Solved: using loopback on a DMZ switch

steve.hart · ‎09-13-2007

Hi all,

I'm trying to set up monitoring of my DMZ switch. All servers in this dmz are in a 172.18.x.x subnet, and all ports on the switch are in a VLAN51. This VLAN only exists on this switch and there is no trunking involved. The switch is a 3550-12T. I'm trying to reach the switch by creating a loopback interface with a 172.18.x.x address. I am unable to ping the switch from any of the servers that are in that subnet. If I do a show arp on the switch I don't see anything. Anybody have any ideas why I can't reach this switch via the loopback interface?

Do I have to give VLAN 1 an IP and try and get there that way?

I have all firewall rules in place properly as I can get to all servers that are on that switch, I just can't get to the switch.

Any ideas on how best to set this up.

Thanks very much,

Steve

Jon Marshall · ‎09-13-2007

Steve

Is there a reason why you want a loopback interface ?.

If you just want the switch to be layer 2 which you very probably do if it is a DMZ switch then shutdown vlan 1, create a vlan51 SVI, assign it an ip address out of the 172.18.x.x range and set the default-gateway to be the DMZ interface on your firewall.

HTH

Jon

View solution in original post

royalblues · ‎09-13-2007

Steve,

When you create a loopback interface, then you need to assign it an ip address that is not being used by any SVI and you need to have proper routing for this new IP.

I would suggest to configure an IP which is not on the 172.18.x.x subnet and have proper routing to this IP from the NMS

HTH

Narayan

steve.hart · ‎09-13-2007

If I understand you correctly, you are saying that I would need to give Loop1 an IP like 10.x.x.x or something other than 172.18.x.x and then setup routing to 10.x.x.x. Is that correct?

royalblues · ‎09-13-2007

yes you are correct, but as Jon said, if the switch is behaving purely as L2, it is suggested to create the SVI for that vlan on that switch and monitor it with that IP

Narayan

Jon Marshall · ‎09-13-2007

Steve

That won't work. You would still need an interface on the 3550 with an ip address out of the 172.18.x.x network.

What you could do is

1) create vlan 51 SVI

2) Assign it an address from 172.18.x.x eg 172.18.1.1

3) Create loopback and assign it 10.x.x.x address.

4) Add route "ip route 10.x.x.x 255.255.255.255 172.18.1.1

This would work with the 3550 still acting as layer 2 switch but then it seems a lot more trouble than it is worth.

Jon

thomas.anthony · ‎09-13-2007

you will not be able to ping or access the loopback IP, you may need to enable routing.

Jon Marshall · ‎09-13-2007

Steve

Is there a reason why you want a loopback interface ?.

If you just want the switch to be layer 2 which you very probably do if it is a DMZ switch then shutdown vlan 1, create a vlan51 SVI, assign it an ip address out of the 172.18.x.x range and set the default-gateway to be the DMZ interface on your firewall.

HTH

Jon

steve.hart · ‎09-13-2007

Hi Jon,

I think that is the piece I was missing, I didn't give VLAN 51 an IP. Thanks for your help.

Steve