Layer 3 switching and PIX

rasoftware
Level 1

Hi,

I have set up a 3550 as layer 3. I have configured 3 VLANs: 10.14.0.0/16, 10.15.0.0/16 and 10.16.0.0/16. I have set up a fourth interface as 172.16.0.2. I run a cable from the 172.16.0.2 port to my PIX inside, which is the 172.16.0.1 address. I have set up a default route of 0.0.0.0 0.0.0.0 172.16.0.1 on the switch.

I can ping OK from the switch to the PIX interface. When I connect to one of the VLAN interfaces, i.e. 10.14.0.0/16, or do an extended ping, I see the ICMP arrive on the PIX but I don't see a reply on the client. The packets look like they are getting to the PIX and the PIX is sending a reply. I'm guessing this is a routing issue on the PIX, as it probably doesn't know where to reply to 10.14.0.0.

What route would I need on the PIX or is the PIX blocking the returning echo?

4 Replies

atif.awan
Level 3
Accepted Solution

You need to add routes on the PIX for all your internal VLANs. Try this on the PIX:

route inside 10.14.0.0 255.255.0.0 172.16.0.2
route inside 10.15.0.0 255.255.0.0 172.16.0.2
route inside 10.16.0.0 255.255.0.0 172.16.0.2

Hi, that's what I figured, but it doesn't seem to work.

I noticed this in the syslog output on the PIX:

2006-05-19 10:05:09 Local4.Info 192.100.150.6 :%PIX-6-110001: No route to 10.14.0.1 from 172.16.1.1

I have attached the relevant sections of the PIX and switch config. I guess it must be routing, because I can ping the PIX OK from the switch when it's the same network. Once on the routed VLANs it doesn't work.

Here is the output of the ping from the 3550:

Test-Switch#ping
Protocol [ip]:
Target IP address: 172.16.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.14.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Test-Switch#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Test-Switch#

I get this on the PIX also, but the packets never seem to get back to the switch:

1787: ICMP echo request (len 72 id 28160 seq 7595) 10.14.0.1 > 172.16.1.1
1788: ICMP echo reply (len 72 id 28160 seq 7595) 172.16.1.1 > 10.14.0.1

Hi - sorted it.

I forgot routers/switches don't add the directly connected routes into the routing table unless the interface has something plugged into it. Plugging a laptop into FE0/4 made it work straight away.

Thanks for making me look at my config in detail!

Glad it worked out for you.
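The two routing facts this thread turns on, modelled in Python as an added example (not code from the thread, Cisco, or the PIX): an echo reply to 10.14.0.1 is forwarded by the longest-matching prefix, so without the three `route inside` lines from the accepted answer the PIX either has no route at all (the thread's `%PIX-6-110001` syslog) or sends the reply out its default route instead of back to 172.16.0.2; and on the 3550 a connected route is installed only while its interface is up, and a static default whose next hop lives in that connected prefix is withdrawn along with it. The VLAN and 172.16.0.x addresses come from the opening post; the interface names (`Vlan14`, `FastEthernet0/4`), the PIX outside address 192.0.2.2/24 and its upstream 192.0.2.1 are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, next hop or None for connected, egress interface)
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], Optional[str]]


class Router:
    """Toy longest-prefix-match routing table modelling how a Cisco-style
    device builds its RIB from connected and static routes.
    Constructed for this example; it is not PIX or IOS code."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.interfaces: Dict[str, Tuple[ipaddress.IPv4Interface, bool]] = {}
        self.statics: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = []

    def add_interface(self, ifname: str, addr: str, up: bool = True) -> None:
        self.interfaces[ifname] = (ipaddress.IPv4Interface(addr), up)

    def set_link(self, ifname: str, up: bool) -> None:
        iface, _ = self.interfaces[ifname]
        self.interfaces[ifname] = (iface, up)

    def add_static(self, prefix: str, next_hop: str) -> None:
        self.statics.append((ipaddress.IPv4Network(prefix), ipaddress.IPv4Address(next_hop)))

    def connected_routes(self) -> List[Route]:
        # A connected route exists only while the interface is up/up,
        # which is the fact the original poster ran into on FE0/4.
        return [(iface.network, None, ifname)
                for ifname, (iface, up) in self.interfaces.items() if up]

    def _egress_for(self, next_hop: ipaddress.IPv4Address) -> Optional[str]:
        for net, _, ifname in self.connected_routes():
            if next_hop in net:
                return ifname
        return None

    def rib(self) -> List[Route]:
        # A static route is installed only when its next hop is reachable
        # through a connected route; when that link drops, so does the static.
        entries = list(self.connected_routes())
        for net, next_hop in self.statics:
            egress = self._egress_for(next_hop)
            if egress is not None:
                entries.append((net, next_hop, egress))
        return entries

    def lookup(self, dst: str) -> Optional[Tuple[str, str, str]]:
        """Longest-prefix match: returns (prefix, next_hop or 'connected',
        egress interface), or None when the destination is unroutable."""
        addr = ipaddress.IPv4Address(dst)
        best: Optional[Route] = None
        for entry in self.rib():
            if addr in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
                best = entry
        if best is None:
            return None
        net, next_hop, egress = best
        return (str(net), "connected" if next_hop is None else str(next_hop), egress)


def build_pix(with_vlan_routes: bool, with_default: bool = True) -> Router:
    """PIX with inside 172.16.0.1 (from the thread); outside addresses are constructed."""
    pix = Router("PIX")
    pix.add_interface("outside", "192.0.2.2/24")     # assumed outside address
    pix.add_interface("inside", "172.16.0.1/24")
    if with_default:
        pix.add_static("0.0.0.0/0", "192.0.2.1")     # assumed upstream next hop
    if with_vlan_routes:
        # The accepted answer's three 'route inside ...' lines.
        for prefix in ("10.14.0.0/16", "10.15.0.0/16", "10.16.0.0/16"):
            pix.add_static(prefix, "172.16.0.2")
    return pix


def build_switch(link_up: bool) -> Router:
    """3550 with three SVIs and the 172.16.0.2 uplink; port/SVI names are assumed."""
    sw = Router("3550")
    sw.add_interface("Vlan14", "10.14.0.1/16")
    sw.add_interface("Vlan15", "10.15.0.1/16")
    sw.add_interface("Vlan16", "10.16.0.1/16")
    sw.add_interface("FastEthernet0/4", "172.16.0.2/24", up=link_up)
    sw.add_static("0.0.0.0/0", "172.16.0.1")         # the poster's default route
    return sw


if __name__ == "__main__":
    print("PIX, no VLAN routes, no default:", build_pix(False, with_default=False).lookup("10.14.0.1"))
    print("PIX, no VLAN routes, default only:", build_pix(False).lookup("10.14.0.1"))
    print("PIX, with VLAN routes:", build_pix(True).lookup("10.14.0.1"))
    print("3550, FE0/4 down, to PIX:", build_switch(False).lookup("172.16.0.1"))
    print("3550, FE0/4 up, to PIX:", build_switch(True).lookup("172.16.0.1"))
```

The first PIX case returns `None`, which is what the `No route to 10.14.0.1` syslog line is reporting; the second shows the other failure mode, where a default route silently carries the reply out the wrong interface. The switch cases show why plugging something into FE0/4 fixed the whole thing: with the link down, both the connected 172.16.0.0/24 route and the static default that depends on it are absent from the table.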
