Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3392
Views
0
Helpful
20
Replies

new firewall, vlan problems

Go to solution
CiscoSteve3
Level 1
Level 1

‎06-03-2015 01:52 PM - edited ‎03-08-2019 12:24 AM

Hi guys,

 

I have a 3750X behind my new PA-3020.  All my vlans have IPs on the 3750 and therefore show as directly connected.  I want to move some vlans to the PA-3020.  I'm creating subinterfaces on my firewall, tagging them for the right vlans, etc.  But when I remove the SVI from my switch, the traffic is not getting there.  My research has told me to keep the vlan in the database, but not to give it an interface on the switch.  My default route is configured for the parent interface on the firewall, all traffic is getting there fine.  

 

Here is my test scenario:

 

Firewall ethernet 1/2 IP 10.38.0.1/29 is connected to 3750X int gig 1/0/1 ( a routed layer 3 interface with IP 10.38.0.5/29).

Firewall ethernet 1/2.100 IP 10.38.2.1/24, tagged 100

Workstation IP 10.38.2.6

 

3750x#

ip route 0.0.0.0 0.0.0.0 10.38.0.1 (default gateway)

ip route 10.38.2.0 255.255.255.0 10.38.2.1

 

I thought my workstation would be able to ping the FW eth1/2.100 - but it can't.  The switch can.

 

What am I doing wrong?  Is there a better/easier way to route some vlans through the switch and others through the firewall?

 

Thanks!

 

Steve

 

 

 

 

Labels:
0 Helpful
20 Replies 20

Go to solution
CiscoSteve3
Level 1
Level 1
In response to Jon Marshall

‎06-05-2015 10:24 AM

Correct, vlan 30 is routed on the switch.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to CiscoSteve3

‎06-05-2015 10:27 AM

Just in case you missed it, I made a later post just above that with some changes you need to make.

Jon

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to CiscoSteve3

‎06-05-2015 10:03 AM

Steve

dhcp relay to 172.19.1.9, 172.19.1.11

are the above your DHCP servers ?

If so you need you don't put them on the vlan 3 subinterface on the firewall you put them on the vlan 30 interface on the switch ie.

int vlan 30
ip helper-address 172.19.1.9
ip helper-address 172.19.1.11

but you leave them on the vlan 100 subinterface on the firewall.

In addition you are using a subinterface for vlan 3 so remove the "switchport trunk native vlan 3" command from the trunk interface on your switch because you need the packets to be tagged now.

Jon

0 Helpful

Go to solution
CiscoSteve3
Level 1
Level 1
In response to Jon Marshall

‎06-05-2015 10:28 AM

Thanks Jon,

 

Yes, the dhcp servers are also on the vlan 30 interface on the switch.  In my lab, my test vlan 30 doesn't actually have access via the lab switch to the dhcp servers, so I was attempting to get them across the firewall to my LAN where they could reach the dhcp servers.  In production, I would not need a dhcp relay for an vlan routed on the switch.

 

I will remove the native vlan 3 command and try it again.

0 Helpful

Go to solution
CiscoSteve3
Level 1
Level 1
In response to Jon Marshall

‎06-05-2015 11:01 AM

That did it, finally!  Removed the native vlan 3 from the switch interface.

 

Thank you guys for some excellent support and fine troubleshooting!

 

Steve

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to CiscoSteve3

‎06-05-2015 11:22 AM

Steve

No problem, glad we got there in the end :-)

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card