I have the following scenario:
Internal LAN - 4506 - inside ASA, DMZ ASA - 2950 - Servers
4506 Gig 6/3 connects to 2950 Fas 0/1
The internal network has a default gateway pointing to the 4506.
The 4506 has a default gateway to the inside ASA.
ASA DMZ is on the same subnet as the Servers on the 2950
So, I would assume that traffic from my machine intended for a server will go through my DG (4506), then through the ASA and finally through the 2950 to the servers.
But what is happening is that traffic from my machine goes through my DG (4506), but then straight through the 2950 to the servers (bypassing the ASA).
From STP point of view, the 4506 is the Root Bridge.
The root port on 2950 is the direct connection to the 4506.
I think this is why the connection does not go through the ASA.
What I'm trying to understand is the following:
Does the fact that the 4506 has a DG pointing to the ASA not take precedence over the fact that there's a direct connection between the 4506 and the 2950?
Layer 2 follows the path directly between the switches.
Layer 3 follows the path through the ASA.
Which takes precedence and why?
Layer 2 takes precedence, but I don't understand why, since my laptop is on a totally different subnet from the servers that I want to reach.
I think the solution is to manipulate the cost, so that Layer 2 will prefer the path through the ASA (so Layer 2 and Layer 3 will have the same path).
But could someone explain to me why this is happening?
Thank you all,
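To show the Layer 3 side of the question, here is an added example (not from the original thread) of the longest-prefix-match lookup a router such as the 4506 performs: a directly connected route for the server subnet is more specific than the default route to the ASA, and STP plays no part in that choice. The addresses, and the assumption that the 4506 may have an SVI in VLAN 100, are constructed for illustration.

```python
import ipaddress

# Constructed routing tables for the 4506 (addresses are placeholders, not from the thread).
# Both carry the default route to the inside ASA; only the second also has an SVI in
# VLAN 100, the DMZ/server subnet (an assumption made for this example).
DEFAULT_TO_ASA = ("0.0.0.0/0", "10.0.0.2", "static default -> inside ASA")
LAN_SVI = ("10.1.0.0/24", None, "connected: internal LAN SVI")
DMZ_SVI = ("10.2.0.0/24", None, "connected: VLAN 100 DMZ SVI")

ROUTES_NO_DMZ_SVI = [DEFAULT_TO_ASA, LAN_SVI]
ROUTES_WITH_DMZ_SVI = [DEFAULT_TO_ASA, LAN_SVI, DMZ_SVI]


def lookup(dst, routes):
    """Longest-prefix match: the most specific matching route wins.

    STP never enters this decision; it only decides which Layer 2 links are
    forwarding inside a VLAN once the router has chosen an egress interface.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, desc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, desc)
    return best


def next_hop(dst, routes):
    """Return the next hop the 4506 would use, or 'connected' when it ARPs and
    switches the frame directly in the destination VLAN (bypassing the ASA)."""
    match = lookup(dst, routes)
    if match is None:
        return "unroutable"
    _net, hop, _desc = match
    return "connected" if hop is None else hop


if __name__ == "__main__":
    server = "10.2.0.10"  # constructed server address in the DMZ subnet
    print("without DMZ SVI:", next_hop(server, ROUTES_NO_DMZ_SVI))        # 10.0.0.2 (ASA)
    print("with DMZ SVI:   ", next_hop(server, ROUTES_WITH_DMZ_SVI))      # connected
    print("internet:       ", next_hop("198.51.100.7", ROUTES_WITH_DMZ_SVI))  # 10.0.0.2
```

If the 4506 really does have an interface in the server VLAN, the fix is on the routing side (remove that SVI or route the subnet via the ASA), not in STP costs.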
From your 4500 "sh vlan" output -
100 vlan-dmz active Gi6/3, Gi6/48
you have 2 ports connected to VLAN 100 on the 4500. Are you absolutely sure that the server you are trying to get to is connected to the 2950 and not the 4500?