11-13-2018 08:27 AM - edited 03-05-2019 11:02 AM
Hi all!
I'm having some issues configuring our new network infrastructure.
We have 4 Cisco WS-C3850-24P-L switches in 2 stacks.
One is for our LAN core and the other for our SERVER core.
We have 2 PFSense firewalls with CARP failover connected in LAGG LACP to the stacks and configured the VLANs for the LAN segment.
Right now I'm trying to configure the distribution and core switches in a way that their management ports are connected to their own interface on the PFSense so that I can create firewall rules to allow or deny access.
At the moment I have the issue that I can't ping/SSH the management ports when I'm on another VLAN (VLAN22) even though I have an allow all rule in the PFSense.
PFSenses and servers are in a 10.32.1.0/24 network.
VLAN22 is in a 10.32.22.0/24 network
All the management ports on the switch are in a 10.32.3.0/24 network and are up and connected with their management port on the "SWITCH"-switch which is directly connected to the PFSense on a 10.32.3.0/24 network.
The distribution switches are all WS-C2960X-24PS-L switches.
I've included a mockup below to visualize the connections.
11-13-2018 08:52 AM - edited 11-13-2018 08:54 AM
Hello
Do the rtrs know how to reach the LAN cores' subnets? Do they have valid routes towards them?
Also, do the LAN cores have valid routes towards the rtrs?
How are the cores/fw and rtrs communicating, static or dynamic routing?
11-14-2018 02:43 AM
Hi Paul
Thank you for the response!
The routers are connected to the PFSenses and are WAN interfaces with static IP's.
All my clients have a connection to the internet and are able to ping clients between the VLANs, and I can also ping the PFSense interfaces/gateways.
When I'm on the "Switch" client I can connect to all the management IPs, but when I'm on VLAN22 (Operations) I can't access the management IPs.
I've checked on the LAN core with "show IP route" and no routing is enabled.
11-14-2018 04:08 AM - edited 11-14-2018 04:09 AM
Hello
@Tosj Reiling wrote:
Hi Paul
Thank you for the response!
The routers are connected to the PFSenses and are WAN interfaces with static IP's.
All my clients have a connection to the internet and are able to ping clients between the VLANs, and I can also ping the PFSense interfaces/gateways.
When I'm on the "Switch" client I can connect to all the management IPs, but when I'm on VLAN22 (Operations) I can't access the management IPs.
I've checked on the LAN core with "show IP route" and no routing is enabled.
When you say it fails on vlan22 is that from a port assigned to vlan22 on the "Switch" or from any switch in vlan 22 or from any switch in any other vlan apart from the server vlan?
I've checked on the LAN core with "show IP route" and no routing is enabled.
Are the PFSense FWs performing your inter-VLAN routing for the site then?
From the PFSense, can you ping VLAN22 sourced from the 10.32.3.0 VLAN?
What does the ARP table show?
11-14-2018 04:50 AM - edited 11-14-2018 04:51 AM
Just to add to Paul's questions, what is the default gateway set to on the switches, i.e. it needs to be the management VIP on the firewalls.
Jon
11-14-2018 05:12 AM
Are you using the dedicated management interface on the 3850s ?
If so try adding this -
"ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.32.3.2"
Jon
11-14-2018 05:40 AM
Pick one of the 3850s you cannot connect to and add it to the switch and then see if you can then connect
Jon
11-14-2018 07:00 AM
You need to add the same route to all your 3850s.
I am not sure the 2960 switches support VRFs though, so you would need to manage them in-band, i.e. just trunk the management VLAN to them.
Jon
11-15-2018 01:08 AM
Hey Jon
Thank you for your help, I've looked further into the ip route and the management VRFs and found this link:
I've enabled ip routing on the 2960's and added the ip route to the "Switch" gateway:
ip route 0.0.0.0 0.0.0.0 10.32.3.2
Thanks all!
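As an added example, not configuration posted by anyone in this thread, this is how the two pieces of advice fit together on each platform: the VRF-scoped default route for the dedicated management port on the 3850 stacks, in-band management with a routed default on the 2960X distribution switches, and a vty ACL as a second layer behind the pfSense rules. Interface names, host addresses and the management VLAN id are assumptions; 10.32.3.2 is the firewall next hop given in the thread.

```cisco
! --- WS-C3850 (LAN core / SERVER core stacks) ---
! The dedicated management port sits in the built-in Mgmt-vrf, so a
! global "ip route" or "ip default-gateway" does not apply to it.
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.32.3.11 255.255.255.0
 no shutdown
!
! Default route inside the management VRF. Next hop is the firewall
! on the management segment; point it at the CARP VIP so it survives
! a pfSense failover.
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.32.3.2
!
! --- WS-C2960X (distribution) ---
! No VRF support: manage in-band through an SVI in the management VLAN.
! Caveat: "ip route" is only honoured once "ip routing" is enabled; with
! routing disabled, use "ip default-gateway 10.32.3.2" instead.
ip routing
interface Vlan3
 description Management (assumed VLAN id)
 ip address 10.32.3.21 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.32.3.2
!
! --- Both platforms: defence in depth on the vty lines ---
! pfSense rules decide which VLANs may reach 10.32.3.0/24; this ACL
! still limits who can open SSH if a firewall rule is too permissive.
ip access-list standard MGMT-ACCESS
 permit 10.32.3.0 0.0.0.255
 permit 10.32.22.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
!
! --- Verification ---
! 3850: the route must appear in the VRF table, and pings must be
! sourced from inside the VRF or they leave via the global table.
!   show ip route vrf Mgmt-vrf
!   ping vrf Mgmt-vrf 10.32.22.10
! 2960X: if "show ip route" lists only connected routes, "ip routing"
! is not on and the static default is being ignored.
!   show ip route
!   ping 10.32.22.10
```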