topic Re: 6509E Switch Vlan Issue in Switching

6509E Switch Vlan Issue

Jacob Samuel — Wed, 06 Mar 2019 10:15:15 GMT

Hi Friends,

I have 2 6509E switch with FWSM. There is 2 valn for the fwsm also. inside vlan 101 and outside vla 95. Outside will be the virtual connection to the MSFC for fwsm to msfc routing and on 101 vlan connects the server Farm, int gig1/1-40 on the same switch.

The Problem what i am facing now is - both my interfaces on the fwsm is showing down

int vlan 95 outside

down/down

int vlan 101 inside

down/down

I read in many places that you need a up/up interface or active trunk to make the SVI up. What i should do in thios case, if i want to conect the msfc to FWSM???

also if i want to create a Managment SVI for the devices, i will not assign any port just for management access only.

regards

Jacob

Re: 6509E Switch Vlan Issue

andrew.prince — Sat, 01 Nov 2008 11:58:15 GMT

I sugges you read the below:-

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwsm_cfg.html

HTH>

Re: 6509E Switch Vlan Issue

Jacob Samuel — Sat, 01 Nov 2008 12:42:08 GMT

Dear Andrew.

Thanks for the Link

Sure, i will go through the file. i have configured up to this as of now.

My connectivity is as follows-

ASA Inside -> connect to 6509E MSFC on int vlan 90

====

ASA 5540

int vlan 90

nameif inside

des *** connect to 6509E MSFC ***

ip add 192.168.90.1 255.255.255.224

6509E - (L3 SVI)

int vlan 91

des *** MSFC connect to ASA Inside ***

ip add 192.168.90.5 255.255.255.224

====

6509E MSFC-> connect to FWSM int vlan 95.

====

6509E MSFC

(NO L2 VALN created in the MSFC only SVI)

int vlan 95

des *** routing Vlan to FWSM ***

ip add 192.168.95.5 255.255.255.224

FWSM interface Outisde

int vlan 95

nameif outside

des *** Routing to 6509E MSFC ***

ip add 192.168.95.1 255.255.255.224

====

FWSM interface insde-

(Int Vlan 101 Inside to connect Servers)

int vlan 101

nameif inside

des *** Connect to Inside Servers ***

ip add 192.168.101.1 255.255.255.0

=====

is it correct??? If no L2 for the vlan 95 on the MSFC how will it work?

Need your kind input please

regards

Jacob

Re: 6509E Switch Vlan Issue

Jon Marshall — Sat, 01 Nov 2008 12:56:53 GMT

Jacob

All vlans must exist at layer 2 on the 6500 switch.

For vlan 95 you need

1) For the vlan to exist at L2 ie. a "sh vlan" would show vlan 95

2) A L3 SVI on the MSFC for vlan 95

For vlan 101 you need the vlan to exist at L2 ONLY on the 6500 switch. No L3 SVI should be created on the MSFC.

Also have you allocated the vlans to the FWSM with the "firewall vlan-group .." command on the 6500 switches.

Jon

Re: 6509E Switch Vlan Issue

andrew.prince — Sat, 01 Nov 2008 13:00:21 GMT

Looks OK - so you need to assign the VLAN's to the FWSM and it should be ok.

HTH>

Re: 6509E Switch Vlan Issue

chintan-shah — Sat, 01 Nov 2008 13:55:00 GMT

Have you allocated thos vlan on MSFC for Firewall module and also on context in FWSM ??

Regards,

Chintan

Re: 6509E Switch Vlan Issue

Jacob Samuel — Sat, 01 Nov 2008 16:21:14 GMT

Thanks to all,

I am attaching the configuration of the Switch and the FWSM. Thanks Jon, now my vlan 95 is showing up on the FWSM. But still my inside interface vlan 101 is showing down. i have added one port to the inside vlan 101. but still its showing down.

In the third file i have mentioned about the configuration i prepared for the switch can any one please validate that also?

regards

Jacob

Re: 6509E Switch Vlan Issue

chintan-shah — Sat, 01 Nov 2008 16:25:45 GMT

Hi Jacob,

I didn't get any of attached configuration.

Do you mind to send me config at chintan2004@gmail.com

Re: 6509E Switch Vlan Issue

Jacob Samuel — Sat, 01 Nov 2008 16:29:03 GMT

Thanks, attaching the file again chintan. i will send it through mail also.

Thanks a lot

regards

Jacob

Re: 6509E Switch Vlan Issue

Jon Marshall — Sat, 01 Nov 2008 16:29:09 GMT

Jacob

Your 6500 switch is running in VTP transparent mode but it shows no sign of vlan 95 or vlan 101. The only vlans it shows are vlans 90 & 100.

On the 6500 switch if you do

6500# sh vlan

do you see entries for vlans 95 & 101. If not you need to create them ie.

