Creating VLAN with ip address on Switch and Firewall

ishh (Level 1)

I want to know: if you create a VLAN on a switch and create the same VLAN on a firewall, should their IP addresses be the same or different? Let's suppose I create a VLAN on the firewall (VLAN 100: 10.10.10.1) and on the switch I create the same VLAN (VLAN 100: 10.10.10.1). Or do I have to give a different IP address on the switch, like 10.10.10.2?


balaji.bandi (Hall of Fame)

Both should be in the same VLAN to communicate, and the IP addresses should be unique (if not, you get a conflict).

Firewall (10.10.10.1) ----- VLAN 100 ----- Switch (10.10.10.2) should work.

This assumes that you are going to use Layer 3 between the switch and the firewall.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

That's what is making me confused. You said the IP address should be unique, otherwise I will get a conflict, but then you mentioned below that different IP addresses,

like 10.10.10.1 on the firewall and 10.10.10.2 on the switch, should work...

Please make it a bit more clear. I know it will work, and if I set up the same IP address on the switch and firewall, like 10.10.10.1 on both the switch and the firewall, it even works better. But I want to know what is right and what is wrong conceptually.

Thanks

like 10.10.10.1 on firewall and 10.10.10.2 on switch should work... These numbers (highlighted in red) are not the same, so there is no conflict.

The conflict will be as below, and it is not going to work: like 10.10.10.1 on firewall and 10.10.10.1 on switch should work...

BB


 

Many thanks for your reply,

But at my job, something was not working where they had different IP addresses for the same VLAN on the switch and firewall, so I put the same IP address for the same VLAN on the switch and firewall and it started working. I experienced this in two cases. In one, someone migrated their printers to a new VLAN and had different IP addresses on the switch and firewall. When I configured the same IP address for that specific VLAN on the switch and firewall, they started to ping IP addresses and were able to ping from their LAN computers. In another scenario,

some users were not able to open the web page of some application on their office computers and from home. When I checked, there was no IP address for that specific VLAN on the switch, but on the firewall that VLAN was configured with an IP address, e.g. 10.10.10.0/24 with gateway IP address 10.10.10.1. So I gave the switch an IP address for that VLAN, i.e. 10.10.10.1, and then users were able to open the web page of that application on their office computers and home computers. But the next day I saw one of my colleagues change the IP address on the switch for the same VLAN and set it to 10.10.10.2. So now users from home computers cannot open that web page, but they can open the web page of that app on their office computers.

That's why I want to know what is actually the right thing. Please advise.

Hello

 


@ishh wrote:

Many thanks for your reply,

But at my job, something was not working where they had different IP addresses for the same VLAN on the switch and firewall, so I put the same IP address for the same VLAN on the switch and firewall and it started working. I experienced this in two cases. In one, someone migrated their printers to a new VLAN and had different IP addresses on the switch and firewall. When I configured the same IP address for that specific VLAN on the switch and firewall, they started to ping IP addresses and were able to ping from their LAN


Only one device replied, possibly because that device was the one that got registered in the ARP table first and the other was for some reason unresponsive. However, eventually you would encounter duplication and unpredictable connectivity.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

ishh (Level 1)

Hello

Can someone reply to this please?

As per the description, that's not really how that works, but still we are not sure how your setup is. Can you post the configuration and a network diagram of how it was connected?

I am not able to think how it was working (or maybe the FW interface may have been in a down status).

BB


ishh (Level 1)

Unfortunately, I don't have a diagram; I recently started this job. And one other thing for sure: the FW interfaces were not down, they were up. But that's what I thought, that a VLAN interface always has one IP address on every device, whether it's a switch or FW or router. I cannot provide all the config as I am not familiar with their network yet.

But seriously, I put the same IP address for the same VLAN on the switch and firewall and things got working. But I want to know, if that's wrong, then why is it wrong, what are the reasons. I don't know if that's too basic that I should know.

Hello

In short, a network device has a physical address, which is called a MAC address and is unique. When its interface gets attached to a network, this physical address is registered in the MAC address table of the switch.
When a device is assigned an IP address, this L3 address is registered along with its physical address in what's called an ARP table.

Now, using the MAC address and ARP tables of switches/routers is how all other devices in the network form connectivity between each other.

So if you assign the same IP address to yet another device, then that same IP address is going to be registered with a differing ARP/MAC address entry, and a conflict will be seen as/when both devices with the same IP address are actively connected to the same network, as re-registering of either device with the same IP address will occur within these tables, thus causing intermittent connectivity as all other hosts try to connect to whatever device should be the real host.



Kind Regards
Paul
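The MAC/ARP mechanism Paul describes above, and the two-address layout balaji.bandi sketched earlier (firewall 10.10.10.1, switch SVI 10.10.10.2, both in VLAN 100), can be modelled in a few lines. The Python below is an added example, not code from this thread or from Cisco: it simulates a host's ARP cache fed by constructed ARP replies (made-up MAC addresses), counts how often the entry for an IP flaps between two MACs, and reports any IP claimed by more than one MAC. The device names, MAC addresses and reply sequences are all assumptions chosen for illustration.

```python
"""Toy model of why two devices sharing one IP in a VLAN conflict.

Added example (not from the thread). A host's ARP cache is a dict
ip -> mac; every ARP reply it hears overwrites the entry for that IP.
"""
from collections import defaultdict

# Constructed sample devices on VLAN 100. MAC addresses are made up.
FIREWALL = ("aa:aa:aa:00:00:01", "10.10.10.1")        # firewall VLAN 100 interface
SWITCH_SVI = ("bb:bb:bb:00:00:02", "10.10.10.2")      # switch SVI, unique address
SWITCH_SVI_DUP = ("bb:bb:bb:00:00:02", "10.10.10.1")  # misconfigured SVI reusing the firewall's IP

# Each tuple is an ARP reply "<ip> is-at <mac>" as a host on the VLAN would hear it.
# Replies alternate between the two devices, as they would when both answer.
HEALTHY_REPLIES = [FIREWALL, SWITCH_SVI] * 3
CONFLICT_REPLIES = [FIREWALL, SWITCH_SVI_DUP] * 2


class ArpCache:
    """Minimal IP -> MAC cache that counts how often an entry is rewritten."""

    def __init__(self):
        self.entries = {}               # ip -> mac currently believed to own it
        self.flaps = defaultdict(int)   # ip -> number of times the mac changed

    def learn(self, ip, mac):
        old = self.entries.get(ip)
        if old is not None and old != mac:
            # The same IP is now answered by a different MAC: the entry flaps,
            # so frames for that IP go to whichever device replied last.
            self.flaps[ip] += 1
        self.entries[ip] = mac


def simulate(replies):
    """Feed a sequence of (mac, ip) ARP replies into a fresh cache and return it."""
    cache = ArpCache()
    for mac, ip in replies:
        cache.learn(ip, mac)
    return cache


def duplicate_ips(replies):
    """Return {ip: sorted list of macs} for every IP claimed by more than one MAC.

    This is the check an operator would run over (mac, ip) pairs parsed from
    an ARP table dump to spot a duplicate-address misconfiguration.
    """
    seen = defaultdict(set)
    for mac, ip in replies:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for name, replies in (("healthy", HEALTHY_REPLIES), ("conflict", CONFLICT_REPLIES)):
        cache = simulate(replies)
        print(f"{name}: arp={cache.entries} flaps={dict(cache.flaps)} "
              f"duplicates={duplicate_ips(replies)}")
```

Run it directly to print both scenarios: with unique addresses the cache never changes once learned, while with 10.10.10.1 on both devices the entry for that IP is rewritten on every reply, which is the intermittent connectivity described above. Whether hosts reach the firewall or the switch then depends only on which device answered last, matching the "only one device replied" behaviour seen in the thread.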

Hello Paul

Many thanks for your kind reply.

My question was about VLANs. Can we consider a VLAN as a network device? I don't think so, but yes, the switch and firewall are network devices and they have unique MAC addresses, and you can create multiple VLANs on both devices and can give them IP addresses. I can understand that you can provide two different IP addresses to physical interfaces, e.g. 10.10.10.1 at one end and 10.10.10.2 at the other end, but a VLAN.......

In my two cases, where I provided the same IP address to a VLAN, e.g. VLAN 100 on the firewall and switch, things started pinging rather than giving me an error of duplication or IP conflict.

 

Hello


@ishh wrote:

Can we consider a VLAN as a network device? I don't think so.


Yes you can. L3 switch VLAN interfaces (Switch Virtual Interfaces, SVIs) will have unique addressing (in this case ARP addressing) just like any single physical network device; they need to, for the reasons I have already mentioned.

 

 


@ishh wrote:

In my two cases, where I provided the same IP address to a VLAN, e.g. VLAN 100 on the firewall and switch, things started pinging rather than giving me an error of duplication or IP conflict.


I don't know why you were able to do this successfully, as I don't have visibility into your network. However, the question is what were you pinging, FW or switch?

The most probable reason you couldn't ping the FW is that by default the FW policy denies echo-reply (the response to ping).
As for the L3 VLAN interface, maybe it wasn't in an active up state, or either the firewall or the L3 SVI was isolated from the network.

It could also be because they were isolated by something called a Virtual Routing/Forwarding instance (VRF), which is a feature that can enable such address assignment.

In any case, it is highly recommended not to purposely assign duplicate IP addressing on the production network.



Kind Regards
Paul

No issue, I will still stick with my opinion as suggested before:

like 10.10.10.1 on firewall and 10.10.10.2 on switch should work... These numbers (highlighted in red) are not the same, so there is no conflict.

The conflict will be as below, and it is not going to work: like 10.10.10.1 on firewall and 10.10.10.1 on switch should work...

BB


Hello
Different IP addresses, otherwise you would encounter duplication conflicts between the switch and the firewall.



Kind Regards
Paul