VLAN issues - Cannot reach station on another vlan and switch

towedjumper
Level 1

I am trying to create a vlan for management of my network devices here in the company and for some reason I can't connect to the vlan from my workstation.  I can ping the station from my SWITCH but not my workstation itself.

Please see attached text file for info.  Basically I can ping the management interface of my ASA from the Core switch it is plugged into as well as my switch in the office I am in, but NOT from my workstation connected to the switch I am on, which makes me think the issue is at my access switch level not higher up the chain.

Not sure if it's relevant, but both the core switch and my access switch are metro stacks.



towedjumper
Level 1

Oh, and the core switch is a 3750 and the access switch is a 2960-S

Dennis

You need a route on the ASA -

route inside 10.0.0.0 255.255.0.0 172.20.1.1

Jon

Won't that mess up my default route for that network?  I.e. the Inside (or in my case, it's named Local) network?

Do you mean this route -

ip route 0.0.0.0 0.0.0.0 10.0.2.253

What is the 10.0.2.253 device and does it have a route to the 172.20.1.0/24 subnet  ?

Jon

10.0.2.253 is the interface on the firewall for the inside network.

The management IP for this firewall is 172.20.1.253 (it is shown in the config as 172.20.1.20 but I changed it to .253 for clarity as I am trying to migrate firewalls and wanted the last octet to match the respective devices).  Sorry if this is confusing, I didn't mean to do that and only made the change a couple of minutes ago.  So for clarity:

CORE SWITCH

Vlan100:  10.0.2.20 /16 network

Vlan120:  172.20.1.1 /24

ASA

Local interface (inside) 10.0.2.253

Management: 172.20.1.253

DISTRIBUTION SWITCH (IDF4):

Vlan100: 10.0.2.24

Vlan120:  172.20.1.24

Dennis

You cannot ping across the ASA, i.e. you can't ping the management interface if you come in via the inside interface, which you would do if you are coming from a vlan 100 PC. It works from the switch because the switch has a L3 interface in vlan 120 so it can ping the management interface direct.

This is a rather severe limitation of the ASA management interface, i.e. unless you are on the same subnet you can't manage it properly because the route table always uses the inside interface for return traffic to remote subnets. There are quite a few posts on these forums about the very same issue.

Most people just end up using the inside interface for managing the ASA for this very reason. What the ASA needs is to support VRFs so you can put the management interface into its own VRF, but they don't yet as far as I am aware.

If your core switch is a 6500 then you could use NAT to sort this out, but any other switch, i.e. 4500 or below, does not support NAT unfortunately.

Jon

But I am not trying to ping through the ASA for this.  Or at least not trying to.  Both the ASA Local and Management interfaces are on the same switch, just different vlans.  What I want to do is to connect to my management interface, for, well, management.  Then I would like to EVENTUALLY put an ACL on this management vlan.  Cisco had to have intended this setup otherwise a management interface would be pointless.  You have to connect it to a device somewhere on your lan.

Here's a sh ip route from my core switch:

#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.2.253 to network 0.0.0.0

S    192.168.30.0/24 [1/0] via 172.32.0.2
     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.1.0 is directly connected, Vlan105
     172.20.0.0/24 is subnetted, 1 subnets
C       172.20.1.0 is directly connected, Vlan120
     172.32.0.0/30 is subnetted, 1 subnets
C       172.32.0.0 is directly connected, GigabitEthernet2/0/16
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.200.200.0/24 is directly connected, Vlan200
C       10.0.0.0/16 is directly connected, Vlan100
C       10.150.0.0/24 is directly connected, Vlan150
S*   0.0.0.0/0 [1/0] via 10.0.2.253

So, having listed that, I can ping the management interface on the 172.20.1.0 network (.253) from the Core switch and the access switch through ssh/console.

From my workstation on the access switch I can ping the vlan interface for the access switch (vlan120) as well as the core (vlan 120 and 100 respectively) but not the end device on the core/vlan120.  The break is the last hop from my access switch to my workstation.

Dennis

Yes, actually my last post got it the wrong way round, apologies for that.

It is the return traffic that is the problem. When you ping from the switch or the access switch the source IP is 172.20.1.x which is in the same subnet as the 172.20.1.253 management interface on the ASA. So the ASA returns the traffic back out of the management interface.

When you ping from the PC the source IP is 10.0.0.x. The traffic to the management interface is routed to the management interface but then the ASA has a route pointing to the inside for the 10.0.0.0/16 subnet and this is what stops it working. You can't add a route via the management interface because that would affect the normal traffic.

Cisco had to have intended this setup otherwise a management interface would be pointless.  You have to connect it to a device somewhere on your lan.

It is pretty much pointless unless you manage it from a PC in the same subnet. If you could place the management interface into a separate VRF then you could add a route for 10.0.0.0/16 into the management VRF and this would not affect normal traffic because the VRF table is separate from the global (main) routing table.

This is why I said most people end up managing the ASA using the inside interface.

Jon
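The return-path reasoning in Jon's post above, as an added example that is not from the thread or from Cisco: a small model of the ASA's route lookup built from the addresses the thread gives (management 172.20.1.253/24, inside 10.0.2.253/16). The default route out an "outside" interface is an assumption added for completeness; the model shows which interface the ASA would use for the reply to a ping arriving on the management interface, and why a 172.20.1.x source gets a symmetric path while a 10.0.0.x source does not.

```python
# Added example (not from the thread): model of the ASA's longest-prefix
# route lookup, used to show why a ping to the management interface is
# answered when sourced from 172.20.1.x but not from 10.0.0.x.
from ipaddress import ip_address, ip_network

# Constructed routing table from the addresses quoted in the thread:
#   management 172.20.1.253/24  -> connected route 172.20.1.0/24
#   inside ("Local") 10.0.2.253/16 -> connected route 10.0.0.0/16
# The default route via "outside" is an assumption, not from the thread.
ASA_ROUTES = [
    (ip_network("172.20.1.0/24"), "management"),
    (ip_network("10.0.0.0/16"), "inside"),
    (ip_network("0.0.0.0/0"), "outside"),
]

MGMT_IP = ip_address("172.20.1.253")


def egress_interface(dst, routes=ASA_ROUTES):
    """Longest-prefix match: the interface the ASA would use to reach dst."""
    dst = ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ping_reply_path(src, ingress="management"):
    """Model an ICMP echo request from src arriving on the management
    interface. Returns (reply_interface, symmetric). The reply is routed by
    source address of the request, so it only goes back out the management
    interface when src is in the management subnet."""
    reply_iface = egress_interface(src)
    return reply_iface, reply_iface == ingress


def diagnose(src):
    """Human-readable verdict for one source address."""
    reply_iface, symmetric = ping_reply_path(src)
    if symmetric:
        return f"{src}: reply leaves {reply_iface} (same as ingress) -> ping works"
    return (f"{src}: reply would leave {reply_iface}, not management "
            "-> asymmetric path, ping fails")


if __name__ == "__main__":
    # 172.20.1.24 is the access switch SVI, 172.20.1.1 the core SVI,
    # 10.0.0.50 stands in for the workstation in vlan 100 (constructed).
    for host in ("172.20.1.24", "172.20.1.1", "10.0.0.50"):
        print(diagnose(host))
```

The lookup is the whole point: nothing in the table lets the ASA send traffic for 10.0.0.0/16 out of the management interface, and adding such a route (as the post notes) would also pull production traffic for that subnet toward the management segment.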

I am thinking you are right on that but I am not 100 percent sure.  I changed my access vlan on my port on the access switch, gave myself a 172 address and could then ping the management ip address BUT could not then ping the VLAN 100 ip on the core switch (i.e. 10.0.2.20).

I dunno.  This is making my head ache.

Dennis

I changed my access vlan on my port on the access switch, gave myself a 172 address and could then ping the management ip address BUT could not then ping the VLAN 100 ip on the core switch (i.e. 10.0.2.20).

You should be able to ping the core switch L3 SVI for vlan 100.  What was the default gateway on the client set to, presumably 172.20.1.1 ?

The core switch is doing inter vlan routing ?

Jon

Sorry, I think I was my own worst enemy on this.  I suspect I had the IP for VLAN 120 on my access switch (172.20.1.24) set as the default gateway for my workstation instead of the one on the core switch.  Once I changed it to 172.20.1.1 it could in fact ping out to the VLAN 100 ip on the core switch as well as out to other stations on the network.  I wonder if I created a VM with a management network IP if that would work as well.  Just use it as a management workstation.  Hrm....

EDIT:  To clarify, I have a vSphere setup here and that's what I was referring to.  My ESX hosts have network ports that are trunked.

Dennis

Glad you worked that one out.

There is nothing inherently wrong with using the inside interface of the ASA to manage it. Remember you can restrict which IPs can telnet/ssh into it

I agree that it is less than ideal that if you want to use the management interface you need to be on the same subnet, it doesn't seem very useful to say the least.

Jon
