VLAN or run cable

Dear Experts:

I need to know what is the best solution for a connection that is needed from one side of the building to the other.

I don't have patching access to connect a new server to a firewall interface of an ASA firewall (vendor).

The server has to stay in the room where it is now, and one NIC has to be connected to an ASA firewall on the other side of the building. So we have a physical challenge.

I am tempted to just run the cable.
 
Or

Create a VLAN in the switches that connect both sides. There are two Cisco 3560 switches that connect both rooms.

If I create a VLAN, what criteria should I keep in mind to keep it secure? The connection is for WAN, not LAN.

Will this be the config for that port in the switch:

interface GigabitEthernet0/43
 description WAN connection to vendor network
 switchport access vlan 88

Is it necessary to use the switchport command for what I want to do?


Regards,

M
marceloNYC (Middle-Tier Administrator) asked:
JustInCase commented:
It is necessary to use the switchport command if you will use the switches for the link with the firewall. The command will create a new VLAN (if it is not already created) on the switch and add that port to the VLAN, and you want that traffic in a separate VLAN.
interface GigabitEthernet0/43
 description WAN connection to vendor network
 switchport mode access
 switchport access vlan 88

You need to add that VLAN to the trunk if trunks will be used (if it is not automatically added); you can check that with the #show interfaces trunk command. You may also need to create a switch virtual interface (SVI) on one of the switches for that VLAN (if the network architecture is L3 at some point), and, most likely, you need to add that VLAN to NAT on the firewall.
On the SVI (or subinterface if you don't have an SVI) you can apply an ACL for security etc...

There are too many scenarios for how you can actually connect the server to the firewall.

I don't see any reason to connect a separate cable from the firewall to the server, for there is also this scenario:
If you connect the server to the switch on an access port that is part of VLAN 88, then traffic is forwarded through the trunk link to the other switch, and there again an access port in VLAN 88 is connected to some port on the firewall. It is like you connected one cable directly from the firewall to the server.
In this case there are no SVIs and no subinterfaces; all you need to configure is on the firewall (the default gateway on the server is in this case the VLAN 88 address on the firewall).
:)
0
noci (Software Engineer) commented:
And if the firewall supports VLANs too, then terminate the VLAN internally on the firewall; that saves one switchport and a firewall port as well.
0
marceloNYC (Middle-Tier Administrator, author) commented:
I need help setting up the trunk between the two switches...
0
JustInCase commented:
interface GigabitEthernet0/x
 description trunk between switches
 switchport mode trunk
 switchport trunk allowed vlan all

That will allow all VLANs through the trunk.
If you want, you can set the trunk for only specific VLANs, let's say 15, 16, 17, 20 and 88:
 switchport trunk allowed vlan 15-17,20,88

And of course you need to do it on both switches for the trunk interface.

You can verify the trunk settings with
# show interfaces trunk
0
marceloNYC (Middle-Tier Administrator, author) commented:
I have it like this and it is not working.

interface GigabitEthernet0/43
 description vendor network
 switchport access vlan 88
 switchport trunk allowed vlan 88
 switchport mode access
!
0
JustInCase commented:
For the access port from the server to the switch it is
interface GigabitEthernet0/43
 switchport mode access
 switchport access vlan 88

For the link between switches
interface GigabitEthernet0/23 -- this is not the same port as above  :)
 switchport mode trunk
 switchport trunk allowed vlan all

If you set VLAN 88 as the only allowed VLAN, no other VLANs will pass through the trunk, so you killed all traffic between the switches.

You can delete unneeded parts of the config by putting "no" before the command that you want to erase. Example:
#no switchport access vlan 88

I don't know which port is the link between the switches... That's why I wrote interface GigabitEthernet0/x :)
If you don't know which link connects the switches, try issuing
#sh cdp neighbors
0
marceloNYC (Middle-Tier Administrator, author) commented:
Should I give VLAN 88 an IP address?
0
JustInCase commented:
That depends on your configuration. Maybe you need, maybe you don't.

If the ports that are connected to the firewall and the server are access ports, then there is no need for an IP address. In that case the VLAN acts like a cable, and there is no need to give a cable an IP address.
 :)
But you will need to change the configuration on the ASA.
0
marceloNYC (Middle-Tier Administrator, author) commented:
Hi,

I am back to this. We had to put out a fire somewhere else.

I gave the VLAN interface an ip address for that network.

However, it needs to be pingable from the network I'm in.

So it is like this now and it is not working:

I am in network 172.16.X.Y

The server in VLAN 88 is in network 172.17.x.y, going to the ASA firewall interface.

So in the switches it is like this:
 
interface Vlan88
 description Connection firewall
 ip address 172.17.255.241 255.255.255.0

interface GigabitEthernet0/43
 description Connection firewall
 switchport access vlan 88

Command option:

(config-if)#switchport trunk ?
  allowed        Set allowed VLAN characteristics when interface is in trunking
                 mode
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  native         Set trunking native characteristics when interface is in
                 trunking mode
  pruning        Set pruning VLAN characteristics when interface is in trunking
                 mode
0
JustInCase commented:
If the server can get to the internet, then you can access the server through the ASA; you just need to adjust the ASA config.
If you want to access the server over the L3 switch, you should enable routing on the switch (if it is not already enabled).
On the switch you should issue
#ip routing
but that might mean some additional configuration in your network; at least you should add an ACL on interface VLAN 88 to deny traffic from other hosts that you don't want to have access to the server.
0
marceloNYC (Middle-Tier Administrator, author) commented:
Getting somewhere... I think.

I can ping the server from the switch it is plugged into, not from the switch the ASA is plugged into...
0
marceloNYC (Middle-Tier Administrator, author) commented:
Will this command help me?

switchport trunk encapsulation dot1q

I think it is a trunking issue.

From the pinging switch I get a result from the show interface trunk command.

No result from the non-pinging switch.
0
JustInCase commented:
Most likely, if you did set a trunk, it is already dot1q. But you can try; I don't expect any difference.
 :)
That is the only tagging method today, Cisco's ISL is dead.

On both switches you need to have VLAN 88 created, and VLAN 88 must be allowed on the trunk.
Issue the command
# sh interface trunk
on both routers and paste it here.

And on which switch is interface vlan 88 located?
0
marceloNYC (Middle-Tier Administrator, author) commented:
Result for the sh int trunk command.

Non-pinging switch, where the ASA is:

switch-3560-wc2#sh int trunk

switch-3560-wc2#
***nothing**


Pinging switch, where the server is:

switch-c3560x-r1-s1#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,15,30,255

Port        Vlans allowed and active in management domain
Gi0/1       10,15,30,255

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,15,30,255

VLAN 88 entries in both switches:

interface GigabitEthernet0/43
 description  asa/server
 switchport access vlan 88

interface Vlan88
 description asa/server
 ip address 172.17.255.241/242 255.255.255.0

Pinging switch, entry for the trunking port:

interface GigabitEthernet0/48
 switchport access vlan 10
 switchport trunk encapsulation dot1q <--- missing on the other side
 switchport mode access


Non-pinging switch, with the ASA in it:

**the trunking port does not have the: switchport trunk encapsulation dot1q**

interface GigabitEthernet0/48
 switchport access vlan 10
 switchport mode access

Thank you!
0
marceloNYC (Middle-Tier Administrator, author) commented:
This also came to light...

The IP that I need to make work is for VLAN 255...

So I am thinking of undoing VLAN 88 and changing to VLAN 255...

Any other thoughts?
0
JustInCase commented:
Port        Vlans allowed on trunk
Gi0/1       10,15,30,255
VLAN 88 is not allowed on the trunk.

Your trunk is int Gi0/1.
You should issue the command under
# int gi0/1
#switchport trunk allowed vlan add 88
 *check which port is the trunk on the other side and issue the same command
interface GigabitEthernet0/48
 switchport access vlan 10
 switchport trunk encapsulation dot1q <--- missing on the other side
 switchport mode access

Is this directly connected to the server, or is it connected to the other switch?
If it is connected to the other switch, why do you have
# switchport access vlan
# switchport mode access

# switchport mode trunk
# switchport trunk allowed vlan all

If it is connected to the server:
#switchport access vlan 88
# no switchport trunk encapsulation dot1q
0
JustInCase commented:
You can move it to VLAN 255 if you want.
Can you also issue
# sh vlan
and paste it here?
0
marceloNYC (Middle-Tier Administrator, author) commented:
From the non-pinging switch:

1    default                          active    Gi1/1, Gi1/2, Gi1/3, Gi1/4
                                                Te1/1, Te1/2
10   VLAN0010                         active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                Gi0/41, Gi0/42, Gi0/44, Gi0/45
                                                Gi0/46, Gi0/47, Gi0/48
88   VLAN0088                         active    Gi0/43
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup


From the pinging switch:

1    default                          active    Gi0/42, Gi0/44, Gi0/45, Gi0/46
                                                Gi1/1, Gi1/2, Gi1/3, Gi1/4
                                                Te1/1, Te1/2
10   VLAN0010                         active    Gi0/2, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/11, Gi0/12, Gi0/13
                                                Gi0/14, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/18, Gi0/19, Gi0/20, Gi0/21
                                                Gi0/22, Gi0/23, Gi0/24, Gi0/25
                                                Gi0/26, Gi0/27, Gi0/28, Gi0/29
                                                Gi0/30, Gi0/31, Gi0/48
15   VLAN0015                         active    Gi0/36, Gi0/37, Gi0/38, Gi0/39
                                                Gi0/40
30   VLAN0030                         active    Gi0/47
31   VLAN0031                         active    Gi0/41
88   VLAN0088                         active    Gi0/43
255  VLAN0255                         active    Gi0/32, Gi0/33, Gi0/34, Gi0/35
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
0
JustInCase commented:
Non-pinging switch:
Gi0/43 is the trunk port (but I am not sure it is the right port)

switch-3560-wc2#sh int trunk

switch-3560-wc2#
***nothing**
This is no good.

On the pinging switch:
# int gi0/1
#switchport trunk allowed vlan add 88

Issue on the pinging switch:
#sh cdp neigh
0
marceloNYC (Middle-Tier Administrator, author) commented:
This is progress here... I will do it after hours (I was asked to).

Will update you later.
0
marceloNYC (Middle-Tier Administrator, author) commented:
Okay, almost there...

I can't get the trunking interface to work.

When I enter "switchport mode trunk" on the server-side switch, the switch on the ASA side becomes unreachable or cut off.

This needs fixing:

ASA side:

interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access

Switch server side:

interface GigabitEthernet0/48
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode access

I think I need it to look like this:

ASA side switch:
!
interface GigabitEthernet0/48
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,15,30,255
 switchport mode trunk
!


Server side switch:

interface GigabitEthernet0/1
 description to smac-c2821
 switchport access vlan 10 <--- Our LAN
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,15,30,255
 switchport mode trunk


VLAN 255 is the VLAN that VLAN 88 needs to reach.
0
JustInCase commented:
I guess you moved the server to VLAN 10.
On the switch where the server is connected:

interface g x/x
 switchport mode access
 switchport access vlan 10

If only the server is attached to that port, you don't need to create a trunk port.
Trunks are created so that more than one VLAN can be forwarded through a link.

Ports should be either ACCESS or TRUNK.
If an end device is connected (so, only one VLAN), most likely that should be an ACCESS port and untagged.
If another switch is connected (more than 1 VLAN), it should be a TRUNK port.

"switchport access vlan 10" will be completely ignored on trunk ports if the port is set as a trunk, although you can still see the access VLAN in the config.
1
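The two checks that resolved this thread (is the server's VLAN actually allowed on the trunk, and is the switch-to-switch port an explicit trunk rather than an access port) are easy to get wrong by eye. As an added example, mine rather than code from this thread or from Cisco, here is a small Python audit that applies both checks to pasted `show interfaces trunk` output and interface stanzas. The sample output and stanza are constructed, modelled on what was pasted earlier in the thread; the VLAN numbers 10 and 88 in `must_carry` are assumptions taken from the discussion.

```python
import re
# Constructed samples, modelled on the outputs pasted earlier in this thread.
SHOW_TRUNK = """Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Port        Vlans allowed on trunk
Gi0/1       10,15,30,255
"""
UPLINK_AS_ACCESS = """interface GigabitEthernet0/48
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode access
"""

def expand_vlans(spec):
    """Expand a Cisco VLAN list ('10,15-17,255', 'all', 'none') into a set of ints."""
    spec = spec.replace(' ', '').lower()
    if spec in ('all', 'none'):
        return set(range(1, 4095)) if spec == 'all' else set()
    ranges = (part.partition('-') for part in spec.split(','))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def allowed_vlans(show_trunk):
    """Map trunk port -> allowed VLANs, read from the 'Vlans allowed on trunk' table."""
    allowed, in_table = {}, False
    for line in show_trunk.splitlines():
        if line.startswith('Port'):
            in_table = 'Vlans allowed on trunk' in line
        elif in_table and line.strip():
            port, spec = line.split(None, 1)
            allowed[port] = expand_vlans(spec)
    return allowed

def trunks_missing_vlan(show_trunk, vlan):
    """Trunk ports that silently drop the given VLAN (the VLAN 88 symptom above)."""
    return sorted(p for p, v in allowed_vlans(show_trunk).items() if vlan not in v)

def uplink_problems(stanza, must_carry=(10, 88)):
    """Audit a switch-to-switch port: explicit trunk; allowed list keeps must_carry."""
    problems = []
    mode = re.search(r'^\s*switchport mode (\S+)', stanza, re.M)
    if not mode or mode.group(1) != 'trunk':
        problems.append('switch-to-switch link is not "switchport mode trunk"')
    elif 'switchport access vlan' in stanza:
        problems.append('"switchport access vlan" is ignored on a trunk port')
    # 'allowed vlan add N' merges into the list; a bare 'allowed vlan N' replaces it.
    allowed = re.search(r'^\s*switchport trunk allowed vlan (?!add\b)(.+)$', stanza, re.M)
    if allowed and (missing := set(must_carry) - expand_vlans(allowed.group(1))):
        problems.append(f'allowed list drops VLANs {sorted(missing)}')
    return problems
```

Run against the thread's own output, `trunks_missing_vlan(SHOW_TRUNK, 88)` reports `Gi0/1`, and `uplink_problems(UPLINK_AS_ACCESS)` reports that the uplink is not a trunk.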
marceloNYC (Middle-Tier Administrator, author) commented:
"Ports should be either ACCESS OR TRUNK." That was learned the hard way.... :D

The server and the ASA operate in VLAN 255, and I am in VLAN 10.

So I need to get the trunking ports, not the port of VLAN 88, well configured.

As of right now both switches are connected with ports 1 and 48.
0
marceloNYC (Middle-Tier Administrator, author) commented:
So to end this,

I am going to use port 48 on both switches. Right now it is port 1 to 48.

I see this now for port 48 on both:

Switch with Firewall:
interface GigabitEthernet0/48
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,15,30,255
 switchport mode trunk

Switch with Server:

interface GigabitEthernet0/48
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode access
!


I think both should be the same as the switch with the server.
0