Networking-Forums.com

Professional Discussions => Routing and Switching => Topic started by: KDog on August 22, 2017, 12:30:11 AM

Title: Easy VLAN problem.....
Post by: KDog on August 22, 2017, 12:30:11 AM
Hello all,
I am stuck on what should be an extremely simple setup!!!

Cisco ASA5505 with a few VLANs and a couple of Dell switches. For whatever reason I cannot get traffic from VLAN1 (native) to access VLAN70 using the ASA5505 and Dell 4032/2048 switches.

Both traffic for VLAN70 to VLAN70 and VLAN1 to VLAN1 work from any untagged switch port.
VLAN1 will traverse to VLAN70 perfectly from an old Dell 2816 switch I have configured, but not from VLAN1 untagged on 4032 to VLAN70 on 2048 for example.
The Dell 4032 is connected to the Dell 2048 through two SFPs configured as a LAG.

Dodgy paint diagram attached.

The ASA is configured with VLAN1 access port. VLAN 50 and VLAN 70 as Trunks (no native VLAN). Also the last port is configured as a trunk, native vlan 1, with 50,70 connected to a tagged port on the Dell 2816.

I've tried many different configs but can't for the life of me get VLAN1 to talk to VLAN70 (as the ASA FW rules allow) except for when connected to VLAN1 on

Here's the traffic results.
A1 - B70  good
A1 - C70  good
B1 - B70  bad
B1 - C70  bad
C1 - C70  bad
C1 - B70  bad
B/C1 - A70  bad
A70 - B70 good
A70 - C70 good
B70 - C70 good

Anyone have thoughts on what could be going on? I don't think the ASA config is bad as VLAN1 traverses everywhere and so does VLAN70 (And I've tried every access/trunk combo I think).
I have no idea what could be wrong in the 4032 config as it should be ok given I've set up others without an issue (although other setups avoided the native vlan and had LAGs as the FW input). Maybe a reboot is in order.
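One way to work a result list like the one above before touching any config is to treat it as a connectivity matrix and ask which endpoints every failing test shares that no passing test touches. The script below is an added example, not code from the original post; it encodes KDog's results (A = Dell 2816, B = Dell 4032, C = Dell 2048, the number is the VLAN) and the expansion of "B/C1 - A70" into two rows is my own.

```python
"""Fault isolation from a connectivity matrix.

Added example, not code from the original post. It encodes the test results
listed in the thread (A = Dell 2816, B = Dell 4032, C = Dell 2048, number = VLAN)
and asks which endpoints every failing test shares that no passing test touches,
which is where a practitioner would look first.
"""
from collections import defaultdict

# Constructed from the result list in the post; "B/C1 - A70 bad" is expanded
# into its two rows.
RESULTS = """\
A1 - B70  good
A1 - C70  good
B1 - B70  bad
B1 - C70  bad
C1 - C70  bad
C1 - B70  bad
B1 - A70  bad
C1 - A70  bad
A70 - B70 good
A70 - C70 good
B70 - C70 good
"""


def parse_results(text):
    """Turn 'A1 - B70  good' lines into ((switch, vlan), (switch, vlan), passed)."""
    tests = []
    for line in text.strip().splitlines():
        src, _, dst, status = line.split()
        tests.append(((src[0], int(src[1:])), (dst[0], int(dst[1:])), status == "good"))
    return tests


def suspect_endpoints(tests):
    """Endpoints present in failing tests but never in a passing one."""
    seen_good, seen_bad = set(), set()
    for src, dst, passed in tests:
        (seen_good if passed else seen_bad).update((src, dst))
    return sorted(seen_bad - seen_good)


def summary_by(tests, key):
    """Pass/fail counts grouped by key(src, dst), e.g. source switch or source VLAN."""
    counts = defaultdict(lambda: {"good": 0, "bad": 0})
    for src, dst, passed in tests:
        counts[key(src, dst)]["good" if passed else "bad"] += 1
    return dict(counts)


if __name__ == "__main__":
    tests = parse_results(RESULTS)
    print("suspect endpoints:", suspect_endpoints(tests))
    print("by source switch: ", summary_by(tests, lambda s, d: s[0]))
    print("by source VLAN:   ", summary_by(tests, lambda s, d: s[1]))
```

On these inputs the only endpoints that appear solely in failing tests are VLAN 1 on the 4032 and VLAN 1 on the 2048; VLAN 70 on the same two switches, the LAG between them, and VLAN 1 on the 2816 all take part in passing tests. That narrows the fault to native-VLAN ingress on the two newer switches rather than to the ASA policy, which is consistent with where the thread ends up.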
Title: Re: Easy VLAN problem.....
Post by: icecream-guy on August 22, 2017, 06:29:00 AM
I do remember some oddities when it comes to the 5505's, not like a normal firewall per se.

routed or transparent mode? 3 VLANs vs 2 VLANs max
what version on the ASA?
post configs?


looking up some stuff here..
https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/int5505.html
says:

To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2 (70 in your case), then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs

also states "With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 4-1 for an...."
you might be hitting this limitation with 1,50,70 defined
Title: Re: Easy VLAN problem.....
Post by: KDog on August 22, 2017, 04:33:19 PM
5505 has the Sec plus license
9.2(4)5
Routed mode
There will be more VLANs once I get this sorted.

FW rules/sec policy isn't an issue as this setup was used with other switches ok. VLAN1 is using sec level 100 and can go everywhere unrestricted, also the traffic from the old Dell 2816 switch passes traffic just fine which is the confusing part. The Dells aren't the best to setup at times but I've never had an issue like this before on such a simple thing.
In my instance having a single VLAN on one interface changing between access or trunk mode doesn't seem to make any difference. Regardless I don't think the ASA5505 setup is the issue, I suspect it is in the Dell 4032 config.

I'll grab relevant parts of each config if I can and post them up.
Title: Re: Easy VLAN problem.....
Post by: KDog on August 22, 2017, 11:50:51 PM
Solved: Did you turn it off and on again? Rebooted the N4032 and everything is fine (apart from the whole business not having network/internet etc during reboot).

#Bettertoseekforgivenessthanaskpermission #whoneedschangemanagement
Title: Re: Easy VLAN problem.....
Post by: icecream-guy on August 23, 2017, 07:48:50 AM
Quote from: KDog on August 22, 2017, 11:50:51 PM
Solved: Did you turn it off and on again? Rebooted the N4032 and everything is fine (apart from the whole business not having network/internet etc during reboot).

#Bettertoseekforgivenessthanaskpermission #whoneedschangemanagement
:itcrowd:
:kiwf:
Title: Re: Easy VLAN problem.....
Post by: deanwebb on August 23, 2017, 08:13:15 AM
Quote from: KDog on August 22, 2017, 11:50:51 PM
Solved: Did you turn it off and on again? Rebooted the N4032 and everything is fine (apart from the whole business not having network/internet etc during reboot).

#Bettertoseekforgivenessthanaskpermission #whoneedschangemanagement

Looks like you're ready for my sig, lol! :lol:

Of course, the due diligence guy inside me is saying, "Now don't let that happen again." I've been walked out for accidentally rebooting the email server, so it's best to keep these kinds of incidents to a minimum, no matter how good they may feel.  >:D
Title: Re: Easy VLAN problem.....
Post by: Dieselboy on August 25, 2017, 03:56:19 AM
I see you've resolved it but a quick scan through the thread and I didn't see a mention of security levels on the interfaces of the ASA. If they're both set to security-level 100 then you need an additional command to allow routing between them. Something like "same security inter-interface" (can't remember exactly). Else the other workaround is to configure one of the interfaces with a lower level value like 90 but then you'll need to specifically allow the traffic from the lower level interface to the higher one :)
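The security-level point above is worth checking before chasing the switches, because an ASA will silently drop inter-VLAN traffic between two interfaces at the same level unless the global command `same-security-traffic permit inter-interface` is present, and traffic from a lower level to a higher one is only routed where an inbound ACL on the lower interface allows it. The script below is an added example and not the poster's configuration (which was never posted): it parses a constructed ASA config with made-up nameifs (`inside`, `servers`, `guest`) and RFC 5737 addresses, and reports whether a given source-to-destination interface pair is even eligible for routing before the ACL contents are considered.

```python
"""ASA inter-interface routing precheck.

Added example, not from the thread; the poster's ASA config was never posted.
It parses a constructed ASA config (RFC 5737 addresses, made-up nameifs) and
reports whether a flow from one interface to another is eligible for routing
at all: equal security levels need the global command
"same-security-traffic permit inter-interface", and a lower to higher level
needs an inbound ACL applied on the lower interface.
"""
import re

# Constructed sample, modelled on a 5505-style VLAN layout: two interfaces at
# level 100 with no same-security-traffic line, plus one lower-level interface.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan70
 nameif servers
 security-level 100
 ip address 198.51.100.1 255.255.255.0
!
interface Vlan50
 nameif guest
 security-level 50
 ip address 203.0.113.1 255.255.255.0
!
access-list GUEST_IN extended permit tcp any host 198.51.100.10 eq 443
access-group GUEST_IN in interface guest
"""

# Same constructed config with the missing global command added.
ASA_CONFIG_FIXED = ASA_CONFIG + "same-security-traffic permit inter-interface\n"


def parse_asa(config):
    """Return ({nameif: security-level}, {nameif: inbound ACL name}, same_sec_inter)."""
    levels, inbound_acl, same_sec = {}, {}, False
    nameif = level = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = level = None            # start of a new interface block
        elif line.startswith(" "):           # sub-command inside the current block
            m = re.match(r"\s+nameif (\S+)$", line)
            if m:
                nameif = m.group(1)
            m = re.match(r"\s+security-level (\d+)$", line)
            if m:
                level = int(m.group(1))
            if nameif is not None and level is not None:
                levels[nameif] = level
        elif line.startswith("same-security-traffic permit inter-interface"):
            same_sec = True
        else:
            m = re.match(r"access-group (\S+) in interface (\S+)$", line)
            if m:
                inbound_acl[m.group(2)] = m.group(1)
    return levels, inbound_acl, same_sec


def check_path(config, src, dst):
    """(eligible, reason) for traffic initiated on nameif src towards nameif dst."""
    levels, inbound_acl, same_sec = parse_asa(config)
    s, d = levels[src], levels[dst]
    acl = inbound_acl.get(src)
    if s == d:
        if same_sec:
            return True, "equal security levels; same-security-traffic permit inter-interface is set"
        return False, "equal security levels but same-security-traffic permit inter-interface is missing"
    if s > d:
        if acl:
            return True, f"higher to lower level; subject to inbound ACL {acl} on {src}"
        return True, "higher to lower level; permitted by default"
    if acl:
        return True, f"lower to higher level; permitted only where inbound ACL {acl} on {src} allows it"
    return False, "lower to higher level and no inbound ACL applied on the lower interface"


if __name__ == "__main__":
    for label, cfg in (("constructed", ASA_CONFIG), ("fixed", ASA_CONFIG_FIXED)):
        ok, why = check_path(cfg, "inside", "servers")
        print(f"{label}: inside -> servers: {'OK' if ok else 'BLOCKED'} ({why})")
```

Run against the constructed config, `inside -> servers` is reported as blocked until the global command is added, while `inside -> guest` passes by default and `guest -> servers` is allowed only through `GUEST_IN`. Because the fault in this thread cleared after a switch reboot while the ASA was untouched, the check would have come back clean here, which is exactly the value of running it first: it rules the firewall policy in or out in seconds.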