Routing Problem between 2 subnets

I will try to explain my current setup and the issues I have run into.  I am using all Cisco gear.

Internet -> Router (192.168.100.1) -> L3 switch (192.168.100.2) -> ASA (Transparent Mode) -> L3 switch (192.168.100.3)

L3 switch (100.3) provides internet access for all who connect to it and has been working just fine.  Recently I had to set up a different subnet off of that L3 switch (100.3), so now port 20 connects to a L2 switch to provide internet access to the 192.168.2.0/24 network as well as access to some services on 192.168.100.0/24.

Internet -> Router (192.168.100.1) -> L3 switch (192.168.100.2) -> ASA (Transparent Mode) -> L3 switch (192.168.100.3) -> L2 switch (192.168.2.0/24)

The problem I am having is that I am able to ping machines on the 192.168.2.0 network and vice versa, but if I try to hit a web port or SSH, most of the time it does not work.  What makes it difficult is that it sometimes does work, which drives me crazy and confuses me.  Now if I bypass the ASA everything seems to work just fine.  I have the access rules on the ASA on the outside interface

source 192.168.100.0/24  dest 192.168.2.0/24  ip permit

source 192.168.2.0/24  dest 192.168.100.0/24 ip permit

and on the inside interface

any any ip permit

L3 Switch (100.3)

Where am I going wrong?  I would appreciate any suggestions.

Thanks


Jon Marshall
Hall of Fame

Ryan

Because you have given the switches an IP from 192.168.100.x your setup is a little confusing.

Are these L3 switches acting as L2 switches or are they routing?

You have one vlan - IP subnet 192.168.100.x  and another new vlan for 192.168.2.x. Where is the routing done for traffic between these vlans?

Are the 192.168.100.x addresses for the switches management IPs?

How are the L3 switches connected to each other and the firewall, i.e. L2 trunks, L2 access ports, L3 ports?

Jon

Sorry, yes the IPs for the L3 switches are for management and not needed in the example.  The switches are acting as L2.  The routing is occurring at the Router (100.1).  L2 access ports.

Are some of the 192.168.100.x clients connected to the L3 switches?

If so you would need trunks because you have 2 vlans on those L3 switches.

How is the routing set up? Are you using subinterfaces on the router?

Note I'm assuming you are using separate vlans per subnet?

Jon

Yes, the clients are connected to the L3 switches.  I'm starting to see the problem but I have some knowledge gaps.  Do I set up a trunk on the interface that connects to the 192.168.2.0?  If so, do I need trunking ports to get to the router?  Or would it be simpler to do routing on the L3 switch that physically connects to the 192.168.2.0?

Ryan

It depends on how it is setup as to where you can do the routing -

Internet -> Router (192.168.100.1) -> L3 switch_1 (SW1) (192.168.100.2) -> ASA (Transparent Mode) -> L3 switch_2 (192.168.100.3) -> L2 switch (192.168.2.0/24)

So in the above, do you have clients in 192.168.100.x connected to L3 switch_1?

And do you have clients in 192.168.100.x connected to L3 switch_2?

The problem is that the natural place to do routing for multiple vlans is actually L3 switch_2. In fact I'm not sure what L3 switch_1 is doing other than connecting the router to the firewall. If you have clients on that switch they are not firewalled from the internet.

The interesting thing is it all works without the ASA, but I'm not sure how if you have not set up inter-vlan routing.

Can you answer my questions as to where the 192.168.100.x clients are connected and post your router config (minus any public IP info etc.) and we can see where to go from there.

Jon

Jon

There are no clients connected to L3 switch_1.  The only reason why L3 switch_1 is there is due to a physical location issue and a fiber connection going from L3 switch_1 to the ASA.

I can't post my router config at the moment.

Ryan

Then you can either do as pieterh suggested and treat it all as one big subnet and put everything into the same vlan, or have 2 separate vlans and use L3 switch_2 to route between vlans.

It all depends on how much config you want to do. Using the L3 switch_2 to route between vlans would mean having to -

1) move the routing for the vlans off the router to the switch.

2) set up vlans and L3 vlan interfaces on the switch.

3) readdress the router and add routes to it for the internal vlans, because your router is now no longer routing those vlans so it would not be in the 192.168.100.x subnet.

Note if you used the L3 switch_2 to route, to my mind it would not make sense to route 192.168.2.0/24 off that switch but still route 192.168.100.0/24 off the router.

The above involves a fair bit of config and disruption to your network. In addition, with the setup I have described the firewall would usually be in routed mode, i.e.

internet -> router -> firewall -> L3 switch

where all vlans are routed on the switch and the only time you go to the firewall is to get to the internet.

So you may want to try the other approach which would involve a lot less work.

Jon

pieterh
VIP

If the switches are only L2 and it is the same vlan,

then in fact you don't have two separate /24 networks;

you may look at it as a single /16 network.

-> So let your router know you use 192.168.0.0/16.

Also configure your connected devices as /16.

The ASA may stay the same to permit only those /24 addresses (ranges, not subnets),

but may block the network address (.0) of both ranges.

The fact that you only use 192.168.2.1 - 192.168.2.255 addresses on devices connected to the extra switch has no consequence for routing.

------------------

If you do put port-20 and that switch in a separate vlan,

then

- you need your L3 switch (.3) to route between 192.168.2.0/24 and the network on the router side (192.168.100.0/24);

- so configure a vlan interface and use this as gateway for the devices there;

- you need to add a route on the router so it sends 192.168.2.0/24 to 192.168.100.3 as gateway;

or you must pass both vlans to your router to let the router do the routing.
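The "two vlans, L3 switch_2 routes between them" option that Jon lists as steps 1-3 and pieterh describes in the bullets above, written out as an added Cisco IOS example (not configuration from either poster). It assumes VLAN 100 = 192.168.100.0/24, a new VLAN 2 = 192.168.2.0/24, Gi0/20 as the port towards the L2 switch, Gi0/1 as the uplink towards the ASA, and a static route on the router instead of readdressing it; interface names, VLAN numbers and 192.168.2.1 as the new gateway are assumptions.

```cisco
! ----- L3 switch_2 (192.168.100.3) -----
! Turn the switch into a router for its SVIs (Catalyst IOS).
ip routing
!
vlan 2
 name users-192-168-2
vlan 100
 name users-192-168-100
!
! Existing subnet keeps its management/gateway address on the switch.
interface Vlan100
 ip address 192.168.100.3 255.255.255.0
 no shutdown
!
! New subnet: this SVI becomes the default gateway of the 192.168.2.x devices.
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! Port 20 towards the L2 switch carries only the new vlan (access, not trunk).
interface GigabitEthernet0/20
 description to L2 switch, 192.168.2.0/24
 switchport mode access
 switchport access vlan 2
!
! Uplink towards the ASA / router stays in vlan 100; no trunk is needed because
! inter-vlan traffic is now routed here and never crosses the ASA.
interface GigabitEthernet0/1
 description to ASA (transparent) -> L3 switch_1 -> router
 switchport mode access
 switchport access vlan 100
!
! Everything not local goes to the router.
ip route 0.0.0.0 0.0.0.0 192.168.100.1

! ----- Router (192.168.100.1) -----
! Return path: the router must know 192.168.2.0/24 lives behind switch_2.
ip route 192.168.2.0 255.255.255.0 192.168.100.3
```

Devices on the L2 switch must be pointed at 192.168.2.1 as their gateway; note that with this layout the ASA's 192.168.100.0/24 <-> 192.168.2.0/24 rules no longer see that traffic, because, as Jon says, the firewall is only crossed on the way to the internet.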
