[c-nsp] VLAN behavior behind FWSM
John Neiberger
John.Neiberger at efirstbank.com
Wed Jul 20 13:52:49 EDT 2005
Can you elaborate a bit more about the problem you've seen that is
similar to this?
Our problem is getting even stranger. The FWSM *is* getting involved,
but I am at a loss to explain why or even how.
Imagine two VLANS configured on the FWSM, Alpha and Beta. We have users
in Alpha trying to talk to other users in Alpha. The FWSM is seeing some
of this traffic but it is showing up in the log because the traffic is
being denied. The really strange thing is that the FWSM thinks the
traffic is going from VLAN Alpha to VLAN Beta!
So, to further elaborate, let's say that we have two devices in VLAN
Alpha with IP address 10.1.1.1 and 10.1.1.2. VLAN Alpha has an incoming
access list applied. The FWSM logs show entries similar to this:
Jul 20 2005 10:54:27: %FWSM-4-106100: access-list ALPHA-IN denied tcp
ALPHA/10.1.1.1(3178) -> BETA/10.1.1.2(29479) hit-cnt 3 (300-second
interval)
VLAN Beta has an entirely different range of addresses, let's say
10.2.2.0/24. There is no config on the FWSM that would make the FWSM
think that 10.1.1.0 is in any way related to VLAN Beta. Yet, for some
reason, the FWSM is seeing this traffic and dropping it. I can think of
no way that the FWSM could even be seeing this traffic. My only guess is
that perhaps, for example, 10.1.1.1 sends an ARP request for 10.1.1.2
and the FWSM answers with its own MAC address. Then, when 10.1.1.1 send
a TCP SYN to 10.1.1.2, the FWSM thinks that 10.1.1.2 resides on a
different VLAN and drops the traffic because it isn't explicitly allowed
in the ALPHA-IN access list. Very weird.
Any thoughts?
Thanks,
John
--
>>> Kenny Long <long.kenny at gmail.com> 7/19/05 5:39:43 PM >>>
You could assume the FWSM is completely out of the loop but then you
would eliminate finding the problem that I have occasionally seen
cause the symptoms you describe.
If the FWSM is doing the alias command, I would double check this
page, and verify your configs
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#topic1
Please make sure the FWSM is not trying to "own" any of these
problematic IP addresses, by responding to ARP requests with its own
Mac address.
Kenny
On 7/19/05, Simon Hamilton-Wilkes <simon at jettis.com> wrote:
> Yes the FWSM is completely out of the loop, as any other gateway
device
> would be.
>
> Simon
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list