appears to have one interface.
0
 

Author Comment

by:JacBackus
ID: 39198039
I have kept this out of the description. The Sonicwall has 3 inside lans, on different interfaces. Traffic between these lans and traffic from and to the internet is routed by the Sonicwall. Traffic from the outside is NATted.
Does this make a difference?

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39198046
Sigh...  Yes. It makes a HUGE difference.

This is why a topology diagram was requested in the very first response. It never occurred to me that I needed to specify a COMPLETE topology diagram.

If you're not going to provide the information that was asked for, I suggest you request this question be deleted. Because I'm not going to try a troubleshoot a problem if I can't get the basic information needed to help you with it.
0
 

Author Comment

by:JacBackus
ID: 39198054
I am sorry! Never meant to give incomplete information.
It is is not easy to get a real diagram of the situation I have in a text windows like this.
And my intention was to let the switch only do store and forward. It should be a layer 2 switch with only access ports.
I shall make a diagram.

- Jac
0
 

Author Comment

by:JacBackus
ID: 39198158
                                               +----------+
                                               |   1      |
                             +---------------->|          <------------------+
                             |                 +----^-----+                  |
                             |                      |                     ^  |  ^
                             |                      |                     |  |  |
                        +----+-----+           +----+-----+            +--+--+--+-+
                        |     8    |           |     9    |            |          |
                        |          |           |          |            |     2    |
                        +----^-----+           +----^-----+            +-------<+-+
                             |                      |                           |
                             |                      |                           |
                        +----+-----+           +----+-----+                     |
                        |     6    |           |     7    |                     |
                        |          |           |          |                     |
                        +------^---+           +--------^-+                     |
                               |                        |                       |
                               |                        |                       |
                               +---------------------+  |                       |
                                                +----+--+--+                    |
                                                |     3    |                    |
                                        +------->          +--------------------+
                                        |       +----^-----+
                                        |            |
                                        |            |
                                        |       +----+-----+
                             +----+-----|       |    4     |
                             |     5    +       |          |
                             |          |       +----------+
                             +----------+
							 
							 
1 Lan layer 2 switch  for 10.253.100.0/24 net
2 Sonicwall firewall, connected to 10.253.100.0/24 subnet and two other subnets, has address 1.2.3.34 in wan
3 Cisco 2960 switch in wan subnet, no ip adress in wan, is also connected through vlan10 to 1 (for management, not drawn in)
4 fiber switch, has address 1.2.3.33 
5 PC, has 1.2.3.44 in wan. Is also connected with other nic to 1 (not drawn in). Is not configured as a router.
6 SRX-240-1 has a virtual interface reth1 together with SRX-240-2 with address 1.2.3.41 on the wan side.
7 SRX-240-2
8 EX-3300-1 connect through subnet to 6, 
9 EX-3300-2 connect through subnet to 8

Open in new window

0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39198191
From the PC (which supposedly has a public IP address), can you ping any internet address (8.8.8.8)?
From the active SRX-240, can you can any internet address?
0
 

Author Comment

by:JacBackus
ID: 39198710
I can't reach anything on the internet with both.
Was my drawing helpful?
I forgot to mention that the SRX-240s also does NAT. The network between the SRX-240 and the EX-3300 is also a private net (192.168.211.0/24)

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39199109
Is the fiber switch a true layer-2 switch, or is it actually a router? If it's a layer-2 switch, then you'll need the IP address of the ISP PE router to act as the gateway. Without that, there's no way to reach the internet.

It's my guess that the "fiber switch" is actually routing and that the .33 address would be your default gateway.

Which means that the PC would need to use that as it's default-gateway to access the internet.

If you make that change and the PC still can't get to the internet, then I would SPAN the 2960 port 0/1 and use wireshark to see if the fiber switch is responded to the ARP request.  If it's not then I think it's a certainty that the fiber switch it not responding to "unknown" devices.
0
 

Author Comment

by:JacBackus
ID: 39199800
That is a good question. I don't how both the fiber switch and the Sonicwall are connected. And the provider does not tell a lot until now.

But ' mac address-table dynamic' on the 2960 gives 4 addresses for vlan1. This should be alright, then it should be: there are the fiber switch, Sonicwall, active SRX-240 and PC. I checked the mac addresses for vendors and those of the PC and the SRX-240 are alright. But those who had to be from the fiber switch and the Sonicwall, because of the ports, are Cisco mac addresses.

I have have SPANned port 0/1 and it does not respond to ARP requests.

- Jac
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 500 total points
ID: 39199808
Then that pretty much expains it. The ARP requests are making it to the fiber switch and it's not responding.  Which means that the fiber switch (and probably even the Sonicwall) are configured not to respond to anything but each other.

I think it's time to escalate this with your provider.
0
 

Author Comment

by:JacBackus
ID: 39199813
Yes, I think you are right.
They have done this on a mac address basis, you think?

- Jac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39199823
Sounds like it. Cable internet providers used to do this type of thing all the time.
0
 

Author Comment

by:JacBackus
ID: 39199832
I wil try to get some answers tomorrow.
I will keep you posted.

- Jac
0
 

Accepted Solution

by:
JacBackus earned 0 total points
ID: 39207220
Hi Donjohnston,
It is solved, but not in the way we expected. The setup is on a remote location and there is someone, who does IT management. It appears, there is a Cisco router between the LightningEdge fiber switch and the Sonicwall firewall. And the IT person did not know this. I have for the setup to rely on the information I get from the site. The 2960 is connected on the wrong side of the router (the fiber switch side, instead of the Sonicwall side). And this explains the problem: there is a different subnet between the fiber switch and the Cisco router. The ISP only told me this after several previous conversations, in which I discribed what was done at the location. They never mention the router until yesterday! This explains the Cisco mac address on the switch too. So this is solved, and I should like to reward the points to you for your help. Thanks a lot!

- Jac
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

I see many questions here on Experts Exchange regarding switch port configurations and trunks. This article is meant for beginners in the subject to help to get basic knowledge about Virtual Local Area Network (VLAN (http://en.wikipedia.org/wiki/Vir…
This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now