Solved

Calling Cisco experts - Need help with Cisco 3750 Routers

Posted on 2014-01-23
Last Modified: 2014-02-13
Hello,

There are two firewall (hardware) appliances, configured as High Availability (HA) in active/passive mode.

In the current configuration, all routing is handled by the firewall appliances.

The idea is to move the routing to two Cisco 3750 (layer three) switches. Two Cisco switches have been selected, as another point of failure is being introduced. This way there can be redundancy with the two Cisco switches; if the main Cisco switch fails, the second Cisco switch is available and will still allow network traffic to be routed / transmitted as it should.

I have had a "Cisco" expert come in and propose a solution using the Cisco switches.

He proposed "stacking" the Cisco switches (master / member). In his proposal, each firewall will have two cables connected to the Cisco switches: 1 connection to the master (firewall port 3), 1 connection to the member (firewall port 4).

Because the firewalls are configured for HA, the configuration of each unit is a mirror of the other (i.e. identical). That means that each firewall is pointing to the same gateway addresses (for routing), although the routes in the secondary firewall are not active while the primary firewall is functioning.

Will this configuration work? Is "stacking" the Cisco switches the right way to go?

Any information / suggestion would be greatly appreciated.

Thanks in advance.

Mark
Question by:mbudman
31 Comments
 
LVL 17

Expert Comment

by:James H
ID: 39804557
Switch stacking is the way to go. You can duplicate the port settings on each member of the stack and have port redundancy to match your firewalls.
 
LVL 17

Expert Comment

by:James H
ID: 39804569
To add, you can lose one member of your stack and still maintain network access. Switch stacking has been around for a while and does work quite well when setup properly. Depending on your switch type, you can even stack power for greater redundancy in case of power supply failure. I have a stack of 8 3750x's stacked for switch and power.
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39804601
Yes. That is the way to do it. With the 2 switches in the stack, they look like one big switch. The failover will occur almost instantly on an outage.
 
LVL 1

Author Comment

by:mbudman
ID: 39804701
Okay - let me bring this one step further.

The consultant completed the implementation.

He stacked the two Cisco 3750 switches.

He configured it as pasted at the end of this post.

He defined port 23 and 24 on the master as 192.168.100.1; 192.168.100.129
He defined port 23 and 24 on the slave as 192.168.101.1; 192.168.100.129

Primary firewall:
Port 3: IP address 192.168.100.2; gateway 192.168.100.1
Port 4: IP address 192.168.101.2; gateway 192.168.101.1

Management ip address: 192.168.100.253 and 192.168.101.253


Secondary firewall:
Port 3: IP address 192.168.100.2; gateway 192.168.100.1
Port 4: IP address 192.168.101.2; gateway 192.168.101.1

Management ip address: 192.168.100.254 and 192.168.101.254

The secondary routes are not active; however the management ip's are active and are unique for each firewall appliance.

There is no communication between the firewall appliances on any data that routes through the two Cisco switches.

For instance, if I am connected to the primary firewall appliance, I should be able to reach the management IP address of the secondary firewall. I am unable to do so.

Prior to implementing the Cisco switches, I was able to communicate with the management ports that were routed through the private network switches.

Can someone help point me in the right direction to resolve this problem? I believe the issue to be related to the Cisco switch configuration and not the firewall.

In the current configuration, if I connect port 24 on the master Cisco switch to port 3 on the secondary firewall, there is no network traffic passed through the Cisco stack. If I unplug it, traffic passes through to the internet and between private networks through the Cisco stack.

Help!!!!!!!!!

Any advice would be greatly appreciated.

---------------------------------------------------------------------------------------

Cisco stack configuration: (I have removed "unnecessary" lines from the config that are not required for resolving the problem)
*******************************************************
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
!
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface GigabitEthernet1/0/1
 description Switch_Dev
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description Switch_Admin
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description Switch_EsignLive
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
 description Switch_Firewall_1
 no switchport
 ip address 192.168.100.1 255.255.255.128
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/24
 description Switch_Firewall_2
 no switchport
 ip address 192.168.100.129 255.255.255.128
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface GigabitEthernet2/0/1
 description Switch_Dev_1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet2/0/2
 description Switch_Admin_1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet2/0/3
 description Switch_EsignLive_1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet2/0/4
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
 description Switch_Firewall_1
 no switchport
 ip address 192.168.101.1 255.255.255.128
!
interface GigabitEthernet2/0/24
 description Switch_Firewall_2
 no switchport
 ip address 192.168.101.129 255.255.255.128
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.7.254 255.255.248.0
!
interface Vlan20
 ip address 10.0.15.254 255.255.248.0
!
interface Vlan30
 ip address 10.0.23.254 255.255.248.0
!
interface Vlan100
 ip address 192.168.0.100 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.2
ip route 0.0.0.0 0.0.0.0 192.168.101.2 150
ip http server
ip http secure-server
!
!
!
!
end

********************************************************************
 
LVL 12

Expert Comment

by:Infamus
ID: 39804778
First of all, is this a typo?

He defined port 23 and 24 on the slave as 192.168.101.1; 192.168.100.129


Port 24 on the slave should be 192.168.101.129
 
LVL 1

Author Comment

by:mbudman
ID: 39804791
sorry - typo; The slave is 192.168.101.129 and not 192.168.100.129
 
LVL 12

Expert Comment

by:Infamus
ID: 39804804
deleted the comment...

I'm trying to figure out your set up...hold on...
 
LVL 12

Expert Comment

by:Infamus
ID: 39804848
Can you describe how your firewall is connected to which ports on the switch?

Also, where are the firewall management ports connected to?
 
LVL 1

Author Comment

by:mbudman
ID: 39804857
Just an FYI - I  was not the person who wired and put together this configuration. I am just trying to clean up and find a solution to the horrible (and mismanaged) problem that I am now facing.

The firewall is also in HA mode (Active / Passive) with the secondary firewall in passive mode.

Port 23 on the master firewall is connected to port 23 on the master switch;

Why do you say port 3 on the slave firewall should connect to port 23 on the slave switch?

The ip addresses between slave firewall port 3 and slave cisco switch are not  configured as the same subnet
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39804866
So here is the deal.. Since the ASAs are active/standby  - then port 3 on each ASA needs to be on the same vlan.  So the switch ports should not be layer 3, they should be layer 2 in a vlan.  Port 3 on ASA #1 needs to be able to communicate with Port 3 on ASA #2.  Likewise for all of the other ports.  So they will need to be connected to a layer 2 vlan for this to work.
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39804870
Also... my preference... I never use the management port on an ASA. It's too much of a pain in the butt and I see no value in it. I always manage the ASA with the inside interface. Just my preference.
 
LVL 1

Author Comment

by:mbudman
ID: 39804872
The firewall management ports match the same port for which the subnet is defined for the routing:

For instance, firewall port 3 (master) uses subnet 192.168.100 / 24, therefore the management ip address is this port (192.168.100.253);

Same thing for firewall port 4 (master):

Firewall port 4 (master) uses subnet 192.168.101 / 24, therefore the management ip address is this port (192.168.101.253);
 
LVL 1

Author Comment

by:mbudman
ID: 39804875
Please excuse this question, but what does ASA stand for?
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39804884
Adaptive Security Appliance
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39804888
Its Cisco's name for their firewall
 
LVL 12

Expert Comment

by:Infamus
ID: 39804897
Yeah that's why I deleted the comment because I misunderstood.

Just to clear up, can you provide the following information?

Master Firewall port 3 ----------------------> which port on the switch?
Master Firewall port 4----------------------> which port on the switch?
Master Firewall mgmt ---------------------->which port on the switch?

Same goes for the slave firewall.
 
LVL 12

Expert Comment

by:Infamus
ID: 39804910
I do agree with Ken; they shouldn't configure it as a layer 3 routed port.

It will be much easier to create a VLAN and let the switch do the routing.
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39804913
Let me re-iterate this so it wasn't missed:

So here is the deal.. Since the ASAs are active/standby  - then port 3 on each ASA needs to be on the same vlan.  So the switch ports should not be layer 3, they should be layer 2 in a vlan.  Port 3 on ASA #1 needs to be able to communicate with Port 3 on ASA #2.  Likewise for all of the other ports.  So they will need to be connected to a layer 2 vlan for this to work.
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39804917
Sorry infamous... I posted at the same time... ;)
 
LVL 12

Expert Comment

by:Infamus
ID: 39804932
Happens to me too all the time :)
 
LVL 12

Expert Comment

by:Infamus
ID: 39804957
Also, this is confusing.....

The gateway for the firewall is the interface of the switch???

Primary firewall:
Port 3: IP address 192.168.100.2; gateway 192.168.100.1
Port 4: IP address 192.168.101.2; gateway 192.168.101.1

Management ip address: 192.168.100.253 and 192.168.101.253


Secondary firewall:
Port 3: IP address 192.168.100.2; gateway 192.168.100.1
Port 4: IP address 192.168.101.2; gateway 192.168.101.1
 
LVL 1

Author Comment

by:mbudman
ID: 39804988
Master Firewall port 3 ----------------------> Master Cisco switch port 23
Master Firewall port 4----------------------> Slave Cisco switch port 23

2 management ip's defined:

Master Firewall mgmt ---------------------->192.168.100.253 (port 3 Master firewall)
Master Firewall mgmt ---------------------->192.168.101.253 (port 4 Master firewall)


Slave Firewall port 3 ----------------------> Master Cisco switch port 24
Slave Firewall port 4----------------------> Slave Cisco switch port 24
Slave Firewall mgmt ---------------------->192.168.100.254 (port 3 Master firewall)

2 management ip's defined:

Slave Firewall mgmt ---------------------->192.168.100.254 (port 3 slave firewall)
slave Firewall mgmt ---------------------->192.168.101.254 (port 4 slave firewall)
 
LVL 12

Expert Comment

by:Infamus
ID: 39805110
Ok, let's back up a little and look at the configuration for now.

Master Firewall port 3 ----------------------> Master Cisco switch port 23
192.168.100.2                                            192.168.100.1
Master Firewall port 4----------------------> Slave Cisco switch port 23
192.168.101.2                                            192.168.101.1

Slave Firewall port 3 ----------------------> Master Cisco switch port 24
192.168.100.2                                           192.168.100.129
Slave Firewall port 4----------------------> Slave Cisco switch port 24
192.168.101.2                                           192.168.101.129

And the routing is..
ip route 0.0.0.0 0.0.0.0 192.168.100.2
ip route 0.0.0.0 0.0.0.0 192.168.101.2 150

So if port 3 on the firewall fails, then it will route to port 4 of the firewall?

Since the firewalls are redundant and have the same virtual IP of 192.168.100.2, the default route should only be 0.0.0.0 0.0.0.0 192.168.100.2, assuming port 3 is the LAN interface of the firewall. Also, is port 4 the "heartbeat" between the firewalls?

And the last question is: the management IP is configured on port 3 and port 4 on the firewall? Which means port 3 and port 4 have two IPs configured on each port?

What are port 3 and port 4 of the firewall?
 
LVL 12

Accepted Solution

by:
Infamus earned 500 total points
ID: 39805134
I would just create two vlans configured as follows:

interface vlan 101
 ip address 192.168.100.1 255.255.255.248
 description Firewall port3
! (or you can use the whole /24 if the firewall is configured as /24)

vlan 102
 name Firewall_port4_Heartbeat
! (assuming this is the heartbeat)

interface range gi1/0/23, gi2/0/23
 no ip address
 switchport mode access
 switchport access vlan 101

interface range gi1/0/24, gi2/0/24
 no ip address
 switchport mode access
 switchport access vlan 102

And connect the firewall as follows;

Master Firewall port 3 ----------------------> Master Cisco switch port 23
192.168.100.2                                            
Master Firewall port 4----------------------> Master Cisco switch port 24
192.168.101.2                                            

Slave Firewall port 3 ----------------------> Slave Cisco switch port 23
192.168.100.2                                          
Slave Firewall port 4----------------------> Slave Cisco switch port 24
192.168.101.2
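As an added example for this thread (not code posted by the author or by any commenter), the Python script below checks mechanically what the answers above worked out by hand. It parses the interface blocks of an IOS config in the form pasted in the question, then audits a cabling table of (device, firewall IP/mask, firewall gateway, switch port) against it. A firewall port plugged into a routed switch port must carry an address inside that port's subnet, use that port's address as gateway and agree on the mask; a port in an access VLAN is checked against the VLAN's SVI instead; and two HA members that share one address must land in one broadcast domain, which two separate routed ports never are. The cut-down config strings, the device labels and the cabling rows are constructed from the question (firewall /24 mask per the author's later comment); the VLAN 101 SVI in the fixed config follows the shape of the accepted answer.

```python
"""Audit a Cisco IOS switch config against the firewall HA pair cabled to it:
each firewall port's IP/mask and gateway must fit the switch port it plugs into,
and HA members sharing one IP must sit in one broadcast domain, not on two
separate routed ports. Constructed example; configs and cabling are made up."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


def canon(name: str) -> str:
    """'Gi 1/0/23', 'gi1/0/23' and 'GigabitEthernet1/0/23' -> one spelling."""
    name = re.sub(r'\s+', '', name).lower()
    return re.sub(r'^gi(?=\d)', 'gigabitethernet', name)


@dataclass
class Port:
    name: str
    routed: bool = False                          # 'no switchport' seen
    address: ipaddress.IPv4Interface | None = None
    access_vlan: int | None = None


def parse_ios(config: str) -> dict[str, Port]:
    """Return {canonical name: Port} for every 'interface' block in the config."""
    ports: dict[str, Port] = {}
    current: list[Port] = []                      # ports the indented lines apply to
    for raw in config.splitlines():
        if not raw.startswith(' '):               # any top-level line ends a block
            m = re.match(r'interface\s+(?:range\s+)?(.+)', raw.strip())
            names = m.group(1).split(',') if m else []       # 'range a, b' -> both
            current = [ports.setdefault(canon(n), Port(canon(n))) for n in names]
            continue
        cmd = raw.strip()
        for p in current:
            if cmd == 'no switchport':
                p.routed = True
            elif cmd.startswith('ip address '):
                addr, mask = cmd.split()[2:4]
                p.address = ipaddress.IPv4Interface(f'{addr}/{mask}')
            elif cmd.startswith('switchport access vlan '):
                p.access_vlan = int(cmd.split()[3])
    return ports


def audit(ports: dict[str, Port], cabling) -> list[str]:
    """cabling rows: (device, firewall IP/mask, firewall gateway, switch port)."""
    findings: list[str] = []
    shared: dict[ipaddress.IPv4Address, set] = {}  # firewall IP -> segments it sits on
    for device, ip, gw, sw in cabling:
        fw, port = ipaddress.IPv4Interface(ip), ports[canon(sw)]
        if port.routed:                           # a routed port is a segment by itself
            seg, link = ('routed', port.name), port.address
        else:                                     # access port: gateway is the VLAN's SVI
            svi = ports.get(f'vlan{port.access_vlan}')
            seg, link = ('vlan', str(port.access_vlan)), (svi.address if svi else None)
        shared.setdefault(fw.ip, set()).add(seg)
        if link is None:
            findings.append(f'{device}: {sw} has no switch-side address to act as gateway')
            continue
        if fw.ip not in link.network:
            findings.append(f'{device}: {fw.ip} is outside the {sw} subnet {link.network}')
        if ipaddress.IPv4Address(gw) != link.ip:
            findings.append(f'{device}: gateway {gw} is not the switch address {link.ip}')
        if fw.network != link.network:
            findings.append(f'{device}: mask mismatch, firewall {fw.network} vs switch {link.network}')
    for ip, segs in shared.items():
        if len(segs) > 1:                         # HA pair split across L3 segments
            findings.append(f'shared address {ip} spans {len(segs)} segments: {sorted(segs)}')
    return findings


# As built (cut down from the config in the question): firewall-facing ports are routed /25s.
BROKEN = """\
interface GigabitEthernet1/0/23
 no switchport
 ip address 192.168.100.1 255.255.255.128
interface GigabitEthernet1/0/24
 no switchport
 ip address 192.168.100.129 255.255.255.128
"""
AS_BUILT = [  # port 3 of both HA members, as described in the question (shared IP, /24)
    ('primary port3', '192.168.100.2/24', '192.168.100.1', 'Gi1/0/23'),
    ('secondary port3', '192.168.100.2/24', '192.168.100.1', 'Gi1/0/24'),
]
# Shape of the accepted answer: both port 3s in one access VLAN, routed on its SVI.
FIXED = """\
interface Vlan101
 ip address 192.168.100.1 255.255.255.0
interface range gi1/0/23, gi2/0/23
 switchport mode access
 switchport access vlan 101
"""
PROPOSED = [
    ('primary port3', '192.168.100.2/24', '192.168.100.1', 'Gi1/0/23'),
    ('secondary port3', '192.168.100.2/24', '192.168.100.1', 'Gi2/0/23'),
]
```

`audit(parse_ios(BROKEN), AS_BUILT)` returns five findings: a mask mismatch on the primary's link, and on the secondary's link an address outside the /25, a gateway that is not the switch's address and a mask mismatch, plus the shared 192.168.100.2 spanning two routed segments. `audit(parse_ios(FIXED), PROPOSED)` returns an empty list. The check only reads `no switchport`, `ip address` and `switchport access vlan`; trunk ports and port-channels are out of scope and will show up as "no switch-side address".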
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39805211
infamous is on target
 
LVL 1

Author Comment

by:mbudman
ID: 39805246
Based on what has been suggested, I have come up with the following solution:

Bridge port 3 and port 4 on the firewall (same config for both); assign IP 192.168.100.2, gateway 192.168.100.1;

Make a single VLAN on the Cisco switch with ports 1/0/23, 1/0/24, 2/0/23,2/0/24; assign ip 192.168.100.1, gateway 192.168.100.2

Subnet mask is 255.255.255.0

What do you think?

Thanks for all your help. It is much appreciated.

Mark
 
LVL 12

Expert Comment

by:Infamus
ID: 39805306
You don't need to assign gateway on the VLAN interface.

I'm not sure how the bridge works on your firewall but if it has some kind of routing between the two, it should work.

Thanks.
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39805419
You know, I made an "assumption" that you were using a Cisco firewall based on your description of the HA and the active/passive reference you made... however it dawned on me that you might be using some other firewall. So what firewalls do you have?
 
LVL 1

Author Comment

by:mbudman
ID: 39805435
I am using a Barracuda NG F300 appliance. I am quite satisfied with it.

I want to thank you for your guidance, as I understand in principle what should be done. The funny thing is that I understand the problem, as well as what the solution should be, better than the "experts" I hired.
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39805439
I guess I should have asked that first.  I am not familiar with how that firewall operates and I was giving directions as if it was an ASA.
 
LVL 1

Author Closing Comment

by:mbudman
ID: 39855880
Thank you for your assistance. The information was excellent.

Cheers,

Mark