WS-C4500X-16 routing issues

pgishyan80
Level 1

Hello. 

We recently bought a WS-C4500X-16 SFP+ and I am trying to configure it. This comes with the new IOS-XE which is a bit different than the older IOS, I guess. Anyway, down below is the config I need to implement:

We have two suites and a server room. Each suite needs to have its own subnet, and the server room will be on another subnet:

Servers: 192.168.10.0/24

Suite_A: 192.168.100.0/24

Suite_B: 192.168.200.0/24

We have an ASA5510 with the IP 192.168.10.1 /24 as the router/firewall. Currently the DHCP is configured on the Windows Server with IP 192.168.10.10. We plan to shut it down and use the WS-C4500X-16 switch as the DHCP server. The DNS with the AD is also configured on the Windows Server 192.168.10.10 /24.

What I configured on the WS-C4500X-16:

1) ip dhcp pool Suite_A: 192.168.100.0 /24

2) ip dhcp pool Suite_B: 192.168.200.0 /24

3) int TenGigabyte 1/1: no switchport / ip address: 192.168.10.254 /24 : default-router: 192.168.10.1

4) int TenGigabyte 1/2: no switchport / ip address: 192.168.100.1 /24 

5) int TenGigabyte 1/3: no switchport / ip address: 192.168.200.1 /24 

Yes, I did not use VLANs, but any host I connect to the port TenGb 1/2 or TenGb 1/3 is properly getting its IP config via DHCP. I can implement this DHCP via VLANs as well by setting up ports as switchport mode access / switchport access vlan 100 and vlan 200, for example. Though I don't think it is an issue.

So here is my issue: the ASA is connected to a D-Link SFP+ L2 switch, the servers are connected to the same D-Link switch, and the Cisco WS-C4500X-16 is also connected to the D-Link switch (in this case the D-Link switch is just a hub that connects the WS-C4500X-16 to the ASA).

Then, I have a computer connected to the TenGb 1/2 port which gets IP 192.168.100.2 /24 via DHCP. It can ping the TenGb 1/2 interface 192.168.100.1, it can ping the TenGb 1/1 interface 192.168.10.254, the switch WS-C4500X-16 can ping both the TenGb 1/2 interface 192.168.100.1 and the host behind it 192.168.100.2, and it can also ping the ASA on 192.168.10.1 and the DNS server 192.168.10.10.

But I can't ping the ASA on 192.168.10.1, nor the DHCP/DNS server 192.168.10.10.

After some research I found that the WS-C4500X-16 does not support NAT... Is this my issue? Can I have any other workaround for this?! This is really very important to implement or... :(

Thanks to all you guys in advance.

12 Replies

Reza Sharifi
Hall of Fame

Hi,

You need to decide if you want to use the 4500x switch as a layer-2 switch or layer-2/3.

If you want to keep it as layer-2, then you just need to configure the proper VLANs (3) and use one for servers and the other 2 for users. Then you need to have a trunk port between the 4500 and the firewall and make sure all 3 VLANs are added to it. You then configure the firewall interface with 3 sub-interfaces and use each sub-interface for a different subnet.

If you want to keep the 4500x as layer-2/3 and want to move the gateway to it, then you configure 3 SVIs for all 3 VLANs on the 4500x and have a layer-3 link with a /30 subnet connecting the 4500x to the firewall.

HTH

Hi Reza, and thanks for the answer.

I would like the switch to be the gateway with IP 192.168.42.254 for everything behind it, which then should route all the DNS queries to the firewall with IP 192.168.42.1. My guess is that I am talking about L2/3 switching in this case.

So, could you please clarify what is meant by "configured 3 SVIs for all 3 vlans on the 4500x and have layer-3 link with /30 subnet connecting the 4500x to the firewall."? It is not recommended to actually replace the L3 physical port with an SVI (virtual L3) port... I believe. And, why can't I send the traffic from port TenGigabyte 1/10 (192.168.200.0 /24) to the firewall (192.168.42.1 /24) through TenGigabyte 1/1 (192.168.42.254 /24)... if I can ping from interface TenGigabyte 1/10 to interface TenGigabyte 1/1?

I most likely don't get something important here... that is why I can't understand the way to do it. Missing something important..

Hi,

I am confused about the 192.168.42.0 subnet. This is not mentioned in your first post.

Can you clarify?

HTH

Yes, while creating the post I was trying to use simple IPs so as not to confuse. The actual network config is:

ASA5510: inside LAN :192.168.42.1 /24

W4500   : port 1/1  : 192.168.42.254 /30 (I changed it as you recommended)

 : port 1/10: switchport mode access / switchport access vlan 20

1) Vlan 20 : 192.168.20.1 /24 

a) host: 192.168.20.2 /24

I attached config file!! 

I don't see any SVI (layer-3 interface) for subnet 192.168.42.1 /24 on the switch.

I only see the SVI for vlan 20 (192.168.20.1 /24).

Also, if you create an SVI for 192.168.42.1 /24 (say you call it vlan 40), you can't use the same subnet on a /30 to connect to the firewall. That will cause a duplicate IP address. You need a new subnet for the /30. Example: 192.168.43.0/30

.1 goes to the switch interface and .2 on the firewall

HTH

Can you please clarify where it says: ".1 goes to the switch interface and .2 on the firewall"...? What goes to the switch, what goes to the firewall, and how?!

I apologize for asking maybe some dumb questions.. sometimes I can hardly get what you guys mean ))

Thank you. 

This is for the /30 IP subnet between the switch and the firewall. The link between the switch and the firewall will need an IP on each side. So for example, if the switch interface te1/0 is connected to the firewall, you would need one IP on that interface and one on the firewall side.

example

inter te1/0

ip address 192.168.43.1 255.255.255.252

then on the firewall

ip address 192.168.43.2 255.255.255.252

Oh, okay. So, I will need to pull out the old ASA5505 and start working on it. I need to configure it first on the old ASA because I can't change anything on the ASA5510 - it is actively in use and we have VPN users, VPN channels, rules, etc... getting more complicated (((

Thanks though. 

Okay, so this worked: I configured the old ASA5505 inside interface as 192.168.50.1/30 and the W4500 switch interface TenGigabyte 1/1 as vlan 1 with IP 192.168.50.2/30, and now I can ping from the ASA to the switch and back. Not quite understanding why it MUST be a /30 subnet to work (any explanation or link to the explanation would be great!) but it worked. Still did not get a chance to test pinging the ASA from another vlan inside the switch (e.g. vlan 10 with IP 192.168.10.1 or any host behind that vlan 10).

Also, since I have multiple vlans, in order to deny access from vlan 10 to vlan 20 what should I use - an access control list?! Is that right?!

Thank you. 

And I actually did the L3 configuration: but what happens is I am no longer able to ping from the W4500 to the firewall (I was able to before changing the subnet to /30). The firewall logs don't even show rejected ICMP or anything else. NO log for the switch IP. Though in the past, when pinging the firewall from the Vlan 20 subnet, I was getting "Timed out", now I get a reply from the Vlan 20 IP - host unreachable...

I have a feeling that I am almost there in place....

Hello

What I configured: on WS-C4500X-16:

1) ip dhcp pool Suite_A: 192.168.100.0 /24

2) ip dhcp pool Suite_B: 192.168.200.0 /24

3) int TenGigabyte 1/1: no switchport / ip address: 192.168.10.254 /24 : default-router: 192.168.10.1

4) int TenGigabyte 1/2: no switchport / ip address: 192.168.100.1 /24

5) int TenGigabyte 1/3: no switchport / ip address: 192.168.200.1 /24

I don't see on the 4500x:

- Any L3 interfaces for 192.168.100.0/24 or 192.168.200.0/24
- An L2 vlan defined for Vlan 20
- ip routing enabled

Also, you have a management VRF subnet of /24, but your L3 interface to the ASA is a /30 and the default route's next hop isn't in the same subnet, as it's a .1

interface FastEthernet1
vrf forwarding mgmtVrf
 ip address 192.168.42.5 255.255.255.0


interface TenGigabitEthernet1/1
 ip address 192.168.42.254 255.255.255.252

ip route 0.0.0.0 0.0.0.0 192.168.42.1


As for the ASA,

Do you have any inside static routes for these subnets applied?
It can perform NAT.


res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
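Added example (not the poster's attached config, nor anything from this thread's authors): the layer-2/3 design Reza describes and the items Paul lists as missing, put together on one 4500X with a /30 routed uplink to the ASA, plus the return routes on the ASA side and the inter-VLAN ACL the poster asked about. VLAN ids, interface numbers, the ACL name, the ASA interface and its nameif, and the DNS server address are assumptions; only one DHCP pool is shown.

```ios
! Added example, not the thread's own config: 4500X as L3 gateway for two user
! VLANs with a /30 routed uplink to the ASA, as Reza and Paul describe.
! VLAN ids, interface numbers, the ASA nameif and the DNS address are assumptions.
ip routing
!
vlan 10
 name Suite_A
vlan 20
 name Suite_B
!
! DHCP served by the switch; the gateway address is excluded from the pool
ip dhcp excluded-address 192.168.10.1
ip dhcp pool Suite_A
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.42.10
!
! Each VLAN's gateway is an SVI; access ports only carry the VLAN
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-IN in
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
interface TenGigabitEthernet1/10
 switchport mode access
 switchport access vlan 20
!
! Routed uplink to the firewall: /30, .1 on the switch, .2 on the ASA
interface TenGigabitEthernet1/1
 no switchport
 ip address 192.168.43.1 255.255.255.252
! Default route points into the /30, not at the old 192.168.42.1
ip route 0.0.0.0 0.0.0.0 192.168.43.2
!
! Keep Suite_A out of Suite_B while still allowing everything else
ip access-list extended VLAN10-IN
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip any any
!
! ---- ASA side ----  (assumed interface and nameif)
! Without return routes the ASA has no path back to the VLAN subnets, so the
! switch can ping the ASA but hosts behind the SVIs cannot.
interface Ethernet0/2
 nameif core
 security-level 100
 ip address 192.168.43.2 255.255.255.252
route core 192.168.10.0 255.255.255.0 192.168.43.1 1
route core 192.168.20.0 255.255.255.0 192.168.43.1 1
```

Note that `default-router` is a DHCP pool command and does nothing on an interface; the switch's own path to the firewall comes from the `ip route` line.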

I attached the current config to this message. 

I was trying to add the native vlan 1 as the switchport access on the TenGig 1/1 port.. not getting any error messages, but it is also not showing in the config file.

I am totally lost now between L2 and L3 switching. My guess is my problem is in there. If you could check the config file and tell me what is wrong. Also, if I can't use the native vlan 1 to assign to the port 1/1 then I can create some Vlan 50, let's say, and assign it to the port.

this is becoming odd though. 

Also, since we are in a production environment, I can't have the ASA directly connected to the W4500 switch. Right now the ASA goes to a Catalyst 2960 switch over Ethernet, then over SFP goes to the D-Link switch, and the W4500 is connected to the D-Link over SFP+ as well. When I did this I got "native vlan mismatch" on Cisco W4500 int 1/1 and Cisco 2960 int 1/1. That is why I decided to change my Vlan and use the native vlan 1 so that I will not have any mismatch. Not sure though if it was anything I should worry about or whether I could simply disable CDP debugging/logging and that's all about it.

The only static route I have on the ASA is "0.0.0.0 0.0.0.0 ISP_gateway".

Thank you.