Keith Smith - Think Ahead. Learn More. Solve Now!

Network


ProCurve inter-VLAN routing with Cisco ASA firewalls

Wednesday, July 09, 2014 - Posted by Keith A. Smith, in Network



Long-winded network post ahead! You have been warned. 


As part of my network overhaul, I wanted to transform our current semi-flat network into a multi-tiered, access-controlled, dynamic network that could grow with the company. Our existing network has been plagued with broadcast storms caused by the rogue engineering DHCP server being accidentally connected to the office network. To do this I purchased new switch gear that supports L3 routing and VLANs. This new gear allows me to separate our large broadcast domain into smaller, department-based broadcast domains using VLANs and inter-VLAN routing. The existing network gear, while functional, lacked the capability of inter-VLAN routing and struggled under our daily office load with only two VLANs. I can't say I will miss the old Netgear switches, but they were barely able to support the traffic when we were a 30-person company and are unstable with the 70+ now.

Wanting to keep a fairly tight budget, I ended up choosing HP ProCurve 2510 and 2520 PoE switches for distribution and a 5406zl loaded with 1Gb modules for my core. The 2510/2520 are layer 2 gigabit switches and the 5406 is layer 3. If I had a larger budget, EDU discount, or was purchasing a huge lot of gear, I would probably have gone Cisco 3750G/2960G. The HP gear is very competitive, offering a lifetime warranty, lifetime support, and the cheapest 10GBASE-T I could find. I have worked with HP in the past and have found it very similar to manage. The menu-based command line interface makes it a breeze for the novice, but I still prefer the straight old command line.

My firewalls were a tough choice. I wanted something that could support 250+ SSL VPN connections, a Gigabit Metro-E line, a 100Mb EDI line, and have enough throughput to handle all of this. After looking at Fortigate, Juniper, and Cisco, I ended up choosing four Cisco ASA 5515-X's. Each site will have two, set up in Active/Active, serving up a maximum of 500 SSL VPN connections per site. I sacrificed the ability to load balance across two or more internet connections, but our EDI line makes up for that. These, at least for now, should be able to handle everything we throw at them.

In the last few weeks, I set up all of the HP switch gear in a test environment, along with an ESXi host with multiple quad-port NICs. I wanted to simulate having multiple machines across multiple switches to ensure my configs would work. Starting out, I got everything up and working. I could ping between VLANs, but I did not have a DHCP server to test ip helper-addresses or an internet connection. This week I added a Server 2008 R2 box, set up DHCP/AD/DNS and connected a spare Cisco ASA 5505 running 8.4. After a few hours of research through somewhat helpful posts, I came up with the following basics for using inter-VLAN routing on HP ProCurve switches with a Cisco ASA.

Helpful tips:
1) Your core must be a Layer 3 switch. In my lab it is the HP 2910al-24G. It is not possible to do this without an L3 switch.
2) On the core, there should be no default gateway (no ip default-gateway). Once ip routing is enabled the switch ignores the default gateway and uses its routing table, so a leftover default gateway is a classic cause of "nothing leaves the core". I have seen this far too often as the problem in my research.
3) Enable ip routing on the core switch:
               hp2910al-24g(config)# ip routing

4) Once you create additional VLANs, reserve the default VLAN (VLAN 1) for switch management only, with no user ports in it, if at all possible. VLAN 1 is the untagged default on every port of a new switch, so a dedicated management VLAN that is not VLAN 1 is safer still; the example configs below keep VLAN 1 management-only with no untagged ports.
               hp2910al-24g# config
               hp2910al-24g(config)# vlan 10
               hp2910al-24g(vlan-10)#

5) Assign an IP address to each VLAN, and only on the core! The core's address on a VLAN is the default gateway every host in that VLAN will use (see tip 10). In the example configs below VLAN 10 is 10.1.0.254 and the ASA sits at 10.1.0.1 on the same subnet:
               hp2910al-24g(vlan-10)# ip address 10.1.0.254/24

6) Add an ip helper-address pointing at your DHCP server to each VLAN on the core (except the VLAN the server natively lives on) and add a matching scope on the DHCP server for every VLAN:
               hp2910al-24g(vlan-20)# ip helper-address 10.1.0.2

7) Be sure to TAG (tagged) the VLANs on your trunks (Trk1 in the configs below) to the distribution switches, and on the distribution switches back to the core. A VLAN that is not tagged on both ends of the trunk stays local to that switch's untagged ports and never reaches the core's routed interface:
                hp2910al-24g(vlan-10)# tagged Trk1

8) Set a default route on the core pointing at your router/firewall's inside IP (replace 10.1.0.1 with your router's IP):
                hp2910al-24g(config)# ip route 0.0.0.0 0.0.0.0 10.1.0.1

9) Set a static route on the ASA back to your core switch, where 10.0.0.0 255.0.0.0 summarises all of your inside subnets and 10.1.0.254 is the core switch's address on the VLAN the ASA is plugged into. My router is plugged into VLAN 10, which is 10.1.0.0/24, and this must match: the router's inside IP must be on the same subnet as the core switch's VLAN IP. The ASA route command also needs the interface name (the nameif of the inside interface, usually "inside"):
                ciscoasa5505(config)# route inside 10.0.0.0 255.0.0.0 10.1.0.254
   Two checks worth doing on the ASA at the same time: the summary must cover every VLAN subnet you created (10.20.30.0/24 in the configs below is inside 10.0.0.0/8, but a 192.168.x.x VLAN would not be), and any NAT and access rules written for the old single subnet need the same widening, or hosts in the new VLANs will route to the ASA and stop there.

10) ALWAYS use the IP of the VLAN (the core's address on that VLAN) as the DHCP default gateway for that scope, otherwise nothing will work!
                Example: VLAN 20, core IP 10.1.1.254
                                 xptestbox:# ipconfig /all
                                                     IP: 10.1.1.100
                                                     Subnet: 255.255.255.0
                                                     Gateway: 10.1.1.254
                                                     DNS: 10.1.0.2
11) Save the configs (write memory) and restart everything once they are made and SAVED:
                 hp2910al-24g# write memory
12) Enjoy your working network!

Example configs:

2910al-24g:

; J9145A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-24G"
module 1 type j9145a
trunk 23-24 trk1 trunk
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip routing
; NOTE: "public" with unrestricted (read-write) access lets anyone who can reach the
; switch reconfigure it over SNMP; use a non-default community with restricted access
; (or SNMPv3) before this leaves the lab.
snmp-server community "public" unrestricted
spanning-tree Trk1 priority 4
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-22
   tagged Trk1
   ip address 10.0.0.254 255.255.255.0
   exit
vlan 10
   name "VLAN10"
   untagged 1-10
   tagged Trk1
   ip address 10.1.0.254 255.255.255.0
   exit
vlan 20
   name "VLAN20"
   untagged 11-20
   tagged Trk1
   ip address 10.1.1.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
vlan 30
   name "Vlan30"
   tagged Trk1
   ip address 10.20.30.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
vlan 99
   name "VLAN99"
   untagged 21-22
   tagged Trk1
   ip address 10.1.99.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit

2510G-24:
hostname "00005- 2510-24g"
trunk 23-24 Trk1 Trunk
ip default-gateway 10.0.0.254
; NOTE: same read-write "public" community as on the core; change it before deploying.
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ip address 10.0.0.253 255.255.255.0
   tagged Trk1
   no untagged 1-22
   exit
vlan 10
   name "VLAN 10"
   tagged Trk1
   exit
vlan 20
   name "VLAN 20"
   tagged Trk1
   exit
vlan 99
   name "Vlan 99"
   tagged Trk1
   exit
vlan 30
   name "VLAN 30"
   untagged 1-22
   tagged Trk1
   exit
spanning-tree Trk1 priority 4

Cisco ASA 5505:

The ASA route needs the interface name. This assumes the inside interface's nameif is "inside" and it is addressed 10.1.0.1/24, the next hop of the core's default route above.

route inside 10.0.0.0 255.0.0.0 10.1.0.254
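As an added check (example code written for this page, not the author's), the script below reads a ProCurve core config in the format shown above plus the ASA's route line and reports which tips are violated: ip routing on, no ip default-gateway, an address and a Trk1 tag on every VLAN, a helper-address on every VLAN except the DHCP server's own and the management VLAN, a default route whose next hop sits in one VLAN's subnet, and an ASA route whose next hop is the core's address on that VLAN and whose summary covers every VLAN. It also flags the "public"/unrestricted SNMP community, which is not one of the tips but should not survive into production. The trunk name Trk1, management VLAN 1 and DHCP server 10.1.0.2 are taken from the configs above; the ASA is represented only by its route line.

```python
"""Audit a ProCurve core config plus the ASA static route against the tips above.
Added example, not the post author's code.  CORE_CFG is a trimmed copy of the
2910al config from the post; the trunk name Trk1, management VLAN 1 and DHCP
server 10.1.0.2 are the post's values; the ASA is represented by its route line."""
import ipaddress
import re

CORE_CFG = """\
trunk 23-24 trk1 trunk
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip routing
snmp-server community "public" unrestricted
vlan 1
   tagged Trk1
   ip address 10.0.0.254 255.255.255.0
   exit
vlan 10
   tagged Trk1
   ip address 10.1.0.254 255.255.255.0
   exit
vlan 30
   tagged Trk1
   ip address 10.20.30.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
"""


def parse_procurve(text):
    """Pull the statements the audit needs out of a ProCurve config dump."""
    cfg = {"routing": False, "default_gateway": None, "routes": [], "snmp": [], "vlans": {}}
    vlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or ';' comment
            continue
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:                                          # enter a 'vlan N' context
            vlan = cfg["vlans"].setdefault(int(m.group(1)), {"tagged": set(), "ip": None, "helpers": []})
        elif line == "exit":
            vlan = None
        elif vlan is not None:                         # statements inside the VLAN context
            if line.startswith("tagged "):
                vlan["tagged"].update(line.split(None, 1)[1].split(","))
            elif line.startswith("ip address "):
                _, _, addr, mask = line.split()
                vlan["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
            elif line.startswith("ip helper-address "):
                vlan["helpers"].append(line.split()[2])
        elif line == "ip routing":
            cfg["routing"] = True
        elif line.startswith("ip default-gateway "):
            cfg["default_gateway"] = line.split()[2]
        elif line.startswith("ip route "):
            _, _, dst, mask, nh = line.split()
            cfg["routes"].append((ipaddress.ip_network(f"{dst}/{mask}"), ipaddress.ip_address(nh)))
        elif line.startswith("snmp-server community "):
            cfg["snmp"].append(line)
    return cfg


def audit(core_text, asa_route, dhcp_server="10.1.0.2", trunk="Trk1", mgmt_vlan=1):
    """Return the list of tip violations found; an empty list means the configs agree."""
    core, dhcp, problems = parse_procurve(core_text), ipaddress.ip_address(dhcp_server), []
    if not core["routing"]:
        problems.append("core: 'ip routing' is missing (tip 3)")
    if core["default_gateway"]:
        problems.append("core: 'ip default-gateway' is set; it is ignored once routing is on (tips 2, 8)")
    svis = {}                                          # vlan id -> core address on that VLAN
    for vid, v in core["vlans"].items():
        if v["ip"] is None:
            problems.append(f"vlan {vid}: no IP address on the core (tip 5)")
            continue
        svis[vid] = v["ip"]
        if trunk not in v["tagged"]:
            problems.append(f"vlan {vid}: not tagged on {trunk} (tip 7)")
        # the DHCP server's own VLAN and the management-only VLAN need no relay
        if vid != mgmt_vlan and dhcp not in v["ip"].network and str(dhcp) not in v["helpers"]:
            problems.append(f"vlan {vid}: no 'ip helper-address {dhcp}' (tip 6)")
    for s in core["snmp"]:                             # not in the tips, but do not ship it
        if '"public"' in s or "unrestricted" in s.lower():
            problems.append(f"core: guessable or read-write SNMP community: {s}")
    defaults = [nh for net, nh in core["routes"] if net.prefixlen == 0]
    uplink = [vid for vid, i in svis.items() if len(defaults) == 1 and defaults[0] in i.network]
    if not uplink:
        problems.append("core: need exactly one default route whose next hop is in a VLAN subnet (tips 8, 9)")
        return problems
    # ASA syntax: 'route <ifname> <net> <mask> <next-hop>'; the next hop is the core's
    # address on the VLAN the ASA is plugged into, and <net>/<mask> must cover every VLAN
    m = re.fullmatch(r"route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", asa_route.strip())
    if not m:
        problems.append("asa: route line is malformed or lacks the interface name (tip 9)")
        return problems
    covered, asa_nh = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"), ipaddress.ip_address(m.group(4))
    if asa_nh != svis[uplink[0]].ip:
        problems.append(f"asa: next hop {asa_nh} is not the core's VLAN {uplink[0]} address {svis[uplink[0]].ip} (tip 9)")
    missing = [vid for vid, i in svis.items() if not i.network.subnet_of(covered)]
    if missing:
        problems.append(f"asa: route {covered} does not reach VLAN(s) {missing}")
    return problems
```

Feeding it the post's original ASA line, route 10.0.0.0 255.0.0.0 10.1.0.254, reports the missing interface name; the corrected line passes and leaves only the SNMP finding. Swapping ip routing for an ip default-gateway line, or narrowing the ASA summary to 10.1.0.0/24, produces the corresponding tip 2/8 and "does not reach VLAN(s)" findings.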


Show command multiple filtering

Wednesday, May 21, 2014 - Posted by Keith A. Smith, in Network

Normally when we run a show command we use "|" to filter the output, followed by a keyword such as include, exclude, begin or section and then a pattern. As we all know, "include" means show only the lines that match the pattern, as in the example below.



R1#sh run | inc CISCO
neighbor CISCO peer-group

We can filter on several patterns at once with the "include" keyword, because the text after the keyword is a regular expression and a "|" inside it is alternation (only the first "|" is the pipe to the filter). Let's say we want to see each interface name, its description, the OSPF cost and whether it is configured with the "mpls ip" command. The "^ " in each alternative anchors on the one-space indent IOS gives sub-commands, so "^ description" does not pick up a top-level line that merely contains the word:



R1#sh run | inc interface |^ description |^ ip ospf cost |^ mpls ip
interface FastEthernet0/0
 description towards LAN
 ip ospf cost 100
 mpls ip



More on Cisco command output filtering

Wednesday, May 21, 2014 - Posted by Keith A. Smith, in Network

Finding the right piece of information that you need from a Cisco router can often be a challenge. For example, if you use the show running-config command on a large production router, you can easily end up with 25 pages of text output.

Locating that one piece of information you're looking for can take a lot of time. Once you find it, you might need to make a change, only to have to rerun the command and go through the whole process again.

However, there are some shortcuts you can take to find this information more quickly. Let's look at some filtering options you can use when maneuvering through long command output on a Cisco router.

Filter output using line numbers

You can use the show running-config linenum command to configure the system to include line numbers at the start of each line in the output. Here's an example:

Router# show running-config linenum
Current configuration : 59161 bytes
    1 : !
    2 : ! Last configuration change at 09:25:35 CDT Tue Aug 16 2005 by root
    3 : ! NVRAM config last updated at 09:25:36 CDT Tue Aug 16 2005 by root
    4 : !
    5 : version 12.3
    6 : service tcp-keepalives-in
    7 : service tcp-keepalives-out
    8 : service timestamps debug datetime msec localtime show-timezone
    9 : service timestamps log datetime msec localtime show-timezone
   10 : service password-encryption

Once you have line numbers to use as reference points, you can then filter the output by starting at a certain line or only returning a specified line. Here's an example of starting the output at a specific line:

Router# show running-config linenum | begin 6 :
    6 : service tcp-keepalives-in
    7 : service tcp-keepalives-out
    8 : service timestamps debug datetime msec localtime show-timezone
    9 : service timestamps log datetime msec localtime show-timezone
   10 : service password-encryption

Here's an example of requesting only one line returned in the output:

Router# show running-config linenum | include ( 6 : )
    6 : service tcp-keepalives-in

Filter output using Include, Exclude, or Begin

You can also use certain commands to help filter your output. For example, you can use the include command to see only lines that include the word service. Here's an example:

Router# show running-config | include service
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption

You can use the begin command to start the output at the first line that matches (such as an interface) and print everything from there on. Here's an example:

Router# show running-config | begin interface Serial3/0
interface Serial3/0
 description MPLS T-1
 bandwidth 1544
 ip address 10.0.100.2 255.255.255.252
 no ip proxy-arp (truncated)

In addition, you can use the exclude command in the same way to drop matching lines, which is handy if there's something particularly long that you don't need to see in the output.

The best thing about these three filters is that they work with almost any output on the router, not just show running-config. For example, let's say I wanted to see all routes that begin with 10.83.x.x. It doesn't work if I use this, because show ip route with an address looks up that one destination rather than searching:

Router# show ip route 10.83.0.0        
% Subnet not in table

However, if I use something like the following example, I can see all of the routes that begin with 10.83.x.x:

Router# show ip route | include 10.83.     
O       10.83.100.8/30 [110/2370] via 10.83.100.2, 05:32:27, Serial1/2:0.83
O       10.83.100.4/30 [110/2115] via 10.20.100.2, 05:32:27, Serial1/2:0.2
C       10.83.100.0/30 is directly connected, Serial1/2:0.83
O       10.83.103.0/24 [110/2195] via 10.83.100.2, 05:32:27, Serial1/2:0.83

Filter output by interface

On the other hand, if you only need to see the output of one specific interface, you can also filter output in that way. Here's an example:

Router# show running-config interface Serial3/0
Building configuration...

Current configuration : 209 bytes
!
interface Serial3/0
 description MPLS T-1
 bandwidth 1544
 ip address 10.0.100.2 255.255.255.252
 no ip proxy-arp
 no ip mroute-cache
 no fair-queue
 no cdp enable
end

Start searching your output

Did you know that you can search directly from the show running-config command's output? If you use the show running-config command, you should see a –More– prompt at the end of each page of output (depending on your page length).

If you enter a forward slash [/] at this prompt, it will replace the prompt with the slash, and you can then type in whatever you want to search for (again a regular expression). Press [Enter], and it will say "filtering..." and then begin showing you the output from the first match onward. (This is how searching in the UNIX pg and more pagers works.) Here's an example:

/interface Serial3/0
filtering...
interface Serial3/0
 description MPLS T-1
 bandwidth 1544
 ip address 10.0.100.2 255.255.255.252
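The filters in this post and the one above share one mechanism, which the added Python below emulates so the expressions can be tried offline. This is example code written for this page, not code from the posts, and RUNNING_CONFIG is a constructed sample rather than real router output. The text after include, exclude, begin or section is a regular expression matched against each output line, so "|" inside it is alternation and "^ " anchors on the single-space indent IOS gives sub-commands. interface_summary() runs the expression from the "multiple filtering" post verbatim, and find_weak_settings() shows the same mechanism put to a reviewer's use: pulling reversible type 7 or plaintext secrets, SNMP communities and telnet-capable vty lines out of a large config.

```python
"""Emulate the IOS output filters (include, exclude, begin, section) so the
regex behaviour in the two filtering posts above can be tried offline.
Added example, not from the posts; RUNNING_CONFIG is a constructed sample,
not output from a real router."""
import re

RUNNING_CONFIG = """\
version 12.4
service password-encryption
hostname R1
enable password 7 094F471A1A0A
username admin privilege 15 password 7 0822455D0A16
interface FastEthernet0/0
 description towards LAN
 ip address 10.0.0.1 255.255.255.0
 ip ospf cost 100
 mpls ip
interface Serial3/0
 description MPLS T-1
 bandwidth 1544
 ip address 10.0.100.2 255.255.255.252
snmp-server community public RW
line vty 0 4
 transport input telnet ssh
 login local
end
"""


def ios_filter(output, mode, expr):
    """'show ... | <mode> <expr>': expr is a regex tested against every line,
    so '|' inside it is alternation and '^ ' anchors on the one-space indent
    IOS gives sub-commands (top-level lines have no indent)."""
    pat = re.compile(expr)
    lines = output.splitlines()
    if mode == "include":
        return [l for l in lines if pat.search(l)]
    if mode == "exclude":
        return [l for l in lines if not pat.search(l)]
    if mode == "begin":
        for i, l in enumerate(lines):
            if pat.search(l):
                return lines[i:]
        return []
    if mode == "section":
        # a matching line opens a section; it stays open through the indented
        # lines below it and closes at the next non-matching top-level line
        out, keep = [], False
        for l in lines:
            if pat.search(l):
                keep = True
            elif not l.startswith(" "):
                keep = False
            if keep:
                out.append(l)
        return out
    raise ValueError(f"unknown filter {mode!r}")


def interface_summary(output):
    """The expression from the 'multiple filtering' post, verbatim."""
    return ios_filter(output, "include", r"interface |^ description |^ ip ospf cost |^ mpls ip")


def find_weak_settings(output):
    """A reviewer's pass over 'show run': 'enable password' (not 'enable secret')
    and 'username ... password' lines are reversible or plaintext, SNMP communities
    are worth eyeballing, and the vty section is pulled whole to check for telnet."""
    weak = ios_filter(output, "include",
                      r"^(enable password|username .* password |snmp-server community)")
    vty = ios_filter(output, "section", r"^line vty")
    if any(l.startswith(" transport input") and "telnet" in l for l in vty):
        weak.append(vty[0] + "  <- telnet allowed")
    return weak
```

Run against the sample, interface_summary() returns the six interface, description, cost and mpls lines in config order, and find_weak_settings() returns the enable password, username and SNMP lines plus the vty line flagged for telnet. Swapping "begin" for "section" is the difference between "everything from here to the end" and "just this block", which is usually what you actually want from a 25-page config.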

