04-14-2013 06:57 AM - edited 03-07-2019 12:48 PM
Hi guys,
I have a 3750X four-switch stack acting as the core of a fairly simple LAN. All I need to achieve (and this seems inordinately hard, but it is entirely likely that I'm just being dense) is to get access to the internet through my core switch, through the firewall and out through my VSAT. I've spoken at some length with the firewall providers (Cyberoam) and they tell me all I need to do when I migrate onto my new system (Cyberoam is currently in place at the entrance to our existing LAN) is change the local IP address of the Firewall, plug in the new switch to the LAN port, and away I go. Tried that, didn't work, so obviously I'm missing something.
This is my running-config from the Core Switch:
CSW01#sh run
Building configuration...
Current configuration : 20866 bytes
!
! Last configuration change at 08:57:30 UTC Wed Mar 30 2011 by mlucas
! NVRAM config last updated at 03:52:46 UTC Wed Mar 30 2011 by mlucas
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CSW01
!
boot-start-marker
boot-end-marker
!
enable secret 4 5fpDlu4LdCozFYxrLimWlqRSZLorgqR1LnuU34XhHaE
!
username xxxx password 7 041158280870421D5A2B43
username xxxx password 7 083B43430B1000
username xxxx password 7 013B07165F59015C351D405B
username xxxx password 7 000A120F17530A265D711D1F
username xxxx password 7 15382B5D557A686569
no aaa new-model
!
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
switch 3 provision ws-c3750x-24s
switch 4 provision ws-c3750x-24s
system mtu routing 1500
ip routing
!
!
ip domain-name sierra-rutile.local
!
stack-power stack RUTILE
mode redundant
!
stack-power switch 1
stack RUTILE
switch mode: standalone
stack-power switch 2
stack RUTILE
switch mode: standalone
stack-power switch 3
stack RUTILE
switch mode: standalone
stack-power switch 4
stack RUTILE
switch mode: standalone
!
!
crypto pki trustpoint TP-self-signed-2811275648
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2811275648
revocation-check none
rsakeypair TP-self-signed-2811275648
!
!
crypto pki certificate chain TP-self-signed-2811275648
certificate self-signed 01
quit
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-1024 priority 24576
!
!
vlan internal allocation policy ascending
!
interface FastEthernet0
ip address 10.10.10.1 255.255.255.0
no ip route-cache
!
interface GigabitEthernet1/0/1
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 4
switchport mode access
!
Redacted
!
interface GigabitEthernet1/0/48
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface TenGigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface TenGigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/1
switchport access vlan 8
switchport mode access
power inline auto max 15400
!
Redacted
!
interface GigabitEthernet2/0/48
switchport access vlan 8
switchport mode access
power inline auto max 15400
!
interface GigabitEthernet2/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
Redacted
!
interface GigabitEthernet3/1/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface TenGigabitEthernet3/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface TenGigabitEthernet3/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet4/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
Redacted
!
interface GigabitEthernet4/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet4/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet4/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet4/1/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet4/1/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface TenGigabitEthernet4/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface TenGigabitEthernet4/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
ip address 10.0.0.10 255.255.252.0
ip helper-address 10.0.4.129
ip helper-address 10.0.4.130
!
interface Vlan4
ip address 10.0.4.10 255.255.252.0
!
interface Vlan8
ip address 10.0.8.10 255.255.252.0
ip helper-address 10.0.4.129
ip helper-address 10.0.4.130
!
interface Vlan16
ip address 10.0.16.10 255.255.252.0
ip helper-address 10.0.4.129
ip helper-address 10.0.4.130
!
interface Vlan20
ip address 10.0.20.10 255.255.252.0
ip helper-address 10.0.4.129
ip helper-address 10.0.4.130
!
interface Vlan24
ip address 10.0.24.10 255.255.252.0
ip helper-address 10.0.4.129
ip helper-address 10.0.4.130
!
interface Vlan28
ip address 10.0.28.10 255.255.252.0
ip helper-address 10.0.4.129
ip helper-address 10.0.4.130
!
interface Vlan32
ip address 10.0.32.10 255.255.252.0
ip helper-address 10.0.4.129
ip helper-address 10.0.4.130
!
interface Vlan36
ip address 10.0.36.10 255.255.252.0
ip helper-address 10.0.4.129
ip helper-address 10.0.4.130
!
interface Vlan244
ip address 192.168.0.254 255.255.255.0
ip access-group 101 in
!
interface Vlan248
ip address 192.168.10.10 255.255.252.0
ip helper-address 10.0.4.129
ip helper-address 10.0.4.130
!
interface Vlan252
ip address 10.0.252.10 255.255.252.0
!
ip default-gateway 10.0.4.1
no ip http server
no ip http secure-server
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
line con 0
login local
line vty 0 1
login local
transport input ssh
line vty 2 4
login
transport input none
line vty 5 15
login
transport input none
!
end
Cyberoam tell me only that the port on the switch connecting to the LAN port on the Cyberoam needs to be a trunk port. Current LAN-side IP of the Cyberoam is 10.10.10.4, planned new is 10.0.4.1, in line with the rest of my infrastructure. Just plugging in and making it a trunk port meant that I couldn't even ping the Cyberoam from the switch. I'm guessing (hoping) that there's a standard way of configuring the switch to connect to a firewall, but I just don't know what it is. Can anyone help, please?
Thanks in advance,
Matt
04-14-2013 08:05 AM
Hello
Seeing as this stack is acting as your LAN core, you need to enable ip routing, remove the default-gateway 10.0.4.1 and add a static route:
ip route 0.0.0.0 0.0.0.0 10.0.4.1
Also, I don't see any NAT translation. Is your FW provider doing this?
If not, I would suggest enabling NAT also.
res
paul
Sent from Cisco Technical Support Android App
04-14-2013 09:52 AM
That's weird... I'm sure I had that in already as a default route. Oh, I need to remove the default gateway? Ok, so enable ip routing, remove the gateway and add that route (that I was sure I had added anyway - losing my mind).
To your mind, a trunk port or access port? What would you do normally?
04-14-2013 09:53 AM
Sorry, yeah, NAT is done on the firewall
04-14-2013 11:15 AM
Hello Matthew, I know this might be a bit of a silly question to ask, but I can't see your VLANs created in your config... So are they created? Do a 'show vlan'.
I have a 3750X and when I do a show run I see all my VLANs within the config, e.g.
3750X-121#show run
Building configuration...
Current configuration : 20472 bytes
!
! Last configuration change at 15:20:09 BST Sun Apr 14 2013 by Bilal
! NVRAM config last updated at 15:20:14 BST Sun Apr 14 2013 by Bilal
!
Output Omitted
!
vlan 804
name MGMT
!
vlan 805
name AP
!
vlan 811
name AV
!
vlan 812
name C
!
vlan 813
name IPTV
!
vlan 814
name VideoConference
Also, the FW must be set to trunking, and remember about native VLANs. As far as I'm aware, there are 2 ways of doing this:
Since all your SVIs are on the core, I don't understand why you would need a trunk? Well, you might, but I don't think it's necessary for this scenario. Anyway, if this was the case then the config is just a standard trunk; just an example below:
interface gi1/0/1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan #,#,#,#.....
spanning-tree portfast trunk
Okay, so we have the trunk, but we need to route, right, to a default gateway? (This is where it doesn't make sense to me again.) So why, what will we do with a trunk, when everything is locally routed within the core?
You would have a default gateway anyway to the FW.
If this was a routed port and the FW's address was 10.0.0.1 for example then on the core we could do this:
interface gi1/0/1
no switchport
ip address 10.0.0.2 255.255.255.252
no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
You do not need NAT on the core, only the FW. But first you need to get connectivity between the core and the FW.
Hope this helps
Please rate useful posts and remember to mark any solved questions as answered. Thank you.
04-14-2013 11:37 AM
Ah.... I wonder if that's it. The no switchport command for the routed port.
So do I need a default gateway, or not?
My thinking was that I didn't need a trunk port either to the FW. As you say, all the inter-VLAN routing is done on the switch; there is no need for the VLANs to be passed up to the FW. And do you need to assign an IP address to the actual port that's connecting to the FW, obviously in the same range as the one on the FW?
04-14-2013 11:49 AM
Hello, you will still need a default route to the firewall or some sort of gateway out in every case.
Try the single routed port for now; it's the simplest way to get connectivity and a good ping too! (Make sure the FW doesn't have any rules blocking.)
How many connections are there going to be from the core to the FW?
Hope this helps
Sent from Cisco Technical Support iPhone App
04-14-2013 12:16 PM
So do I need a default gateway for the core switch if I put in the default route and set it to no switchport? There's only one connection to the FW from the switch. I'm pretty sure the FW is already set up correctly - there shouldn't be any changes required to that (so they tell me, anyway).
And do I need to assign an IP address to the port on the switch that's connecting to the FW?
04-14-2013 12:24 PM
So on the 3750x your core, I would do this since you only have one single connection between core and firewall.
interface gi1/0/1
no switchport
ip address x.x.x.x x.x.x.x
no shut
!
ip route 0.0.0.0 0.0.0.0 (fw ip here)
You only need this default route. And if the port on the FW is configured correctly I don't see why you shouldn't get a good ping!
(Check FW rules too)
Hope this helps
Sent from Cisco Technical Support iPhone App
04-14-2013 12:30 PM
Ok, excellent. I'll try that tomorrow and let you know how I got on. Thanks a lot. Oh - no default gateway for the switch, right?
04-14-2013 12:35 PM
Hello
Correct no ip default-gateway for the core and enable ip routing
Res
Paul
Sent from Cisco Technical Support iPad App
04-14-2013 12:44 PM
Lovely thanks. Will give it a go tomorrow evening (out of hours because need to disconnect the current network).
04-14-2013 01:32 PM
Matthew
Just to add to Bilal's comments:
Keep this in mind for L2/L3 switches:
(L2 access switches)
ip default-gateway = acts as a host device, but with L2 switching there is no routing.
L3 switches:
ip routing = for inter-VLAN routing (communication between broadcast domains, in your case multiple VLANs).
Dynamic routing protocols such as RIPv2/EIGRP/OSPF can be run, and also require ip routing enabled.
Static routes = require ip routing enabled to give the functionality to forward traffic with an unknown destination to a router (in your case the firewall) which would possibly know the path to the unknown destination.
Res
Paul
Sent from Cisco Technical Support iPad App
04-14-2013 01:47 PM
Thanks Paul... that's helpful.
04-14-2013 12:53 PM
ip routing has already been enabled, as shown in the config in the initial post.
The ip default-gateway command differs from the other two commands. It should only be used when ip routing is disabled on the Cisco router.
Creating a static route to network 0.0.0.0 0.0.0.0 is another way to set the gateway of last resort on a router. As with the ip default-network command (used when using routing protocols), using the static route to 0.0.0.0 is not dependent on any routing protocols. However, ip routing must be enabled on the router (which you already have).
More info on this topic, here: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml
Sent from Cisco Technical Support iPhone App
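The replies converge on four conditions for the core-to-firewall link: ip routing on, no ip default-gateway while routing is on, a default static route to the firewall, and a routed port (no switchport plus an IP address) facing it. The checker below is an added example, not code from the thread or from Cisco; it parses IOS-style config text and flags whichever of those conditions are missing. The two sample configs are constructed: the first mirrors the original post's situation, the second follows Bilal's 10.0.0.1/10.0.0.2 routed-port example.

```python
import re

# Constructed sample: the original core config reduced to the relevant lines.
SAMPLE_CONFIG = """\
ip routing
interface GigabitEthernet1/0/1
 switchport access vlan 4
 switchport mode access
interface Vlan4
 ip address 10.0.4.10 255.255.252.0
ip default-gateway 10.0.4.1
"""

# Constructed sample: the routed-port design suggested in the replies.
FIXED_CONFIG = """\
ip routing
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.0.0.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # any top-level command ends the interface block
    return interfaces


def check_gateway_of_last_resort(config):
    """Return a list of findings for the conditions discussed in the thread."""
    findings = []
    routing = re.search(r"^ip routing$", config, re.M) is not None
    default_gw = re.search(r"^ip default-gateway (\S+)", config, re.M)
    default_route = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    routed_ports = [name for name, cmds in parse_interfaces(config).items()
                    if "no switchport" in cmds
                    and any(c.startswith("ip address ") for c in cmds)]
    if not routing:
        findings.append("ip routing is disabled: static routes and SVI routing will not work")
    if routing and default_gw:
        findings.append(f"ip default-gateway {default_gw.group(1)} is ignored while ip routing is on")
    if routing and not default_route:
        findings.append("no 'ip route 0.0.0.0 0.0.0.0 <fw>': there is no gateway of last resort")
    if not routed_ports:
        findings.append("no routed port (no switchport + ip address) facing the firewall")
    return findings
```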