using loopback on a DMZ switch

Answered Question

Hi all,


I'm trying to set up monitoring of my DMZ switch. All servers in this DMZ are in a 172.18.x.x subnet, and all ports on the switch are in VLAN 51. This VLAN only exists on this switch and there is no trunking involved. The switch is a 3550-12T. I'm trying to reach the switch by creating a loopback interface with a 172.18.x.x address. I am unable to ping the switch from any of the servers that are in that subnet. If I do a "show arp" on the switch I don't see anything. Anybody have any ideas why I can't reach this switch via the loopback interface?

Do I have to give VLAN 1 an IP and try and get there that way?


I have all firewall rules in place properly as I can get to all servers that are on that switch, I just can't get to the switch.


Any ideas on how best to set this up?


Thanks very much,


Steve


royalblues Thu, 09/13/2007 - 06:33

Steve,


When you create a loopback interface, you need to assign it an IP address that is not being used by any SVI, and you need to have proper routing to this new IP.


I would suggest configuring an IP which is not on the 172.18.x.x subnet and having proper routing to this IP from the NMS.


HTH

Narayan

royalblues Thu, 09/13/2007 - 06:45

Yes, you are correct, but as Jon said, if the switch is behaving purely as L2, it is suggested to create the SVI for that VLAN on that switch and monitor it with that IP.


Narayan

Jon Marshall Thu, 09/13/2007 - 06:47

Steve


That won't work. You would still need an interface on the 3550 with an IP address out of the 172.18.x.x network.


What you could do is


1) Create a VLAN 51 SVI

2) Assign it an address from 172.18.x.x, e.g. 172.18.1.1

3) Create a loopback and assign it a 10.x.x.x address

4) Add the route "ip route 10.x.x.x 255.255.255.255 172.18.1.1"


This would work with the 3550 still acting as a layer 2 switch, but then it seems a lot more trouble than it is worth.


Jon

thomas.anthony Thu, 09/13/2007 - 06:34

You will not be able to ping or access the loopback IP; you may need to enable routing.

Correct Answer
Jon Marshall Thu, 09/13/2007 - 06:40

Steve


Is there a reason why you want a loopback interface?


If you just want the switch to be layer 2, which you very probably do if it is a DMZ switch, then shut down VLAN 1, create a VLAN 51 SVI, assign it an IP address out of the 172.18.x.x range, and set the default gateway to be the DMZ interface on your firewall.


HTH


Jon
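The accepted approach above, written out as an added example 3550 configuration (not posted by anyone in this thread). The addresses are assumed: management SVI 172.18.51.10/24, firewall DMZ interface 172.18.51.1, NMS at 172.18.0.5 outside the DMZ, with the firewall rules Steve mentions already permitting NMS-to-switch traffic; the management ACL is an addition beyond Jon's steps.

```cisco
! Added example, not from the thread. Assumed addresses:
!   SVI 172.18.51.10/24, firewall DMZ interface 172.18.51.1, NMS 172.18.0.5
!
! 1. Shut down the default VLAN 1 SVI so the switch is not managed there
interface Vlan1
 no ip address
 shutdown
!
! 2. Management SVI in the DMZ VLAN the servers already use
interface Vlan51
 description DMZ management SVI
 ip address 172.18.51.10 255.255.255.0
 no shutdown
!
! 3. Keep the 3550 a pure layer-2 switch (no "ip routing"); replies to
!    off-subnet hosts such as the NMS are sent to the firewall's DMZ interface
no ip routing
ip default-gateway 172.18.51.1
!
! 4. (Addition) Limit management access on the SVI to the monitoring host
ip access-list standard MGMT-HOSTS
 permit host 172.18.0.5
 deny any log
!
snmp-server community <read-only-string> RO MGMT-HOSTS
!
line vty 0 15
 access-class MGMT-HOSTS in
!
! Verify from the switch: the SVI should show up/up with its address,
! a DMZ server and the NMS should both answer.
!   show ip interface brief
!   ping 172.18.51.20
!   ping 172.18.0.5
```

Once the SVI answers, the loopback is no longer needed for monitoring; if it is kept, it must use an address outside 172.18.x.x and the firewall or NMS needs a host route to it via the SVI address, as Jon's alternative describes.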
