Cisco Support Community

New Member

6509E Switch Vlan Issue

Hi Friends,

I have 2 6509E switches with FWSM. There are 2 VLANs for the FWSM also: inside VLAN 101 and outside VLAN 95. Outside will be the virtual connection to the MSFC for FWSM-to-MSFC routing, and VLAN 101 connects the server farm, int gig1/1-40 on the same switch.

The problem I am facing now is that both my interfaces on the FWSM are showing down:

int vlan 95 outside

down/down

int vlan 101 inside

down/down

I read in many places that you need an up/up interface or an active trunk to make the SVI up. What should I do in this case, if I want to connect the MSFC to the FWSM?

Also, if I want to create a management SVI for the devices, I will not assign any port to it; it is just for management access only.

regards

Jacob

29 REPLIES

New Member

Re: 6509E Switch Vlan Issue

Dear Andrew,

Thanks for the link.

Sure, I will go through the file. I have configured up to this as of now.

My connectivity is as follows-

ASA Inside -> connect to 6509E MSFC on int vlan 90

====

ASA 5540

int vlan 90

nameif inside

des *** connect to 6509E MSFC ***

ip add 192.168.90.1 255.255.255.224

6509E - (L3 SVI)

int vlan 91

des *** MSFC connect to ASA Inside ***

ip add 192.168.90.5 255.255.255.224

====

6509E MSFC-> connect to FWSM int vlan 95.

====

6509E MSFC

(No L2 VLAN created on the MSFC, only the SVI)

int vlan 95

des *** routing Vlan to FWSM ***

ip add 192.168.95.5 255.255.255.224

FWSM interface outside

int vlan 95

nameif outside

des *** Routing to 6509E MSFC ***

ip add 192.168.95.1 255.255.255.224

====

FWSM interface inside

(Int Vlan 101 Inside to connect Servers)

int vlan 101

nameif inside

des *** Connect to Inside Servers ***

ip add 192.168.101.1 255.255.255.0

=====

Is it correct? If there is no L2 VLAN for VLAN 95 on the MSFC, how will it work?

Need your kind input please

regards

Jacob

Hall of Fame Super Blue

Re: 6509E Switch Vlan Issue

Jacob

All vlans must exist at layer 2 on the 6500 switch.

For vlan 95 you need

1) For the vlan to exist at L2 ie. a "sh vlan" would show vlan 95

2) A L3 SVI on the MSFC for vlan 95

For vlan 101 you need the vlan to exist at L2 ONLY on the 6500 switch. No L3 SVI should be created on the MSFC.

Also, have you allocated the VLANs to the FWSM with the "firewall vlan-group .." command on the 6500 switches?

Jon

Re: 6509E Switch Vlan Issue

Looks OK - so you need to assign the VLANs to the FWSM and it should be OK.

HTH

New Member

Re: 6509E Switch Vlan Issue

Have you allocated those VLANs on the MSFC for the firewall module and also on the context in the FWSM?

Regards,

Chintan

New Member

Re: 6509E Switch Vlan Issue

Thanks to all,

I am attaching the configuration of the switch and the FWSM. Thanks Jon, now my VLAN 95 is showing up on the FWSM. But still my inside interface VLAN 101 is showing down. I have added one port to the inside VLAN 101, but still it is showing down.

In the third file I have mentioned the configuration I prepared for the switch; can anyone please validate that also?

regards

Jacob

New Member

Re: 6509E Switch Vlan Issue

Hi Jacob,

I didn't get any of the attached configuration.

Do you mind sending me the config at chintan2004@gmail.com?

New Member

Re: 6509E Switch Vlan Issue

Thanks, attaching the file again, Chintan. I will send it through mail also.

Thanks a lot

regards

Jacob

New Member

Re: 6509E Switch Vlan Issue

Hi Jacob,

Do you see VLAN 101 (inside VLAN) in the layer 2 VLAN database? Do "show vlan"; you should have VLAN 101. If you don't have it, VLAN 101 will be down unless you have it in the layer 2 database.

Regards,

Chintan

Hall of Fame Super Blue

Re: 6509E Switch Vlan Issue

Jacob

Your 6500 switch is running in VTP transparent mode but it shows no sign of VLAN 95 or VLAN 101. The only VLANs it shows are VLANs 90 & 100.

On the 6500 switch if you do

6500# sh vlan

do you see entries for VLANs 95 & 101? If not, you need to create them, i.e.

6500(config)# vlan 95

6500(config-vlan)# name FWSM_outside

6500(config)# vlan 101

6500(config-vlan)# name FWSM_inside

Jon

New Member

Re: 6509E Switch Vlan Issue

Hi Jacob,

Jon is correct. You have not created VLAN 101 in the MSFC L2 VLAN database. You only have VLAN 90 and 100. Please create VLAN 101 in global config mode; you should then have VLAN 101 in the up/up state :).

vlan 90

name RoutingVlan-to-ASA

!

vlan 100

name Management_Access_Vlan

!

New Member

Re: 6509E Switch Vlan Issue

Chintan, sorry, I updated the file.

regards

Jacob

New Member

Re: 6509E Switch Vlan Issue

Jon,

I am sorry, by mistake I attached the previous file. I am attaching the latest config.

Also I missed creating the inside L2 VLAN on the MSFC (101); just now I created that and the inside VLAN is also showing up.

But... again I am not able to ping the VLAN interface 192.168.101.1 from the MSFC, and also not able to ping from the inside host 192.168.101.10 to the gateway 192.168.101.1. Anything missing??

regards

Jacob

Hall of Fame Super Blue

Re: 6509E Switch Vlan Issue

Jacob

"am not able to ping the vlan interface 192.168.101.1 from the msfc"

Add this to your config:

FWSM-Pri(config)# management-access inside

"also not able to ping the inside host 192.168.101.10 to the gateway 192.168.101.1 any thing"

Do you mean you can't ping the host from the gateway or the gateway from the host? Have you assigned the switch port that the host is connected to into VLAN 101?

Jon

New Member

Re: 6509E Switch Vlan Issue

Jon

Do we have to add any route in the 6509 switch for 192.168.101.x?

NAT - in the FWSM I just did the NAT for (inside) only; do we need the same for outside also?

In the FWSM I have added a default route only; it is a connected interface, so I think there is no need to add any route for 101.x there?

I have added one port, Gig 1/2, to VLAN 101, and from the host

IP 192.168.101.10 /24

GW 192.168.101.1

I am not able to ping the gateway from the host. Also I am not able to ping from the MSFC to the outside interface (192.168.95.1 to 192.168.95.5) and the reverse also.

regards

Jacob

Hall of Fame Super Blue

Re: 6509E Switch Vlan Issue

Jacob

For the pinging of the interfaces see Chintan's response, i.e. you need to allow ICMP to the FWSM interfaces.

You will need to add a route to the FWSM for the VLAN on the inside, i.e.

ip route 192.168.101.0 255.255.255.0

Also bear in mind that with the FWSM, traffic is not allowed through from inside to outside by default. You need to allow it with an ACL. This is contrary to the behaviour of standalone PIX/ASA firewalls.

Not sure what you mean by NAT. If you want to connect to the inside host from outside then you will need

static (inside,outside) 192.168.101.10 192.168.101.10

Jon

New Member

Re: 6509E Switch Vlan Issue

hi Jacob,

By nature, the FWSM doesn't allow pinging the inside interface from the MSFC (outside).

Are you able to ping the outside interface of the FWSM from the MSFC?

Can you try the following configuration on the FWSM:

icmp permit

icmp permit

Then try pinging the inside interface (GW) from the host.

Regards,

Chintan

New Member

Re: 6509E Switch Vlan Issue

Dear Chintan / Jon

Thanks a lot, after adding the icmp permit now the host is able to ping the GW, and the MSFC can ping the FWSM outside interface also.

Jon, about NAT, do we need to add a NAT statement in the FWSM like we do in the traditional PIX? I don't need any NATing here; I mean to ask, do we need to add these statements?

nat (inside) 0 x x

nat (outside) 0 x x

regards

Jacob

Hall of Fame Super Blue

Re: 6509E Switch Vlan Issue

Jacob

NAT works pretty much the same way it does on traditional Pix. Yes you can use

nat (inside) 0 192.168.101.0 255.255.255.0

which tells the FWSM not to NAT. You would only need a static if you wanted to initiate the connection from the outside to the 192.168.101.10 host - see previous post.

Glad you got it working.

Jon
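The FWSM-side pieces that came up across this thread (icmp permit, management-access, the nat 0 identity translation, the static, the inside-to-outside ACL Jon mentions and a default route toward the MSFC) fit together as follows. This is an added example configuration, not Jacob's posted config and not from any of the replies. It assumes FWSM 3.1 single-context routed mode, an FWSM outside address of 192.168.95.4/29 (the thread never states the final one), 192.168.95.1 as the MSFC-side gateway, and that the only service published on the 192.168.101.10 server is TCP 443; the access-list names are also assumptions.

```cisco
! FWSM 3.1, single context, routed mode (added example, not the poster's config)
interface Vlan95
 nameif outside
 security-level 0
 ip address 192.168.95.4 255.255.255.248
!
interface Vlan101
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
!
! Default route toward the MSFC-side gateway address (assumed 192.168.95.1)
route outside 0.0.0.0 0.0.0.0 192.168.95.1 1
!
! The FWSM drops pings to its own interfaces until icmp is permitted.
! Scope the permits to the directly attached subnets instead of "any".
icmp permit 192.168.95.0 255.255.255.248 outside
icmp permit 192.168.101.0 255.255.255.0 inside
!
! Lets management traffic from the MSFC side reach the inside interface address
management-access inside
!
! Identity NAT (nat 0): do not translate the server subnet, same as on a PIX
nat (inside) 0 192.168.101.0 255.255.255.0
!
! Only needed if connections are initiated from outside toward the server
static (inside,outside) 192.168.101.10 192.168.101.10 netmask 255.255.255.255
!
! Unlike a standalone PIX/ASA, the FWSM needs an ACL even from a higher to a
! lower security level, so inside-to-outside traffic is explicitly permitted here
access-list INSIDE_OUT extended permit ip 192.168.101.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
!
! Inbound to the server, limited to the one published service (port assumed)
access-list OUTSIDE_IN extended permit tcp any host 192.168.101.10 eq 443
access-group OUTSIDE_IN in interface outside
```

The icmp permits are narrowed to the connected subnets rather than `any` so that only hosts on the routing VLAN and the server VLAN can probe the firewall's own addresses; the outside ACL likewise permits only the published port rather than `ip any`, which is the part of the static that decides what is actually reachable from outside.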

New Member

Re: 6509E Switch Vlan Issue

Dear Jon / Chintan,

Thanks for the help... I am still keeping the query open... since I have to create a stateful failover between the FWSMs, I may need your help when I do the failover for the FWSM. Now I will check the whole scenario without failover... and later... update you guys...

Thanks so much.

regards

Jacob

Hall of Fame Super Blue

Re: 6509E Switch Vlan Issue

Jacob

No problem. Just a quick point. When configuring the failover make sure your "firewall vlan-group ..." configuration on the 6500 switches match each other exactly in terms of vlans assigned to the FWSM or the failover doesn't work properly.

Jon

New Member

Re: 6509E Switch Vlan Issue

Hi Jon / Chintan

Thanks a lot, you guys... I did the failover also; it seems to be working fine.

Thanks a lot for the support. It was a very good experience.

regards

Jacob

New Member

Re: 6509E Switch Vlan Issue

Dear Jon / Chintan

One more point to add: on the MSFC, in the interface VLAN 95 (connecting to the outside FWSM), I did the standby config.

6509E-SW01

int vlan 95

ip add 192.168.95.2 255.255.255.248

standby ip 192.168.95.1

standby pri 110

stand pre

!

6509E-SW02

int vlan 95

ip add 192.168.95.3 255.255.255.248

standby ip 192.168.95.1

standby pri 105

stand pre

!

Is it correct? Will it make any issue?

regards

Jacob

Hall of Fame Super Blue

Re: 6509E Switch Vlan Issue

Jacob

This is exactly what you should do for failover to work properly. Obviously the default route on the FWSM should point to 192.168.95.1.

Glad it's all working now and appreciate the ratings.

Jon
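The 6500-side configuration that the thread builds up piece by piece (the L2 VLANs Jon asked for, the "firewall vlan-group" allocation that must match on both switches for failover, the VLAN 95 SVI with the HSRP standby config Jacob posted, the access port for the server, and the route to the server subnet) is collected below as an added example for the primary switch. It is not Jacob's attached config and not from any of the replies. The FWSM slot number (3), the vlan-group number (1), the FWSM outside address 192.168.95.4 used as the next hop, and the interface descriptions are assumptions.

```cisco
! 6509E-SW01 (added example, not the poster's config)
! Both VLANs must exist at L2 before an SVI or the FWSM interface can come up
vlan 95
 name FWSM_outside
vlan 101
 name FWSM_inside
!
! Hand both VLANs to the FWSM. Slot 3 and group 1 are assumptions.
! This vlan-group line must be identical on SW02, or failover misbehaves.
firewall vlan-group 1 95,101
firewall module 3 vlan-group 1
!
! SVI only for the routing VLAN. VLAN 101 exists at L2 but gets NO SVI on
! the MSFC; an SVI there would let the MSFC route around the firewall.
interface Vlan95
 description routing VLAN to FWSM outside
 ip address 192.168.95.2 255.255.255.248
 standby ip 192.168.95.1
 standby priority 110
 standby preempt
!
! Server port placed in the inside VLAN as an access port
interface GigabitEthernet1/2
 description inside server 192.168.101.10
 switchport
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
!
! Route to the server subnet via the FWSM outside address (assumed 192.168.95.4)
ip route 192.168.101.0 255.255.255.0 192.168.95.4
!
! 6509E-SW02 differs only in the SVI address and the HSRP priority:
!   interface Vlan95
!    ip address 192.168.95.3 255.255.255.248
!    standby ip 192.168.95.1
!    standby priority 105
!    standby preempt
```

After pasting this, "show vlan" should list 95 and 101, and "show firewall vlan-group" on each switch should return the same VLAN list; a mismatch between the two switches is the condition Jon warns about for failover. The FWSM default route then points at the HSRP virtual address 192.168.95.1, so an MSFC failover does not change the firewall's next hop.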

New Member

Re: 6509E Switch Vlan Issue

Hi Jacob,

Yes, Jon is correct, you should be using HSRP and a route on the MSFC pointing to the HSRP virtual IP for the server farm.

What FWSM software and 6500 IOS do you use?

Are you planning to use multiple context or single context?

Regards,

Chintan

New Member

Re: 6509E Switch Vlan Issue

Jon/Chintan,

Thanks, it's working fine. Chintan, it is 3.1(4).

Yes, it is working in single context mode as of now.

In fact I don't have much idea about the multiple context mode. Multiple context mode means multiple VLAN groups assigned in the switch so it will work as different firewall groups, am I right? Can you please just give some clarity on this?

As of now I am connecting only my server on VLAN 101, which is the inside. If I have to create multiple DMZs, it is the same process we did for the other interfaces, right? If so I will try this later.

regards

Jacob

New Member

Re: 6509E Switch Vlan Issue

Hi jacob,

Multiple context mode is kind of using virtual firewalls with different policies in a single physical firewall.

So, say for example you have different server farms that need different security policies; you can use multiple context mode, like a DMZ which has different security requirements than the internal private network.

You have to configure the firewall in multiple mode and start creating different contexts (i.e. virtual firewalls), allocate VLANs to them and so on.

You can even achieve a kind of load-sharing by having active/active mode for the FWSM so that some contexts will be active on SW1 and some on SW2, and that way you can share load on both switches with resiliency.

Chintan
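To make Chintan's description concrete, the following is an added example of the FWSM system-execution-space configuration for multiple context mode with two server-farm contexts in active/active failover groups. It is not from the original posts. The context names, the VLANs 96 and 102 for the DMZ context, the config-url paths, and the use of the management VLAN 100 from Jacob's switch config for the admin context are all assumptions.

```cisco
! FWSM system execution space (added example, not the poster's config)
! Switching to multiple mode converts the running config and reloads the module,
! so it is done once, up front, not on a live firewall.
mode multiple
!
! The admin context is used to manage the module; VLAN 100 is the
! Management_Access_Vlan from the switch config (assumption that it is reused here)
admin-context admin
context admin
  allocate-interface vlan100
  config-url disk:/admin.cfg
!
! Each context is its own virtual firewall with its own policy and VLANs.
! Give each context its own outside VLAN rather than sharing vlan95, so the
! classifier never has to guess which context a packet belongs to.
context servers
  allocate-interface vlan95
  allocate-interface vlan101
  config-url disk:/servers.cfg
  join-failover-group 1
!
context dmz
  allocate-interface vlan96
  allocate-interface vlan102
  config-url disk:/dmz.cfg
  join-failover-group 2
!
! Active/active: group 1 is active on the primary unit, group 2 on the secondary,
! so each 6500 carries part of the load while the other unit stands by for it
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
```

Inside each context the configuration looks like the single-context one (nameif, security-level, icmp permit, nat 0, ACLs), applied to the VLAN interfaces allocated to it. The switch side must still carry every VLAN allocated to any context in its "firewall vlan-group", and, as Jon pointed out earlier, that group must be identical on both switches.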

New Member

Re: 6509E Switch Vlan Issue

Chintan, surely I will try that.

thanks

Jacob

I sent one mail to your Gmail account. Can you please find some time to have a look at it?

New Member

Re: 6509E Switch Vlan Issue

Hi Jon,

I ran into one design issue and am finding a solution.

I have a 6500 with FWSM running multiple contexts in routed mode.

I have a setup like this:

MSFC--Ext-FW---VRF-lite----Int-FW1-server1
                       ----Int-FW2-server2

Now behind Int-FW1 (one of the contexts) there are multiple servers, and the same behind Int-FW2.

I don't use a shared outside VLAN between Int-FW and VRF-lite; rather I have a one-to-one VLAN between each context and the VRF.

I might have to use lots of static routes on the VRF for server subnets pointing to each Int-FW context.

To avoid that, I thought of using RHI but got to know that RHI doesn't support injection into a VRF (FWSM 4.0); the other alternative is BGP stub. But I understood that BGP stub requires the outside VLAN to be a shared interface between all contexts (i.e. Int-FW) and the VRF.

So, with my design where I have no shared VLAN but rather a one-to-one VLAN for each context, can I still use BGP stub between the FWSM and the VRF?

Any help appreciated.

Chintan
