12-02-2003 10:44 AM - edited 03-02-2019 12:05 PM
I have a test network set up to emulate our production network topology and I'd like some assistance in configuring the VLANs. I have a 3550XL set up as the core switch, with a range of ports set to each of 3 VLANs; one port in each VLAN is connected to a PIX525 on the appropriate interface (Inside/Outside/DMZ).
The 'inside' trunk port is connected to a 3500XL which is in the same VTP domain as the core 3550; the host port is connected to the inside domain controller on the 'inside' VLAN, and the 3500 management VLAN matches the core 3550. The 'inside' host port is configured thus:
interface FastEthernet0/1
description Inside host
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
The trunk from the 'inside' switch to the core switch is configured thus:
interface GigabitEthernet0/1
description Trunk to Core
switchport trunk encapsulation dot1q
switchport mode trunk
The 'outside' trunk port is connected to a 3550XL which is in a DIFFERENT VTP domain from the core 3550; its host port is connected to an 'outside' host on its own VLAN (but the VLAN ID matches the 'outside' VLAN ID in the core switch), and the management VLAN has a different IP address than the 'Inside' network's management VLAN.
The outside host port is configured thus:
interface FastEthernet0/1
description Inside host
switchport access vlan 21
duplex full
speed 100
spanning-tree portfast
The trunk from the 'outside' switch to the core switch is configured thus:
interface GigabitEthernet0/1
description Trunk to Core
switchport trunk encapsulation dot1q
switchport mode trunk
Issues:
- I can ping within the 3 different VLANs from host to PIX and vice versa, but not across VLANs. I know the 3550s are capable of cross-VLAN routing, but I'm missing something. I'd like anyone's help in determining what it is...
This is the config of the 'core' 3550 switch:
hostname 3550-24_CORE
!
ip subnet-zero
ip routing
ip host PIX a.a.1.254
ip domain-name test.x
ip name-server x.x.8.101
ip name-server y.y.1.101
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree uplinkfast
!
interface FastEthernet0/1
description Outside vlan
switchport access vlan 21
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/2-7
-same
!
!
interface FastEthernet0/8
description DMZ
switchport access vlan 22
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/9-12
-same
!
!
interface FastEthernet0/13
description INSIDE
switchport access vlan 23
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/14-24
-same
!
!
interface GigabitEthernet0/1
description Trunk to OUTSIDE
switchport access vlan 21
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
description Trunk to INSIDE
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
description MANAGEMENT VLAN
ip address a.a.1.1 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Vlan21 [outside]
ip address y.y.8.1 255.255.255.0
!
interface Vlan22 [DMZ]
ip address x.x.70.1 255.255.255.0
!
interface Vlan23 [inside]
ip address x.x.1.1 255.255.255.0
!
ip default-gateway a.a.1.1
ip classless
ip http server
!
The PIX currently is configured wide-open (i.e., permit any any) on all 3 interfaces, but doesn't even register a hit-count when pings are attempted.
I'm a newbie starting out in an enterprise-scale agency; time to sink or swim!
Thanks for all who assist.
12-02-2003 01:47 PM
A PIX won't "route" traffic. It can listen to RIP updates, but not much else. If your 3550s are just running the Layer 2 image, you're toast.
12-02-2003 02:20 PM
Originally, I had a 4006 with a SupII engine as the core switch; as they don't do L3 routing, I was toast already...unless I missed something there.
I had posted a previous message asking how exactly a PIX permits traffic between subnets (VLANs), but got no replies. In theory, as far as I know, the 3550 can route traffic between the VLANs, leaving the PIX completely bypassed - but then, where would the function of the PIX be? I'm still working on cross-VLAN connectivity right now...the PIX will be the next step - and I'll probably post again about it :-P
12-02-2003 06:24 PM
Hello,
I assume you are using a Catalyst 3550 L3 switch as the core switch (it does not matter whether you have the SMI or EMI image in it).
What is the default gateway of the hosts in the respective segments? Is it the PIX address or the L3 switch SVI address? If it is the PIX address, you can't expect inter-VLAN routing by the Cat3550.
Then you may also need to reconsider the switch VLAN trunk policy. The trunk configuration does not seem to be consistent. Please verify the trunk status from either end as well.
-Subba
12-03-2003 06:32 AM
Thank you for your reply;
Yes, I'm using a Cat 3550 Switch as the core switch as well as one for the "outside core" switch that is trying to communicate with the "inside" network across a trunked port.
I changed the hosts' default gateways to the IP of their respective VLAN on their "core" switch, and the default gateway of the inside edge switch (a 3500XL) to the management VLAN IP on the core. I can now ping across VLANs, but only within each 3550's VTP domain.
My final hurdle will be to get the 2 separate VTP domains to route to each other's hosts. I have dot1q enabled on both trunk ports of the separate core switches, but I'm not sure if I should have the "inside" trunk tag all incoming traffic to VLAN 21 (the "outside" VLAN) or to leave it trunked.
I guess the whole question now is, how do I get 2 separate VTP domains to communicate across a trunked port...
12-03-2003 08:43 AM
The only way I know of to get VTP domains to communicate would be routing. Or make 'em one big domain. If you have the EMI code, configure routing.
As far as the PIX goes, it's a packet inspection device (firewall). You have to tell it what to let in.
12-03-2003 09:02 AM
OK... I know the 3550s can do L3 routing - any config lines that can help me along?
I'm really not sure how routing and VLANs mix...still trying to wrap my brain around that one.
12-03-2003 04:10 PM
Depends on the values for a.a, y.y and x.x in your previous posts, and what masking you are using.
If we assume that your network address is 172.16, you can add a line or two for running RIP.
In config mode:
router rip
version 2
network 172.16.0.0
That should get you running.
As far as routing and VLANs go, remember a VLAN is a Layer 2 concept. You can assign ports to a VLAN, and that puts them in the same broadcast domain. You can then route those VLANs, just like normal.
Get your hands on Kennedy Clark's Cisco LAN Switching; it's a good read.
12-03-2003 05:34 PM
Hi,
You need to activate IP routing in the 3550,
and if it's still no good, try this:
1> ip routing
2> create a VLAN interface for each VLAN
3> set up a routing protocol like OSPF to route
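As an added example (not from the thread or from Cisco documentation) of the three steps above applied to the core 3550: the VLAN IDs are the ones in the posted config and the subnets are the lab addresses the OP gives later in the thread; the .1 SVI addresses, the RIP block and the verification commands are assumptions.

```cisco
! ===== Core 3550 (SMI or EMI image): route between the zone VLANs =====
ip routing
!
! One SVI per zone VLAN; the VLANs themselves already exist via VTP
! because access ports are assigned to them.
interface Vlan21
 description OUTSIDE
 ip address 172.16.1.1 255.255.255.0
 no shutdown
interface Vlan22
 description DMZ
 ip address 15.15.1.1 255.255.255.0
 no shutdown
interface Vlan23
 description INSIDE
 ip address 20.20.1.1 255.255.255.0
 no shutdown
!
! Directly connected subnets are routed with no routing protocol at all;
! RIP is only needed if some other router has to learn these subnets.
router rip
 version 2
 network 172.16.0.0
 network 15.0.0.0
 network 20.0.0.0
 no auto-summary
!
! Hosts: default gateway = the SVI of their own VLAN
! (inside host 20.20.1.x -> 20.20.1.1, outside host 172.16.1.x -> 172.16.1.1).
! A host still pointing at a PIX interface never hands its packets to the 3550.
!
! ===== Verification, from enable mode =====
! one "C" (connected) route per SVI subnet
show ip route
! Vlan21/22/23 must show up/up; a VLAN with no active port stays down
show ip interface brief
! both Gig trunks trunking, VLANs 21-23 "allowed and active" on each
show interfaces trunk
! the VLAN IDs exist on this switch and the expected ports sit in them
show vlan brief
```

With SVIs on all three zone VLANs the core forwards between zones itself, so nothing crosses the PIX; that proves inter-VLAN routing but is not the firewall design the OP is building.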
12-04-2003 06:50 AM
All 3 VLANs use different network addresses (i.e., VLAN1=192.168.0.0, VLAN21=172.16.1.0, VLAN22=15.15.1.0, VLAN23=20.20.1.0) and all have /24 masks; VLAN1 is the mgmt. VLAN, and all have virtual interfaces with addresses.
The core 3550 has "ip routing" in the config and I can now ping each VLAN from the core switch (even across to the outside VTP domain), but I can't ping different VLANs from the host PCs on the differing VLANs - they are still restricted to their own subnets.
Can you give me some config examples to tweak the routing on the 3550 so that the respective hosts can ping each other...
OR...will static address translation in the PIX provide the inside host with an IP address on the outside subnet?
12-04-2003 08:45 AM
I would strongly consider rethinking your IP addressing. You have 4 completely different networks.
Otherwise you will need either 4 network statements or 4 static routes.
12-04-2003 09:35 AM
The addresses are not "real"...but yes, I have 4 completely separate networks, each in its own VLAN..."Inside", "Outside", "DMZ" and "Management"...that setup duplicates what we have in production, but in smaller scale, actually.
My project is to implement a PIX525, running a v6.3 image, to act as the firewall between each VLAN; each interface on the PIX is connected to the core switch (the 3550) on a port assigned to the corresponding VLAN; I'm working on getting the host in each network to ping THROUGH the PIX and out to the other networks, based on the access-list permits and address translations.
My issue is that even without the PIX in place, the core 3550 should route traffic between VLANs (and the different networks)...and it is NOT. The core switch can ping out to all networks (being the VTP server) and hosts can ping the core switch, but the hosts on each network cannot ping PAST the core switch to OTHER networks (VLANs).
I've been working this all week and I feel like I'm running in circles with the configs...
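As an added example (not the OP's config or Cisco documentation) of the design the last post actually describes, where the PIX is the only path between zones: the core stays Layer 2 for VLANs 21-23, each trunk carries only the VLAN its downstream switch needs, and hosts use the PIX interface as their gateway. The lab subnets are the ones given in the thread; the PIX interface numbering, the .254 addresses, the ACL name and the DMZ web server are assumptions.

```cisco
! ===== Core 3550: Layer 2 only for the three zones =====
! No SVI on VLAN 21/22/23, so the switch has no route between zones;
! only the management SVI keeps an address.
no ip routing
interface Vlan1
 description MANAGEMENT VLAN
 ip address 192.168.0.1 255.255.255.0
!
! Each trunk carries only what its downstream switch needs: the outside
! switch gets VLAN 21 only, the inside switch VLAN 23 plus VLAN 1 because
! it is managed over the shared management VLAN.
interface GigabitEthernet0/1
 description Trunk to OUTSIDE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 21
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Trunk to INSIDE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,23
 switchport mode trunk
!
! ===== PIX 525 (6.3): the only hop between zones =====
! Interface numbering assumed; each PIX interface plugs into a core port
! that sits in the matching zone VLAN.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 172.16.1.254 255.255.255.0
ip address inside 20.20.1.254 255.255.255.0
ip address dmz 15.15.1.254 255.255.255.0
! Hosts use these .254 addresses as default gateway, not a switch SVI.
!
! Inside hosts are PAT'ed to the outside/dmz interface address on the way out.
nat (inside) 1 20.20.1.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface
! Assumed DMZ web server 15.15.1.10, published on the outside subnet as
! 172.16.1.10 (the "static address translation" asked about earlier).
static (dmz,outside) 172.16.1.10 15.15.1.10 netmask 255.255.255.255
! Higher- to lower-security traffic (inside -> outside/dmz) is allowed by
! default; anything entering a lower-security interface needs an explicit
! permit. 6.3 has no stateful ICMP, so echo-reply must be permitted for
! pings from inside to be answered.
access-list outside_in permit tcp any host 172.16.1.10 eq www
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside
```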