Using 3750x as a Core Switch With Multiple VLANs at DR Site

snowmizer
Level 1

I am working on replacing our existing Cisco 3560 switch at our DR site with a new 3750X switch. The current 3560 switch only uses VLAN 1. I have modified our configuration at our home office to make use of VLANs for our internal network, switch management network, and ESX management network. I would like to duplicate this functionality on the 3750X switch at DR. In DR our ASA inside interface is the default gateway for everything. At the home office the default gateway is an IP address assigned via GLBP in each VLAN. I also need to allow inter-VLAN routing to allow certain IPs on the internal network to connect to the ESX and switch management VLANs.

I set up the necessary VLANs (110 - Internal, 150 - Switch Management, 180 - ESX management) and assigned IP addresses (and ip helper-address to the DC) to each VLAN and assigned the appropriate VLANs to each port on the 3750X switch. I have a test PC and a test laptop plugged into the appropriate switch ports. I set the default gateway for the test PC and test laptop to the IP address associated to VLAN 110 on my switch. I have the "ip default-gateway" statement pointing at the IP address of the inside interface on my ASA. Unfortunately for the rest of this configuration I don't have my firewall since I'm configuring the switch and then will take it out to the DR site and plug it in when I'm done. I also haven't configured any ACLs yet. When I try to ping the PC or laptop from the switch I get no response but when I ping the default-gateway address for the PC and laptop from the PC or laptop it works fine. I ran a Wireshark capture on the laptop and I can see the ICMP request coming in but I don't see the laptop reply.

I haven't been able to find a reason why this won't work. Is there a configuration setting I'm missing or is this because until I actually have all of the pieces plugged in this won't work? I tried this with the native VLAN 1 and no extra configurations and it still doesn't work.

Could this be a problem that the PC/laptop aren't allowing pings and once I get a server connected it will work? I tried accessing the switch management port via PuTTY on the laptop but that doesn't work either. I guess I'm just wanting someone to look at the configuration I've outlined and tell me if this is possible or if the problem is just how the PC/laptop are handling things.

Thanks.

19 Replies

John Blakley
VIP Alumni

Did you enable routing on the 3750? (ip routing)

*** Edit ***

You see the ICMP packet making it to the laptop?

HTH, John *** Please rate all useful posts ***

nickbonifacio
Level 1

Can you post the configs? Also, do you have Windows Firewall off on the laptop?

Are the laptop and PC in the same VLAN or different VLANs?

Nick Bonifacio CCIE #38473

ALIAOF_
Level 6

So you have your switch configured but it is not connected to the firewall yet? If that is the case, how are you pinging the ASA's inside interface from the PC and laptop? That should not work. Can you post the config and/or a picture?

And yes, if you have Windows Firewall blocking ICMP on the PC and laptop you won't get a response back on the switch.

Also, like j.blakley mentioned, you'll need ip routing enabled on that switch as well.

I do have ip routing enabled. One problem was the Windows Firewall (burns me more times than I care to count). Once I turned the Windows Firewall off on the PC I was able to ping it from the switch. This port is a trunk port though. The laptop is plugged into VLAN 110 and even after turning off the firewall on the laptop I couldn't ping the laptop from the switch. Seems like the VLAN routing isn't working. I don't have any ACLs configured yet but the switch should still be able to ping the laptop.

I'll try to attach a config (some stuff that's irrelevant is chopped out to protect the innocent).

Sounds good. I would be interested in seeing the config. Also, are all your VLANs created and can you see them when you do "show vlan brief"? One more thing, are your SVIs up/up?

Nick

Nick Bonifacio CCIE #38473

The config got attached to my original post. Yes, I can see the VLANs when I do "show vlan brief". When I do "show int vlan 110" the status is up/up. The other VLANs show up/down. I just want to make sure that VLAN 110 works and then I'll apply the same concepts to the other VLANs.

Thanks.

What is the IP address and mask of the laptop? I am assuming 10.1.x.x /16?

Also, did you try removing "no ip route-cache" and "no ip route-cache cef" just for fun?

Nick Bonifacio CCIE #38473

Looking at the config, which port do you have the laptop hooked up to? You mentioned the port being a trunk port? If that is the case, change it to an access port. Also I noticed that you have "spanning-tree portfast" enabled on the trunk ports; that is not a good idea. Since this switch is running in L3 mode you do not have to do "ip default-gateway 10.1.5.254". This line can be removed.

Also, just curious, any specific reason you have your VLAN 110 set up as a /16? That is a huge range.

The PC that works is plugged into port 47, which is a trunk port. That's how I need that port configured for my ASA. The laptop that doesn't work is plugged into port 14, which is an access port on VLAN 110. I meant to remove the "ip default-gateway..." statement. Thanks for reminding me.

As for the "no ip route-cache" statements, I tried removing them from int vlan 110 but they won't delete.
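The routed-switch setup discussed in this exchange (ip routing, SVIs as host gateways, no ip default-gateway, access port for hosts and a trunk only toward the ASA), as an added example that is not the config attached to the thread. Values the thread states are used as given (VLAN 110 = 10.1.0.0/16 with gateway 10.1.5.253, ASA inside 10.1.5.254, port 14 access in VLAN 110, port 47 trunk to the ASA); the VLAN 150/180 subnets, the DC address used for ip helper-address, the 3750X interface names and the native VLAN on the trunk are assumptions.

```cisco
! Added example, not the config attached to the thread. Values from the
! thread: VLAN 110 = 10.1.0.0/16 with gateway 10.1.5.253, ASA inside =
! 10.1.5.254, port 14 = access port in VLAN 110, port 47 = trunk to the
! ASA. The VLAN 150/180 subnets and the DC address are assumed placeholders.
ip routing
!
! Hosts in each VLAN use the SVI as their gateway, not the ASA.
interface Vlan110
 description Internal
 ip address 10.1.5.253 255.255.0.0
 ip helper-address 10.1.1.5
!
! An SVI stays up/down until at least one active port in its VLAN is up.
interface Vlan150
 description Switch management
 ip address 192.168.150.1 255.255.255.0
!
interface Vlan180
 description ESX management
 ip address 192.168.180.1 255.255.255.0
!
! With "ip routing" enabled, "ip default-gateway" is ignored; the path
! off the switch for routed traffic is a static default route to the ASA.
no ip default-gateway
ip route 0.0.0.0 0.0.0.0 10.1.5.254
!
! Host port: access mode; portfast belongs here, not on trunks.
interface GigabitEthernet1/0/14
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
!
! Uplink to the ASA: trunk, no portfast. A host patched into this port
! is not reachable from the SVIs, which is what the thread observed.
! Which VLAN rides untagged (native) must match the ASA side; assumed 110.
interface GigabitEthernet1/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 110,150,180
 switchport trunk native vlan 110
!
! The ASA must know the route back to the new subnets, e.g. on the ASA:
!   route inside 192.168.150.0 255.255.255.0 10.1.5.253
!   route inside 192.168.180.0 255.255.255.0 10.1.5.253
```

Check the result with "show ip route" (the static default must be present) and "show ip interface brief" (Vlan150 and Vlan180 come up only once a port in each VLAN is active).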

What is the IP configuration on the PC and what is it on the laptop?

Sorry, forgot to add that to my last reply. Both have an IP 10.1.1.x, Subnet: 255.255.0.0, GW: 10.1.5.253, which matches our existing infrastructure.

OK, I'm very curious now. I just set up my spare 3750X 24-port switch with your configuration. PC IP 10.1.1.10, Laptop IP 10.1.1.20.

I have the PC connected to the access port and I can ping it from the switch. I have the laptop connected to the trunk port and I cannot ping it (which makes sense because it is a trunk port; basically you should not be able to ping the host connected to the trunk port).

Now as soon as I change my trunk port to an access port I can ping the laptop. However, in your case you are saying that you are able to ping the PC that is connected to the trunk port?

OK. So I'm thinking more clearly this morning. When I actually looked at the wiring I see that the PC was plugged into the access port (which I can ping) and the laptop was plugged into the trunk port (which I can't ping). Everything makes sense. Now I think I just need to test the VLAN 180 configuration and I think I'm good to go.

Thanks everyone.

So I got the VLAN routing to work but now I've tried applying vlan maps (VACLs) to only allow certain IPs to get to the VLAN 150 and VLAN 180. The map matches an IP address from my switch management ACL and will forward packets where the IP address is in my ACL. My thinking is that anything else should be dropped. This isn't happening.

Anyone got a good way to apply ACLs to my VLAN 150 and VLAN 180?

Thanks.
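A VLAN map (VACL) that admits only listed admin stations into VLAN 150 and VLAN 180 and drops everything else, as an added example that is not the poster's configuration. The VLAN 150/180 subnets and the two admin station addresses (10.1.1.10 and 10.1.1.20, borrowed from the test setup above) are assumptions; only VLAN 110 = 10.1.0.0/16 comes from the thread.

```cisco
! Added example, not the thread's own configuration.
! Assumed addressing (only VLAN 110 = 10.1.0.0/16 comes from the thread):
!   VLAN 150 switch management  192.168.150.0/24
!   VLAN 180 ESX management     192.168.180.0/24
!   admin stations allowed in   10.1.1.10 and 10.1.1.20
!
! A VLAN map is checked against every IP packet in the VLAN, in both
! directions, so the ACL must also describe the replies. "permit" and
! "deny" inside the ACL only decide whether a packet matches the clause;
! the clause's "action" decides whether it is forwarded or dropped.
ip access-list extended MGMT-ALLOWED
 remark admin stations into the management subnets
 permit ip host 10.1.1.10 192.168.150.0 0.0.0.255
 permit ip host 10.1.1.20 192.168.150.0 0.0.0.255
 permit ip host 10.1.1.10 192.168.180.0 0.0.0.255
 permit ip host 10.1.1.20 192.168.180.0 0.0.0.255
 remark replies from the management subnets to the admin stations
 permit ip 192.168.150.0 0.0.0.255 host 10.1.1.10
 permit ip 192.168.150.0 0.0.0.255 host 10.1.1.20
 permit ip 192.168.180.0 0.0.0.255 host 10.1.1.10
 permit ip 192.168.180.0 0.0.0.255 host 10.1.1.20
 remark traffic that never leaves the management VLAN
 permit ip 192.168.150.0 0.0.0.255 192.168.150.0 0.0.0.255
 permit ip 192.168.180.0 0.0.0.255 192.168.180.0 0.0.0.255
!
vlan access-map MGMT-FILTER 10
 match ip address MGMT-ALLOWED
 action forward
! Everything else: explicit drop. Once the map contains an IP match
! clause, unmatched IP packets are dropped anyway, but the explicit
! entry makes the intent visible in "show vlan access-map".
vlan access-map MGMT-FILTER 20
 action drop
!
! Nothing is filtered until the map is bound to the VLANs.
vlan filter MGMT-FILTER vlan-list 150,180
!
! Verification:
!   show vlan access-map MGMT-FILTER
!   show vlan filter
```

A map that forwards everything is usually one that was never bound with "vlan filter", so check "show vlan filter" first. Because the map sees all packets in the VLAN, anything the management hosts depend on (DHCP relayed via ip helper-address, DNS, NTP, the path to the ASA) must be permitted explicitly or it is silently dropped.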
