
Trunk links

Hi People.

I configured a trunk link between my 3560-CX and the Sophos XG 210 and I can no longer ping/reach the XG's interface. When I change the 3560-CX port to a routed port, I can ping or reach the XG LAN interface. Is this usual?

If it is, how then can I configure my VLANs to reach the XG 210?



  • You would have to create sub-interfaces on the Sophos XG for you to be able to reach the LAN port.

  • Hello Mark, thanks.

    If I create VLAN sub-interfaces, I have to trunk the 3560 interface so the VLANs can traverse the trunk link.

    However, I am unable to reach the XG interface the moment I trunk that 3560 interface. I can only talk to the XG interface when my Cisco 3560 equivalent port is a routed port.

  • Hello Mark,

    Please find below my settings on the Sophos XG 210 and my 3560 switch.

    I got the supplier support to also have a look and some settings were changed, so now:

    1. Clients on my VLANs have access to the internet.
    2. My switch does not have internet access.
    3. Clients can ping the inside firewall interface as well as the inside switch interface.
    4. The switch still cannot reach or ping the directly connected FW LAN interface.

    CISCO 3560 CONFIG

    Current configuration : 4148 bytes
    !
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa authentication login default local
    !
    aaa session-id common
    clock timezone Lagos 0 0
    system mtu routing 1500
    !
    no ip subnet-zero
    ip routing
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface Loopback1
     ip address 172.19.1.1 255.255.255.252
    !
    interface GigabitEthernet0/1
     switchport access vlan 300
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/2
     switchport access vlan 300
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/3
     switchport access vlan 300
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/4
     switchport access vlan 300
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/5
     switchport access vlan 20
    !
    interface GigabitEthernet0/6
     switchport access vlan 20
    !
    interface GigabitEthernet0/7
     switchport access vlan 400
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/8
     switchport access vlan 400
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet0/9
     switchport access vlan 500
     switchport trunk allowed vlan 10,300,400,500
     switchport trunk native vlan 10
     switchport mode trunk
     switchport nonegotiate
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan300
     ip address 10.0.1.1 255.255.255.0
    !
    interface Vlan400
     ip address 10.0.3.1 255.255.255.0
    !
    interface Vlan500
     description Trunk_link_to_FW
     ip address 172.18.25.2 255.255.255.252
    !
    ip forward-protocol nd
    ip http server
    ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 172.18.25.1
    ip ssh time-out 90
    ip ssh version 2
    !
    line con 0
    line vty 0 4
     transport input ssh
    line vty 5 15
     transport input ssh
    !
    ntp server 0.europe.pool.ntp.org
    !
    end

  • Hi, try sourcing the ping from a VLAN interface on your switch and see if that reaches, please?

    #ping x.x.x.x source vlanxxx

    Thanks, Mark

  • I think I see the problem now: you have your switch set with VLAN 500 with address 172.18.25.2.

    You don't have a VLAN 500 trunking from the Sophos XG.

    Try sourcing a ping from VLAN 300 and VLAN 400; that should work?

    Also turn off ip routing.

    Thanks, Mark
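
The mismatch Mark points at can be read straight off the posted running-config: the address the switch uses for the firewall link lives on SVI Vlan500, which Gi0/9 carries tagged, while the trunk's native VLAN 10 (the untagged side, where a firewall interface without a VLAN sub-interface lands) has no SVI on the switch at all. The script below is an added example, not code from the thread or from Cisco/Sophos; it parses a trimmed copy of that config and lists, for each trunk port, the native and tagged VLANs with the switch SVI address that terminates each one, so a native VLAN that the switch does not route shows up as `None`. It assumes the plain `switchport trunk allowed vlan <list>` form (no `add`/`remove`/`except` keywords).

```python
# Trimmed excerpt of the 3560 running-config posted in this thread (trunk port + SVIs).
RUNNING_CONFIG = """\
interface GigabitEthernet0/9
 switchport trunk allowed vlan 10,300,400,500
 switchport trunk native vlan 10
 switchport mode trunk
interface Vlan300
 ip address 10.0.1.1 255.255.255.0
interface Vlan400
 ip address 10.0.3.1 255.255.255.0
interface Vlan500
 ip address 172.18.25.2 255.255.255.252
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return ifaces

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,300-302,500' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_report(config):
    """Per trunk port: native and tagged VLANs, each paired with its SVI address (None = not routed here)."""
    ifaces = parse_interfaces(config)
    svis = {int(n[4:]): next((l.split()[2] for l in c if l.startswith("ip address ")), None)
            for n, c in ifaces.items() if n.startswith("Vlan") and n[4:].isdigit()}
    report = {}
    for name, lines in ifaces.items():
        if "switchport mode trunk" not in lines:
            continue
        # Last word of each sub-command is its argument (assumes plain 'allowed vlan <list>').
        args = {l.rsplit(" ", 1)[0]: l.rsplit(" ", 1)[1] for l in lines if " " in l}
        native = int(args.get("switchport trunk native vlan", 1))
        spec = args.get("switchport trunk allowed vlan")
        allowed = expand_vlan_list(spec) if spec else set(svis)
        report[name] = {"native": (native, svis.get(native)),
                        "tagged": {v: svis.get(v) for v in sorted(allowed - {native})}}
    return report
```

Calling `trunk_report(RUNNING_CONFIG)` reports Gi0/9 with native VLAN 10 paired with `None` and VLAN 500 paired with 172.18.25.2, which is the asymmetry between the untagged firewall side and the tagged switch SVI.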


  • #ping 172.18.25.2 source vlan300
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.25.2, timeout is 2 seconds:
    Packet sent with a source address of 10.0.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


    ping 172.18.25.2 source vlan400
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.25.2, timeout is 2 seconds:
    Packet sent with a source address of 10.0.3.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms


    ping 172.18.25.2 source vlan500
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.25.2, timeout is 2 seconds:
    Packet sent with a source address of 172.18.25.2
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms


    ping 172.18.25.1 source vlan500
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.25.1, timeout is 2 seconds:
    Packet sent with a source address of 172.18.25.2
    .....
    Success rate is 0 percent (0/5)


    ping 172.18.25.1 source vlan300
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.25.1, timeout is 2 seconds:
    Packet sent with a source address of 10.0.1.1
    .....
    Success rate is 0 percent (0/5)


    ping 172.18.25.1 source vlan400
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.25.1, timeout is 2 seconds:
    Packet sent with a source address of 10.0.3.1
    .....
    Success rate is 0 percent (0/5)

    I still cannot reach the firewall inside interface. I can only reach the switch inside interface.

  • Hi again, Mike.

    I have sent the source ping results.

    I initially added VLAN 500 on the port 5 VLAN sub-interface, but the provider support took it out.

    Am I to include the VLAN 500?

  • Just create it again with a new address range and add that on to your switch VLAN 500 with the new address range and see what happens. Also remove the native VLAN off the trunk port for now, please, just to make it basic.

  • Does it matter if I use a /30, or should I use a wider range?

  • I have deleted VLAN 500 and removed ip routing.

    I will restart the switch and reconfigure using a 192.x.x.x /30 range, then revert.

  • Ok I will wait to hear back :)


  • interface Loopback1
    ip address 172.19.1.1 255.255.255.252
    no ip route-cache
    !
    interface GigabitEthernet0/1
    switchport access vlan 300
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/2
    switchport access vlan 300
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/3
    switchport access vlan 300
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/4
    switchport access vlan 300
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/5
    switchport access vlan 20
    !
    interface GigabitEthernet0/6
    switchport access vlan 20
    !
    interface GigabitEthernet0/7
    switchport access vlan 400
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/8
    switchport access vlan 400
    switchport mode access
    switchport nonegotiate
    !
    interface GigabitEthernet0/9
    switchport access vlan 500
    switchport trunk allowed vlan 300,400
    switchport trunk native vlan 10
    switchport mode trunk
    switchport nonegotiate
    !
    interface GigabitEthernet0/10
    switchport access vlan 20
    !
    interface GigabitEthernet0/11
    switchport access vlan 20
    !
    interface GigabitEthernet0/12
    switchport access vlan 20
    !
    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    interface Vlan20
    description Garage Vlan
    no ip address
    no ip route-cache
    !
    interface Vlan300
    ip address 10.0.1.1 255.255.255.0
    no ip route-cache
    !
    interface Vlan400
    ip address 10.0.3.1 255.255.255.0
    no ip route-cache
    !
    interface Vlan500
    description Trunk_link_to_FW
    ip address 192.168.10.2 255.255.255.0
    !
    ip forward-protocol nd
    ip http server
    ip http secure-server
    !
    ip ssh time-out 90
    ip ssh version 2
    !