At the weekend I had an engineer take a look at our (basic) switch configuration with regards to an issue we were having when using failover on our firewalls. We had recently installed new switches and used the configuration of the existing switches on the new ones.
The issue was diagnosed to a misconfiguration of the VLANs on the switches, however, I am not convinced the fix is correct and the actual issue is something else.
The hardware layout is as follows;
2 Cisco SG300-52 switches, both were running VLAN1 (inside network) and ports 49-52 VLAN2 (outside network)
2 Cisco ASA 5506X. Inside interface connected to port 24 (VLAN1) and outside interface connected to port 50 (VLAN2)
Switches were attached to each other using a cable in both VLANs, port1 on VLAN1, port 52 (switch1) port 51 (switch2) on VLAN2
Switches also had upstream links in port 52 which was running HSRP to expose a virtual IP for gateway (my understanding of this might be incorrect)
So
Switch 1
(VLAN1) Gi/1 to Switch2
(VLAN1) Gi/24 to Inside ASA1
(VLAN1) Gi/x - Servers
(VLAN2) Gi/50 to Outside ASA1
(VLAN2) Gi/52 to Switch2
(VLAN2) Gi/51 to ISP
Switch 2
(VLAN1) Gi/1 to Switch1
(VLAN1) Gi/24 to Inside ASA2
(VLAN1) Gi/x - Servers
(VLAN2) Gi/50 to Outside ASA2
(VLAN2) Gi/51 to Switch1
(VLAN2) Gi/52 to ISP
Before any changes were made, when running the ASA on switch 1, everything worked fine. When we failover to the ASA on switch 2, the external link went down.
I attempted to diagnose the issue myself, but could not see anything.
A CCIE engineer has since take a look and made some configuration changes, but I am not convinced they are correct and I was looking for a second or third, or more, opinion.
The changes made were to allow the traffic on both VLAN2 and VLAN2 on ports 1 (inside) AND port 51 (outside). So now we have;
Switch 1
(VLAN1,2) Gi/1 to Switch2
(VLAN1) Gi/24 to Inside ASA1
(VLAN1) Gi/x - Servers
(VLAN2) Gi/50 to Outside ASA1
(VLAN2,1) Gi/52 to Switch2
(VLAN2) Gi/51 to ISP
Switch 2
(VLAN1,2) Gi/1 to Switch1
(VLAN1) Gi/24 to Inside ASA2
(VLAN1) Gi/x - Servers
(VLAN2) Gi/50 to Outside ASA2
(VLAN2,1) Gi/51 to Switch1
(VLAN2) Gi/52 to ISP
switch1#sh vlan
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN
Vlan Name Tagged Ports UnTagged Ports Created by
---- ----------------- ------------------ ------------------ ----------------
1 1 gi1-48,gi51,Po1-8 V
2 External gi1,gi51 gi49-50,gi52 S
switch2#sh vlan
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN
Vlan Name Tagged Ports UnTagged Ports Created by
---- ----------------- ------------------ ------------------ ----------------
1 1 gi1-48,gi52,Po1-8 V
2 External gi1,gi52 gi49-51 S
While this does indeed work, I am struggling to understand why you would need to have the traffic for VLAN2 running over Gi/1 and vice-versa, the traffic for VLAN1 running over Gi51/52 (sw1/sw2). Surely you should only need to have the traffic for VLAN2 going between the switches on the ISL in VLAN2, the same for VLAN1. I have since learnt that you can probably use a single connection to pass traffic over VLAN1 and VLAN2 across the switches, but surely you should not need both connections that are there presently to have both VLANS on them.
Perhaps someone could clarify and put my mind at rest.
Thanks
