Solved

Calling Cisco experts - Need help with Cisco 3750 Routers

Posted on 2014-01-23 | 459 Views | Last Modified: 2014-02-13
Hello,

There are  two firewall (hardware) appliances, configured as High Availability (HA) in active passive mode.

In the current configuration, all routing is handled by the firewall appliances.

The idea is to move the routing to two Cisco 3750 (layer three) switches. Two Cisco switches have been selected as another point of failure is being introduced.  This way there can be redundancy with the two Cisco switches; If the main Cisco switch fails, the second Cisco switch is available and will still allow network traffic to be routed / transmitted as it should.

I have had a "Cisco" expert come in and propose a solution using the Cisco switches.

He proposed "stacking" the Cisco switches (Master / member). In his proposal, each  firewall will have two cables connected to the Cisco switches - 1 connection to the Master (firewall port 3), 1 connection to the member (firewall port 4).

Because the firewalls are configured for HA, the configuration of each unit is a mirror of the other (i.e. identical). That means that each firewall is pointing to the same gateway addresses (for routing), although the routes in the secondary firewall are not active while the primary firewall is functioning.

Will this configuration work? Is "stacking" the Cisco switches the right way to go?

Any information / suggestion would be greatly appreciated.

Thanks in advance.

Mark
Question by: mbudman

31 Comments

Expert Comment by Spartan_1337 (LVL 17)
Switch stacking is the way to go. You can duplicate the port settings on each member of the stack and have port redundancy to match your firewalls.

Expert Comment by Spartan_1337 (LVL 17)
To add, you can lose one member of your stack and still maintain network access. Switch stacking has been around for a while and does work quite well when setup properly. Depending on your switch type, you can even stack power for greater redundancy in case of power supply failure. I have a stack of 8 3750x's stacked for switch and power.

Expert Comment by Ken Boone (LVL 24)
Yes.. That is the way to do it.  With the 2 switches in the stack, they look like one big switch.  The failover will occur almost instantly on an outage.

Author Comment by mbudman (LVL 1)
Okay - let me bring this one step further.

The consultant completed the implementation.

He stacked the two Cisco 3750 switches.

He configured it as pasted at the end of this post.

He defined port 23 and 24 on the master as 192.168.100.1; 192.168.100.129
He defined port 23 and 24 on the slave as 192.168.101.1; 192.168.100.129

Primary firewall:
Port 3: IP address 192.168.100.2; gateway 192.168.100.1
Port 4: IP address 192.168.101.2; gateway 192.168.101.1

Management ip address: 192.168.100.253 and 192.168.101.253


Secondary firewall:
Port 3: IP address 192.168.100.2; gateway 192.168.100.1
Port 4: IP address 192.168.101.2; gateway 192.168.101.1

Management ip address: 192.168.100.254 and 192.168.101.254

The secondary routes are not active; however the management ip's are active and are unique for each firewall appliance.

There is no communication between the firewall appliances on any data that routes through the two  Cisco  switches.

For instance, if I am connected to the primary firewall appliance, I should be able to reach the management ip address of the secondary firewall. I am unable to do so.

Prior to implementing the Cisco switches, I was able to communicate with the management ports that were routed through the private network switches.

Can someone help point me in the right direction to resolve this problem? I believe the issue to be related to the Cisco switch configuration and not the firewall.

In the current configuration, if I connect port 24 on the master Cisco switch to port 3 on the secondary firewall, there is no network traffic passed through the CISCO stack. If I unplug it, traffic passes through to the internet and between private networks through the Cisco stack.

Help!!!!!!!!!

Any advice would be greatly appreciated.

---------------------------------------------------------------------------------------

Cisco stack configuration: (I have removed "unnecessary" lines from the config that are not required for resolving the  problem)
*******************************************************
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
!
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface GigabitEthernet1/0/1
 description Switch_Dev
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description Switch_Admin
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description Switch_EsignLive
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
 description Switch_Firewall_1
 no switchport
 ip address 192.168.100.1 255.255.255.128
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/24
 description Switch_Firewall_2
 no switchport
 ip address 192.168.100.129 255.255.255.128
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface GigabitEthernet2/0/1
 description Switch_Dev_1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet2/0/2
 description Switch_Admin_1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet2/0/3
 description Switch_EsignLive_1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
!
interface GigabitEthernet2/0/4
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
 description Switch_Firewall_1
 no switchport
 ip address 192.168.101.1 255.255.255.128
!
interface GigabitEthernet2/0/24
 description Switch_Firewall_2
 no switchport
 ip address 192.168.101.129 255.255.255.128
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.7.254 255.255.248.0
!
interface Vlan20
 ip address 10.0.15.254 255.255.248.0
!
interface Vlan30
 ip address 10.0.23.254 255.255.248.0
!
interface Vlan100
 ip address 192.168.0.100 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.2
ip route 0.0.0.0 0.0.0.0 192.168.101.2 150
ip http server
ip http secure-server
!
!
!
!
end

********************************************************************

Expert Comment by Infamus (LVL 12)
first of all, is this a typo?

He defined port 23 and 24 on the slave as 192.168.101.1; 192.168.100.129


Port 24 on the slave should be 192.168.101.129

Author Comment by mbudman (LVL 1)
sorry - typo; The slave is 192.168.101.129 and not 192.168.100.129

Expert Comment by Infamus (LVL 12)
deleted the comment...

I'm trying to figure out your set up...hold on...

Expert Comment by Infamus (LVL 12)
Can you describe how your firewall is connected to which ports on the switch?

Also, where are the firewall management ports connected to?

Author Comment by mbudman (LVL 1)
Just an FYI - I  was not the person who wired and put together this configuration. I am just trying to clean up and find a solution to the horrible (and mismanaged) problem that I am now facing.

The firewall is also in HA mode (Active / Passive) with the secondary firewall in passive mode.

Port 23 on the master firewall is connected to port 23 on the master switch;

Why do you say port 3 on the slave firewall should connect to port 23 on the slave switch?

The ip addresses between slave firewall port 3 and slave cisco switch are not  configured as the same subnet

Expert Comment by Ken Boone (LVL 24)
So here is the deal.. Since the ASAs are active/standby  - then port 3 on each ASA needs to be on the same vlan.  So the switch ports should not be layer 3, they should be layer 2 in a vlan.  Port 3 on ASA #1 needs to be able to communicate with Port 3 on ASA #2.  Likewise for all of the other ports.  So they will need to be connected to a layer 2 vlan for this to work.

Expert Comment by Ken Boone (LVL 24)
Also... my preference ... I never use the management port on an ASA.  It's too much of a pain in the butt and I see no value in it.  I always manage the ASA with the inside interface.  Just my preference.

Author Comment by mbudman (LVL 1)
The firewall management ports match the port on which the subnet is defined for the routing:

For instance, firewall port 3 (master) uses subnet 192.168.100 / 24, therefore the management ip address is this port (192.168.100.253);

Same thing for firewall port 4 (master):

Firewall port 4 (master) uses subnet 192.168.101 / 24, therefore the management ip address is this port (192.168.101.253);

Author Comment by mbudman (LVL 1)
Please excuse this question, but what does ASA stand for?

Expert Comment by Ken Boone (LVL 24)
Adaptive Security Appliance

Expert Comment by Ken Boone (LVL 24)
It's Cisco's name for their firewall

Expert Comment by Infamus (LVL 12)
Yeah that's why I deleted the comment because I misunderstood.

Just to clear up, can you provide the following information?

Master Firewall port 3 ----------------------> which port on the switch?
Master Firewall port 4----------------------> which port on the switch?
Master Firewall mgmt ---------------------->which port on the switch?

Same goes for the slave firewall.

Expert Comment by Infamus (LVL 12)
I do agree with ken, they shouldn't configure it as layer 3 routed port.

It will be much easier to create a VLAN and let the switch do the routing.

Expert Comment by Ken Boone (LVL 24)
Let me re-iterate this so it wasn't missed:

So here is the deal.. Since the ASAs are active/standby  - then port 3 on each ASA needs to be on the same vlan.  So the switch ports should not be layer 3, they should be layer 2 in a vlan.  Port 3 on ASA #1 needs to be able to communicate with Port 3 on ASA #2.  Likewise for all of the other ports.  So they will need to be connected to a layer 2 vlan for this to work.

Expert Comment by Ken Boone (LVL 24)
Sorry infamous... I posted at the same time... ;)

Expert Comment by Infamus (LVL 12)
Happens to me too all the time :)

Expert Comment by Infamus (LVL 12)
Also, this is confusing.....

The gateway for the firewall is the interface of the switch???

Primary firewall:
Port 3: IP address 192.168.100.2; gateway 192.168.100.1
Port 4: IP address 192.168.101.2; gateway 192.168.101.1

Management ip address: 192.168.100.253 and 192.168.101.253


Secondary firewall:
Port 3: IP address 192.168.100.2; gateway 192.168.100.1
Port 4: IP address 192.168.101.2; gateway 192.168.101.1

Author Comment by mbudman (LVL 1)
Master Firewall port 3 ----------------------> Master Cisco switch port 23
Master Firewall port 4----------------------> Slave Cisco switch port 23

2 management ip's defined:

Master Firewall mgmt ---------------------->192.168.100.253 (port 3 Master firewall)
Master Firewall mgmt ---------------------->192.168.101.253 (port 4 Master firewall)


Slave Firewall port 3 ----------------------> Master Cisco switch port 24
Slave Firewall port 4----------------------> Slave Cisco switch port 24
Slave Firewall mgmt ---------------------->192.168.100.254 (port 3 Master firewall)

2 management ip's defined:

Slave Firewall mgmt ---------------------->192.168.100.254 (port 3 slave firewall)
slave Firewall mgmt ---------------------->192.168.101.254 (port 4 slave firewall)

Expert Comment by Infamus (LVL 12)
Ok, let's back up a little and look at the configuration for now.

Master Firewall port 3 ----------------------> Master Cisco switch port 23
192.168.100.2                                            192.168.100.1
Master Firewall port 4----------------------> Slave Cisco switch port 23
192.168.101.2                                            192.168.101.1

Slave Firewall port 3 ----------------------> Master Cisco switch port 24
192.168.100.2                                           192.168.100.129
Slave Firewall port 4----------------------> Slave Cisco switch port 24
192.168.101.2                                           192.168.101.129

And the routing is..
ip route 0.0.0.0 0.0.0.0 192.168.100.2
ip route 0.0.0.0 0.0.0.0 192.168.101.2 150

So if port3 on the firewall fails then it will route to port4 of the firewall?

Since the firewalls are redundant, and have same virtual IP of 192.168.100.2, the default route should only be 0.0.0.0 0.0.0.0 192.168.100.2 assuming port 3 is the LAN interface of the firewall.  Also is port4 "heartbeat" between the firewalls?

And the last question is that the management IP is configured on port 3 and port 4 on the firewall?  Which means port3 and port4 has two IP's configured on each port?

What is port3 and port4 of the firewall?

Accepted Solution by Infamus (LVL 12), earned 500 total points
I would just create two vlans configured as follows:

vlan 101
 name Firewall_port3
vlan 102
 name Firewall_port4_Heartbeat
! (vlan 102 assumes port 4 is the heartbeat)
!
interface Vlan101
 description Firewall port3
 ip address 192.168.100.1 255.255.255.248
! (or use the whole /24, mask 255.255.255.0, if the firewall is configured as /24)
!
interface range GigabitEthernet1/0/23 , GigabitEthernet2/0/23
 no ip address
 switchport
 switchport mode access
 switchport access vlan 101
!
interface range GigabitEthernet1/0/24 , GigabitEthernet2/0/24
 no ip address
 switchport
 switchport mode access
 switchport access vlan 102

And connect the firewall as follows;

Master Firewall port 3 ----------------------> Master Cisco switch port 23
192.168.100.2                                            
Master Firewall port 4----------------------> Master Cisco switch port 24
192.168.101.2                                            

Slave Firewall port 3 ----------------------> Slave Cisco switch port 23
192.168.100.2                                          
Slave Firewall port 4----------------------> Slave Cisco switch port 24
192.168.101.2
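As an added example (not code from the thread, the consultant, or Infamus), here is a Python check that parses a trimmed IOS config plus the cabling table Infamus laid out in the comment above, and reports whether each firewall address fits the segment of the switch port it is cabled to and whether both HA members' like-numbered ports land on one segment. The "before" input is the routed-port layout from the posted config and the "after" input is the VLAN layout of the accepted solution; both are constructed from the addresses in the thread, and the /24 SVI masks and the cabling dictionaries are assumptions.

```python
import ipaddress
import re

# Constructed sample inputs, built from the addresses quoted in the thread.
# BEFORE: the consultant's routed-port layout.  AFTER: the VLAN/SVI layout
# from the accepted answer, with an assumed /24 on each SVI.
BEFORE_CONFIG = """\
interface GigabitEthernet1/0/23
 ip address 192.168.100.1 255.255.255.128
!
interface GigabitEthernet1/0/24
 ip address 192.168.100.129 255.255.255.128
!
interface GigabitEthernet2/0/23
 ip address 192.168.101.1 255.255.255.128
!
interface GigabitEthernet2/0/24
 ip address 192.168.101.129 255.255.255.128
!
"""
AFTER_CONFIG = """\
interface Vlan101
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan102
 ip address 192.168.101.1 255.255.255.0
!
interface GigabitEthernet1/0/23
 switchport access vlan 101
!
interface GigabitEthernet2/0/23
 switchport access vlan 101
!
interface GigabitEthernet1/0/24
 switchport access vlan 102
!
interface GigabitEthernet2/0/24
 switchport access vlan 102
!
"""
# Cabling (assumed from the poster's table): (firewall, fw port, fw IP) -> switch port.
# The master entries are listed first so the HA comparison reports against them.
BEFORE_CABLING = {
    ("master", 3, "192.168.100.2"): "GigabitEthernet1/0/23",
    ("master", 4, "192.168.101.2"): "GigabitEthernet2/0/23",
    ("slave", 3, "192.168.100.2"): "GigabitEthernet1/0/24",
    ("slave", 4, "192.168.101.2"): "GigabitEthernet2/0/24",
}
AFTER_CABLING = {
    ("master", 3, "192.168.100.2"): "GigabitEthernet1/0/23",
    ("master", 4, "192.168.101.2"): "GigabitEthernet1/0/24",
    ("slave", 3, "192.168.100.2"): "GigabitEthernet2/0/23",
    ("slave", 4, "192.168.101.2"): "GigabitEthernet2/0/24",
}


def parse_interfaces(config):
    """Map interface name -> {'ip': IPv4Interface or None, 'vlan': access VLAN or None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"ip": None, "vlan": None}
        elif current and line.startswith(" "):          # sub-command of current block
            cmd = line.strip()
            if m := re.match(r"ip address (\S+) (\S+)$", cmd):
                interfaces[current]["ip"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
            elif m := re.match(r"switchport access vlan (\d+)$", cmd):
                interfaces[current]["vlan"] = int(m[1])
    return interfaces


def segment_for_port(interfaces, port):
    """Network a device cabled to `port` lands on: the routed port's own network,
    or the SVI network of the port's access VLAN. Returns (network, via) or (None, None)."""
    info = interfaces[port]
    if info["ip"] is not None:                            # routed port (no switchport)
        return info["ip"].network, port
    svi = interfaces.get(f"Vlan{info['vlan']}") if info["vlan"] else None
    if svi and svi["ip"] is not None:
        return svi["ip"].network, f"Vlan{info['vlan']}"
    return None, None


def check_cabling(config, cabling):
    """Return a list of problems; empty means every firewall address is inside the
    segment of its switch port and both HA members' same-numbered ports share one segment."""
    interfaces = parse_interfaces(config)
    problems, seen = [], {}                               # seen: (fw port, fw ip) -> network
    for (fw, fw_port, fw_ip), sw_port in cabling.items():
        net, via = segment_for_port(interfaces, sw_port)
        if net is None:
            problems.append(f"{fw} port {fw_port}: {sw_port} has no L3 segment")
            continue
        if ipaddress.IPv4Address(fw_ip) not in net:
            problems.append(f"{fw} port {fw_port} ({fw_ip}) is outside {net} of {via}")
        key = (fw_port, fw_ip)
        if key in seen and seen[key] != net:
            problems.append(f"HA pair port {fw_port}: master on {seen[key]}, {fw} on {net}")
        seen.setdefault(key, net)
    return problems


if __name__ == "__main__":
    for label, cfg, cab in (("before", BEFORE_CONFIG, BEFORE_CABLING),
                            ("after", AFTER_CONFIG, AFTER_CABLING)):
        print(label, check_cabling(cfg, cab))
```

Run against the "before" input it flags the slave's port 3 (192.168.100.2 cabled to a 192.168.100.128/25 routed port) and port 4 the same way, which is the subnet mismatch the poster noticed; against the "after" input it finds nothing, because both members of each pair sit on one VLAN whose SVI holds the gateway address.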

Expert Comment by Ken Boone (LVL 24)
infamous is on target

Author Comment by mbudman (LVL 1)
Based on what has been suggested, I have come up with the following solution:

Bridge port 3 and port 4 on the firewall (same config for both); assign ip 192.168.100.2, gateway 192.168.100.1;

Make a single VLAN on the Cisco switch with ports 1/0/23, 1/0/24, 2/0/23,2/0/24; assign ip 192.168.100.1, gateway 192.168.100.2

Subnet mask is 255.255.255.0

What do you think?

Thanks for all your help. It is much appreciated.

Mark

Expert Comment by Infamus (LVL 12)
You don't need to assign gateway on the VLAN interface.

I'm not sure how the bridge works on your firewall but if it has some kind of routing between the two, it should work.

Thanks.

Expert Comment by Ken Boone (LVL 24)
You know I made an "assumption" that you were using a cisco firewall based on your description of the HA and the active/passive reference you made... however it dawned on me that you might be using some other firewall.  So what firewalls do you have?

Author Comment by mbudman (LVL 1)
I am using a Barracuda NG F300 appliance. I am quite satisfied with it.

I want to thank you for your guidance as I understand in principle what should be done. The funny thing is that I understand the problem, as well as what the solution should be, better than the "experts" I hired.

Expert Comment by Ken Boone (LVL 24)
I guess I should have asked that first.  I am not familiar with how that firewall operates and I was giving directions as if it was an ASA.

Author Closing Comment by mbudman (LVL 1)
Thank you for your assistance. The information was excellent.

Cheers,

Mark