Monday, August 5, 2013

Brocade: Troubleshooting Trunk Port Configuration Problems

Problem: ICMP response works one time, then I get three timeouts after the first success. After that, no ICMP responds at all.
Solution: The ASAs were blocking this, thinking it was some sort of spoofing problem. See what happened below.

I had a problem come up not too long ago at a customer where their Cisco ASA was seeing traffic FROM their internal network TO their internal network. This was odd, since there was a layer 3 port on the Brocade core connected to the HA ASAs. The ASAs were on a 10.10.1.X network (a vlan on the Brocade), and the internal network was just a vlan off that same Brocade switch. You can see this is not normal behavior, since all traffic sourced from and destined to the internal network should be layer 2 only traffic that never reaches the firewalls. Below is the diagram of the network (generically), and the capture I took to troubleshoot whether the traffic was really being seen by the ASAs.

So, from the topology above, you can see that no internal traffic sourced and destined to the internal network of 192.168.73.X should be seen by the ASAs.  However, we see from the packet capture that the ASAs DO see that traffic.  This is not normal.
So, what I found was that there is a trunk port on the core switch to the ASAs. The ASAs have subinterfaces on them, and the Brocade had the internal network as part of the trunk port (a tagged port, in Brocade terms). When I took the tagged port that was connected to the ASA out of the internal vlan (vlan 1 in this case), all started working ok again. Now the ASAs won't see the traffic anymore.
This was simply a configuration problem. So when configuring your trunk ports, make sure they carry only the vlans that need to be there. In the case of the ASAs, I only needed the vlans that matched the ASA subinterfaces.
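To make that last check repeatable, here is a small audit script I have added to this post (it is not the customer's configuration or any vendor tool). It compares the VLAN membership of the switch port facing the ASAs against the VLAN IDs configured on the ASA subinterfaces and reports any VLAN on the trunk that no subinterface uses. The two configs are constructed samples in FastIron-style and ASA-style syntax, the port name 1/1 is assumed, and the parser only reads explicit tagged/untagged membership lines; it does not model any default-VLAN behaviour of the switch, so confirm the real membership with show vlan before trusting the result.

```python
import re

# Constructed sample of a Brocade FastIron-style VLAN config (not from the post).
# Port 1/1 is the tagged link to the ASAs, but it is also still an untagged
# member of vlan 1, the internal network: the misconfiguration described above.
BROCADE_CONFIG = """\
vlan 1 name INTERNAL by port
 untagged ethe 1/1 ethe 1/2 to 1/24
 router-interface ve 1
!
vlan 10 name ASA-OUTSIDE by port
 tagged ethe 1/1
!
vlan 20 name ASA-DMZ by port
 tagged ethe 1/1
!
vlan 30 name ASA-TRANSIT by port
 tagged ethe 1/1
 router-interface ve 30
!
"""

# Same switch after the fix: 1/1 is no longer a member of the internal vlan.
BROCADE_CONFIG_FIXED = BROCADE_CONFIG.replace(
    " untagged ethe 1/1 ethe 1/2 to 1/24", " untagged ethe 1/2 to 1/24")

# Constructed sample of the ASA subinterfaces (only the lines we parse).
ASA_CONFIG = """\
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif dmz
!
interface GigabitEthernet0/0.30
 vlan 30
 nameif inside
!
"""


def expand_ports(spec):
    """Expand a FastIron port list such as 'ethe 1/1 ethe 1/5 to 1/8'
    into the set {'1/1', '1/5', '1/6', '1/7', '1/8'}."""
    ports = set()
    tokens = spec.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("eth"):          # 'ethe' / 'ethernet' keyword
            i += 1
            continue
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            slot, first = tok.split("/")
            _, last = tokens[i + 2].split("/")
            for p in range(int(first), int(last) + 1):
                ports.add(f"{slot}/{p}")
            i += 3
        else:
            ports.add(tok)
            i += 1
    return ports


def brocade_port_vlans(config, port):
    """Return {vlan_id: 'tagged' | 'untagged'} for every VLAN block that
    lists the given port explicitly."""
    membership = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"\s+(tagged|untagged)\s+(.*)", line)
        if m and current is not None and port in expand_ports(m.group(2)):
            membership[current] = m.group(1)
    return membership


def asa_subinterface_vlans(config):
    """Collect the VLAN IDs from ' vlan N' lines under ASA subinterfaces."""
    return {int(m.group(1)) for line in config.splitlines()
            if (m := re.match(r"\s+vlan (\d+)", line))}


def audit_trunk(switch_config, port, asa_config):
    """List (vlan, mode) pairs present on the trunk port but absent from
    the ASA subinterfaces. An empty list means the trunk is pruned correctly."""
    trunk = brocade_port_vlans(switch_config, port)
    wanted = asa_subinterface_vlans(asa_config)
    return sorted((v, mode) for v, mode in trunk.items() if v not in wanted)


if __name__ == "__main__":
    for label, cfg in (("before", BROCADE_CONFIG), ("after", BROCADE_CONFIG_FIXED)):
        extra = audit_trunk(cfg, "1/1", ASA_CONFIG)
        print(f"{label}: unexpected VLANs on port 1/1 -> {extra or 'none'}")
```

Run it against saved copies of the two configs; the "before" case flags vlan 1 as an untagged member of the ASA-facing port, which is exactly why the firewalls were seeing internal-to-internal frames, and the "after" case reports nothing.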
