Layer 2 communication vs. Layer 3

Hi All,

I have the following scenario:
Internal LAN - 4506 - inside ASA, DMZ ASA - 2950 - Servers
4506 Gig 6/3 connects to 2950 Fas 0/1

The internal network has a default gateway pointing to the 4506.
The 4506, has a default gateway to inside ASA
ASA DMZ is on the same subnet as the Servers on the 2950

So, I would assume that traffic from my machine intended for a Server will go through my DG (4506), then
through the ASA and finally through the 2950 to the Servers.

But what is happening is that traffic from my machine goes through my DG (4506), but then straight through the 2950 to
the Servers (bypassing the ASA)

From STP point of view, the 4506 is the Root Bridge.
The root port on 2950 is the direct connection to the 4506.
I think this is why the connection does not go through the ASA.

What I'm trying to understand is the following:
Does the fact that the 4506 has a DG pointing to the ASA not take precedence over the fact that there's a direct
connection between the 4506 and the 2950?


Layer 2 follows the path directly between Switches
Layer 3 follows the path through the ASA

Which takes precedence and why?


Layer 2 takes precedence but I don't understand why, since my laptop is on a totally different subnet from the Servers that
I want to reach.

I think the solution is to manipulate the cost, so that Layer 2 will prefer the path through the ASA (so Layer 2 and Layer
3 will have the same path).
But could someone explain to me why this is happening?

Thank you All,

Federico.


Hi Jon,

I see that port Gig6/48 on the 4506 is connected to one of the Servers (an FTP server). This server should be connected to the 2950 and not to the 4506; you are correct!

But the other servers have no direct connection to the 4506 (only to the 2950).

Could this be causing the problem?

Important points:
1. We found out there was a direct connection from the 4506 to the 2950 (bypassing the ASA) using CDP.
2. Traffic from the LAN is indeed flowing through the ASA (following the routing)
3. At some point we could not reach the servers, and we saw the port Fas 0/1 on 2950 (connecting to 4506 Gig 6/3),
   as err-disabled.
4. I thought that the port was in err-disabled because it was receiving BPDUs from the 4506 (and the Fast 0/1 was
   configured with the BPDU Guard feature).
5. VTP should not be passing through the 4506 and the 2950 since the only link between them is an access port on VLAN
   100.
6. After doing a shut/no shut on the err-disable port, everything started working.

Federico.

Federico

Sorry to belabour the point, but are you sure that when things stopped working you lost connectivity to the servers on the 2950 switch as well as the FTP server connected to the 4500?

Even if the connection between the 4500 and the 2950 was down, this should not stop you being able to communicate with the other servers unless the whole switch was affected. Did you see anything in the logs of the 2950 when you lost connectivity?

Jon

Jon,

I think I understand now.

I am going to check the connection for all the servers to make sure they are only connected to the 2950 (Switch DMZ) and not to the 4506.

Also, I'm going to check which of the servers failed at that time.

The logs from the 2950 show the following (Fast 0/1 is the direct connection to the 4506):

45w1d: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/1.
45w1d: %PM-4-ERR_DISABLE: loopback error detected on Fa0/1, putting Fa0/1 in err-disable state
45w1d: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/1.
45w1d: %PM-4-ERR_DISABLE: loopback error detected on Fa0/1, putting Fa0/1 in err-disable state
45w1d: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/1.
45w1d: %PM-4-ERR_DISABLE: loopback error detected on Fa0/1, putting Fa0/1 in err-disable state

Is there a loop caused by this problem?

Please let me know your recommendations.

I'm going to run some tests as well and get back to you...

Federico.
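As an added example that is not part of the thread: a small Python script that reads IOS syslog lines like the ones quoted above, correlates the %ETHCNTR-3-LOOP_BACK_DETECTED and %PM-4-ERR_DISABLE messages per port, and flags ports that keep cycling into err-disable, since a shut/no shut clears the state but not the cause. The sample log is constructed from the quoted lines plus one unrelated message, and the interface-name shortening (FastEthernet0/1 to Fa0/1) is a simplification assumed here.

```python
"""Correlate IOS keepalive loop-back messages with err-disable events per port."""
import re
from collections import defaultdict

# Constructed sample: the three message pairs quoted in the thread plus one
# unrelated line, to show that only loop-back/err-disable events are counted.
SAMPLE_LOG = """\
45w1d: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/1.
45w1d: %PM-4-ERR_DISABLE: loopback error detected on Fa0/1, putting Fa0/1 in err-disable state
45w1d: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/1.
45w1d: %PM-4-ERR_DISABLE: loopback error detected on Fa0/1, putting Fa0/1 in err-disable state
45w1d: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/1.
45w1d: %PM-4-ERR_DISABLE: loopback error detected on Fa0/1, putting Fa0/1 in err-disable state
45w1d: %SYS-5-CONFIG_I: Configured from console by console
"""

LOOPBACK_RE = re.compile(r"%ETHCNTR-3-LOOP_BACK_DETECTED: .*? detected on (\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (\w+) error detected on (\S+), putting")


def short_ifname(name: str) -> str:
    """Normalise 'FastEthernet0/1' and 'Fa0/1' to one key (assumed: 2 letters + number)."""
    m = re.fullmatch(r"([A-Za-z]+)(\d.*)", name)
    return (m.group(1)[:2].capitalize() + m.group(2)) if m else name


def parse_errdisable_events(log_text: str) -> dict:
    """Return {port: {'loopback_detected': n, 'err_disabled': n, 'causes': set}}."""
    events = defaultdict(lambda: {"loopback_detected": 0, "err_disabled": 0, "causes": set()})
    for line in log_text.splitlines():
        if m := LOOPBACK_RE.search(line):
            events[short_ifname(m.group(1))]["loopback_detected"] += 1
        elif m := ERRDISABLE_RE.search(line):
            port = short_ifname(m.group(2))
            events[port]["err_disabled"] += 1
            events[port]["causes"].add(m.group(1))
    return dict(events)


def flag_suspect_ports(events: dict, min_repeats: int = 2) -> list:
    """Ports err-disabled for loop-back at least min_repeats times: a port that keeps
    seeing its own keepalive return after being re-enabled has a path problem that
    clearing the err-disable state does not fix, so trace its cabling first."""
    return sorted(port for port, ev in events.items()
                  if "loopback" in ev["causes"]
                  and ev["loopback_detected"] >= min_repeats
                  and ev["err_disabled"] >= min_repeats)


if __name__ == "__main__":
    ev = parse_errdisable_events(SAMPLE_LOG)
    for port in flag_suspect_ports(ev):
        print(f"{port}: loop-back x{ev[port]['loopback_detected']}, "
              f"err-disabled x{ev[port]['err_disabled']}")
```

Feed it `show logging` output from the switch; the unrelated %SYS line in the sample shows that other messages are ignored rather than miscounted.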

Thank you Jon.

In the end there were servers connected to the 4506 instead of to the 2950.

We made the changes and everything works as expected.

Thank you.

Federico.

Federico

Glad to have helped and thanks for letting me know the resolution.

Jon
