www.unix.org.ua

Skip to content

3750 Connected to Two Networks

Technical discussions about Cisco hardware, configuration, network design and troubleshooting.

Moderator: sva

Post a reply

3750 Connected to Two Networks

Postby Mike Tobias on Thu Jul 08, 2010 11:02 am

Good Morning,

I am trying to integrate a 3750 switch stack into my network. This switch stack will be used for a VM environment. Our network currently has an ASA in place and is divided into a Lan segment and a DMZ segment. Both of these segments are designated by separate connections off the ASA. The DMZ is our public facing server network. Since the VM environment will have a mix of DMZ and LAN servers in it I need to have the switch the VM environment is connected to be on the DMZ and the Lan. Since these two segments have different subnets I am thinking I can just route through the 3750 and the ASA to separate these environments on one switch statck. I seen some documenation that mentioned using IP routing and vlans, but I can't find anything that referes to using two networks connected to the 3750 stack.
Code: Select all
                                                       ASA
                                                        |
                                                        |
                                                     /      \
                                                  |           |
                                                  |           |           
                                                 Lan         DMZ
                                              Switches     Switches
                                                  |           |
                                                  |           |
                                                  -------------
                                                        |
                                                        |
                                              3750 VM Environment

I appologize for my poor ascii art skills.

This is just the first way I thought of doing this. If I do it this way, would it be easier to create two new subnets for the VM switch stack and then have the ASA route to the new subnets, or can I use the existing addressing scheme in the Lan and DMZ and just route those in the ASA? I suppose that I could dedicate one switch in the stack to the LAN environment and one for the DMZ, but I was thinking that would kill failover ability. Please let me know if anyone needs more information, I appreciate any help!
Mike Tobias
 
Top

Re: 3750 Connected to Two Networks

Postby Edison Ortiz on Thu Jul 08, 2010 11:04 am

Mike Tobias wrote:I seen some documenation that mentioned using IP routing and vlans, but I can't find anything that referes to using two networks connected to the 3750 stack.

The implementation of Vlans implies that you will be using different subnets/networks within the same hardware to separate them.
On the 3750, you would create Vlans on the Vlan Database. You can either leave them as Layer 2 Vlan or create a Layer 3 interface that represents those Vlans.

The 3750 Configuration Guide goes over the details:
http://www.cisco.com/en/US/docs/switche ... 50scg.html

Mike Tobias wrote:If I do it this way, would it be easier to create two new subnets for the VM switch stack and then have the ASA route to the new subnets, or can I use the existing addressing scheme in the Lan and DMZ and just route those in the ASA? I suppose that I could dedicate one switch in the stack to the LAN environment and one for the DMZ, but I was thinking that would kill failover ability.

You can create the L3 interfaces that represent those subnets on the VM Switch stack or have the ASA the only L3 device for those subnets.

If you decide to use the VM Switch Stack, you will have to change the default gateway on the hosts to point to the stack.

Based on your experience on configuring cisco switches, I would recommend just creating the L2 Vlans on the VM Switch stack and leave the ASA as the sole L3 device for those subnets. Nothing will change on the hosts and you simply associate the switchport connected to the LAN switches are the LAN Switch Vlan while the DMZ switches will be connected to the switchport associated to the DMZ Vlan.


Regards,
Edison
Edison Ortiz
 
Top

Re: 3750 Connected to Two Networks

Postby Mike Tobias on Thu Jul 08, 2010 11:05 am

Edison,

Thank you for the quick reply. I really appreciate the help. I did set it up where I created two vlans on the switch stack, one was a Lan vlan, one was a DMZ vlan. I connected two hosts to the switch on each of the vlans, emulating one host on the Lan, one on the DMZ, each with its appropriate address (one had an interal address, one a dmz address). They were both able to connect to their respective networks and out to the internet. The issue that I had with this config was that if I did a traceroute from one host to the other they wouldn't leave the switch, essentially a traceroute from the lan host went directly to the DMZ host. If possible I would like to have these interfaces separate enough so that a traceroute from the Lan side would have to go out to the fire wall, into the DMZ via the firewall and then to the DMZ host. Truly keeping them separate.
Edison Ortiz wrote:Based on your experience on configuring cisco switches, I would recommend just creating the L2 Vlans on the VM Switch stack and leave the ASA as the sole L3 device for those subnets. Nothing will change on the hosts and you simply associate the switchport connected to the LAN switches are the LAN Switch Vlan while the DMZ switches will be connected to the switchport associated to the DMZ Vlan.

In this configuration it appeared that I was able to do what I wanted to, but it didn't really seem to be separating the interfaces if I could just traceroute to the host on the other network without leaving the switch, or is this expected behaviour? If it is expected then my problem is certainly resolved, it just seemed that I should be able to keep the traffic separated better. If using the 3750 as a layer 3 device would be that solution let me know. Thank you for your help so far, if I can just figure out this last part it would be extremely helpful to me.
Mike Tobias
 
Top

Re: 3750 Connected to Two Networks

Postby Edison Ortiz on Thu Jul 08, 2010 11:05 am

If you don't have any L3 interface in the switch, the packet must leave the switch in order to connect to another segment.

Perhaps the FW is masking the traceroute. If you want to verify this, apply some ACLs in the FW and you will see how the packets are blocked, hence the connection is going thru the FW.


Regards,
Edison
Edison Ortiz
 
Top

Re: 3750 Connected to Two Networks

Postby Nagaraja Thanthry on Thu Jul 08, 2010 11:06 am

Hello Mike,

Make sure that both your inside host and the DMZ host have set their default gateway to the firewalls respective interfaces. If you want to see the firewall in the traceroute, please follow the steps in the document below.

https://cisco.com/en/US/products/hw/vpn ... l#asatrace


Hope this helps.
NT
Nagaraja Thanthry
 
Top

Re: 3750 Connected to Two Networks

Postby Mike Tobias on Thu Jul 08, 2010 11:06 am

Thank both of you very much. My firewall was infact not showing the hops to the environment. Configuration was not the problem, my understanding of the interactions of everything involved was. Doing a packet trace on the ASA showed that the trace was going out, through the firewall. My thanks to you both.
Mike Tobias
 
Top
Post a reply

Return to Cisco Systems

Who is online

Users browsing this forum: No registered users and 8 guests

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
cron