cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1232
Views
17
Helpful
29
Replies

6509E Switch Vlan Issue

Jacob Samuel
Level 1
Level 1

Hi Friends,

I have 2 6509E switch with FWSM. There is 2 valn for the fwsm also. inside vlan 101 and outside vla 95. Outside will be the virtual connection to the MSFC for fwsm to msfc routing and on 101 vlan connects the server Farm, int gig1/1-40 on the same switch.

The Problem what i am facing now is - both my interfaces on the fwsm is showing down

int vlan 95 outside

down/down

int vlan 101 inside

down/down

I read in many places that you need a up/up interface or active trunk to make the SVI up. What i should do in thios case, if i want to conect the msfc to FWSM???

also if i want to create a Managment SVI for the devices, i will not assign any port just for management access only.

regards

Jacob

29 Replies 29

Dear Andrew.

Thanks for the Link

Sure, i will go through the file. i have configured up to this as of now.

My connectivity is as follows-

ASA Inside -> connect to 6509E MSFC on int vlan 90

====

ASA 5540

int vlan 90

nameif inside

des *** connect to 6509E MSFC ***

ip add 192.168.90.1 255.255.255.224

6509E - (L3 SVI)

int vlan 91

des *** MSFC connect to ASA Inside ***

ip add 192.168.90.5 255.255.255.224

====

6509E MSFC-> connect to FWSM int vlan 95.

====

6509E MSFC

(NO L2 VALN created in the MSFC only SVI)

int vlan 95

des *** routing Vlan to FWSM ***

ip add 192.168.95.5 255.255.255.224

FWSM interface Outisde

int vlan 95

nameif outside

des *** Routing to 6509E MSFC ***

ip add 192.168.95.1 255.255.255.224

====

FWSM interface insde-

(Int Vlan 101 Inside to connect Servers)

int vlan 101

nameif inside

des *** Connect to Inside Servers ***

ip add 192.168.101.1 255.255.255.0

=====

is it correct??? If no L2 for the vlan 95 on the MSFC how will it work?

Need your kind input please

regards

Jacob

Jacob

All vlans must exist at layer 2 on the 6500 switch.

For vlan 95 you need

1) For the vlan to exist at L2 ie. a "sh vlan" would show vlan 95

2) A L3 SVI on the MSFC for vlan 95

For vlan 101 you need the vlan to exist at L2 ONLY on the 6500 switch. No L3 SVI should be created on the MSFC.

Also have you allocated the vlans to the FWSM with the "firewall vlan-group .." command on the 6500 switches.

Jon

Looks OK - so you need to assign the VLAN's to the FWSM and it should be ok.

HTH>

chintan-shah
Level 3
Level 3

Have you allocated thos vlan on MSFC for Firewall module and also on context in FWSM ??

Regards,

Chintan

Thanks to all,

I am attaching the configuration of the Switch and the FWSM. Thanks Jon, now my vlan 95 is showing up on the FWSM. But still my inside interface vlan 101 is showing down. i have added one port to the inside vlan 101. but still its showing down.

In the third file i have mentioned about the configuration i prepared for the switch can any one please validate that also?

regards

Jacob

Hi Jacob,

I didn't get any of attached configuration.

Do you mind to send me config at chintan2004@gmail.com

Thanks, attaching the file again chintan. i will send it through mail also.

Thanks a lot

regards

Jacob

Hi Jacob,

Do you see vlna 101 (inside vlan)in layer 2 VLAN database ? Do "show vlan" you should have vlan 101. If you don't have , VLAN 101 will be down unless you have in layer 2 daatabase.

Regards,

Chintan

Jacob

Your 6500 switch is running in VTP transparent mode but it shows no sign of vlan 95 or vlan 101. The only vlans it shows are vlans 90 & 100.

On the 6500 switch if you do

6500# sh vlan

do you see entries for vlans 95 & 101. If not you need to create them ie.

6500(config)# vlan 95

6500(config-vlan)# name FWSM_outside

6500(config)# vlan 101

6500(config-vlan)# name FWSM_inside

Jon

Hi Jacob,

Jon is correct. you have not created VLAN 101 on MSFC L2 VLAN database. you only have vlna 9 and 100. Please create VLAN 101 in global config mode, you should have vlna 101 up/up state :).

vlan 90

name RoutingVlan-to-ASA

!

vlan 100

name Management_Access_Vlan

!

Chintan, sorry i updated the file.

regards

Jacob

Jon,

I am sorry, by mistake i attached the previouse file. I am attaching the latest config.

Also i missed to create the inside L2 vlan on the msfc (101) just now i created that and the inside vlan also showing up.

But... again i am not able to ping the vlan interface 192.168.101.1 from the msfc also not able to ping the inside hopst 192.168.101.10 to the gateway 192.168.101.1 any thing .. missing??

regards

Jacob

Jacob

"am not able to ping the vlan interface 192.168.101.1 from the msfc"

add this to your config

FWSM-Pri(config)# management-access inside

"also not able to ping the inside hopst 192.168.101.10 to the gateway 192.168.101.1 any thing"

do you mean you can't ping the host from the gateway or the gateway from the host. Have you assigned the switch port that the host is connected to into vlan 101 ?

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco