This setup is in GNS3:
I have two L3 Switches connected via a lacp etherchannel link. Switch 1 is providing inter-vlan routing for 4 vlans (Vlan 10, 11, 15 and 17). The switches are using vlan 20 for their connectivity. They are configured for redundancy using hsrp with Switch 1 being the Primary and 2 the secondary. I have provided for the standby IPs as gateway for the vlans in the DHCP pools.
I have connected the two switches to two ASA in a failover active/standby scenario, with the ASA inside interfaces being on the same vlan 20 the switches are in. The switches and ASAs can ping each other with no problem. The subnets are as follows:
Vlan 10 - 192.168.10.0 (Standby 192.168.10.254)
Vlan 11 - 192.168.11.0 (Standby 192.168.11.254)
Vlan 15 - 192.168.15.0 (Standby 192.168.11.254)
Vlan 17 - 192.168.17.0 (Standby 192.168.11.254)
Vlan 20 - 192.168.20.0 (Standby 192.168.11.254 configured as ASA failover for inside interfaces)
Subsequently, vlan routing now seems to be messed up, with the hosts only being able to ping the vlan interface of their respective vlan on Switch 1, nothing else. I cannot for the life of me figure out where I have messed up.
Please help. I have attached a screenshot of the topology for reference.
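An added example (not from the thread) that parses the VLAN/standby table as posted above and checks, for each VLAN, that its standby (HSRP virtual) address lies inside that VLAN's subnet and is not reused by another VLAN. It assumes /24 masks, since the post gives only network addresses.

```python
import ipaddress
import re

# Constructed input: the VLAN / standby-gateway table copied from the post.
# Masks are assumed to be /24 because only network addresses are given.
VLAN_TABLE = """\
Vlan 10 - 192.168.10.0 (Standby 192.168.10.254)
Vlan 11 - 192.168.11.0 (Standby 192.168.11.254)
Vlan 15 - 192.168.15.0 (Standby 192.168.11.254)
Vlan 17 - 192.168.17.0 (Standby 192.168.11.254)
Vlan 20 - 192.168.20.0 (Standby 192.168.11.254)
"""

LINE_RE = re.compile(r"Vlan\s+(\d+)\s+-\s+(\S+)\s+\(Standby\s+(\S+)\)")


def parse_table(text, prefixlen=24):
    """Return a list of (vlan_id, network, standby_ip) tuples from the table text."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        vlan = int(m.group(1))
        net = ipaddress.ip_network(f"{m.group(2)}/{prefixlen}", strict=False)
        standby = ipaddress.ip_address(m.group(3))
        rows.append((vlan, net, standby))
    return rows


def check_standby_gateways(rows):
    """Flag a standby address that is outside its VLAN's subnet (hosts on that VLAN
    would get an off-subnet gateway from DHCP) or that is reused by another VLAN.
    Returns a list of (vlan_id, problem) pairs; an empty list means the table is consistent."""
    problems = []
    seen = {}  # standby address -> first VLAN that claimed it
    for vlan, net, standby in rows:
        if standby not in net:
            problems.append((vlan, f"standby {standby} is not inside {net}"))
        if standby in seen:
            problems.append((vlan, f"standby {standby} already used by vlan {seen[standby]}"))
        else:
            seen[standby] = vlan
    return problems


if __name__ == "__main__":
    for vlan, msg in check_standby_gateways(parse_table(VLAN_TABLE)):
        print(f"vlan {vlan}: {msg}")
```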
Thanks for the reply. I have enabled ip routing on both switches and pretty much mirrored the config of Switch 1 on Switch 2 except for respective IP addressing. Instead of using static routing, I have gone for ospf for ease of configuration. The config is pretty long, especially for the ASA, so I'll attach the config text files, unless you prefer I post them right with the post.
Posting the configs as text files is quite appropriate. I have taken a quick look at the configs. Can you tell us what model of switch this is? Would you post the output of show ip route from both switches and the output of show standby?
I'm using an IOU image 'i86bi-linux-l2-ipbasek9-15.1g.bin'. It was the only one I could find where HSRP and VTP both worked. As for the other outputs, 'show ip route' and 'show standby', see the attached text file. I chose to put all the outputs in a sectioned text file as I was getting a 'The contents of the attachment doesn't match its file type.' error when I tried uploading the individualized output files.
Can a machine in vlan 10 ping another machine in vlan 11?
At least, between these 2 vlans, can you do the following tests:
- from machine in vlan 10 ping its default gateway in vlan 10
- from machine in vlan 10 ping the default gateway in vlan 11
- from machine in vlan 10 ping the machine in vlan 11
If this isn't working, please shut all interfaces on SW2 and re-do all tests.
Also, on switch 1, can you share in a text file the output of sh ip arp vlan 10 & sh ip arp vlan 11
On both switches, can you do a show spanning-tree summary.
From switch 1, can you do ping 192.168.20.4?
From a machine in vlan 10, can you ping:
- 192.168.20.4
- 192.168.20.1
- 192.168.20.2
While doing these tests above, please connect a host on each vlan (10 and 11) directly to switch 1 first and then use hosts behind the other switches you have which are connected to SW1 and SW2.
Can a machine in vlan 10 ping another machine in vlan 11? At least, between these 2 vlans, can you do the following tests:
- from machine in vlan 10 ping its default gateway in vlan 10
- from machine in vlan 10 ping the default gateway in vlan 11
- from machine in vlan 10 ping the machine in vlan 11
A machine in Vlan 10 can ping its own default gateway.
A machine in Vlan 10 can only ping the Vlan 11 gateway if Switch 2 is off.
A machine in Vlan 10 cannot ping a Vlan 11 machine.
Also, on switch 1, can you share in a text file the output of sh ip arp vlan 10 & sh ip arp vlan 11.
On both switches, can you do a show spanning-tree summary.
See the attached text files
From switch 1, can you do ping 192.168.20.4?
From a machine in vlan 10, can you ping:
- 192.168.20.4
- 192.168.20.1
- 192.168.20.2
From Switch 1, I can ping 192.168.20.4
From a machine in Vlan 10, I cannot ping any addresses in the 192.168.20.0 subnet.
It seems the issue was/is with the IOU image, 'i86bi-linux-l2-adventerprisek9-15.2d'. I've since replaced it with 'i86bi_linux_l2-adventerprisek9-ms' and inter-VLAN routing is working just fine. Vlan 10 and 11 can reach each other, including the other vlans, 15 and 17. The image however keeps popping up segmentation faults (segfault) and the devices either stop working or shut down. I'm looking for another image.
The issue I have now, other than the hunt for a stable L2 image, is the connection between the L3 switch and the ASA. What's the best practice, considering the HSRP on the switches and the failover on the ASA? Is it:
- Have the Switches and ASAs in the same vlan?
- Should the interface on the switch be in access or trunk mode?
- Should the interface on the ASA be a subinterface with the vlan (20) specified?
- This has proven to work with routing even working in the vlan but traffic from the other vlans is not reaching the ASAs
- Have the link between each Switch and ASA as a separate vlan?