Connecting Switch and Firewall

Unanswered Question
Oct 13th, 2009


I currently connect the Firewall to one Cisco layer 3 Switch which has 2 VLANs, one for outside and another for inside.

When I try to show the arp table on the switch, the arp entry for the inside host is not always there. So every session initiated by another host has to send an ARP broadcast. Is it normal? How can I improve this issue?

Also, maybe it's a coincidence, but on the SQL connection the client host always generates the NBT query after the prompt TCP handshake. After 3 failed attempts, the session is set up. But it takes more than 3 seconds unnecessarily on the NBT query. I am not sure whether this is something related to the Cisco Switch or the Firewall. Can anyone advise?


Jon Marshall Tue, 10/13/2009 - 08:54


Is the firewall routing between the vlans? If so then the arp table you should be looking at is on the firewall and not the L3 switch, which is why you are not seeing any arp entries.

As for the SQL connection, if you are talking about a client on one of the vlans connecting through the firewall to a device on one of the other vlans then it is probably just some ports you have not allowed in your access-list on the firewall. Firewalls can introduce all sorts of issues if you are trying to use standard windows networking between vlans but you have a firewall in the way.


David Lin Tue, 10/13/2009 - 10:32


The gateway IP of the inside hosts is the Firewall inside interface IP. Yes, I do see the ARP table on the firewall. But I'm just wondering whether it will slow down the communication between each other.

Regarding the SQL connection, both client and DB server are in the same VLAN that the Firewall inside connects to. The problem happens between an Intel Netcard and a Broadcom Netcard. Intel to Intel or Broadcom to Broadcom don't have such a problem. I suspect the problem is caused by the firewall as the gateway. Previously, we didn't have a Firewall and it didn't send NBT at all.

Thank you.

Jon Marshall Tue, 10/13/2009 - 11:10


"Yes, I do see the ARP table on the firewall. But I'm just wondering whether it will slow down the communication between each other."

Well, you will never see the arp entries on the switch unless you make that the gateway for the hosts, so your network is working as expected.

As for slowing things down, firewalls can do this, especially if the traffic has to pass through it. A lot of windows networking will work because there are multiple different connection attempts made, if one fails then a different connection attempt is made. What could well be happening is that the firewall is stopping the initial connection attempt simply because the relevant ports have not been allowed through. If they were then you would not notice the slowness.

It's not clear from your description whether the slowness is related to traffic going from one vlan to another or for traffic from one host in the same vlan to another host in the same vlan. If the former then certainly the firewall could be the issue.

As for the NBT issue, if the devices are in the same vlan and are using IP addresses in the same subnet then the firewall should not come into it, because the connection should be made directly between the 2 devices without going to the gateway.
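Added example (not code from the thread; it assumes a constructed 10.1.1.0/24 inside VLAN with the firewall's inside interface 10.1.1.1 as the hosts' default gateway): the host-side forwarding decision described above, i.e. whether a sender ARPs for the destination directly or for the gateway, and therefore which device ends up holding the ARP entry for the flow.

```python
import ipaddress

# Constructed topology, not taken from the thread: inside VLAN 10.1.1.0/24 with
# the firewall's inside interface 10.1.1.1 as the hosts' default gateway.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
FIREWALL_INSIDE = ipaddress.ip_address("10.1.1.1")


def arp_target(src_ip: str, dst_ip: str, network=INSIDE_NET, gateway=FIREWALL_INSIDE) -> str:
    """Return the IP address a host on `network` ARPs for when sending to dst_ip.

    Same subnet: the host resolves the destination's MAC itself and the switch
    only bridges the frame. Other subnet: the host resolves the gateway's MAC,
    so the ARP entry for the host is learned by whatever owns the gateway IP.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src not in network:
        raise ValueError(f"{src} is not on {network}")
    if gateway not in network:
        raise ValueError(f"gateway {gateway} is not on {network}")
    return str(dst) if dst in network else str(gateway)


def describe_flow(src_ip: str, dst_ip: str, gateway_owner: str = "firewall") -> dict:
    """Summarise where ARP resolution happens and whether the flow hits the gateway.

    gateway_owner is the device holding the gateway IP: "firewall" in the
    thread's setup, or "switch" if an SVI on the L3 switch were the gateway.
    """
    target = arp_target(src_ip, dst_ip)
    via_gateway = target == str(FIREWALL_INSIDE)
    return {
        "arp_for": target,
        "via_gateway": via_gateway,
        "arp_entry_kept_by": gateway_owner if via_gateway else "the two hosts only",
    }


if __name__ == "__main__":
    # SQL client and DB server on the same inside VLAN: no gateway involved.
    print(describe_flow("10.1.1.20", "10.1.1.30"))
    # Inside host talking to an outside address: ARP for the firewall.
    print(describe_flow("10.1.1.20", "192.0.2.10"))
```

A same-subnet SQL session therefore never touches the firewall's ARP table or ACLs, so any extra NBT delay there has to come from the hosts themselves.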


David Lin Tue, 10/13/2009 - 13:41

As for the ARP issue, I am surprised that I still see some ARP entries for inside hosts even after I clear it. Theoretically, I should only see the Firewall IP.

What I mean by the slowness is that the packet goes to the firewall first, then the switch, and finally the destination host within the same VLAN instead of going to the switch straight. Certainly, we may not be able to find the latency and there is no firewall policy involved. But I suspect the ARP issue causes some difference to the hosts in the SQL query connection, although the connection doesn't go through the firewall.

