
Trunk links

Hi People.

I configured a trunk link between my 3560-CX and the Sophos XG 210 and I no longer can ping/reach the XG's interface. When I change the 3560-CX port to a routed port, I can ping or reach the XG LAN interface. Is this usual?

If it is, how then can I configure my VLANs to reach the XG 210?



  • You would have to create sub-interfaces on the Sophos XG for you to be able to reach the LAN port.

  • Hello Mark, thanks.

    If I create VLAN sub-interfaces, I have to trunk the 3560 interface so the VLANs can traverse the trunk link.

    However, I am unable to reach the XG interface the moment I trunk that 3560 interface. I can only talk to the XG interface when my Cisco 3560 equivalent port is a routed port.

  • Could you PM the 3560 config and send me a screenshot of the XG interfaces, if that is possible?

  • My Cisco switch config is as below:

    ip subnet-zero

    ip name-server 8.8.8.8
    ntp server 0.europe.pool.ntp.org
    clock timezone Greece 2 0
    clock summer-time Athens recurring last Sun Mar 3:00 last Sun Oct 4:00

    vlan 300
    name Totiprima_MCR
    vlan 400
    name Totiprima_Office
    vlan 500
    name Trunk_link_to_FW
    vlan 10
    name Dummy
    vlan 20
    name Garage
    end

    interface Vlan20
    description Garage Vlan
    interface Vlan300
    description Totiprima_MCR
    ip address 10.0.1.1 255.255.255.0
    interface Vlan400
    description Totiprima_Office
    ip address 10.0.3.1 255.255.255.0
    interface Vlan500
    description Trunk_link_to_FW
    ip address 172.18.25.202 255.255.255.252


    ip routing

    interface range gigabitethernet 0/3-6
    switchport mode access
    switchport nonegotiate
    switchport access vlan 300

    interface range gigabitethernet 0/7 - 8
    switchport mode access
    switchport nonegotiate
    switchport access vlan 400

    interface range gigabitethernet 0/1-2,0/10-12
    switchport access vlan 20

    interface GigabitEthernet0/9
    switchport trunk encapsulation dot1q
    description Trunk Links
    switchport mode trunk
    switchport access vlan 500
    switchport nonegotiate
    switchport trunk native vlan 10

    switchport trunk allowed vlan remove 1-9,11-299,301-399,401-499,501-4094


    I cannot get the XG setup until Monday. But I will.

    With this setup I can reach the 3560 from the XG but cannot reach the XG from the 3560 unless I change gig0/9 to a routed port, but then VLANs won't be able to go through that link.

  • Ok, that's great, thank you. I just checked the config on my Cisco switch, which is connected to a Sophos XG via a trunk. All I have is the uplink interface set as trunk like yours, and my XG with sub-interfaces on the LAN port of the XG. Below is my config on the Cisco uplink and the XG config.


    !
    interface GigabitEthernet1/0/24
     description Uplink to FW1 Inside
     switchport mode trunk
     spanning-tree portfast trunk
     spanning-tree bpduguard enable
    end


  • Yes, the exact same config I have, minus the spanning-tree settings.

    I upgraded the software though. Hope that's not a problem.

    Do you use an XG 210?

  • I'm sure the spanning-tree setting wouldn't cause an issue. I've currently got the XG in a VMware ESXi environment with a NIC connected to a switch. If anything, your setup is simpler. I'm sure your issue is something simple; send me the XG config on Monday and we can see if we can resolve your issue.


    Thanks Mark

  • Please post a shot of the network interface configuration (connecting to the Cisco) in the XG.

    Ian

  • Hello Mark,

    Please find below my settings on the Sophos XG 210 and my 3560 switch.

    I got the supplier support to also have a look and some settings were changed, so now:

    1. Clients on my VLANs have access to the internet.
    2. My switch does not have internet access.
    3. Clients can ping the inside firewall interface as well as the inside switch interface.
    4. The switch still cannot reach or ping the directly connected FW LAN interface.


    CISCO 3560 CONFIG


    Current configuration : 4148 bytes
    !
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa authentication login default local
    !
    aaa session-id common
    clock timezone Lagos 0 0
    system mtu routing 1500
    !
    no ip subnet-zero
    ip routing
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface Loopback1
     ip address 172.19.1.1 255.255.255.252
    !
    interface GigabitEthernet0/1
     switchport access vlan 300
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/2
     switchport access vlan 300
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/3
     switchport access vlan 300
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/4
     switchport access vlan 300
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/5
     switchport access vlan 20
    !
    interface GigabitEthernet0/6
     switchport access vlan 20
    !
    interface GigabitEthernet0/7
     switchport access vlan 400
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/8
     switchport access vlan 400
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/9
     switchport access vlan 500
     switchport trunk allowed vlan 10,300,400,500
     switchport trunk native vlan 10
     switchport mode trunk
     switchport nonegotiate
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan300
     ip address 10.0.1.1 255.255.255.0
    !
    interface Vlan400
     ip address 10.0.3.1 255.255.255.0
    !
    interface Vlan500
     description Trunk_link_to_FW
     ip address 172.18.25.2 255.255.255.252
    !
    ip forward-protocol nd
    ip http server
    ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 172.18.25.1
    ip ssh time-out 90
    ip ssh version 2
    !
    line con 0
    line vty 0 4
     transport input ssh
    line vty 5 15
     transport input ssh
    !
    ntp server 0.europe.pool.ntp.org
    !
    end

  • Hi, try sourcing the ping from a VLAN interface on your switch and see if that reaches, please?


    #ping x.x.x.x source vlanxxx


    Thanks Mark

  • I think I see the problem now: you have your switch set with VLAN 500 with address 172.18.25.2.

    You don't have a VLAN 500 trunking from the Sophos XG.

    Try sourcing a ping from VLAN 300 and VLAN 400; that should work?

    Also turn off IP routing.


    Thanks Mark
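A check for the mismatch Mark describes, added here and not taken from the thread or from Cisco/Sophos: it parses the posted 3560 config, works out which VLANs the trunk actually carries (including the `allowed vlan remove` form from the first config), and reports every routed SVI whose VLAN is either not allowed on the trunk or has no matching sub-interface on the XG. The firewall's sub-interface list is an assumption based on the thread (300 and 400 present, 500 removed by the provider).

```python
import re
# Constructed sample: the relevant lines of the 3560 running-config posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/9
 switchport trunk allowed vlan 10,300,400,500
 switchport trunk native vlan 10
 switchport mode trunk
interface Vlan300
 ip address 10.0.1.1 255.255.255.0
interface Vlan500
 ip address 172.18.25.2 255.255.255.252
"""
FIREWALL_SUBINTERFACES = {300, 400}  # assumption: XG LAN sub-interfaces as in the thread, none in VLAN 500

def expand_vlans(spec):
    """'10,300-302,500' -> {10, 300, 301, 302, 500} (IOS range syntax)."""
    parts = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def parse_interfaces(config):
    """Split an IOS config into {interface name: [stripped config lines]}."""
    blocks, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            blocks[cur] = []
        elif cur and line and line != "!":
            blocks[cur].append(line)
    return blocks

def trunk_vlans(lines):
    """VLANs a trunk carries: all by default; 'allowed vlan X' replaces the set, 'remove X' prunes it."""
    allowed = set(range(1, 4095))
    for m in filter(None, (re.match(r"switchport trunk allowed vlan (remove )?(\S+)$", l) for l in lines)):
        allowed = allowed - expand_vlans(m.group(2)) if m.group(1) else expand_vlans(m.group(2))
    return allowed

def audit(config, trunk_port, fw_vlans):
    """Each SVI with an IP address needs its VLAN allowed on the trunk AND a peer sub-interface on the firewall."""
    blocks, problems = parse_interfaces(config), []
    carried = trunk_vlans(blocks[trunk_port])
    for name, lines in blocks.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and any(l.startswith("ip address ") for l in lines):  # an SVI the switch routes
            vid = int(m.group(1))
            if vid not in carried:
                problems.append(f"VLAN {vid}: routed on the switch but not allowed on {trunk_port}")
            elif vid not in fw_vlans:
                problems.append(f"VLAN {vid}: tagged across {trunk_port} but the firewall has no sub-interface in it")
    return problems
```

Run against the sample it reports only VLAN 500, the transit VLAN whose switch-side SVI has no peer on the XG; the same check on the later config (allowed 300,400 only) instead flags VLAN 500 as not carried at all.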

  • Hi again Mike,

    I have sent the source ping results.

    I initially added VLAN 500 on the port 5 VLAN sub-interface but the provider support took it out.

    Am I to include VLAN 500?

  • Just create it again with a new address range, add that on to your switch VLAN 500 with the new address range and see what happens. Also remove the native VLAN off the trunk port for now please, just to make it basic.

  • Does it matter if I use a /30 or should I use a wider range?

  • I have deleted VLAN 500 and removed IP routing.

    I will restart the switch and reconfigure using a 192.x.x.x /30 range, then revert.

  • Ok I will wait to hear back :)


  • interface Loopback1
    ip address 172.19.1.1 255.255.255.252
    no ip route-cache
    !
    interface GigabitEthernet0/1
    switchport access vlan 300
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/2
    switchport access vlan 300
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/3
    switchport access vlan 300
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/4
    switchport access vlan 300
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/5
    switchport access vlan 20
    !
    interface GigabitEthernet0/6
    switchport access vlan 20
    !
    interface GigabitEthernet0/7
    switchport access vlan 400
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/8
    switchport access vlan 400
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/9
    switchport access vlan 500
    switchport trunk allowed vlan 300,400
    switchport trunk native vlan 10
    switchport mode trunk
    switchport nonegotiate
    !
    interface GigabitEthernet0/10
    switchport access vlan 20
    !
    interface GigabitEthernet0/11
    switchport access vlan 20
    !
    interface GigabitEthernet0/12
    switchport access vlan 20
    !
    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    interface Vlan20
    description Garage Vlan
    no ip address
    no ip route-cache
    !
    interface Vlan300
    ip address 10.0.1.1 255.255.255.0
    no ip route-cache
    !
    interface Vlan400
    ip address 10.0.3.1 255.255.255.0
    no ip route-cache
    !
    interface Vlan500
    description Trunk_link_to_FW
    ip address 192.168.10.2 255.255.255.0
    !
    ip forward-protocol nd
    ip http server
    ip http secure-server
    !
    ip ssh time-out 90
    ip ssh version 2
    !