03-05-2013 04:12 AM - edited 03-07-2019 12:03 PM
Hi
I'm unable to pass the required VLAN networks to my firewall. I have different VLANs configured for each floor of the building. All these floors have Nortel switches, which are connected to the core switch through a fibre link.
I have a Cisco 4507R-E core switch. Please find the config for the core switch below and let me know what else has to be done in order to pass the VLANs to my firewalls.
Current configuration : 18527 bytes
!
hostname HQ_Prim_Core_Swt
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$xj2Z$TmV9chRtQWCuXYMsCtBVW/
enable password 7 13521317135C0729
!
username admin password 7 011202095205465E74
username srca password 7 120D09121C0E1F417F7D1A7D65
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.1.10.1 10.1.10.20
ip dhcp excluded-address 10.1.11.1 10.1.11.20
ip dhcp excluded-address 10.1.12.1 10.1.12.20
ip dhcp excluded-address 10.1.13.1 10.1.13.20
ip dhcp excluded-address 10.1.14.1 10.1.14.20
ip dhcp excluded-address 10.1.15.1 10.1.15.20
ip dhcp excluded-address 10.1.16.1 10.1.16.20
ip dhcp excluded-address 10.1.17.1 10.1.17.20
ip dhcp excluded-address 10.1.18.1 10.1.18.20
ip dhcp excluded-address 10.1.11.241 10.1.11.254
ip dhcp excluded-address 10.1.10.241 10.1.10.254
ip dhcp excluded-address 10.1.12.241 10.1.12.254
ip dhcp excluded-address 10.1.13.241 10.1.13.254
ip dhcp excluded-address 10.1.14.241 10.1.14.254
ip dhcp excluded-address 10.1.15.241 10.1.15.254
ip dhcp excluded-address 10.1.16.241 10.1.16.254
ip dhcp excluded-address 10.1.17.241 10.1.17.254
ip dhcp excluded-address 10.1.18.241 10.1.18.254
ip dhcp excluded-address 192.168.0.1 192.168.0.40
!
ip dhcp pool VLAN1
network 192.168.0.0 255.255.255.0
default-router 192.168.0.136
dns-server 192.168.0.1 192.168.0.6
netbios-name-server 192.168.0.1 192.168.0.6
netbios-node-type h-node
!
ip dhcp-server 192.168.0.136
vtp mode transparent
cluster run
!
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode sso
!
vlan internal allocation policy ascending
!
vlan 10
name Ground_Floor
!
vlan 11
name First_Floor
!
vlan 12
name Second_Floor
!
vlan 13
name Third_Floor
!
vlan 14
name Fourth_Floor
!
vlan 15
name Fifth_Floor
!
vlan 16
name Sixth_Floor
!
vlan 17
name Seventh_Floor
!
vlan 18
name Eighth_Floor
!
vlan 19
name Management
!
vlan 20
name Servers
!
vlan 21
name IP-Cameras
!
vlan 22
name Src_Voice
!
vlan 23
name Src_Vsat
!
vlan 30
!
vlan 31
name cloud
!
vlan 121
!
!
class-map match-all YOU
class-map match-all httpurl
!
interface GigabitEthernet5/9
switchport access vlan 16
switchport mode access
!
interface GigabitEthernet5/43
switchport mode access
!
interface Vlan10
ip address 10.1.10.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 10 ip 10.1.10.250
standby 10 preempt
!
interface Vlan11
ip address 10.1.11.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 11 ip 10.1.11.250
standby 11 preempt
!
interface Vlan12
ip address 10.1.12.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 12 ip 10.1.12.250
standby 12 preempt
!
interface Vlan13
ip address 10.1.13.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 13 ip 10.1.13.250
standby 13 preempt
!
interface Vlan14
ip address 10.1.14.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 14 ip 10.1.14.250
standby 14 preempt
!
interface Vlan15
ip address 10.1.15.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 15 ip 10.1.15.250
standby 15 preempt
!
interface Vlan16
ip address 10.1.16.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 16 ip 10.1.16.250
standby 16 preempt
!
interface Vlan17
ip address 10.1.17.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 17 ip 10.1.17.250
standby 17 preempt
!
interface Vlan18
ip address 10.1.18.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 18 ip 10.1.18.250
standby 18 preempt
!
interface Vlan19
ip address 10.1.19.251 255.255.255.0
standby 19 ip 10.1.19.250
standby 19 preempt
!
interface Vlan20
ip address 10.1.20.251 255.255.255.0
standby 20 ip 10.1.20.250
standby 20 preempt
!
interface Vlan21
ip address 10.1.21.251 255.255.255.0
standby 21 ip 10.1.21.250
standby 21 preempt
!
interface Vlan22
ip address 10.1.22.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
standby 22 ip 10.1.22.250
standby 22 preempt
!
interface Vlan23
ip address 10.1.23.251 255.255.255.0
ip helper-address 10.1.20.101
ip helper-address 10.1.20.102
shutdown
standby 23 ip 10.1.23.250
standby 23 preempt
!
interface Vlan30
ip address 192.168.30.13 255.255.255.0
standby 30 ip 192.168.30.12
standby 30 preempt
!
interface Vlan31
ip address 10.101.1.53 255.255.255.0
!
interface Vlan121
ip address 192.168.168.251 255.255.255.0
shutdown
!
ip route profile
ip route 0.0.0.0 0.0.0.0 192.168.0.9
ip route 10.1.0.0 255.255.255.252 192.168.0.9
ip route 10.36.0.0 255.255.0.0 192.168.0.9
ip route 10.66.4.88 255.255.255.252 10.101.1.51
ip route 10.200.7.156 255.255.255.252 10.101.1.51
ip route 10.201.20.0 255.255.255.0 10.20.6.6
ip route 172.16.0.0 255.255.0.0 192.168.0.9
ip route 192.168.99.0 255.255.255.0 192.168.0.9
ip http server
ip http secure-server
!
!
route-map Operations permit 10
match ip address 30
set interface GigabitEthernet2/3
!
Kindly help/suggest.
03-05-2013 07:14 AM
Hello Mansoor,
You are using static routing, so there is nothing to pass to the firewall devices.
Have you configured appropriate static routes on the firewall devices for the 10.1.X.0 networks, using the multilayer switch as the IPv4 next-hop? That is, the return path?
Are the IP next-hops used in your static routes adjacent (out of connected L3 interfaces)?
I see in the next-hops
192.168.0.9 ?
10.20.6.6 ?
10.101.1.51 ---> ok out of SVI vlan 31
Hope to help
Giuseppe
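The two checks Giuseppe asks for, written out as an added example (this is not configuration from the thread). The switch side is read-only show commands. The ASA line assumes the firewall's E0/2 (10.1.16.75/24, per the later post) is named `inside` and that a 10.1.0.0/16 summary covers VLANs 10-23; both the interface name and the summary are assumptions. The next-hop used is the VLAN 16 HSRP address 10.1.16.250, which is the gateway address the hosts themselves use.

```cisco
! --- On HQ_Prim_Core_Swt: is each static next-hop really on a connected subnet? ---
! A next-hop that is not directly connected is either unusable or gets resolved
! recursively through the default route, which silently sends traffic the wrong way.
show ip route static
show ip route 192.168.0.9
show ip route 10.20.6.6
show ip route 10.101.1.51
! The next-hop must also answer ARP on the SVI that owns its subnet.
show ip arp 192.168.0.9
show ip arp 10.101.1.51

! --- On the ASA 5510 (assumed: interface "inside" = E0/2, 10.1.16.75/24) ---
! Return path: without this, replies to hosts in VLAN 10-18 can only follow the
! ASA's own default route towards the outside interface and never reach them.
route inside 10.1.0.0 255.255.0.0 10.1.16.250 1
! 10.1.16.0/24 is directly connected on "inside"; a connected route is more
! specific than the /16 summary and still wins for that floor.
show route
```

Pointing the return route at the HSRP virtual address rather than at 10.1.16.251 means it keeps working when the standby core takes over. One design caveat worth flagging: according to the thread the ASA's inside interface sits in VLAN 16, the Sixth_Floor user VLAN, so every host on that floor is layer-2 adjacent to the firewall. A dedicated transit VLAN between the core and the ASA is the usual arrangement, but that is a design change beyond what the question asks.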
03-05-2013 08:52 AM
Hi Larosa,
Thanks for the response.
This is the first time I'm working with an L3 switch, and the routes were already configured by the previous engineer.
I've been assigned the task of allowing VLANs 10-18 from this switch to the ASA 5510 firewall so that the users can access the internet via the ASA.
Can you please show me how to allow the networks from 10.1.0.0 to the firewall? Also, these networks are classified as VLANs 10 to 18, as seen in the config.
The ASA has the following interfaces:
E0/0 - xx.xxx.167.130/128
E0/1 - shut
E0/2 - 10.1.16.75/24 (This is where the switch is connected)
M0/0 - Management interface.
The ASA IP is 192.168.0.7.
If you need anything else, please tell me.
Kindly help me in configuring this, as it is critical.
Thanks.
03-06-2013 01:49 PM
Hi ,
I'm really sorry for not mentioning this fact from the beginning. Actually, all the users are accessing the internet through the Juniper, i.e., 192.168.0.9. That's the reason you are seeing the default route in the config of the switch.
The requirement states that this connection via the ASA should be a backup one. Is it possible to configure that on the Cisco 4507R-E switch?
If I do anything as you mentioned above, the users will not be able to access the internet.
So kindly suggest how to proceed.
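The backup arrangement asked for here, as an added example that is not from the thread: a floating static default route on the 4507R-E, with the Juniper (192.168.0.9) staying primary and the ASA's inside address (10.1.16.75) only taking over when the primary path fails. The probe target 192.0.2.1 is a placeholder; substitute an address that is only reachable through the Juniper. The example assumes an IOS release that accepts `ip sla` (older Catalyst 4500 releases use `ip sla monitor` for the same commands).

```cisco
! --- HQ_Prim_Core_Swt: primary default via Juniper, backup via ASA ---
! A second default route with a worse administrative distance (10 here; a plain
! static is 1) is only installed once the primary is withdrawn. Without tracking,
! the primary is withdrawn only if its SVI goes down, so a dead Juniper uplink
! with a live LAN port would leave every floor black-holed.

! Probe something beyond the Juniper, not the Juniper itself (assumed target).
ip sla 1
 icmp-echo 192.0.2.1
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Pin the probe target to the primary path. Otherwise, once the tracked default
! route is withdrawn, the probe would succeed via the ASA and the route would flap.
ip route 192.0.2.1 255.255.255.255 192.168.0.9
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Replace the existing untracked default route with a tracked one.
no ip route 0.0.0.0 0.0.0.0 192.168.0.9
ip route 0.0.0.0 0.0.0.0 192.168.0.9 track 1
!
! Floating backup: AD 10, used only while track 1 is down.
ip route 0.0.0.0 0.0.0.0 10.1.16.75 10
!
! Verify which default route is active and why.
show track 1
show ip sla statistics 1
show ip route 0.0.0.0
```

Expect existing sessions to break on each switchover: the ASA is a stateful device, so flows that started via the Juniper have no state on it, and flows that started via the ASA are dropped when traffic moves back. The backup route is only useful if the ASA also has the return route to 10.1.0.0/16 and a NAT rule for it. Separately, the posted config carries `password 7` strings for both `enable` and the local users; type 7 is reversible, so those credentials should be rotated, and `username ... secret` used in place of `username ... password`, before the config is shared further.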
03-07-2013 02:26 PM
Hi ,
I was able to access the internet on the 6th floor only.
Other users on other floors are still unable to access the internet.
Kindly suggest what else has to be done.
03-07-2013 02:56 PM
Hi Mansoor,
Have you checked your firewall?
Are you sure that it has NAT for these networks?
Have you checked the access rules on your firewall?
If you are not sure please send a copy of firewall configuration.
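What those two firewall checks look like in practice, as an added example rather than anything posted in the thread. It assumes the ASA interfaces are named `inside` (E0/2) and `outside` (E0/0), assumes a 10.1.0.0/16 summary for the floor VLANs, and uses 198.51.100.10 as a placeholder internet destination. The `packet-tracer` run at the end is the fastest way to see which of NAT, routing or the access rule is dropping a 3rd-floor host.

```cisco
! --- ASA 5510 (assumed names: "inside" = E0/2, "outside" = E0/0) ---
! 1. NAT. Without a translation for 10.1.0.0/16 the packets leave with private
!    source addresses and the replies never come back, which matches "one floor
!    works, the rest do not" when only one subnet is covered.
! ASA 8.3 and later (object NAT):
object network INSIDE_NETS
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! ASA 8.2 and earlier use the older pair of commands instead:
!   nat (inside) 1 10.1.0.0 255.255.0.0
!   global (outside) 1 interface
!
! 2. Access rule. With no ACL on "inside", traffic from the higher security level
!    is allowed out by default; once any ACL is bound to "inside" it replaces that
!    default, so every floor network must be listed explicitly.
access-list INSIDE_IN extended permit ip 10.1.0.0 255.255.0.0 any
access-group INSIDE_IN in interface inside
!
! 3. Checks. Read the NAT hit counters, the routing table and the ACL counters,
!    then simulate a 3rd-floor host (VLAN 13) opening a web connection.
show running-config nat
show nat
show route
show access-list INSIDE_IN
packet-tracer input inside tcp 10.1.13.50 40000 198.51.100.10 80
```

`packet-tracer` prints each phase (route lookup, access-list, NAT) and the first one marked DROP is the one to fix. The `permit ip ... any` rule is the minimum that reproduces the default behaviour; a production rule set should be narrowed to the protocols and ports the floors actually need, and the return route from the earlier post must also be present or the trace will fail at the route-lookup phase for the reply direction.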