Cisco Support Community

New Member

Can't access switch that's in trunk mode

Hi,

I have a Cisco ASA firewall, trunked off this I have a Cisco 3750 (128.101.10.52/16) which I can access via telnet from my PC.

Now off the 3750 I have trunked a 3560 (172.24.0.249/16) which I can't access from my PC although I can access it via a telnet session from the 3750.

I have tried adding the "ip route" to the 3750 or ASA's IP but I still can't access.

What do you need from me for you to be able to help?

The IP route on the 3750 is 0.0.0.0 0.0.0.0 128.101.10.71 which is our core LAN switch. The 3750 can ping this, I assume the 3560 needs to ping this too which it can't, it's like the 3750 is not passing the traffic through. I know it is because I have lots of servers on the 3560 which I can access.

Thanks

18 REPLIES

Re: Can't access switch that's in trunk mode

Andy,

Can you supply the config of both switches? That would be a good start.

New Member

Re: Can't access switch that's in trunk mode

Here you go. The 3750 is fine, it's 3560's.

Re: Can't access switch that's in trunk mode

Andy,

Physically - on the 3750, which port is connected to the ASA? Which port is connected to the 3560?

Layer 2 config - on the 3750 I can only see one trunk port configured 1/0/1?

Layer 3 config on both looks OK - any specific reason why for vlan 6 you are using a /16? I would probably go down to a /24

HTH.

New Member

Re: Can't access switch that's in trunk mode

Hi,

3750 to ASA (trunk) = interface FastEthernet1/0/1

3750 to 3560 (trunk) = interface FastEthernet1/0/2

Yeah, I've been meaning to change it to /24, it's more tidy, plus is it better for broadcasts?

Re: Can't access switch that's in trunk mode

In the 3750 - int fa 1/0/2 change from switchport to trunk port.

Yep - and it gives you 255 addresses back for something else!

Re: Can't access switch that's in trunk mode

As long as the 3750 connects onto port 1/0/2 on the other switch?

New Member

Re: Can't access switch that's in trunk mode

Little confused...sorry

Can you explain again,

3750 to ASA (trunk) = 3750 interface FastEthernet1/0/1

3750 to 3560 (trunk) = 3750 interface FastEthernet1/0/2

FastEthernet1/0/2 on the 3750 plugs into FastEthernet0/1 on the 3560.

Re: Can't access switch that's in trunk mode

Sorry - I confused myself on which device was connected to which port. Can you try the following on the 3560:-

Paste in this order.....

ip default-gateway 172.24.0.250

no ip routing

Can you also post your ASA config - sanitised of course, remove any passwords, external IP addresses etc?

New Member

Re: Can't access switch that's in trunk mode

Tried:

ip default-gateway 172.24.0.250

no ip routing

But no luck. If it helps, the servers that are patched into the 3560 I can get onto from my PC and access their C$ and remote desktop them, it's just managing the 3560 via SSH or telnet.

The ASA config is so huge, can I just ask what part you may need to help you?

Port 2 on the ASA is the trunk port to the 3750, so I have many virtual VLANS I suppose (not sure of the proper word), here is the config for the trunk:

interface GigabitEthernet0/2.6
 vlan 6
 security-level 10
 ip address 172.24.0.100 255.255.0.0 standby 172.24.0.249
 ospf cost 10

Although I didn't configure most of this ASA I see the standby address is the same as this switch! I did remove it but still no luck.
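
The overlap noticed in the post above (the ASA interface's standby address matching the 3560's address) is something a quick audit of the device configs can flag. The following is an added example, not part of the original thread: the ASA fragment is the one quoted above, while the 3560 fragment is constructed from the address given in the thread (the `Vlan6` interface name and the function names are assumptions).

```python
import ipaddress
import re
from collections import defaultdict

# ASA fragment as quoted in the post above.
ASA_CFG = """\
interface GigabitEthernet0/2.6
 vlan 6
 security-level 10
 ip address 172.24.0.100 255.255.0.0 standby 172.24.0.249
 ospf cost 10
"""
# Constructed 3560 fragment: the address is from the thread, Vlan6 is assumed.
SW3560_CFG = """\
interface Vlan6
 ip address 172.24.0.249 255.255.0.0
"""

IP_LINE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def claimed_addresses(config):
    """Yield (ip, interface, role) for every address a config claims."""
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        m = IP_LINE.match(line)
        if not m or iface is None:
            continue
        primary, mask, standby = m.groups()
        try:
            ipaddress.ip_network(f"{primary}/{mask}", strict=False)
        except ValueError:
            continue  # not an address/mask pair, e.g. "ip address dhcp setroute"
        yield ipaddress.ip_address(primary), iface, "primary"
        if standby:
            yield ipaddress.ip_address(standby), iface, "standby"

def find_conflicts(configs):
    """Map each IP claimed by more than one device to its claimants."""
    owners = defaultdict(list)
    for device, cfg in configs.items():
        for ip, iface, role in claimed_addresses(cfg):
            owners[ip].append((device, iface, role))
    return {str(ip): who for ip, who in owners.items()
            if len({dev for dev, _, _ in who}) > 1}
```

Calling `find_conflicts({"asa": ASA_CFG, "3560": SW3560_CFG})` reports 172.24.0.249 as claimed by both devices; with the `standby` clause removed the result is empty.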

Re: Can't access switch that's in trunk mode

Can you ping from the 3560 to the ASA??

Have you any acl's on the ASA that would block you from getting to the 3560?

New Member

Re: Can't access switch that's in trunk mode

I can't ping the firewall's inside address of 128.101.10.50 but I can ping 172.24.0.100 which is the VLAN gateway on the firewall.

Just added an IP any any each way and still nothing.

Tried Packet tracer on the ASA and it believes it can get through to the 3560:

192.168.90.5 is me

"packet-tracer input inside tcp 192.168.90.5 172.24.0.248 telnet"

New Member

Re: Can't access switch that's in trunk mode

Strange thing is, I have just logged onto the ASA via telnet then typed ping 172.24.0.249:

ping 172.24.0.249
Sending 5, 100-byte ICMP Echos to 172.24.0.249, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Re: Can't access switch that's in trunk mode

Double check your NAT and all your acl's that filter!!

New Member

Re: Can't access switch that's in trunk mode

I have a NAT exempt from my PC's IP to 172.24.0.0/24 and ACE's from my IP (inside) to 172.24.0.0/24 which is totally open and the opposite rule so 172.24.0.0/24 (on the DMZ_webservers interface) to my IP on any port.

I can get to the servers on 172.24.0.0/24 from my PC so I know the rules are working, but can't telnet to 172.24.0.249.

I can only telnet to the 3560 from the 3750 (128.101.10.52) and any 172.24.0.0/24 client in that the 3560 switch.

Re: Can't access switch that's in trunk mode

Can you ping the switch from your PC?

New Member

Re: Can't access switch that's in trunk mode

No, but I can ping the firewall and the 3750.

Re: Can't access switch that's in trunk mode

In all honesty it should work, don't see why it does not if you say the ASA is not filtering anything.

The only other thing I could suggest - is reboot the 3560, in the past I have had issues with switches not being able to reach IP addresses....and a re-load fixes all, but my switches are 3548XL's - so not really a straight comparison :o(

HTH.

New Member

Re: Can't access switch that's in trunk mode

NP, it's probably staring me in the face.
