3750 Connected to Two Networks

miketobias
Level 1

Good Morning,

I am trying to integrate a 3750 switch stack into my network. This switch stack will be used for a VM environment. Our network currently has an ASA in place and is divided into a LAN segment and a DMZ segment. Both of these segments are designated by separate connections off the ASA. The DMZ is our public-facing server network. Since the VM environment will have a mix of DMZ and LAN servers in it, I need the switch the VM environment is connected to to be on both the DMZ and the LAN. Since these two segments have different subnets, I am thinking I can just route through the 3750 and the ASA to separate these environments on one switch stack. I saw some documentation that mentioned using IP routing and VLANs, but I can't find anything that refers to using two networks connected to the 3750 stack.

                    ASA
                   /   \
                  /     \
        LAN Switches   DMZ Switches
                  \     /
                   \   /
            3750 VM Environment

I apologize for my poor ASCII art skills.

This is just the first way I thought of doing this. If I do it this way, would it be easier to create two new subnets for the VM switch stack and then have the ASA route to the new subnets, or can I use the existing addressing scheme in the LAN and DMZ and just route those in the ASA? I suppose that I could dedicate one switch in the stack to the LAN environment and one to the DMZ, but I was thinking that would kill failover ability. Please let me know if anyone needs more information; I appreciate any help!

5 Replies

Edison Ortiz
Hall of Fame

  I saw some documentation that mentioned using IP routing and VLANs, but I can't find anything that refers to using two networks connected to the 3750 stack.

The implementation of VLANs implies that you will be using different subnets/networks within the same hardware to separate them.

On the 3750, you would create the VLANs in the VLAN database. You can either leave them as Layer 2 VLANs or create a Layer 3 interface that represents each VLAN.

The 3750 Configuration Guide goes over the details:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/3750scg.html

If I do it this way, would it be easier to create two new subnets for the VM switch stack and then have the ASA route to the new subnets, or can I use the existing addressing scheme in the Lan and DMZ and just route those in the ASA?  I suppose that I could dedicate one switch in the stack to the LAN environment and one for the DMZ, but I was thinking that would kill failover ability.

You can create the L3 interfaces that represent those subnets on the VM Switch stack or have the ASA the only L3 device for those subnets.

If you decide to use the VM Switch Stack, you will have to change the default gateway on the hosts to point to the stack.

Based on your experience configuring Cisco switches, I would recommend just creating the L2 VLANs on the VM switch stack and leaving the ASA as the sole L3 device for those subnets. Nothing will change on the hosts: you simply associate the switchport connected to the LAN switches with the LAN VLAN, while the DMZ switches are connected to the switchport associated with the DMZ VLAN.

Regards,

Edison
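The Layer 2-only design recommended above, written out as an added example (this is not configuration from the thread, and none of it was posted by the participants). The VLAN numbers, port assignments, management subnet and the hypervisor port choice are assumptions for illustration. The property that matters is that the stack has no SVI in the LAN or DMZ VLAN and has `ip routing` turned off, so a LAN VM that wants to reach a DMZ VM has no path other than out to the ASA and back in:

```cisco
! Catalyst 3750 stack, Layer 2 only for the LAN and DMZ segments.
! Assumed: VLAN 10 = LAN, VLAN 20 = DMZ, VLAN 99 = switch management,
! VLAN 999 = unused native VLAN for trunks.
!
no ip routing
ip default-gateway 10.99.0.1
!
vlan 10
 name LAN
vlan 20
 name DMZ
vlan 99
 name MGMT
vlan 999
 name UNUSED_NATIVE
!
! Management SVI only. Deliberately NO "interface Vlan10" or "interface Vlan20":
! an SVI in both VLANs together with "ip routing" would let the stack forward
! LAN<->DMZ traffic itself and bypass the ASA policy entirely.
interface Vlan1
 shutdown
interface Vlan99
 ip address 10.99.0.10 255.255.255.0
!
! Uplink to the existing LAN switches: one member port on each stack switch,
! bundled into an EtherChannel so losing a stack member does not drop the segment.
interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1
 description To LAN switches
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode active
!
! Uplink to the existing DMZ switches, same pattern.
interface range GigabitEthernet1/0/2, GigabitEthernet2/0/2
 description To DMZ switches
 switchport mode access
 switchport access vlan 20
 channel-group 2 mode active
!
! Hypervisor uplinks: an 802.1Q trunk carrying both VLANs and nothing else.
! The hypervisor's port groups must tag LAN VMs with 10 and DMZ VMs with 20;
! a VM placed in the wrong port group is on the wrong side of the firewall,
! so the port-group assignment is part of the security boundary.
interface range GigabitEthernet1/0/10 - 11
 description Hypervisor host 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
! Checks to run on the stack after applying this:
!   show ip interface brief | include Vlan   -> only Vlan99 should carry an address
!   show interfaces trunk                    -> Gi1/0/10-11 allowed VLANs 10,20 only
!   show etherchannel summary                -> Po1 and Po2 up (SU) with both members (P)
```

If a future change adds `interface Vlan10` and `interface Vlan20` with addresses and re-enables `ip routing`, the hosts still point at the ASA, but the stack now answers ARP for the other subnet's traffic it sees and can route between them; the `show ip interface brief` check above is the quick way to catch that.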

Edison,

Thank you for the quick reply. I really appreciate the help. I did set it up where I created two VLANs on the switch stack, one a LAN VLAN and one a DMZ VLAN. I connected two hosts to the switch, one on each of the VLANs, emulating one host on the LAN and one on the DMZ, each with its appropriate address (one had an internal address, one a DMZ address). They were both able to connect to their respective networks and out to the internet. The issue that I had with this config was that if I did a traceroute from one host to the other they wouldn't leave the switch; essentially a traceroute from the LAN host went directly to the DMZ host. If possible I would like to have these interfaces separate enough so that a traceroute from the LAN side would have to go out to the firewall, into the DMZ via the firewall and then to the DMZ host. Truly keeping them separate.

  Based on your experience configuring Cisco switches, I would recommend just creating the L2 VLANs on the VM switch stack and leaving the ASA as the sole L3 device for those subnets. Nothing will change on the hosts: you simply associate the switchport connected to the LAN switches with the LAN VLAN, while the DMZ switches are connected to the switchport associated with the DMZ VLAN.

In this configuration it appeared that I was able to do what I wanted to, but it didn't really seem to be separating the interfaces if I could just traceroute to the host on the other network without leaving the switch, or is this expected behaviour?  If it is expected then my problem is certainly resolved, it just seemed that I should be able to keep the traffic separated better.  If using the 3750 as a layer 3 device would be that solution let me know.  Thank you for your help so far, if I can just figure out this last part it would be extremely helpful to me.

If you don't have any L3 interface in the switch, the packet must leave the switch in order to connect to another segment.

Perhaps the FW is masking the traceroute. If you want to verify this, apply some ACLs in the FW and you will see how the packets are blocked, hence the connection is going through the FW.

Regards,

Edison

Hello Mike,

Make sure that both your inside host and the DMZ host have set their default gateway to the firewalls respective interfaces. If you want to see the firewall in the traceroute, please follow the steps in the document below.

https://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace

Hope this helps.

NT
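The check both replies describe, as an added example rather than configuration from the thread: the ASA interface names, addresses, host addresses and ACL name are assumptions chosen for illustration. It does two things: makes the ASA decrement TTL so it appears as a hop in a traceroute from the LAN host, and uses the ASA's own `packet-tracer` and connection table to confirm that a LAN-to-DMZ packet really traverses the firewall policy rather than being switched or routed around it:

```cisco
! ASA interface addressing (assumed). These addresses are the default gateways
! the hosts in each segment must point at, exactly as NT says above.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Assumed test hosts: LAN VM 10.1.0.20 (gw 10.1.0.1), DMZ VM 192.168.10.20 (gw 192.168.10.1)
!
! By default the ASA does not decrement TTL, so traceroute skips over it.
! Turning that on makes the firewall visible as a hop.
policy-map global_policy
 class class-default
  set connection decrement-ttl
!
! The ICMP replies traceroute relies on arrive on the DMZ interface as new
! flows, so they must be explicitly permitted inbound there. Everything else
! from the DMZ toward the inside stays under the implicit deny unless you add it.
access-list dmz_in extended permit icmp any any time-exceeded
access-list dmz_in extended permit icmp any any unreachable
access-group dmz_in in interface dmz
!
! Verification on the ASA.
! 1) Simulate the LAN host's ICMP echo toward the DMZ host:
!      packet-tracer input inside icmp 10.1.0.20 8 0 192.168.10.20
!    Expected: each phase listed, output-interface dmz, Action: allow.
!    packet-tracer only proves the policy would allow it; it does not prove
!    the packet ever reaches the ASA.
! 2) While the trace runs from the LAN host, confirm a real flow exists:
!      show conn address 10.1.0.20
!    A LAN->DMZ connection entry here is the proof the traffic is going through
!    the firewall. If the 3750 stack were routing between the two VLANs, this
!    would stay empty, and the LAN host's first hop would be the stack's SVI
!    rather than 10.1.0.1.
```

The ACL lines are deliberately narrow: they admit only the ICMP error types traceroute needs, not echo or echo-reply, so enabling the diagnostic does not quietly open a DMZ-to-inside ping path.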

Thank you both very much. My firewall was in fact not showing the hops to the environment. Configuration was not the problem; my understanding of the interactions of everything involved was. Doing a packet trace on the ASA showed that the trace was going out through the firewall. My thanks to you both.
