Cisco ASA and 3750x Switches

qwaven
Level 1

Hello,

I am wondering if anyone is able to assist with getting VLANs working properly between sub-interfaces on an ASA and a trunk port on a switch.

There seems to be an issue with the VLANs being assigned to the correct VLAN and this information being properly sent to the ASA over the trunk.

We seem to be unable to ping most of the interfaces except for one on the switch. Sometimes, if we are lucky, we are able to ping a host on a different VLAN that is on the switch. This seems sporadic at best.

Logs on the ASA show that traffic does not seem to be assigned properly to the correct sub-interface. We have access rules on the ASA disallowing traffic not part of the same VLAN. For example, you will see networkA blocked on networkB when it really should be directed through networkA's sub-interface.

I'm wondering if anyone can give example commands for the ASA and the switch for at least the basic requirements to enable all the VLANs to communicate properly with the ASA?

Hope I'm making sense here. If not please let me know.

Thanks for your help!

5 Replies

ebarticel
Level 4

Not much info to go on. If you can post some show command output from the switch it may help.

Eugen

Thanks for your reply.

Well we have 1 ASA and 2 stacks of switches. Stack 1 is IP Based and Stack 2 is not.

[remote] -> {tunnel} -> [ASA] -> [Stack 1] -> [Stack 2]

[ASA] has several sub-interfaces on one of the interfaces connecting to [Stack 1] via Gig 1/0/1 Trunk port.

[Stack 1] has a trunk to [stack 2]

We can ping [Stack 2] just fine.

We cannot ping [Stack 1]; however if we connect to [Stack 2] we can access [stack 1].

--> Show IP INT BRIEF on STACK 1 (truncated for relevance)

Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan10                 10.0.0.33       YES NVRAM  up                    up
Vlan11                 10.0.1.33       YES NVRAM  up                    up
Vlan12                 10.0.2.33       YES NVRAM  up                    up
Vlan13                 10.0.3.33       YES NVRAM  up                    up
Vlan101                10.1.0.33       YES NVRAM  up                    up
FastEthernet0          unassigned      YES NVRAM  administratively down down
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
GigabitEthernet1/0/2   unassigned      YES unset  down                  down

--> Interface Gig 1/0/1 via show run

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10-13,101
 switchport mode trunk
 speed 1000
 duplex full

We cannot ping any of the VLANs except for 10.0.0.34 (Stack 2 IP).

On the ASA we'll see logs like this showing one VLAN trying to HOP to another...

Severity 4  Jan 27 2012 17:39:11  src 10.1.0.35/123  dst 10.120.1.2/123
Deny udp src EB_Server:10.1.0.35/123 dst WAN:10.120.1.2/123 by access-group "EB_Server_access_in" [0x0, 0x0]


EB_SERVER is VLAN 13 or 10.0.3.0 /24 network.

The origin is from VLAN 11 or 10.0.1.0 /24 network

There is a deny rule denying all traffic not in the same VLAN (intentional), and we need to make sure the traffic for VLAN x actually goes through VLAN x.

Thoughts?

Thanks!

Sounds like an ACL problem blocking return traffic. Can you post the relevant ACL configuration and ASA sub-interface configs please?

On the ASA we have:

interface GigabitEthernet0/1
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 description Server
 vlan 10
 nameif Server
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 description Finance Server
 vlan 11
 nameif F_Server
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/1.12
 description Exchange Front End
 vlan 12
 nameif EF_Server
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1.13
 description Exchange Back End
 vlan 13
 nameif EB_Server
 security-level 100
 ip address 10.0.3.1 255.255.255.0

As for ACL. The ASA is practically defaults. It is a brand new device.

The only ACL is what I mentioned above. For each interface/VLAN there is one rule saying allow from the source network (which is for the correct VLAN) to any, and then the implicit deny.

For example, VLAN 13 will have allow network 10.0.3.0 /24 to any and deny all.

Thanks for your help.
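Added example, not code from the thread or from Cisco: a short Python script that takes the switch SVI table, the Gig1/0/1 trunk line and the ASA sub-interface config posted above (transcribed inline; the one assumption is a /24 mask on every switch SVI, since show ip int brief prints no masks) and checks them against each other and against the posted deny log. It reports which VLANs the trunk carries that have no ASA sub-interface, whether each ASA sub-interface's VLAN is allowed on the trunk and its subnet agrees with the switch SVI, and whether the source address in a 106023 deny message actually belongs to the sub-interface it arrived on. On the posted data it finds that VLANs 1 and 101 are allowed on the trunk but have no ASA sub-interface, and that 10.1.0.35 arrived on EB_Server (10.0.3.0/24) while the only switch VLAN whose subnet contains it is 101 (10.1.0.0/24).

```python
# Added example, not code from the thread; the inputs are transcribed from the posts above.
import ipaddress
import re

# Transcribed from the posted "show ip int brief" on Stack 1 (SVI rows only).
SWITCH_SVIS = """\
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan10                 10.0.0.33       YES NVRAM  up                    up
Vlan11                 10.0.1.33       YES NVRAM  up                    up
Vlan12                 10.0.2.33       YES NVRAM  up                    up
Vlan13                 10.0.3.33       YES NVRAM  up                    up
Vlan101                10.1.0.33       YES NVRAM  up                    up
"""
TRUNK_ALLOWED = "1,10-13,101"  # transcribed from the posted Gig1/0/1 trunk config
# Transcribed from the posted ASA sub-interface configuration.
ASA_CONFIG = """\
interface GigabitEthernet0/1.10
 vlan 10
 nameif Server
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/1.11
 vlan 11
 nameif F_Server
 ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/1.12
 vlan 12
 nameif EF_Server
 ip address 10.0.2.1 255.255.255.0
interface GigabitEthernet0/1.13
 vlan 13
 nameif EB_Server
 ip address 10.0.3.1 255.255.255.0
"""
ASA_LOG = (  # the %ASA-4-106023 message quoted in the thread
    'Deny udp src EB_Server:10.1.0.35/123 dst WAN:10.120.1.2/123 '
    'by access-group "EB_Server_access_in" [0x0, 0x0]')

def parse_vlan_list(spec):
    """Expand an IOS 'switchport trunk allowed vlan' list such as '1,10-13,101'."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_svis(text, prefix=24):
    """Map VLAN id -> SVI address, skipping unassigned SVIs.  Assumption: every SVI
    is a /24, as the poster describes the networks; show ip int brief prints no mask."""
    return {int(vlan): ipaddress.ip_interface(f"{addr}/{prefix}")
            for vlan, addr in re.findall(r"^Vlan(\d+)\s+(\S+)", text, re.M)
            if addr != "unassigned"}

def parse_asa_subifs(text):
    """Map VLAN id -> (nameif, address/mask) for each ASA sub-interface."""
    subifs = {}
    for block in re.split(r"^interface ", text, flags=re.M)[1:]:
        vlan = re.search(r"^\s*vlan (\d+)", block, re.M)
        name = re.search(r"^\s*nameif (\S+)", block, re.M)
        addr = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
        if vlan and name and addr:
            iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
            subifs[int(vlan.group(1))] = (name.group(1), iface)
    return subifs

def parse_deny_log(line):
    """Pull protocol, interfaces, addresses and ACL name out of an ASA 106023 line."""
    m = re.search(r"Deny (\w+) src (\S+?):(\S+?)/(\d+) dst (\S+?):(\S+?)/(\d+) "
                  r'by access-group "([^"]+)"', line)
    if not m: raise ValueError("not an ASA 106023 deny message")
    keys = ("proto", "src_if", "src", "sport", "dst_if", "dst", "dport", "acl")
    return dict(zip(keys, m.groups()))

def check_vlan_plumbing(trunk_allowed, svis, subifs):
    """List VLAN and subnet mismatches between the trunk, switch SVIs and ASA."""
    findings, allowed = [], parse_vlan_list(trunk_allowed)
    for vlan in sorted(allowed - set(subifs)):
        findings.append(f"VLAN {vlan}: allowed on trunk but no ASA sub-interface")
    for vlan in sorted(set(subifs) - allowed):
        findings.append(f"VLAN {vlan}: ASA sub-interface but pruned from the trunk")
    for vlan, (name, asa_if) in sorted(subifs.items()):
        svi = svis.get(vlan)
        if svi is not None and svi.network != asa_if.network:
            findings.append(f"VLAN {vlan}: SVI {svi} outside ASA {name} {asa_if.network}")
    return findings

def classify_deny(line, svis, subifs):
    """Does the denied packet's source address belong to the ASA interface it hit?"""
    d = parse_deny_log(line)
    src = ipaddress.ip_address(d["src"])
    hit = [(v, i) for v, (n, i) in subifs.items() if n == d["src_if"]]  # [] if unknown
    return {"src": d["src"], "ingress": d["src_if"], "acl": d["acl"],
            "expected_vlan": hit[0][0] if hit else None,
            "fits_ingress": bool(hit) and src in hit[0][1].network,
            # switch VLANs whose SVI subnet actually contains the source
            "source_vlans": sorted(v for v, svi in svis.items() if src in svi.network)}

if __name__ == "__main__":
    svis, subifs = parse_svis(SWITCH_SVIS), parse_asa_subifs(ASA_CONFIG)
    print(check_vlan_plumbing(TRUNK_ALLOWED, svis, subifs), classify_deny(ASA_LOG, svis, subifs))
```

One reading of the posted data, offered as a hypothesis to verify rather than a diagnosis: Stack 1 has an SVI up in every VLAN, so if ip routing is enabled it can route between those VLANs itself and hand a packet from 10.1.0.35 to the ASA through whichever sub-interface its route toward 10.120.1.2 points at. That produces exactly the quoted log with no tagging fault on the trunk, and no trunk or sub-interface command changes it. show ip route on Stack 1 settles which case applies; if the switch is meant to be Layer 2 only towards the ASA, the hosts' default gateways need to be the ASA sub-interface addresses rather than the SVIs.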

Hi Michael,

Which IP address is 10.120.1.2? In your ASA log output I see that your ping is denied by 10.120.1.2. Looks like a different subnet to me. Check the ACL on that device.

Eugen
