Cisco Router 3725

  • Cisco Router 3725

    Hi

    I have a quick question: how do I preserve VLAN ID info when forwarding traffic from a Cisco 3725 to another security gateway?

    The security gateway sees all traffic coming from VLAN ID 10 even if it originates from ID 50, 20, 40 or 70.

    So in other words, if I ping 8.8.8.8 from a PC in VLAN 60, the packet monitor on the security gateway sees the traffic coming from VLAN 10, IP 172.16.60.122, not VLAN 60, IP 172.16.60.122, so on its return it fails to pass the traffic to the correct VLAN and thus the correct IP.

    Anyone any ideas?

    Thanks in advance

  • #2
    Re: Cisco Router 3725

    When crossing a layer 3 interface the layer 2 header is rewritten, hence the difference between routing and bridging. Layer 2 tagging is only done on trunk ports as well. If a frame is moving from a host in VLAN 10 on one switch to another host in VLAN 10 on an adjacent switch, then the dot1q tag is added when entering the trunk link and removed when the frame is forwarded to that host. Are you filtering on layer 2 headers on the firewall? A diagram would be helpful.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Cisco Router 3725

      Sonicwall NSA 4500
      (Trunk Interface on Sonicwall)

      to

      (Trunk Interface on Switch)
      Cisco 2970 Switch

      All inter-VLAN traffic is handled by the Cisco 3725 (router-on-a-stick scenario), but any traffic outside this is passed from the Cisco 3725 to the SonicWall.

      The only VLAN that works correctly incoming is VLAN 10. All other VLANs work fine internally and outgoing, but just not incoming, as the SonicWall sees all traffic tagged as VLAN 10, and if it's from any VLAN apart from 10 it gets dropped (sees it as being spoofed).

      i.e. VLAN 10 172.16.60.122

      172.16.60.122 should = VLAN 60
      Last edited by Senan; 1st August 2012, 13:57.



      • #4
        Re: Cisco Router 3725

        Why not filter at layer 3 to avoid this? Like I said, if the 3725 is routing the traffic, the layer 2 information is rewritten. Or put the 3725 and the inside interface of the SonicWall on the same VLAN and IP subnet, then filter via layer 3 (IP addresses). Your diagram shows a trunk, so that makes me believe it's a layer 2 trunk from the SonicWall to the 2970?
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Cisco Router 3725

          No filtering on layer 2 headers on the firewall.

          The inside interface on the SonicWall is on the same IP subnet as the Cisco 3725 and the same VLAN?

          It is a layer 2 trunk between the SonicWall and the 2970.
          Last edited by Senan; 1st August 2012, 14:10.



          • #6
            Re: Cisco Router 3725

            Why are you trunking then to the 2970? A trunk encapsulates and carries traffic for multiple VLANs at layer 2. The port from the SonicWall to the 2970 should be an access port. Put both the 3725 interface facing the SonicWall and the SonicWall inside interface in the same VLAN on the 2970, and both as access ports. If you're not filtering at layer 2, then why is the SonicWall complaining about VLAN IDs? The SonicWall should be looking at IP address sources, then filter accordingly.

            Are you using subinterfaces for the VLANs on the SonicWall? Sounds like the SonicWall is configured with subinterfaces for your VLAN subnets (like a router-on-a-stick scenario). If that's the case, the problem is that your hosts in the VLANs are using the 3725 for routing and the layer 2 headers are being rewritten (hence the VLAN IDs are stripped off), so when the SonicWall is getting the traffic it is being dropped. I would do what I said above and drop the subinterfaces/trunk.
            Last edited by auglan; 1st August 2012, 15:15.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Cisco Router 3725

              Hi

              Below is exactly what we are doing:

              "Are you using subinterfaces for the VLANs on the SonicWall? Sounds like the SonicWall is configured with subinterfaces for your VLAN subnets (like a router-on-a-stick scenario). If that's the case, the problem is that your hosts in the VLANs are using the 3725 for routing and the layer 2 headers are being rewritten (hence the VLAN IDs are stripped off), so when the SonicWall is getting the traffic it is being dropped."

              Not sure what you mean here (forgive my ignorance). Could you explain, maybe with a diagram, what way it should be set up so I can see it visually? I'd really appreciate it.

              "The port from the SonicWall to the 2970 should be an access port. Put both the 3725 interface facing the SonicWall and the SonicWall inside interface in the same VLAN on the 2970, and both as access ports. If you're not filtering at layer 2, then why is the SonicWall complaining about VLAN IDs? The SonicWall should be looking at IP address sources, then filter accordingly."

              Thanks
              Last edited by Senan; 1st August 2012, 16:26.



              • #8
                Re: Cisco Router 3725

                What's the difference between an access port and a trunk port?

                An access port carries traffic for a single VLAN, and a trunk port encapsulates and carries traffic for multiple VLANs.

                "All inter-VLAN traffic is handled by the Cisco 3725 (router-on-a-stick scenario), but any traffic outside this is passed from the Cisco 3725 to the SonicWall."
                Since your hosts are using the subinterfaces on the router for their default gateway, any traffic not in its local subnet is being routed. Since you're using subinterfaces on the SonicWall, and the SonicWall is expecting the VLAN IDs on its subinterfaces, this scenario won't work, as the router is stripping the layer 2 information from the frame, rebuilding it and sending it on to the SonicWall. So the frame will now have a source MAC address of the subinterface of the router without the VLAN IDs.

                My recommendation was to remove the subinterfaces on the SonicWall and assign an IP address and VLAN in the same subnet as the 3725 interface facing the SonicWall. This way your filtering will be done via layer 3 and not via VLAN IDs.
                Last edited by auglan; 1st August 2012, 16:40.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: Cisco Router 3725

                  Thanks Auglan.

                  Not sure what you mean here (forgive my ignorance). Could you explain, maybe with a diagram, what way it should be set up so I can see it visually? I'd really appreciate it.

                  "The port from the SonicWall to the 2970 should be an access port. Put both the 3725 interface facing the SonicWall and the SonicWall inside interface in the same VLAN on the 2970, and both as access ports. If you're not filtering at layer 2, then why is the SonicWall complaining about VLAN IDs? The SonicWall should be looking at IP address sources, then filter accordingly."

                  Thanks



                  • #10
                    Re: Cisco Router 3725

                    SonicWall inside interface - 10.10.10.2/30

                    Access port to 2970. Say vlan 80

                    int gi0/1
                    switchport mode access
                    switchport access vlan 80

                    |
                    |
                    | This is the 2970
                    |
                    |
                    |

                    3725 Outside Interface - 10.10.10.1/30

                    Access port to 2970. Same as above

                    int gi0/1
                    switchport mode access
                    switchport access vlan 80

                    Both devices are on a directly connected subnet. Your default route on the router should point to the SonicWall inside interface.

                    Then you need to consult the SonicWall documentation for the filtering options.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)
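The layout recommended in #8 and #10, written out end to end as an added example; this is illustrative configuration prepared for this page, not the original poster's or auglan's own config. Everything not stated in the thread is an assumption: the 3725's LAN-side trunk is FastEthernet0/0 and its outside link is FastEthernet0/1; VLAN n uses 172.16.n.0/24 with the router at .1 (VLAN 60 = 172.16.60.0/24 follows from the thread's 172.16.60.122, the others are assumed); on the 2970, Gi0/1 faces the SonicWall, Gi0/2 is the trunk to the router, Gi0/3 is the router's outside interface, and Gi0/10 is a sample user port.

```cisco
! ---- Cisco 3725 (router-on-a-stick for the user VLANs) ----
! Assumed interface names and subnets; only VLAN 60 / 172.16.60.0/24
! and the 10.10.10.0/30 link come from the thread.
hostname R3725
!
interface FastEthernet0/0
 description 802.1Q trunk to SW2970 Gi0/2
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 172.16.40.1 255.255.255.0
!
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 172.16.50.1 255.255.255.0
!
interface FastEthernet0/0.60
 encapsulation dot1Q 60
 ip address 172.16.60.1 255.255.255.0
!
interface FastEthernet0/0.70
 encapsulation dot1Q 70
 ip address 172.16.70.1 255.255.255.0
!
! Outside interface: untagged, on the VLAN 80 access port, same /30 as
! the SonicWall inside interface (post #10). No subinterfaces here, so
! nothing the SonicWall receives carries a user VLAN tag.
interface FastEthernet0/1
 description To SonicWall inside interface via SW2970 Gi0/3 (VLAN 80)
 ip address 10.10.10.1 255.255.255.252
 no shutdown
!
! Everything not in a directly connected 172.16.x.0/24 goes to the SonicWall.
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
! ---- Cisco 2970 ----
hostname SW2970
!
vlan 10,20,40,50,60,70,80
!
! SonicWall inside interface: access port, no trunk, no tags.
interface GigabitEthernet0/1
 description SonicWall inside interface (10.10.10.2/30)
 switchport mode access
 switchport access vlan 80
!
! The only trunk in the design: carries the user VLANs to the router.
interface GigabitEthernet0/2
 description Trunk to R3725 Fa0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,40,50,60,70
!
interface GigabitEthernet0/3
 description R3725 Fa0/1 (outside, 10.10.10.1/30)
 switchport mode access
 switchport access vlan 80
!
! Sample user port, e.g. the PC at 172.16.60.122 from the thread.
interface GigabitEthernet0/10
 description User port in VLAN 60
 switchport mode access
 switchport access vlan 60
```

Two checks a practitioner would make before blaming the firewall again. First, `show interfaces trunk` on the 2970 should list only Gi0/2 as trunking with VLANs 10-70 allowed; if Gi0/1 still shows as a trunk the SonicWall will keep seeing tagged frames. Second, once the SonicWall's VLAN subinterfaces are gone it is no longer directly connected to 172.16.x.0/24, so it needs routes back to those subnets (for example 172.16.0.0/16 via 10.10.10.1) or return traffic for the ping in the first post has nowhere to go; its anti-spoofing and access rules are then keyed on source IP subnet, which survives the routed hop, rather than on a VLAN ID, which does not. On platforms that support only dot1q the `switchport trunk encapsulation dot1q` line is absent and can be dropped.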
