Buy or Renew
Buy or Renew
COMING SOON: Umbrella and Secure Access release notes are coming to Cisco Community. The community will be in read-only August 16 – 19. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
265
Views
5
Helpful
8
Replies

issue with connected interface

Mark Malone
VIP Alumni
VIP Alumni

‎11-26-2015 04:43 AM - edited ‎03-08-2019 02:51 AM

Hey

we have a SVI interface that will be a mgmt interface on a VSS switch , we will be sourcing all mgmt traffic from that vlan interface.

The issue were facing is traffic to reach any device must first go to the firewall as a security policy and then hit the SVI on each device

but the VSS is in the path of the firewall so this one switch has a connected route so not matter what way i try to influence it when i trace to the SVI for the VSS switch its stops on the VSS switch which is what you would expect as thats where it is. We need to break the logical thinking of the switch and allow traffic for that particular interface when we trace to it, to still pass through the switch hit the firewall and then come back.I know its not ideal but thats what we need.

Is there any way to manipulate connected routes that i can make them route upstream to the firewall even though its locally owned

tried a vrf , manipulate statics but all the time route table says its locally connected

The issue is only with the VSS  switch the design has worked for all other remote and local switches so we cant really change the whole design for one switchs mgmt traffic

Thanks

Labels:
0 Helpful
8 Replies 8

Jon Marshall
Hall of Fame
Hall of Fame

‎11-26-2015 06:09 AM

Hi Mark

So you have a switch that is in the same IP subnet as the SVI on the VSS and for that switch to get to the firewall it has to go via the VSS switch which means it just stops there.

And you want it to go out to the firewall and then back ?

Is the firewall interface IP in the same IP subnet as the VSS SVI ?

And how do all the other switches work ie.are they in the same IP subnet as the VSS SVI ?

Could you clarify the IP addressing.

Presumably the switch is connected via a trunk ie. I am assming PBR on the VSS switch is not possible because the traffic enters on the management vlan ie. the first L3 interface it hits is the management SVI ?

Jon

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to Jon Marshall

‎11-26-2015 06:24 AM

Hi Jon

thanks for the reply

basically we have given each switch an ip address in range 172.21.226.0/23 , the gateway for this subnet is on the firewall 172.21.226.1 , the vss has an ip of .189 , the issue is the jumpbox we use to access the switches is behind the vss so it goes jumpbox - l2 switch - vss - firewall  as the path

when we trace to 172.21.226.189 it stops at the vss which would be correct as thats where the ip is set but we need it even though its a connected interface to go through the vss up to the firewall and then back to the vss , the reason for this is security have said that all mgmt traffic needs to first go to the firewall to be processed first (we have out of band switches directly connected to a vdom on the firewall all mgmt traffic from each switch is set as a source of that vlan interface)

all other switches are either directly connected to the oob switches/firewall and work fine there layer 2 , it just seems to be an issue with the vss as its routing, i tried set the vlan interface in its own vrf and pointed it to the firewall but it still choses the most specific local connected interface the vlan so i cant get the traffic to go to the firewall first.

hopefully i made that clear there and im not sure if this is possible even as were tring to override a connected interface and make it go to the fw first an then back 

*******

And you want it to go out to the firewall and then back ? Yes exactly

Is the firewall interface IP in the same IP subnet as the VSS SVI ? Yes both in /23 network

Presumably the switch is connected via a trunk ie. I am assming PBR on the VSS switch is not possible because the traffic enters on the management vlan ie. the first L3 interface it hits is the management SVI ? Yes trioed pbr but not even getting a hit on the acl , tried extended and standard but same result

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Mark Malone

‎11-26-2015 06:36 AM

Mark

Thanks for clarifying.

Just one other question and I suspect I know the answer but the jumpbox is presumably in the management vlan subnet ?

Jon

Mark Malone
VIP Alumni
VIP Alumni
In response to Jon Marshall

‎11-26-2015 06:41 AM

Thanks Jon i just found the issue , theres an old DNS entry in one of the system so whenever i traced by name i was just hitting vss directly from jumbox, when i use ip address and trace direct to that it takes the correct path hits the firewall first and then the VSS interface so the vrf is actually working as it should be :) were removing the dns entry now so it should work by name too

Thanks

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Mark Malone

‎11-26-2015 06:46 AM

Mark

Thanks for letting me know.

I was thinking VRFs might be a solution but could't understand why it wasn't working :-)

Jon

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Mark Malone

‎11-26-2015 06:48 AM

Just out of interest is the jumpbox in a separate IP subnet ?

I am assuming so otherwise even with a VRF I'm not sure how you got it working.

Jon

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to Jon Marshall

‎11-26-2015 07:16 AM

Hi yes jumpbox is completely seperate subnet 172.21.2.x

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Mark Malone

‎11-26-2015 07:19 AM

Thanks, makes sense now.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card