L2 Switch Behavior

Dragonss
Level 1

Guys, we are facing some issues when an L2 switch is connected between the firewall and the MPLS router. We have an IPsec tunnel built over the MPLS link. When the switch is in place we can't ping the router LAN interface IP from the active firewall, but once we remove it, it becomes a direct connection and we are able to ping it. What could be the reason?

1. The points below describe the L2 switch config:

a. On the switch, the default route is pointed towards the upstream firewall mentioned in the setup.

b. The router is connected to a switch port; for that we created VLAN 30 and made that port access.

c. Now 3 ports on the switch are members of VLAN 30: 1 connecting to the router, the other 2 connecting to the firewalls.

4. Now on both firewalls we created a VLAN interface, e.g. 3.30. After doing all the connectivity, when we tried to ping the MPLS router LAN interface IP from the active FW it wasn't reachable.

5. So we thought the sub-interface on the firewall might be the issue, so we removed the VLAN and kept physical ports, e.g. eth3 connecting directly to the switch. Still, ping to the MPLS router LAN interface IP from the active FW wasn't reachable.

6. For TS purposes, we examined the L2 switch which sits between the FW & RTR and found a default route towards the upstream FW. Hence we decided to remove it and make direct connectivity, which solved the issue.

7. My query was, if we introduce the switch again, do we need to point the default route towards the firewall in HA? Please note we tried adding specific IP static routes on the switch; it didn't work. In the routing table it considers only the default route.

8. So any suggestions will be helpful before adding the switch: any checks we need to perform so the tunnel is up again once the switch is introduced.

[Network diagram attached to the original post; image not included]

21 Replies

Actually, on port 46 of the switch we have connected the cable from the router LAN interface, so we see the MAC address of the router.

So when there is no traffic there is no MAC address on switch port 46 either. Ideally, when we connect the RTR to a switch port, the MAC address remains constant, right?

Hello

If you are using a truly Layer 2 switch, there will be no routing. You can eventually set up static routing or a default gateway on the switch, but it is meant for management traffic to the switch and not for traffic passing through the switch.

In the scenario where you create a subinterface on the firewall, you should have configured this subinterface as a trunk (encapsulation dot1q, if supported on the firewall) and then put the interface on the access switch in trunk mode.

If you are going to keep the Layer 2 switch in between the router and the firewall, you need to keep both ports, to the firewall and to the router, as access ports. This way, the switch will just pass the traffic from one end to the other without intervention.
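The two transit-port options from the reply above, written out as an added Cisco IOS configuration example for a 2960 stack (this is not config from the thread). Gi1/0/46 is taken from the thread's "port 46"; the firewall-facing ports Gi1/0/1 and Gi1/0/2, the management VLAN 1 address and the gateway address are assumptions.

```cisco
! ADDED EXAMPLE, not from the thread. Assumed: Gi1/0/46 = MPLS router LAN port
! (port 46 as in the thread), Gi1/0/1-2 = firewall A / firewall B eth3,
! management on VLAN 1 with placeholder addresses. Apply Option A OR Option B.
vlan 30
 name FW-TO-MPLS-RTR
!
! Router port: the router sends untagged frames, so it is an access port in
! both options.
interface GigabitEthernet1/0/46
 description MPLS router LAN interface
 switchport mode access
 switchport access vlan 30
!
! Option A: firewall uses a plain physical port (eth3). All three ports are
! access ports in the same VLAN; the switch only bridges, no routing involved.
interface range GigabitEthernet1/0/1 - 2
 description Firewall A / Firewall B eth3
 switchport mode access
 switchport access vlan 30
!
! Option B: firewall uses a dot1q subinterface (eth3.30), so its frames arrive
! tagged with VLAN 30. The firewall-facing ports must be trunks that carry
! VLAN 30 tagged. Leave the native VLAN at its default (1): if VLAN 30 were
! made native, the switch would send it untagged and the subinterface would
! drop it.
interface range GigabitEthernet1/0/1 - 2
 description Firewall A / Firewall B eth3 (dot1q subinterface 3.30)
 switchport mode trunk
 switchport trunk allowed vlan 30
 switchport nonegotiate
!
! Management only: the default gateway is used for traffic the switch itself
! sources (SSH, SNMP, syslog). It has no effect on frames bridged in VLAN 30,
! which is why static routes on the switch cannot fix a bridged ping.
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
ip default-gateway 192.0.2.1
!
! Checks once the switch is back in path:
!  show vlan brief                -> all three ports listed under VLAN 30
!  show interfaces trunk          -> (Option B) VLAN 30 allowed and active
!  show mac address-table vlan 30 -> router MAC on Gi1/0/46, active firewall
!                                    MAC on Gi1/0/1 or Gi1/0/2. Dynamic entries
!                                    age out after 300 s of silence by default,
!                                    so an empty entry on an idle port is normal.
```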


Hey,

Yes, it is for mgmt traffic; that's why the default route is present towards upstream. We have the same scenario in which we have a sub-interface on the firewall but on the switch side there is no trunk. But still, we did trunk on the switch interface and it didn't work.

Yes, the last option is ideal but it is not working as expected.

Which switch model is it?

The management traffic should not interfere with the data plane on the switch. As long as you keep both interfaces in the same VLAN with no trunk, the traffic should flow with no problem. If it does not, then either this switch is not exactly Layer 2 or it has some issue.

One question: what is the intention of adding a switch there?

The switch is a 2960 stack. For redundancy purposes we have 2 HA FWs, so one leg goes to the secondary switch and traffic failover works fine.

The RTR is single and it is connected to the primary switch.

I'd like to see a diagram, if possible. And I'd wipe this switch out and start over again.

Hi, the diagram was mentioned above. But thanks for your TS steps; now the switch is introduced and the tunnel is up.
We can't wipe out the switch config as other traffic is passing over it.