10-11-2012 09:16 AM - edited 03-07-2019 09:24 AM
I am working on replacing our existing Cisco 3560 switch at our DR site with a new 3750X switch. The current 3560 switch only uses VLAN 1. I have modified our configuration at our home office to make use of VLANs for our internal network, switch management network, and ESX management network. I would like to duplicate this functionality on the 3750X switch at DR. In DR our ASA inside interface is the default gateway for everything. At the home office the default gateway is an IP address assigned via GLBP in each VLAN. I also need to allow inter-VLAN routing so that certain IPs on the internal network can connect to the ESX and switch management VLANs.
I set up the necessary VLANs (110 - Internal, 150 - Switch Management, 180 - ESX Management), assigned IP addresses (and an ip helper-address pointing to the DC) to each VLAN, and assigned the appropriate VLANs to each port on the 3750X switch. I have a test PC and a test laptop plugged into the appropriate switch ports. I set the default gateway for the test PC and test laptop to the IP address associated with VLAN 110 on my switch. I have the "ip default-gateway" statement pointing at the IP address of the inside interface on my ASA. Unfortunately, for the rest of this configuration I don't have my firewall, since I'm configuring the switch first and will then take it out to the DR site and plug it in when I'm done. I also haven't configured any ACLs yet. When I try to ping the PC or laptop from the switch I get no response, but when I ping the default-gateway address for the PC and laptop from the PC or laptop it works fine. I ran a Wireshark capture on the laptop and I can see the ICMP request coming in, but I don't see the laptop reply.
I haven't been able to find a reason why this won't work. Is there a configuration setting I'm missing, or is this because this won't work until I actually have all of the pieces plugged in? I tried this with the native VLAN 1 and no extra configuration and it still doesn't work.
Could this be a problem with the PC/laptop not allowing pings, so that once I get a server connected it will work? I tried accessing the switch management port via PuTTY on the laptop, but that doesn't work either. I guess I'm just wanting someone to look at the configuration I've outlined and tell me if this is possible, or if the problem is just how the PC/laptop are handling things.
Thanks.
10-12-2012 08:50 AM
Hi snowmizer,
Can you do the following (just to rule it out):
ip cef
!
interface Vlan110
 ip route-cache cef
 ip route-cache
!
interface Vlan150
 ip route-cache cef
 ip route-cache
!
interface Vlan180
 ip route-cache cef
 ip route-cache
10-12-2012 09:11 AM
Didn't make a difference on preventing access to VLAN 150 from a machine on VLAN 110.
10-12-2012 10:17 AM
If this is going to be behind the firewall, why not let the firewall handle that part, i.e., access between the two VLANs, instead of using the switch ACLs?
Would you mind posting the config showing how you have set up the ACL and applied it to the VLANs?
10-12-2012 10:21 AM
I want to make sure that only certain people on the internal network can access the servers and switch in VLANs 150 and 180. Only the network management team (and a few servers) should be able to access VLAN 150 and VLAN 180.
10-12-2012 11:37 AM
That is why I suggested using the firewall for that purpose instead of the switch. Is there any specific reason you want the switch to do that and not the firewall?
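Added example, not posted by anyone in this thread: a minimal 3750X configuration for the design the original poster describes (three SVIs, DHCP relay to the DC, the ASA inside interface as the upstream default, and a switch ACL that lets only a few internal hosts into the management VLANs). All addresses, host names and port numbers are assumed for illustration. Two facts the example relies on: a 3750X only forwards between its SVIs once the global `ip routing` command is present, and once routing is enabled the switch ignores `ip default-gateway` and needs a static default route instead.

```cisco
! Added example (not from the thread). Assumed addressing:
!   VLAN 110 Internal          10.1.110.0/24  SVI 10.1.110.2, ASA inside 10.1.110.1
!   VLAN 150 Switch Management 10.1.150.0/24  SVI 10.1.150.1
!   VLAN 180 ESX Management    10.1.180.0/24  SVI 10.1.180.1
!   DC / DHCP server 10.1.110.10, management workstations 10.1.110.50-51 (assumed)
!
! Without "ip routing" the SVIs are reachable but the switch will not route between them.
ip routing
ip cef
!
vlan 110
 name Internal
vlan 150
 name Switch-Management
vlan 180
 name ESX-Management
!
! Inbound on the Internal SVI: only the listed hosts may reach 150/180.
! Everything else from VLAN 110 is still allowed out toward the ASA.
ip access-list extended MGMT-ACCESS-IN
 remark network management team workstations (assumed addresses)
 permit ip host 10.1.110.50 10.1.150.0 0.0.0.255
 permit ip host 10.1.110.50 10.1.180.0 0.0.0.255
 permit ip host 10.1.110.51 10.1.150.0 0.0.0.255
 permit ip host 10.1.110.51 10.1.180.0 0.0.0.255
 remark block the rest of VLAN 110 from the management VLANs
 deny   ip any 10.1.150.0 0.0.0.255
 deny   ip any 10.1.180.0 0.0.0.255
 permit ip any any
!
! Only management hosts and the management VLAN itself may open SSH to the switch.
ip access-list standard VTY-MGMT
 permit 10.1.110.50
 permit 10.1.110.51
 permit 10.1.150.0 0.0.0.255
!
interface Vlan110
 description Internal (hosts use 10.1.110.2 as their gateway)
 ip address 10.1.110.2 255.255.255.0
 ip access-group MGMT-ACCESS-IN in
!
interface Vlan150
 description Switch Management
 ip address 10.1.150.1 255.255.255.0
 ip helper-address 10.1.110.10
!
interface Vlan180
 description ESX Management
 ip address 10.1.180.1 255.255.255.0
 ip helper-address 10.1.110.10
!
! With ip routing enabled, "ip default-gateway" is not used; route upstream to the ASA.
ip route 0.0.0.0 0.0.0.0 10.1.110.1
!
! Access ports: one example per VLAN (port numbers assumed)
interface GigabitEthernet1/0/1
 description Test PC - Internal
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 description ESX host management NIC
 switchport mode access
 switchport access vlan 180
 spanning-tree portfast
!
line vty 0 15
 access-class VTY-MGMT in
 transport input ssh
```

Two caveats a practitioner would check before relying on this. First, the ASA only knows about the 10.1.110.0/24 subnet on its inside interface; it needs static routes for 10.1.150.0/24 and 10.1.180.0/24 pointing at the switch's VLAN 110 address (10.1.110.2 here), or return traffic for the management VLANs is dropped at the firewall. Second, the ACL sits inbound on Vlan110, so it governs only what the Internal VLAN may initiate; hosts already in VLAN 180 can still reach VLAN 150 unless a similar ACL is applied there. Whether this filtering belongs on the switch or on the ASA, as the last reply suggests, is a design choice; the ACL above shows what the switch-based variant looks like.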