05-02-2011 08:09 AM
Hello guys,
I have a headquarters office that has recently bought a new voice system.
We have a site to site connection from the head office to 3 remote offices. All have ASA5505 firewall.
I have created 2 interface on the ASA5505:
1: inside with vlan1 and switchport port1
2: voice with vlan100 and switchport port2
Port1 on the asa goes to port 23 on the switch for vlan data
Port2 on the asa goes to port 24 on the switch for vlan voice
Port23 is member of vlan1 data
I added vlan100 to port 24 but by default vlan1 is a member and I can't remove it. It's greyed out.
All ports on the switch are members of vlan1 and vlan100 because the port on the switch goes to the phone and from the phone there is a port that goes to the PC. Phones are getting addresses, and PCs as well.
I am having a kind of loop because there are 2 exits for vlan1 (port 23 and 24) and that's slowing down my system and sometimes I lose the connectivity to my servers.
When I do a show arp on my ASA, I do see that some IPs are being learned on the wrong interface. Some PC addresses 192... are on the voice and some voice IPs 10.10... are on the inside.
I am pretty sure that the problem comes from my switch configuration.
Has anyone run into this issue before?
Any help would be appreciated.
Regards,
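The "wrong interface" symptom above is easy to audit mechanically. The following is an added example, not code from this thread or from Cisco: it parses constructed `show arp`-style lines (interface, IP, MAC, age) against an assumed subnet-per-interface map and lists entries learned on the wrong interface, and it checks a constructed port/VLAN membership table for the two conditions described in the thread, one VLAN carried on more than one uplink to the firewall, and a port with more than one untagged VLAN. The interface names, subnets and port numbers are hypothetical values modelled on the posts.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed subnet per ASA interface (hypothetical, modelled on the thread:
# 192.x data on "inside", 10.10.x voice on "voice").
EXPECTED_SUBNETS = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "voice": ipaddress.ip_network("10.10.10.0/24"),
}

# Constructed sample in the shape of ASA "show arp" output:
# <interface> <ip> <mac> <age-seconds>
SAMPLE_SHOW_ARP = """\
        inside 192.168.1.10 0011.2233.4455 120
        inside 10.10.10.30 0011.2233.8899 88
        voice 10.10.10.20 0011.2233.6677 45
        voice 192.168.1.55 0011.2233.aabb 12
        inside 192.168.1.1 0011.2233.0001 3600
"""

ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Return a list of (interface, IPv4Address, mac, age) tuples."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, ip, mac, age = m.groups()
            entries.append((iface, ipaddress.ip_address(ip), mac.lower(), int(age)))
    return entries


def find_misplaced_entries(entries, expected=EXPECTED_SUBNETS):
    """Entries whose IP is outside the subnet of the interface that learned them.

    This is the symptom from the thread: VLAN 1 and VLAN 100 frames reaching
    the wrong ASA interface because both uplinks carry VLAN 1.
    """
    misplaced = []
    for iface, ip, mac, _age in entries:
        subnet = expected.get(iface)
        if subnet is not None and ip not in subnet:
            # The interface that owns this address, if any.
            home = next((name for name, net in expected.items() if ip in net), None)
            misplaced.append(
                {"interface": iface, "ip": str(ip), "mac": mac, "expected_interface": home}
            )
    return misplaced


# Constructed switch membership table: port -> {vid: "U" (untagged) | "T" (tagged)}.
# Ports 23 and 24 are the two uplinks to the ASA, as in the thread; port 24 still
# carries the VLAN 1 membership the poster could not remove.
SWITCH_PORTS = {
    23: {1: "U"},
    24: {1: "U", 100: "U"},
}
UPLINK_PORTS = (23, 24)


def vlans_with_multiple_uplinks(ports, uplinks):
    """{vid: [ports]} for VLANs present on more than one uplink.

    One VLAN with two layer-2 exits toward the same firewall is the loop
    described in the first post.
    """
    by_vlan = defaultdict(list)
    for port in uplinks:
        for vid in ports.get(port, {}):
            by_vlan[vid].append(port)
    return {vid: plist for vid, plist in by_vlan.items() if len(plist) > 1}


def ports_with_multiple_untagged(ports):
    """{port: [vids]} for ports carrying more than one untagged VLAN.

    An access port should carry exactly one untagged VLAN; more than one means
    frames from both VLANs leave the port indistinguishable.
    """
    result = {}
    for port, members in ports.items():
        untagged = sorted(vid for vid, mode in members.items() if mode == "U")
        if len(untagged) > 1:
            result[port] = untagged
    return result


if __name__ == "__main__":
    for entry in find_misplaced_entries(parse_show_arp(SAMPLE_SHOW_ARP)):
        print("misplaced ARP:", entry)
    print("VLANs on more than one uplink:", vlans_with_multiple_uplinks(SWITCH_PORTS, UPLINK_PORTS))
    print("ports with several untagged VLANs:", ports_with_multiple_untagged(SWITCH_PORTS))
```

Run against real `show arp` output by replacing `SAMPLE_SHOW_ARP` with the captured text and `EXPECTED_SUBNETS` with the addressing actually configured on each interface; an empty result from all three checks is the state the thread is trying to reach.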
05-02-2011 11:27 AM
Hi Ali,
Firstly I checked for a software update, and found that my switch had older software.
I updated the software, factory reset my switch and set about achieving the following:
1. Removed vlan100 from port 24.
2. Set switch port to access mode (allow only one untagged VLAN).
3. Added vlan100 as an untagged VLAN on switch port 24.
See screen captures below;
Tried to change mode to access mode, but the switch sanity checked me and told me you have two VLANs attached to the port.
Wouldn't allow me to change the switch port to access mode until I removed a second VLAN; in my case I temporarily removed VID=100.
Removed VID=100 and VID=1 and then added VID=100 as an untagged VLAN.
It will still work when the port is in trunk mode, but I wanted the port to be in access mode.
(hey I'm a purist).
Changed switch port 24 to access mode, via VLAN MANAGEMENT > INTERFACE SETTINGS.
(Access mode will allow only one untagged VLAN to be added to the port.)
That should stop your loop.
have fun.
regards Dave
05-02-2011 01:38 PM
Hello David,
Thank you for your explanation and examples.
I did that but I ran into an issue of not reaching my voice system from the ASA when the port is access to vlan100 only.
If I put my port24 in trunk or access to vlan100T only, I lose connectivity. I can't ping from the ASA to my voice network.
If I add back vlan1U to the port everything works fine.
On the ASA5505 it is set to be vlan100 and access only.
That's really weird.
05-02-2011 09:08 PM
Hi Ali,
Interesting, as the ASA has a port that is untagged vlan100, and when you set switch port 24 back to untagged on vlan1 traffic management works again. So this is allowing vlan1 ethernet frames from the ESW switch to enter untagged vlan100 on the ASA5500.
This scenario is weird. I am guessing that because you added vlan1 on the switch to vlan100 on the ASA5500, you are struggling to understand how the units' VLANs 'mesh' together or how it works.
If you are still having problems, might be useful to open up a TAC case, to get some experts into the machine via webex to verify the ASA side of the configuration is good.
http://www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.html
regards Dave
05-03-2011 06:29 AM
Hello Dave,
Yes it's really weird! I have opened a ticket with both TAC and the small business team for the switch and they both don't know why the issue is happening. They are still working on that.
For the 1st image, I have the 2nd option enabled: enable traffic between two or more hosts connected to the same interface. Do I have to untick this option?
For the 2nd image, I have a Security Plus license so it allows me 20 VLANs.
Regards,
Ali
05-04-2011 08:29 AM
Hi Ali,
Tick the other option. It does what the description suggests: it will allow packet movement between interfaces that are at the same security level.
regards Dave
05-04-2011 08:56 AM
Hey Dave,
The data has a security level of 100 and voice has security level of 50 so that won't help me that much.
I discovered that the management interface is on vlan1 and that's maybe why it's not letting me remove vlan1 from a port.
I was thinking of changing the data VLAN from vlan1 to vlan110 on both ASA and switch. On the switch I will change the management interface from vlan1 to vlan110, and then I might go to the port and make it access to vlan50 on the 1st switch and access vlan100 on the 3rd switch, where I couldn't remove vlan1.
Do you think that might help?
Thanks
Ali
05-04-2011 11:43 AM
Hi Ali,
Yeah, now that I think about it, you hit the nail on the head; the management interface security level is pretty tight.
Yeah sounds like you have a great idea in moving forward to a solution.
regards Dave