Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1840
Views
1
Helpful
21
Replies

L2 Switch Behavior

Go to solution
Dragonss
Level 1
Level 1

‎04-27-2023 05:01 AM

Guys, some issues are faced when L2 switch is connected in between Firewall and MPLS Router. We have IPSEC tunnel built over mpls link. When switch is placed we can't ping router LAN interface IP from active firewall, but once we remove it becomes direct connection and able to ping it. what could be the reason ?

1. below points are of L2 Switch config

a. On switch default route is pointed towards Upstream firewall mentioned in setup.

b. Router is connected to switch port, for that we created vlan 30 and made that port access

c. Now 3 ports on switch are member of vlan30. 1 connecting to router, other 2 connecting from firewalls.

4. Now on both firewalls we created vlan interface eg 3.30. after doing all connectivity when we try to ping MPLS router LAN Interface IP from active FW it wasn't reachable.

5. So we thought Sub interface on firewall may be the issue, so we removed vlan and kept physical ports. for eg eth3 connecting directly to switch. still ping to MPLS router LAN Interface ip from active FW wasn't reachable.

6. For TS purpose, we examined L2 switch which sits between FW & RTR and found default route towards Upstream FW, Hence decided to remove it and make direct connectivity which solved the issue. 

7.My query was,if we introduce switch again then do we need to point default route towards Firewall in HA. Please note we tried adding specific IP static routes on switch , it didn't worked. in routing table it considers only default route.

8. so any suggestions will be helpful before adding switch, any checks we need to perform so tunnel should be up again once switch is introduced.

Dragonss_0-1682595452804.png

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to Dragonss

‎05-07-2023 10:28 PM - edited ‎05-07-2023 10:32 PM

It not tunnel' it relate to any traffic make SW learn mac of FW.

Try send any other traffic like ping from fw to mpls and you will see mac of fw add to table. 

Note:- no need ping success or failed

Note:- we can adjust aging time of mac in SW but cisco not recommend it. Keep as it defualt value.

Thanks

MHM

View solution in original post

0 Helpful
21 Replies 21

Go to solution
MHM Cisco World
VIP
VIP

‎04-27-2023 05:13 AM

Router to L2SW 

Port in l2sw must access vlan30

Port in router must router port with IP address 

0 Helpful

Go to solution
Dragonss
Level 1
Level 1
In response to MHM Cisco World

‎04-27-2023 05:15 AM

yes port in router have ip address configured, same range ip's we configured on Firewalls in HA

0 Helpful

Go to solution
Dragonss
Level 1
Level 1
In response to MHM Cisco World

‎04-27-2023 05:16 AM

do we need to change pointing of default route on switch before adding bck in network ?. 

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Dragonss

‎04-27-2023 05:25 AM

Since all FW HA and the router in same subnet then the traffic is bridge inside L2Sw' the gw of l2sw have no effect.

What I suspect is the FW HA mac address is same for both FW.

Can you check show mac address see if the sw have mac address for noth FW.

0 Helpful

Go to solution
Dragonss
Level 1
Level 1
In response to MHM Cisco World

‎04-27-2023 05:31 AM

yes switch contains  mac address of both the firewalls.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Dragonss

‎04-27-2023 05:45 AM - edited ‎04-27-2023 05:49 AM

Ping from router to broadcast of subnet and see if the both FW rely to this ping request.

Note:- make double check are the sw add mac add or fw to correct vlan

Also the only think here that make l2sw drop ping is the vlan id is change.

So try one think config trunk to fw and allow vlan 30 in trunk but you must sure that vlan30 is not native vlan of sw.

0 Helpful

Go to solution
Dragonss
Level 1
Level 1
In response to MHM Cisco World

‎04-27-2023 07:02 AM

hello, u mean to say from firewall we should pinging broadcast ip of that subnet (rtr we don't have access)

Second point is we double checked mac add for fw

last point we did try trunk but not worked , let me check again for native vlan and get bck 2 u.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Dragonss

‎04-27-2023 07:06 AM

hello, u mean to say from firewall we should pinging broadcast ip of that subnet (rtr we don't have access) Yes you can ping from FW let see if all l3 device connect to this subnet reply

Second point is we double checked mac add for fw' are it add to correct vlan' vlan30?

last point we did try trunk but not worked , let me check again for native vlan and get bck 2' update me for this point 

0 Helpful

Go to solution
Dragonss
Level 1
Level 1
In response to MHM Cisco World

‎04-27-2023 07:41 AM

Regarding Native Vlan , currently it is directly connected so no vlan is flowed. Suppose for eg if it comes under Native Vlan what could be further TS?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Dragonss

‎04-27-2023 09:00 AM - edited ‎04-27-2023 09:01 AM

Continue TS'

Why I ask about native vlan' it can that the FW send tag frame and this tag is drop by SW so you need 

FW-trunk with native vlan othr than vlan30-SW 

This make FW send tag and SW accpet it' 

0 Helpful

Go to solution
Dragonss
Level 1
Level 1
In response to MHM Cisco World

‎05-07-2023 09:39 PM - edited ‎05-07-2023 09:41 PM

yes, we got downtime yesterday and connected switch in between FW and RTR. Checked by command (sh int trunk )in native vlan section  there was no vlan30 mentioned. it was very strange why it didn't worked earlier.

Now all looks good, but only query i have which i faced during TS. below is the scenario

So RTR is connected to Pri switch port 46 and HA01(Active) connected to pri switch port 47 and both ports are member of vlan 30. when i reset the tunnel from firewall and then check mac address on port 46 it is not visible. but when i initiate traffic, tunnel comes up and we can see mac address on port 46.

My query is how tunnel initiation is related with L2 layer . Normally mac address should remain on switch port as it is directly connected to rtr int.

Go to solution
MHM Cisco World
VIP
VIP
In response to Dragonss

‎05-07-2023 10:00 PM

Sorry can you more elaborate about tunnel?

0 Helpful

Go to solution
Dragonss
Level 1
Level 1
In response to MHM Cisco World

‎05-07-2023 10:21 PM

so we have tunnel between FW 2 FW. tunnel is over mpls link. below is the diagram. so when i reset tunnel on HA01 active firewall & parallely chck mac address on port 46 of switch by command sh mac address int gi1/0/46 it is not visible.

But when i initiate traffic tunnel comes up and then mac address is visible on same switch port . 

My query is how tunnel initiation is related with L2 layer . Normally mac address should remain on switch port as it is directly connected to rtr int.

Dragonss_1-1683523116701.png

 

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Dragonss

‎05-07-2023 10:28 PM - edited ‎05-07-2023 10:32 PM

It not tunnel' it relate to any traffic make SW learn mac of FW.

Try send any other traffic like ping from fw to mpls and you will see mac of fw add to table. 

Note:- no need ping success or failed

Note:- we can adjust aging time of mac in SW but cisco not recommend it. Keep as it defualt value.

Thanks

MHM

0 Helpful
Customers Also Viewed These Support Documents