Matthew Lucas
Beginner

Connecting Core switch to firewall

Hi guys,

I have a 3750X four-switch stack acting as the core of a fairly simple LAN. All I need to achieve (and this seems inordinately hard, but it is entirely likely that I'm just being dense) is to get access to the internet through my core switch, through the firewall and out through my VSAT. I've spoken at some length with the firewall providers (Cyberoam) and they tell me all I need to do when I migrate onto my new system (Cyberoam is currently in place at the entrance to our existing LAN) is change the local IP address of the Firewall, plug in the new switch to the LAN port, and away I go. Tried that, didn't work, so obviously I'm missing something.

This is my running-config from the Core Switch:

CSW01#sh run
Building configuration...

Current configuration : 20866 bytes
!
! Last configuration change at 08:57:30 UTC Wed Mar 30 2011 by mlucas
! NVRAM config last updated at 03:52:46 UTC Wed Mar 30 2011 by mlucas
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CSW01
!
boot-start-marker
boot-end-marker
!
enable secret 4 5fpDlu4LdCozFYxrLimWlqRSZLorgqR1LnuU34XhHaE
!
username xxxx password 7 041158280870421D5A2B43
username xxxx password 7 083B43430B1000
username xxxx password 7 013B07165F59015C351D405B
username xxxx password 7 000A120F17530A265D711D1F
username xxxx password 7 15382B5D557A686569
no aaa new-model
!
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
switch 3 provision ws-c3750x-24s
switch 4 provision ws-c3750x-24s
system mtu routing 1500
ip routing
!
!
ip domain-name sierra-rutile.local
!
stack-power stack RUTILE
 mode redundant
!
stack-power switch 1
 stack RUTILE
 switch mode: standalone
stack-power switch 2
 stack RUTILE
 switch mode: standalone
stack-power switch 3
 stack RUTILE
 switch mode: standalone
stack-power switch 4
 stack RUTILE
 switch mode: standalone
!
!
crypto pki trustpoint TP-self-signed-2811275648
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2811275648
 revocation-check none
 rsakeypair TP-self-signed-2811275648
!
!
crypto pki certificate chain TP-self-signed-2811275648
 certificate self-signed 01

 quit
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-1024 priority 24576
!
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 no ip route-cache
!
interface GigabitEthernet1/0/1
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 4
 switchport mode access
!
Redacted
!
interface GigabitEthernet1/0/48
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0/1
 switchport access vlan 8
 switchport mode access
 power inline auto max 15400
!
Redacted
!
interface GigabitEthernet2/0/48
 switchport access vlan 8
 switchport mode access
 power inline auto max 15400
!
interface GigabitEthernet2/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
Redacted
!
interface GigabitEthernet3/1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet3/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet3/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
Redacted
!
interface GigabitEthernet4/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet4/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet4/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.0.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan4
 ip address 10.0.4.10 255.255.252.0
!
interface Vlan8
 ip address 10.0.8.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan16
 ip address 10.0.16.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan20
 ip address 10.0.20.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan24
 ip address 10.0.24.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan28
 ip address 10.0.28.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan32
 ip address 10.0.32.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan36
 ip address 10.0.36.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan244
 ip address 192.168.0.254 255.255.255.0
 ip access-group 101 in
!
interface Vlan248
 ip address 192.168.10.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan252
 ip address 10.0.252.10 255.255.252.0
!
ip default-gateway 10.0.4.1
no ip http server
no ip http secure-server
!
access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
line con 0
 login local
line vty 0 1
 login local
 transport input ssh
line vty 2 4
 login
 transport input none
line vty 5 15
 login
 transport input none
!
end

Cyberoam tell me only that the port on the switch connecting to the LAN port on the Cyberoam needs to be a trunk port. Current LAN-side IP of the Cyberoam is 10.10.10.4, planned new is 10.0.4.1, in line with the rest of my infrastructure. Just plugging in and making it a trunk port meant that I couldn't even ping the Cyberoam from the switch. I'm guessing (hoping) that there's a standard way of configuring the switch to connect to a firewall, but I just don't know what it is. Can anyone help, please?

Thanks in advance,

Matt

22 Replies
paul driver
VIP Mentor

Hello
Seeing as this stack is acting as your LAN core, you need to enable ip routing, remove the default-gateway 10.0.4.1 and add a static route:

ip route 0.0.0.0 0.0.0.0 10.0.4.1

Also, I don't see any NAT translation. Is your FW provider doing this?

If not, I would suggest enabling NAT also.

Res
Paul

Sent from Cisco Technical Support Android App



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

That's weird... I'm sure I had that in already as a default route. Oh, I need to remove the default gateway? Ok, so enable ip routing, remove the gateway and add that route (that I was sure I had added anyway - losing my mind).

To your mind, a trunk port or access port? What would you do normally?

Sorry, yeah, NAT is done on the firewall

Hello Matthew, I know this might be a bit of a silly question to ask, but I can't see your VLANs created in your config... So are they created? Do a 'show vlan'.

I have a 3750X, and when I do a show run I see all my VLANs within the config, e.g.:

3750X-121#show run
Building configuration...

Current configuration : 20472 bytes
!
! Last configuration change at 15:20:09 BST Sun Apr 14 2013 by Bilal
! NVRAM config last updated at 15:20:14 BST Sun Apr 14 2013 by Bilal
!
Output Omitted
!
vlan 804
 name MGMT
!
vlan 805
 name AP
!
vlan 811
 name AV
!
vlan 812
 name C
!
vlan 813
 name IPTV
!
vlan 814
 name VideoConference

Also, the FW must be set to trunking, and remember about native VLANs. As far as I'm aware, there are 2 ways of doing this:

  1. Trunk
  2. Routed

Since all your SVIs are on the core, I don't understand why you would need a trunk. Well, you might, but I don't think it's necessary for this scenario. Anyway, if this was the case then the config is just a standard trunk; just an example below:

interface gi1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan #,#,#,#.....
 spanning-tree portfast trunk

Okay, so we have the trunk, but we need to route, right, to a default gateway? (This is where it doesn't make sense to me again.) So why, what will we do with a trunk, when everything is locally routed within the core?

You would have a default gateway anyway to the FW.

If this was a routed port and the FW's address was 10.0.0.1 for example then on the core we could do this:

interface gi1/0/1
 no switchport
 ip address 10.0.0.2 255.255.255.252
 no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1

You do not need NAT on the core, only the FW. But first you need to get connectivity between the core and the FW.

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Ah.... I wonder if that's it. The no switchport command for the routed port.

So do I need a default gateway, or not?

My thinking was that I didn't need a trunk port either to the FW. As you say, all the inter-VLAN routing is done on the switch; there is no need for the VLANs to be passed up to the FW. And do you need to assign an IP address to the actual port that's connecting to the FW, obviously in the same range as the one on the FW?

Hello, you will still need a default route to the firewall or some sort of gateway out in every case.

Try the single routed port for now; it's the simplest way to get connectivity and a good ping too! (Make sure the FW doesn't have any rules blocking.)

How many connections are there going to be from the core to the FW?

Hope this helps

Sent from Cisco Technical Support iPhone App

So do I need a default gateway for the core switch if I put in the default route and set it to no switchport? There's only one connection to the FW from the switch. I'm pretty sure the FW is already set up correctly - there shouldn't be any changes required to that (so they tell me, anyway).

And do I need to assign an IP address to the port on the switch that's connecting to the FW?

So on the 3750X, your core, I would do this, since you only have one single connection between core and firewall:

interface gi1/0/1
 no switchport
 ip address x.x.x.x x.x.x.x
 no shut
!
ip route 0.0.0.0 0.0.0.0 (fw ip here)

You only need this default route. And if the port on the FW is configured correctly, I don't see why you shouldn't get a good ping! (Check FW rules too.)

Hope this helps

Sent from Cisco Technical Support iPhone App

Ok, excellent. I'll try that tomorrow and let you know how I got on. Thanks a lot. Oh, no default gateway for the switch, right?

Hello
Correct, no ip default-gateway for the core, and enable ip routing.
Res
Paul

Sent from Cisco Technical Support iPad App


Lovely, thanks. Will give it a go tomorrow evening (out of hours, because I need to disconnect the current network).

Matthew

Just to add to Bilal's comments:

Keep this in mind for L2/L3 switches.

L2 access switches:
ip default-gateway = acts as a host device, but with L2 switching only (no routing).

L3 switches:
ip routing = for inter-VLAN routing (communication between broadcast domains, in your case multiple VLANs).
Dynamic routing protocols such as RIPv2/EIGRP/OSPF can be run; these also require ip routing enabled.
Static routes = require ip routing enabled, to give the functionality to forward traffic with an unknown destination to a router (in your case the firewall) which would possibly know the path to the unknown destination.

Res
Paul

Sent from Cisco Technical Support iPad App


Thanks Paul... that's helpful.

ip routing has already been enabled, as shown in the config in the initial post.

The ip default-gateway command differs from the other two commands. It should only be used when ip routing is disabled on the Cisco router.

Creating a static route to network 0.0.0.0 0.0.0.0 is another way to set the gateway of last resort on a router. As with the ip default-network command (used when using routing protocols), using the static route to 0.0.0.0 is not dependent on any routing protocols. However, ip routing must be enabled on the router (which you already have).

More info on this topic, here: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml

Sent from Cisco Technical Support iPhone App
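As an added example (not code from this thread, Cisco or Cyberoam), the following Python audit applies the two rules the replies above converge on to a pasted running-config: with ip routing on, ip default-gateway is dead weight and a 0.0.0.0/0 static route is needed, and the firewall-facing port should be a routed port whose subnet contains that next hop. It assumes the indentation-stripped paste format seen in the thread; the BEFORE and AFTER fragments are constructed, with AFTER using the example addresses from Bilal's reply.

```python
import ipaddress
import re

DEFAULT_ROUTE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def parse_config(config):
    """Split an IOS config into global commands and per-interface commands.
    Indentation is ignored and a block ends at '!', as in the pasted config."""
    globals_, ifaces, cur = [], {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line.startswith("!"):
            cur = None
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        else:
            (ifaces[cur] if cur else globals_).append(line)
    return globals_, ifaces

def audit_core_uplink(config, uplink):
    """Findings for an L3 core whose default route should point at the firewall."""
    g, ifaces = parse_config(config)
    out, routing = [], "ip routing" in g
    hops = [m.group(1) for m in map(DEFAULT_ROUTE.match, g) if m]
    if not routing:
        out.append("ip routing is off: needed for inter-VLAN routing and static routes")
    elif any(x.startswith("ip default-gateway") for x in g):
        out.append("ip default-gateway is ignored once ip routing is on; remove it")
    if routing and not hops:
        out.append("no gateway of last resort: add 'ip route 0.0.0.0 0.0.0.0 <fw-ip>'")
    port = ifaces.get(uplink, [])
    addr = [x.split() for x in port if x.startswith("ip address ")]
    if "no switchport" in port and addr:  # routed port: next hop must be on-link
        net = ipaddress.ip_network(f"{addr[0][2]}/{addr[0][3]}", strict=False)
        out += [f"{uplink}: next hop {h} is not on {net}" for h in hops
                if ipaddress.ip_address(h) not in net]
    elif "switchport mode trunk" in port:
        out.append(f"{uplink}: trunk to the firewall, but the SVIs are on the core; "
                   "a routed port is simpler")
    else:
        out.append(f"{uplink}: make it a routed port ('no switchport' + ip address)")
    return out

# Constructed fragments: BEFORE mirrors the posted config, AFTER applies the advice.
BEFORE = ("ip routing\n!\ninterface GigabitEthernet1/0/1\nswitchport access vlan 4\n"
          "!\nip default-gateway 10.0.4.1\n")
AFTER = ("ip routing\n!\ninterface GigabitEthernet1/0/1\nno switchport\n"
         "ip address 10.0.0.2 255.255.255.252\n!\nip route 0.0.0.0 0.0.0.0 10.0.0.1\n")
```

Running `audit_core_uplink(BEFORE, "GigabitEthernet1/0/1")` reports the stale default-gateway, the missing default route and the access-mode uplink, while the AFTER fragment comes back clean.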