Ethernet Switches & Routers

Occasional Contributor
Posts: 14
Registered: ‎02-02-2011

FWS648G-POE base L3 routing VLANs issue

When I have a device on the DMZ I have to make the default gateway 10.11.224.2 for traffic to go out the firewall. If I set it to .1 then LAN access is open to the DMZ and vice versa. I am under the impression that when I set up the FWS as a router it should be the default gateway. The LAN and voice both work correctly with the FWS set up as the gateway.

Should I see an improvement in data transfer rates versus layer 2? I do like not having to add static routes to desktops for features on the voice network.

Vlan 100 Data

Vlan 130 Voice

Vlan 200 DMZ

The Cisco ASA Firewall

Vlan 100 Data 10.10.224.2

Vlan 130 Voice 10.1.1.10

Vlan 200 DMZ 10.11.224.2

interface Ethernet0/3
description int 0/1/48 data
switchport trunk allowed vlan 100,130,200
switchport mode trunk

The FWS is 10.10.224.1.

Vlan 100 Data 10.10.224.1

Vlan 130 Voice 10.1.1.2

Vlan 200 DMZ 10.11.224.1

PORT-VLAN 100, Name Data, Priority level0, Spanning tree Off
Untagged Ports: (U0/M1)  25  26  27  28  29  30  31  32  33  34  36  44

   Tagged Ports: (U0/M1)  35  47  48
   Uplink Ports: None
DualMode Ports: (U0/M1)   1   2   3   4   5   6   7   8   9  10  11  12
DualMode Ports: (U0/M1)  13  14  15  16  17  18  19  20  21  22  23  24
DualMode Ports: (U0/M1)  46
Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 130, Name Cisco-Voice, Priority level0, Spanning tree Off
Untagged Ports: None
   Tagged Ports: (U0/M1)   1   2   3   4   5   6   7   8   9  10  11  12
   Tagged Ports: (U0/M1)  13  14  15  16  17  18  19  20  21  22  23  24
   Tagged Ports: (U0/M1)  35  46  47  48
   Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 200, Name dmz, Priority level0, Spanning tree Off
Untagged Ports: (U0/M1)  37  39  41  43  45
   Tagged Ports: (U0/M1)  35  47  48
   Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 4000, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
Untagged Ports: (U0/M1)  38  40  42
   Tagged Ports: None
   Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
     Monitoring: Disabled

Current configuration:
!
ver 07.2.02aT7e1
!
module 1 fws1g-48-port-copper-base-module
!
global-stp
!
!
!
vlan 100 name Data by port
tagged ethe 0/1/1 to 0/1/24 ethe 0/1/35 ethe 0/1/46 to 0/1/48
untagged ethe 0/1/25 to 0/1/34 ethe 0/1/36 ethe 0/1/44
router-interface ve 100
!
vlan 120 name Server by port
!
vlan 130 name Cisco-Voice by port
tagged ethe 0/1/1 to 0/1/24 ethe 0/1/35 ethe 0/1/46 to 0/1/48
router-interface ve 130
!
vlan 200 name dmz by port
tagged ethe 0/1/35 ethe 0/1/47 to 0/1/48
untagged ethe 0/1/37 ethe 0/1/39 ethe 0/1/41 ethe 0/1/43 ethe 0/1/45
router-interface ve 200
!
vlan 2000 by port
!
vlan 4000 name DEFAULT-VLAN by port
default-vlan-id 4000
ip show-subnet-length
ip route 10.3.3.0/24 10.1.1.10
ip route 10.1.1.0/24 10.1.1.10
ip route 10.10.224.0/24 10.10.224.2
ip route 10.11.224.0/24 10.11.224.2
ip route 0.0.0.0 0.0.0.0 10.10.224.2 2
!
cdp run
fdp run
clock summer-time
clock timezone us Eastern
!
interface ethernet 0/1/47
port-name UC520
!
interface ethernet 0/1/48
port-name ASA5505
!
interface ve 100
ip address 10.10.224.1/24
!
interface ve 130
ip address 10.1.1.2/24
!
interface ve 200
ip address 10.11.224.1/24

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: FWS648G-POE base L3 routing VLANs issue

Hi Charles,

     It is a wirespeed switch and does the routing in hardware for L2/L3; performance should be the same.

Thanks

Michael.

Occasional Contributor
Posts: 14
Registered: ‎02-02-2011

Re: FWS648G-POE base L3 routing VLANs issue

Is the default gateway of a device attached to the switch supposed to be the switch? Just looking over my old posts and I've run into this same issue again. Still haven't figured this out.

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: FWS648G-POE base L3 routing VLANs issue

Hi Charles3,

     OK, when using the VLANs with a VE assigned and you want routing to happen:

     Client PCs' default gateway should point to the IP address of the VE assigned to that VLAN. (You should then be able to ping from one client in one VLAN to another client in another VLAN.)

     Switch/router default gateway should point to the next hop on the network (most likely your firewall).

Hope this helps.

Thanks

Michael.

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: FWS648G-POE base L3 routing VLANs issue

Hi Charles3,

     How are you going with this issue?

Thanks

Michael.

Occasional Contributor
Posts: 14
Registered: ‎02-02-2011

Re: FWS648G-POE base L3 routing VLANs issue

I've reconfigured the ASA and switch to get the Layer 3 switching working correctly. Based on the previous config with the default gateway of the ASA on servers, it was acting on L2 info.

My only problem now is that when I add the route

route inside 10.10.10.0 255.255.255.0 10.0.0.1 1

to the ASA, I cannot access the servers from the VPN IP 10.10.10.1.

If I remove the route I can access the servers, but not the management network 10.1.10.0.

When I try to ping the internet IP 4.2.2.2 from 10.0.10.6 (port 3 on the FWS), it goes to the switch; the switch has its default gateway pointing to the inside interface of the ASA. The switch forwards the packet to the inside interface of the ASA and it goes out. When the reply comes back to the ASA, it sees that the destination IP is in the same subnet as the management interface (10.0.10.5) of the ASA and thereby sends it out on the management interface of the ASA, and thus the ping fails.

ASA

interface Ethernet0/1
description LAN
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0

interface Management0/0
nameif management
security-level 100
ip address 10.0.10.5 255.255.255.0

ip local pool Anyconnect-Pool 10.10.10.1-10.10.10.254 mask 255.255.255.0

object network MANAGEMENT.NAT
subnet 10.0.10.0 255.255.255.0

object network vpn.10.10.10.0
subnet 10.10.10.0 255.255.255.0

nat (management,outside) source static MANAGEMENT.NAT MANAGEMENT.NAT destination static vpn.10.10.10.0 vpn.10.10.10.0

route outside 0.0.0.0 0.0.0.0 206.217.130.253 1
route inside 10.1.0.0 255.255.255.0 10.0.0.1 1
route inside 10.2.0.0 255.255.255.0 10.0.0.1 1
route inside 10.3.0.0 255.255.255.0 10.0.0.1 1


FWS

sho run
Current configuration:
!
ver 07.2.02aT7e1
!
module 1 fws1g-24-port-copper-base-module
!
!
!
!
vlan 5
untagged ethe 0/1/1
router-interface ve 5
!
vlan 10
untagged ethe 0/1/2 to 0/1/12
router-interface ve 10
!
vlan 20
tagged ethe 0/1/24
router-interface ve 20
!
vlan 100
tagged ethe 0/1/13 ethe 0/1/24
router-interface ve 100
!
vlan 110
tagged ethe 0/1/13 ethe 0/1/24
router-interface ve 110
!
vlan 200
tagged ethe 0/1/15 ethe 0/1/24
router-interface ve 200
!
vlan 201
tagged ethe 0/1/15 ethe 0/1/24
router-interface ve 201
!
vlan 300
tagged ethe 0/1/14 ethe 0/1/24
router-interface ve 300
!
vlan 4000 name DEFAULT-VLAN by port
!
!
!
!
!
default-vlan-id 4000
no ip dhcp-client auto-update enable
ip dns server-address 8.8.8.8
ip route 0.0.0.0 0.0.0.0 10.0.0.5
ip route 10.10.10.0 255.255.255.0 10.0.10.5
!

interface ethernet 0/1/1
port-name ASA5510 WAN e0/1
!
interface ethernet 0/1/2
port-name ASA5510 Management
!
interface ethernet 0/1/3
port-name ASA SSM-10 IPS MGMT
!
interface ethernet 0/1/4
port-name VM1.Mgmt.NIC0
!
interface ethernet 0/1/5
port-name VM2.Mgmt.NIC1
!
interface ethernet 0/1/6
port-name VM3.Mgmt.NIC1
!
interface ethernet 0/1/13
port-name VM1.Network
!
interface ethernet 0/1/15
port-name VM3.Network
!
interface ethernet 0/1/24
port-name Backup Server
!
interface ve 5
ip address 10.0.0.1 255.255.255.0
!
interface ve 10
port-name VLAN 10 Management Router
ip address 10.0.10.1 255.255.255.0
!
interface ve 20
port-name VLAN 20 Backup Router
ip address 10.0.20.1 255.255.255.0
!
interface ve 100
port-name VLAN 100 VM1.AIS Router
ip address 10.1.0.1 255.255.255.0
!
interface ve 110
port-name VLAN 110 VM1.X Router
ip address 10.1.10.1 255.255.255.0
!
interface ve 200
port-name VLAN 200 VM2.SAT Router
ip address 10.2.0.1 255.255.255.0
!
interface ve 201
port-name VLAN 201 VM2.X Router
ip address 10.2.1.2 255.255.255.0
!
interface ve 300
port-name VLAN 300 VM3.JDO Router
ip address 10.3.0.1 255.255.255.0
!
!


Total number of IP routes: 9, avail: 1011 (out of max 1020)
D:Connected  R:RIP  S:Static  O:OSPF  *:Candidate default
        Destination     NetMask         Gateway         Port       Cost   Type
        0.0.0.0         0.0.0.0         10.0.0.5        v5         1      S  
1       10.0.0.0        255.255.255.0   0.0.0.0         v5         1      D  
2       10.0.10.0       255.255.255.0   0.0.0.0         v10        1      D  
3       10.1.0.0        255.255.255.0   0.0.0.0         v100       1      D  
4       10.1.10.0       255.255.255.0   0.0.0.0         v110       1      D  
5       10.2.0.0        255.255.255.0   0.0.0.0         v200       1      D  
6       10.2.1.0        255.255.255.0   0.0.0.0         v201       1      D  
7       10.3.0.0        255.255.255.0   0.0.0.0         v300       1      D  
8       10.10.10.0      255.255.255.0   10.0.10.5       v10        1      S 
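The asymmetric reply path Charles describes (request arrives on the ASA's inside interface via the FWS default route, reply leaves on management because 10.0.10.0/24 is directly connected there) and Michael's gateway rule (clients point at the VE, the switch's default route points at the firewall) can both be checked with a small longest-prefix-match model of the two routing tables. This is an added example, not code from the thread or from Brocade or Cisco. The routes are transcribed from the FWS and ASA configs posted above and the ASA address-to-interface map from its interface config; the `ve5`/`ve10`/... labels, the class and function names, and the sample hosts are assumptions.

```python
"""Longest-prefix-match trace of the FWS -> ASA -> reply path from the thread.

Added example, not from the original post. Routing tables are transcribed
from the configs pasted above; interface labels and names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    next_hop: Optional[str]  # None means directly connected


def route(prefix: str, iface: str, next_hop: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), iface, next_hop)


class Fib:
    """Minimal forwarding table: the longest matching prefix wins."""

    def __init__(self, routes: List[Route]):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        for r in self.routes:
            if addr in r.prefix:
                return r
        return None


# ASA: inside and management are directly connected; statics from the post.
ASA = Fib([
    route("10.0.0.0/24", "inside"),
    route("10.0.10.0/24", "management"),
    route("10.1.0.0/24", "inside", "10.0.0.1"),
    route("10.2.0.0/24", "inside", "10.0.0.1"),
    route("10.3.0.0/24", "inside", "10.0.0.1"),
    route("0.0.0.0/0", "outside", "206.217.130.253"),
])

# Which ASA interface owns each next-hop address the FWS can use.
ASA_INTERFACE_BY_ADDR = {"10.0.0.5": "inside", "10.0.10.5": "management"}

# FWS: every VE subnet is connected; default route to the ASA inside address.
FWS = Fib([
    route("10.0.0.0/24", "ve5"), route("10.0.10.0/24", "ve10"),
    route("10.1.0.0/24", "ve100"), route("10.1.10.0/24", "ve110"),
    route("10.2.0.0/24", "ve200"), route("10.2.1.0/24", "ve201"),
    route("10.3.0.0/24", "ve300"),
    route("10.10.10.0/24", "ve10", "10.0.10.5"),
    route("0.0.0.0/0", "ve5", "10.0.0.5"),
])


def trace_asa_reply(src: str, dst: str) -> Tuple[str, str, bool]:
    """Forward src->dst through the FWS, then look up the ASA's reply path.

    Returns (asa_ingress, asa_reply_egress, asymmetric). The request reaches
    the ASA on whichever interface owns the FWS next-hop; the reply leaves on
    whatever interface the ASA's own table picks for `src`. A mismatch is the
    asymmetric path that makes the ping in the post fail.
    """
    hop = FWS.lookup(dst)
    if hop is None or hop.next_hop not in ASA_INTERFACE_BY_ADDR:
        raise ValueError(f"{dst} is not forwarded to the ASA by the FWS")
    ingress = ASA_INTERFACE_BY_ADDR[hop.next_hop]
    reply = ASA.lookup(src)
    if reply is None:
        raise ValueError(f"ASA has no route back to {src}")
    return ingress, reply.iface, reply.iface != ingress


if __name__ == "__main__":
    # Constructed sample hosts: one on the management VLAN, one on VLAN 100.
    for host in ("10.0.10.6", "10.1.0.10"):
        ingress, egress, broken = trace_asa_reply(host, "4.2.2.2")
        print(f"{host} -> 4.2.2.2: in via {ingress}, reply via {egress},"
              f" asymmetric={broken}")
```

Running it shows the failure is specific to the management subnet: a host on 10.0.10.0/24 gets its reply pushed out the ASA's management interface, while a host on 10.1.0.0/24 is routed back through inside to 10.0.0.1 as intended, because that subnet is reachable on the ASA only through the static route.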
