02-15-2012 09:57 AM - edited 03-07-2019 04:57 AM
I'm looking for some advice and guidance. I'm having issues with my new architecture in my test lab.
I have been tasked with building a new environment for our expanding company. We currently have 80 users, are in a hiring blitz, and will be at 120 users by September. We are moving to a larger environment in May to facilitate having all users under one roof.
In my test environment, I am trying to duplicate the IP and VLAN architecture which I will be rolling out, but have not been successful in my test. I have an ASA5520 and an older Cisco Layer 2 switch (3600XL). Part of the new network will consist of multiple VLANs: one VLAN for infrastructure devices, a few to segregate the departments, VPN, wireless, and eventually VoIP. The production switches will consist of PoE to facilitate VoIP, but I have not purchased that equipment yet.
I am currently testing with one switch, but will add another to test functionality via daisy chain (I know this isn't the best method). I am trying to see if I can test my config and architecture with the current devices, but have not been successful in communicating between the PCs on each VLAN.
The overall goal is to communicate through the VLANs to prove the concept, such as communicating to network shares, authenticating to Active Directory, and then to the internet. Since I currently do not have this connected to any internet circuit, I am, however, trying to test the communication between VLANs. I can't communicate across VLANs. My XP machine does not authenticate to my AD server, and they cannot ping one another (spec below).
What do I need, or what do I need to do, to get these devices to communicate with the environment explained above? I suspect it is a limitation of SVI.
Currently 3 VLANs
VLAN 10:
Two servers on the 10.10.10.X network with the gateway as 10.10.10.1
One of those two servers is my Active Directory
These two machines communicate with each other successfully, but cannot communicate with VLAN 20.
I cannot run the command "no shutdown" on VLAN 10.
VLAN 20:
Currently an XP laptop on the 10.10.20.X network with the gateway as 10.10.20.1
This cannot communicate with VLAN 10
VLAN 30:
Not in use yet
ASA:
Router on a Stick
Config attached
Switch1:
Config attached, but here is a quick snippet:
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
!
interface FastEthernet0/3
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
!
interface FastEthernet0/5
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
!
interface FastEthernet0/7
switchport access vlan 10
switchport trunk encapsulation dot1q
!
interface FastEthernet0/9
switchport access vlan 30
switchport trunk encapsulation dot1q
!
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN10
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN20
no ip directed-broadcast
no ip route-cache
!
access-list 10 permit 10.0.0.0 0.255.255.255
02-15-2012 10:11 AM
Your 3500XLs are layer 2 only, so you only need one single SVI defined with an IP address, and that will be to manage the switch. All routing will be done on your ASA, so you don't need more than a single SVI. I would check the trunking encapsulation on both the ASA and the 3500 and make sure they match. See if they both support dot1q and set them both to that. The native VLAN must match on each side of the trunk also; if you define no native VLAN then it should default to VLAN 1 as native. You do not need an access list on the 3500. Did you create the layer 2 VLANs on your 3500 by going into the VLAN database?
02-15-2012 10:45 AM
glen.grant
Thanks for the speedy response. I did create the VLANs on the layer 2 switch by going into the VLAN database.
I'll go back and blow them away, make sure that they are set correctly, and then test and repost.
02-15-2012 11:10 AM
Part of your switch config:
interface FastEthernet0/3
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
The switchports connecting to end devices should be considered access ports (99% of the time, in most circumstances);
therefore you can remove the switchport trunk commands here if these ports are indeed connecting to end hosts.
All you would need is this:
interface FastEthernet0/3
switchport access vlan 20
Also, I believe the default on an ASA is to block traffic between interfaces of the same security level. Try this global config command to enable traffic between your security level 100 subinterfaces:
same-security-traffic permit {inter-interface | intra-interface}
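The two replies above boil down to three checks a person can make by eye on a small lab config: access ports that still carry trunk commands, more than one active SVI on a Layer 2 switch, and ASA interfaces sharing a security level without `same-security-traffic permit inter-interface`. The script below, an added example written for this thread and not code from the poster or from Cisco, runs those checks over text configs. The switch sample is the snippet posted above; the ASA fragment is constructed for illustration and is not the poster's attached ASA config, so its interface names and subinterface layout are assumptions.

```python
import re
from collections import defaultdict

# Switch configuration as posted in the thread (separators normalised to "!").
SWITCH_CONFIG = """interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
!
interface FastEthernet0/3
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
!
interface FastEthernet0/5
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
!
interface FastEthernet0/7
switchport access vlan 10
switchport trunk encapsulation dot1q
!
interface FastEthernet0/9
switchport access vlan 30
switchport trunk encapsulation dot1q
!
interface VLAN1
no ip address
shutdown
!
interface VLAN10
shutdown
!
interface VLAN20
no ip route-cache
!
access-list 10 permit 10.0.0.0 0.255.255.255
"""

# Constructed ASA fragment (assumption, not the poster's attached config):
# two router-on-a-stick subinterfaces at security-level 100 and no
# same-security-traffic statement, which is the situation the reply describes.
ASA_CONFIG = """interface GigabitEthernet0/1.10
 vlan 10
 nameif servers
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif users
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
"""


def parse_stanzas(config):
    """Return {interface_name: [stripped lines]} for each 'interface' stanza.

    A line starting with '!' ends the current stanza, so global commands that
    follow a separator (like the access-list above) are not attributed to an
    interface.
    """
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"interface\s+(\S+)", line, re.IGNORECASE)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_switch(config):
    """Flag leftover trunk commands on access ports and extra active SVIs."""
    findings, active_svis = [], []
    for name, lines in parse_stanzas(config).items():
        if name.lower().startswith("vlan"):
            if "shutdown" not in lines:
                active_svis.append(name)
            continue
        is_access = any(l.startswith("switchport access vlan") for l in lines)
        trunk_cmds = [l for l in lines if l.startswith("switchport trunk")]
        if is_access and trunk_cmds and "switchport mode trunk" not in lines:
            findings.append(f"{name}: access port with leftover trunk commands: {trunk_cmds}")
    if len(active_svis) > 1:
        findings.append(f"{len(active_svis)} active SVIs ({', '.join(active_svis)}); "
                        "a Layer 2 switch needs only one, for management")
    return findings


def audit_asa(config):
    """Flag interfaces that share a security level when inter-interface traffic is not permitted."""
    levels = defaultdict(list)
    for name, lines in parse_stanzas(config).items():
        for l in lines:
            m = re.match(r"security-level\s+(\d+)", l)
            if m:
                levels[int(m.group(1))].append(name)
    permitted = re.search(r"^same-security-traffic permit inter-interface", config, re.M) is not None
    return [f"{len(names)} interfaces share security-level {lvl} ({', '.join(names)}) "
            "but 'same-security-traffic permit inter-interface' is absent; traffic between them is dropped"
            for lvl, names in levels.items() if len(names) > 1 and not permitted]


if __name__ == "__main__":
    for finding in audit_switch(SWITCH_CONFIG) + audit_asa(ASA_CONFIG):
        print(finding)
```

Running it prints one finding per host-facing port (Fa0/3, 0/5, 0/7 and 0/9 all mix `switchport access vlan` with `switchport trunk` lines) and one for the ASA; adding the `same-security-traffic permit inter-interface` line to the ASA text clears the latter. The checks are deliberately textual so they can be run against a `show running-config` capture without touching the devices.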
02-15-2012 12:55 PM
glen.grant
This worked. I had a VLAN mismatch. Once I made the change on the ASA, all my VLANs started to communicate. Thanks for the tip and fix!
02-15-2012 02:15 PM
Glad it helped...