6500(config)# vlan 95

6500(config-vlan)# name FWSM_outside

6500(config)# vlan 101

6500(config-vlan)# name FWSM_inside

Jon

Re: 6509E Switch Vlan Issue

chintan-shah — Sat, 01 Nov 2008 16:32:27 GMT

Hi Jacob,

Do you see vlna 101 (inside vlan)in layer 2 VLAN database ? Do "show vlan" you should have vlan 101. If you don't have , VLAN 101 will be down unless you have in layer 2 daatabase.

Regards,

Chintan

Re: 6509E Switch Vlan Issue

chintan-shah — Sat, 01 Nov 2008 16:37:05 GMT

Hi Jacob,

Jon is correct. you have not created VLAN 101 on MSFC L2 VLAN database. you only have vlna 9 and 100. Please create VLAN 101 in global config mode, you should have vlna 101 up/up state :).

vlan 90

name RoutingVlan-to-ASA

vlan 100

name Management_Access_Vlan

Re: 6509E Switch Vlan Issue

Jacob Samuel — Sat, 01 Nov 2008 16:51:37 GMT

Jon,

I am sorry, by mistake i attached the previouse file. I am attaching the latest config.

Also i missed to create the inside L2 vlan on the msfc (101) just now i created that and the inside vlan also showing up.

But... again i am not able to ping the vlan interface 192.168.101.1 from the msfc also not able to ping the inside hopst 192.168.101.10 to the gateway 192.168.101.1 any thing .. missing??

regards

Jacob

Re: 6509E Switch Vlan Issue

Jacob Samuel — Sat, 01 Nov 2008 16:52:35 GMT

Chintan, sorry i updated the file.

regards

Jacob

Re: 6509E Switch Vlan Issue

Jon Marshall — Sat, 01 Nov 2008 17:22:29 GMT

Jacob

"am not able to ping the vlan interface 192.168.101.1 from the msfc"

add this to your config

FWSM-Pri(config)# management-access inside

"also not able to ping the inside hopst 192.168.101.10 to the gateway 192.168.101.1 any thing"

do you mean you can't ping the host from the gateway or the gateway from the host. Have you assigned the switch port that the host is connected to into vlan 101 ?

Jon

Re: 6509E Switch Vlan Issue

chintan-shah — Sat, 01 Nov 2008 17:24:06 GMT

hi Jacob,

By nature , FWSM doens't allow to ping inside interface from MSFC(outside).

Are you able to ping outside interface of FWSM from MSFC?

Can you try folloiwng configuration on FWSM :

icmp permit

Then try pingging inside interface (GW) from host .

Regards,

Chintan

Re: 6509E Switch Vlan Issue

Jacob Samuel — Sat, 01 Nov 2008 18:10:02 GMT

Jon

Do we have to add any route in the 6509 Switch for 192.168.101.x?

NAT - in fwsm i just did the NAT for (inside) only, do we need the same for outside also?

FWSM i have added a default route only, it is Connected interface so think no need to add any route for 101.x there?

I have added one port, Gig 1/2, to 101 vlan. and from the host

IP 192.168.101.10 /24

GW 192.168.101.1

I am not able to ping the gateway from the Host. Also I am not able to ping from the msfc to the outside interface (192.168.95.1 to 192.168.95.5) and reverse also.

regards

Jacob

Re: 6509E Switch Vlan Issue

Jon Marshall — Sat, 01 Nov 2008 18:14:33 GMT

Jacob

For the pinging of the interfaces see Chintan's response ie. you need to allow icmp to the FWSM interfaces.

You will need to add a route to the FWSM for the vlan on the inside ie.

ip route 192.168.101.0 255.255.255.0

Also bear in mind with the FWSM traffic is not allowed through from inside to outside by default. You need to allow it with an acl. This is contrary to the behaviour of standalone pix/asa firewalls.

Not sure what you mean by NAT. if you want o connect to the inside host from outside then you will need

static (inside,outside) 192.168.101.10 192.168.101.10

Jon

Re: 6509E Switch Vlan Issue

Jacob Samuel — Sat, 01 Nov 2008 18:47:01 GMT

Dear Chintan / Jon

Thaks a lot, after adding the icmp permit now the host is able to ping the GW and msfc to fwsm outside interface also.

Jon about NAT, do we need to add NAT statement in FWSM as like we do in the traditional Pix. i dont need any NATing here, i mean to ask do we need to add this statement?

nat (inside) 0 x x

nat (outside) 0 x x

regards

Jacob

Re: 6509E Switch Vlan Issue

Jon Marshall — Sat, 01 Nov 2008 18:50:55 GMT

Jacob

NAT works pretty much the same way it does on traditional Pix. Yes you can use

nat (inside) 0 192.168.101.0 255.255.255.0

which tells the FWSM not to NAT. You would only need a static if you wanted to initiate the connection from the outside to the 192.168.101.10 host - see previous post.

Glad you got it working.

Jon