1380 Views | 0 Helpful | 7 Replies

ASA vlan trunking to 3750

jasonrpell20
Level 1

I'm sure some of these questions have been asked, but I think my setup is a little different.  I have a rather large network with multiple VLANs and routing that I need some help on.  Here's the layout:

5540 subinterface = gi0/2.18 = 10.16.18.1/24 TRUNKED to a 2960

2960 has an interface set to VLAN 18 (no IP) goes to a Cisco 4507 with an int. set to VLAN 18 (no IP)

4507 then has a trunk to a Cisco 7206

7206 then trunks to a Cisco 3845

3845 trunks to a 3750 (single)

3750 (single) trunks to a 3750 Stack

3750 Stack has int. set to VLAN 18 that goes to a 3750(lab) w/ int set to VLAN 18 w/ IP 10.16.18.251/24, VLAN502 = 10.202.255.1/30,

VLAN510 = 10.203.255.1/30

3750(lab) then has a trunk that connects to ASA 5510 w/ subinterfaces:  e0/1.18 = 10.16.18.253/24, e0/1.510 = 10.203.255.2/30, e0/1.502 = 10.202.255.2/30

ASA5510 then goes to Internet

Any trunks are set to allow all VLANs.  From the 2960 to the 3750 stack it's obviously all Layer 2 with trunking.

Issue:

If I sit at the 5540, I can ping 10.16.18.251 and .253 with no problems.  I can also ping 10.203.255.1 with no problems.  Problem is that I cannot get to the other subinterfaces on the 5510 for VLANs 502 and 510.  How do I ensure that my trunk is set up right?  I have a route in the 5540 pointing to the 10.203 and 10.202 using the 10.16.18.251 address.  It seems like a traceroute gets to the 10.16.18.251 address but then it stops.  What route should be on the 5510 to make sure it gets back?  The default route on the 5510 points to the Outside.  What am I missing?  I think it's something to do with the trunk that's just something I don't understand yet.  Any help is appreciated.  Thanks,

5510:

show int ip bri:

Ethernet0/1.18             10.16.18.253   YES manual up                    up
Ethernet0/1.502            10.202.255.2   YES manual up                    up
Ethernet0/1.510            10.203.255.2   YES manual up                    up

show route

Gateway of last resort is x.x.x.x to network 0.0.0.0

C    x.x.x.x 255.255.255.248 is directly connected, Outside
C    10.202.255.0 255.255.255.252 is directly connected, ***
C    10.203.255.0 255.255.255.252 is directly connected, ***
C    10.16.18.0 255.255.255.0 is directly connected, VLAN18
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, Outside

3750(lab):

interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

show int status:

Gi1/0/24                     connected    trunk      a-full  a-100 10/100/1000BaseTX

show ip int bri:

Vlan18                 10.16.18.251   YES NVRAM  up                    up

7 Replies

Jon Marshall
Hall of Fame

Jason

What is the connection between the 3750 stack and the 3750 lab ?

It needs to be a trunk link because you are routing the traffic on the 3750 stack so the packet from the 5540 will be routed onto either vlan 502 or 510.

If the connection is only in vlan 18 then it won't be able to send the traffic onwards.

Out of interest, what is the reasoning behind this setup ie. all the trunks between the 5540 and the 3750 stack ?

Jon

Well I understand what you're saying, but before this current setup was in place, the 3750(lab) didn't exist, and we just had 3 different Cisco 871s plugged directly into the stack with interfaces set to VLAN 18.  The 871s took care of all the other VLANs including 502 and 510 and that traffic was accessible over the VLAN 18 link between the 3750 stack and the 871s.  Does the fact that it's a L3 switch change how this would work?  Thanks,

Jason

Jason

It depends on where the vlans were routed and how the 871s were setup. If the 3750 stack wasn't routing but simply L2 and the vlans were routed off the 871s then yes that would have worked.

With the 3750 stack routing that is why the traceroute stops at the 3750 ie. it routes the packet onto vlan 502 for example and then tries to send it on. But it can't unless the link is a trunk link which includes vlan 502.

Jon

The stack isn't doing the routing.  The 3750(lab) would be handling the routing for each VLAN, like 502 and 510.  The 3750(lab) has a VLAN 18 address of 10.16.18.251 and has a VLAN18 interface plugged into the 3750 Stack with the VLAN 18 interface but no VLAN 18 IP is on the stack.

Should the 3750(lab) have a port set to L3 and be a routed port with the VLAN 18 IP Address and then to access the other VLANs, the next hop from the 5540 would be that IP Address?

I will definitely try the trunking, but I know when I make some changes, I'm going to lose access and I'm not next to it right now.

So if the 3750 lab switch is doing the routing then it should work as you have it.

Can you post "sh in trunk" from the 3750 lab switch,

Jon

Can you also confirm how you have setup the ASA 5510 ie. it may be firewall configuration issue.

Jon

Sorry for the confusion.  It just seems like it's something with the ASA cause everything stops there.  If I log into the 3750(lab), I can ping the subinterfaces that are on the 5510 just fine.  If I back up to the 3750 stack, I can ping the VLAN 18 address that is on the 5510, but I cannot ping the other subinterfaces, like VLAN 502 or 510.

Here is some info on the 5510:

Gateway of last resort is x.x.x.x to network 0.0.0.0

C    x.x.x.x 255.255.255.248 is directly connected, ***  (*** obviously just the name of the subinterface)
C    10.202.255.0 255.255.255.252 is directly connected, ***  (*** obviously just the name of the subinterface)
C    10.203.255.0 255.255.255.252 is directly connected, ***  (*** obviously just the name of the subinterface)
C    10.16.18.0 255.255.255.0 is directly connected, VLAN18
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, Outside

interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.18
 vlan 18
 nameif VLAN18
 security-level 0
 ip address 10.16.18.253 255.255.255.0
!
interface Ethernet0/1.502
 vlan 502
 nameif ****
 security-level 0
 ip address 10.202.255.2 255.255.255.252
!
interface Ethernet0/1.510
 vlan 510
 nameif ****
 security-level 0
 ip address 10.203.255.2 255.255.255.252
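Jon's two questions to the original poster (does the trunk carry every VLAN the ASA subinterfaces expect, and how is the 5510 itself configured) can both be answered mechanically from the configuration posted above. The script below is an added example and is not from the thread or from Cisco: it parses the posted ASA subinterface stanzas and the 3750(lab) trunk port, reports any subinterface VLAN the trunk would not carry, flags subinterfaces that share a security level without `same-security-traffic permit inter-interface` (traffic passing through the ASA between such interfaces is dropped by default), and models the ASA default that an echo request to an interface address is only answered when it arrives on that interface (the `management-access` exception for VPN is not modelled). The redacted `****` nameif values are replaced with constructed placeholder names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the ASA 5510 subinterface configuration as posted in the
# thread, with the redacted "****" nameif values replaced by placeholder names.
ASA_CONFIG = """\
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.18
 vlan 18
 nameif VLAN18
 security-level 0
 ip address 10.16.18.253 255.255.255.0
!
interface Ethernet0/1.502
 vlan 502
 nameif PLACEHOLDER502
 security-level 0
 ip address 10.202.255.2 255.255.255.252
!
interface Ethernet0/1.510
 vlan 510
 nameif PLACEHOLDER510
 security-level 0
 ip address 10.203.255.2 255.255.255.252
"""

# Constructed sample: the 3750(lab) trunk port as posted. With no
# "switchport trunk allowed vlan" line, IOS carries every VLAN on the trunk.
SWITCH_TRUNK = """\
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
end
"""


@dataclass
class AsaInterface:
    name: str
    vlan: Optional[int] = None
    nameif: Optional[str] = None
    security_level: Optional[int] = None
    ip: Optional[str] = None


def parse_asa_interfaces(config: str):
    """Parse 'interface' stanzas; only VLAN subinterfaces are returned."""
    ifaces, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = AsaInterface(name=line.split(None, 1)[1])
            ifaces.append(cur)
        elif cur is None:
            continue
        elif (m := re.fullmatch(r"vlan (\d+)", line)):
            cur.vlan = int(m.group(1))
        elif (m := re.fullmatch(r"nameif (\S+)", line)):
            cur.nameif = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)):
            cur.security_level = int(m.group(1))
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur.ip = m.group(1)
    return [i for i in ifaces if i.vlan is not None]


def trunk_allowed_vlans(config: str):
    """Return the VLANs allowed on the trunk, or None when all are allowed.
    Only the plain 'switchport trunk allowed vlan <list>' form is handled;
    the add/remove/except variants are not."""
    m = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", config)
    if not m:
        return None
    allowed = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def ping_to_interface_answered(ifaces, ingress_vlan: int, dst_ip: str) -> bool:
    """ASA default for to-the-box ICMP: an echo request to an interface address
    is answered only when it enters on that same interface."""
    owner = next((i for i in ifaces if i.ip == dst_ip), None)
    return owner is not None and owner.vlan == ingress_vlan


def audit(asa_config: str, switch_config: str):
    """Return a list of findings for the trunk/ASA pairing."""
    findings = []
    ifaces = parse_asa_interfaces(asa_config)
    allowed = trunk_allowed_vlans(switch_config)
    for i in ifaces:
        if allowed is not None and i.vlan not in allowed:
            findings.append(f"{i.name}: VLAN {i.vlan} is not allowed on the switch trunk")
    by_level = {}
    for i in ifaces:
        by_level.setdefault(i.security_level, []).append(i.nameif)
    permit = "same-security-traffic permit inter-interface" in asa_config
    for level, names in by_level.items():
        if len(names) > 1 and not permit:
            findings.append(
                f"security-level {level} shared by {', '.join(names)}: traffic through "
                "the ASA between them is dropped without "
                "'same-security-traffic permit inter-interface'")
    return findings


if __name__ == "__main__":
    for line in audit(ASA_CONFIG, SWITCH_TRUNK):
        print(line)
```

Run against the posted configuration, the trunk check passes (no allowed-VLAN list, so 18, 502 and 510 are all carried), and the only finding is the three subinterfaces sharing security-level 0. The `ping_to_interface_answered` model is what makes the symptom in the thread consistent: a ping to 10.202.255.2 that the 3750(lab) routes onto VLAN 502 enters the ASA on Ethernet0/1.502 and is answered, while the same request arriving on VLAN 18 is not.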
