lconnell asked:

VLAN Routing

I have a small network that is connected to the equipment managed by the landlord in our building.

I own and control an ASA which handles all of our routing and a 2960 switch. The landlord has a 4506 switch.

The landlord's switch connects to all of our cubicles for phone and data. The switch then has a default route pointing to their router. I have the 2960 plugged into the 4506. All the cubicles are able to get internet through our ASA.

I am confused as the 4506 does not have any trunk ports setup and the access ports are VLAN 14. I'm assuming it's taking that traffic, sending it to their router and then back down which somehow finds my ASA.  How is this working?

My ASA does not have VLAN 14 configured at all.  My native VLAN is 1.  How are access ports of VLAN 14 able to communicate with my ASA?

My ASA inside interface is 10.89.101.2/24
The 4506 VLAN 14 interface does not have an ip address assigned
The 4506 has a default route 0.0.0.0 0.0.0.0 10.83.8.1

If the 4506 is sending everything to their router, how is it making it back to the ASA?

ASA -> 2960 -> 4506 -> 2800RTR
 |               |___ PC/PHONE (VLAN 14,16)  
VLAN 1
Soulja

There are a lot of holes/missing info in your explanation. You say the 4506 has a VLAN 14 interface with no IP address. Why is it there then? It serves no purpose if there is no IP. You say it has a default route, so routing is definitely enabled, so is it using a VLAN interface for routing or a routed port? Then there is the landlord's 2800 router; what config is on that?

It will be really hard to give you an answer without actually seeing how things are configured.
lconnell (asker)

I know it will be hard without the config, but it is very simple on the 4506. All my computers are plugged into it. They are access ports 14 with a voice vlan of 16. The default route points to their router which I know nothing about.

Believe it or not, the switch didn't have a trunk port. The VLAN interface was there for an ip-helper, but I don't think it would work without an IP address, right?
No, the IP helper wouldn't work without an IP address. The interface won't even come up without one.
I guess their router is still the mystery. Maybe it has a route to your ASA. Probably policy routing your source traffic to your ASA.
Ok. How would the router know how to get to my ASA? I'm sure the router has the ip 10.89.101.1 and my ASA is 10.89.101.2. In between the ASA and the router is the 4506 and the 2960. Only access ports are configured on the 4506.

I just don't understand how it can communicate with the ASA.
On my side of the network there is no use of any VLANs. When I plugged in a new Cisco switch I got a warning about a native VLAN mismatch.
On the 2960 how is the port that the ASA is connected to configured?

Since the router and the ASA are in the same subnet (10.89.101.0/24), assuming the switches are configured correctly, they should be able to talk to each other.
Even though they have 10.89.101.1 on VLAN 14 and the ASA is on 10.89.101.2 on VLAN 1?

The port is trunked to the 2960. Allowing all VLANs, I guess, is how the ASA works with trunking? You use sub-interfaces to define VLANs. But only VLAN 16, which is the phones, is configured.
The ASA does support trunking and yes, you do it by defining sub-interfaces.

Can you sanitize the configuration of all 4 devices and post?

VLAN 1 is used as the default VLAN on all Cisco devices and on a trunk port is called the "native" VLAN. The native VLAN is the VLAN any untagged frames are assumed to be on.

So if the ASA does not have any sub-interfaces on the interface that 10.89.101.0/24 is on, then that traffic will be untagged and the 2960 will put it on VLAN 1. Depending on how all of the other devices happen to be configured, that traffic can make it through the whole network on VLAN 1.
I think you need to give us a bit of a clearer diagram.

I don't get why you have the ASA at all if all of your PCs/Phones use the 4506 switch!?

The ASA doesn't need VLANs.  If it connects to an access port on the switch all traffic will go on whatever VLAN is configured as the access VLAN on the switchport.  If it's connected to a trunk port it will just use whichever VLAN is configured as the native VLAN.  This could be any VLAN, so it's likely to be configured as VLAN 14.
There is no configuration on the 2960 switch. The ASA plugs into the 4506, the 4506 plugs into the 2960. I have some servers on the 2960. All workstations and phones are plugged into the 4506, get their internet from the ASA. All devices use gateway of the ASA.

ASA -> 4506 -> 2800 [10.89.101.1]
               |
           2960----[servers]

!! ASA !!

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.89.101.2 255.255.255.0
!
interface Ethernet0/0.16
 vlan 16
 nameif voice
 security-level 100
 ip address 10.89.103.2 255.255.255.0
!
interface Ethernet0/2
 nameif wireless
 security-level 10
 ip address 10.89.102.2 255.255.255.0
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

!! 4506 !!

vlan 14
 name DMZ2
!
vlan 16
 name DMZ4

interface GigabitEthernet3/1
 switchport access vlan 14
 switchport voice vlan 16
!
interface GigabitEthernet3/2
 switchport access vlan 14
 switchport voice vlan 16
!
interface GigabitEthernet3/3
 switchport access vlan 14
 switchport voice vlan 16
!
interface GigabitEthernet3/4
 switchport access vlan 14
 switchport voice vlan 16
!
interface GigabitEthernet3/5
 switchport access vlan 14
 switchport voice vlan 16
!

!
interface Vlan1
 ip address 10.81.8.3 255.255.255.0
 ip helper-address 10.81.8.4
!
interface Vlan14
 no ip address
 ip helper-address 10.89.101.201
 shutdown
!
interface Vlan16
 no ip address
 ip helper-address 10.89.101.201
 shutdown
!
!
ip route 0.0.0.0 0.0.0.0 10.81.8.1
On the ASA you have eth0 configured in IP subnet 10.89.101.0/24 which is VLAN 14.

Since this is not defined as a sub interface, all traffic that is sent OUT from the ASA on this VLAN is untagged.

On all the switch ports on the 4500 you have:
 switchport access vlan 14
 switchport voice vlan 16

This means that frames on VLAN 16 are tagged as being on VLAN 16 and frames for VLAN 14 are untagged.


My guess is that the 2800 is also set up so that it sends all frames that are from IP address 10.89.101.1 as untagged. So the 4500 assumes they are all on VLAN 14.

So basically all VLAN 14 (subnet 10.89.101.0/24) traffic is untagged and flows through your whole network as such.
Ok,

How is eth0 on ASA configured for VLAN 14? I don't see anywhere it says that.

When a switchport is configured for a certain vlan, isn't that tagged? I'm confused.

The only untagged packets on the 4506 should be VLAN 1.

Sorry if I'm being thick headed, I'm having a hard time grasping vlan 14 being untagged.
It's not configured for VLAN 14; it's not configured for any VLAN.

Any "access" VLAN is untagged. When you configure the following on an interface:

 switchport access vlan 14
 switchport voice vlan 16

What really happens is the same thing as if you configured:

 switchport mode trunk
 switchport trunk native vlan 14
 ! native VLAN 14 leaves the port untagged; voice VLAN 16 is tagged
 switchport trunk allowed vlan 14,16

Native VLANs are untagged. So VLAN 14 is untagged. Any
Ok thank you.

So if it only had:
-switchport mode access
-switchport access vlan 14

That would not be tagged until it hit the trunk?

So since vlan 14 is not tagged and it's on the same subnet as my ASA it can talk with each other?

This means two different VLANs on the same subnet can communicate without inter-VLAN routing?
What's the point of saying switchport access vlan 14 if it isn't tagged? It's just going to talk on the native vlan anyway.
ASKER CERTIFIED SOLUTION
giltjr
This solution is only available to members.
Thanks a lot, that makes sense. How should I configure my 2960 switch in my scenario?

Should I create a trunk port or an access port so my ASA can talk to the computers on the 4506?

Do I need to have access port 14 on the 2960 that connects to the access port on the 4506?
I'm in a bind can you give me a hand?
SOLUTION
This solution is only available to members.
Thanks for the breakdown. So native vlan 14 should be set on both switchport trunks?

This tells the 4506 not to tag vlan 14 traffic to the 2960?

On the 2960 it says any traffic going to the 4506 will be part of vlan 14?

Do I understand that correctly?
You can set the native to be whatever you want, but it should be the same at both ends of the link.  It's usually good practice to use an unused VLAN for the native VLAN.

This doesn't mean you can't use VLAN 14 though.  Strictly speaking it's just whichever VLAN you want untagged traffic to be on.  In this case yes, you should configure the native VLAN as 14 as the ASA is also doing that.
craigbeck is correct; typically the native VLAN on trunks is a VLAN that is not used by anything else.

Special traffic is passed between switches on the native VLAN.

Just like it is best practice not to use VLAN 1 for anything, because that is the default native VLAN.
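Added example, not configuration from the thread or from either device: the switch and ASA configuration that the advice above implies, covering lconnell's question about the 2960 uplink, giltjr's point that an access VLAN with a voice VLAN behaves like a trunk with that native VLAN, and craigbeck's note on using an unused native VLAN. It assumes the topology in lconnell's second diagram (ASA and 2960 both hang off the 4506), assumed port numbers (Gi0/1 and Fa0/1-8 on the 2960, Gi3/47 and Gi3/48 on the 4506), and an assumed unused VLAN 999 for the hardened variant. The 4506 half is the landlord's to apply; until they do, a 2960 trunk with native 14 and tagged 16 facing an access-14/voice-16 port still sees untagged frames as VLAN 14 and tagged frames as VLAN 16, which is what giltjr's explanation describes.

```cisco
! ===== 2960 (tenant) =====
! Uplink to the landlord's 4506. Port numbers are assumptions.
interface GigabitEthernet0/1
 description Uplink to landlord 4506
 switchport mode trunk
 switchport trunk native vlan 14
 switchport trunk allowed vlan 14,16
 switchport nonegotiate
!
! Servers in 10.89.101.0/24 sit untagged on VLAN 14, same as the cubicle PCs
! and the ASA's Ethernet0/0, so they share one broadcast domain with the ASA.
interface range FastEthernet0/1 - 8
 description Servers 10.89.101.0/24
 switchport mode access
 switchport access vlan 14
 spanning-tree portfast
!
! ===== 4506 (landlord) =====
! 4500 supervisors that also support ISL need the encapsulation line before
! "switchport mode trunk"; omit it if the supervisor rejects it.
interface GigabitEthernet3/48
 description Downlink to tenant 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 14
 switchport trunk allowed vlan 14,16
!
! The ASA's Ethernet0/0 sends 10.89.101.0/24 untagged and VLAN 16 tagged,
! so its port needs native 14 plus tagged 16, exactly like the cubicle ports.
interface GigabitEthernet3/47
 description Tenant ASA Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 14
 switchport trunk allowed vlan 14,16
!
! Leave interface Vlan14 / Vlan16 shut with no IP: an SVI without an address
! neither routes nor relays DHCP, and the ASA must stay the only gateway.
!
! ===== Verification (either switch) =====
! show interfaces trunk                -> native 14, allowed 14,16 on both ends
! show interfaces gi0/1 switchport     -> "Trunking Native Mode VLAN: 14"
! show mac address-table vlan 14       -> the ASA's MAC learned via the uplink
! show logging | include NATIVE_VLAN   -> any %CDP-4-NATIVE_VLAN_MISMATCH means
!                                         the two ends disagree; fix before use
!
! ===== Hardened variant: tag everything, park an unused native VLAN =====
! ASA side: move 10.89.101.0/24 onto a tagged subinterface so no production
! traffic rides the native VLAN. Re-check ACL, NAT and route entries bound to
! "inside" after the nameif moves to the subinterface.
interface Ethernet0/0
 no nameif
 no ip address
!
interface Ethernet0/0.14
 vlan 14
 nameif inside
 security-level 100
 ip address 10.89.101.2 255.255.255.0
!
! Switch side (both ends of every trunk): VLAN 999 is an assumed unused VLAN.
! It is deliberately left out of the allowed list, so stray untagged frames
! are dropped instead of landing in a production VLAN.
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 14,16
```

The native VLAN must match on both ends of every link: the mismatch warning lconnell saw with native VLAN 1 on the new switch meant that switch's VLAN 1 untagged frames and the 4506's VLAN 14 untagged frames were being joined into one broadcast domain, which is exactly how a mismatch leaks traffic between VLANs. Untagged native traffic is also what 802.1Q double-tagging tricks rely on, which is why the hardened variant tags the inside subnet on the ASA and reserves an unused VLAN as native. The first half of the block is the minimal change that makes the existing untagged ASA design explicit; the second half is the design craigbeck's advice points at.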