Re: Cisco 2950 Issue



On 20 May, 17:33, Trendkill <jpma...@xxxxxxxxx> wrote:
On May 20, 11:49 am, Darren Green <darrenfgr...@xxxxxxxxxxxxx> wrote:





I have a customer who has set up 2 x ISA servers with load
balancing.   The outside ports connect to 2 x D Link switches
(unmanaged). The inside connects to a single Cisco 2950 we manage.

DLink1 Dlink2
     |       |
---------------
     |       |
  ISA1   ISA2
     |       |
--------------
         |
 Cisco 2950

The customer has configured an outside and inside virtual IP address.
Traffic from an outside source can send to the virtual IP ok. When
configuring the virtual IP address on the inside the ISA's cannot
receive traffic.

The reason I think this is an issue to do with the 2950 is as follows:

A host has to arp for the virtual MAC address for the ISA's virtual IP
address. As the virtual MAC is not known on any port the switch has to
flood traffic out all ports. This can happen a lot apparently so I am
wondering if the Cisco switch is throttling the traffic by default due
to lots of unknown unicasts. (see http://www.isaserver.org/articles/basicnlbpart2.html)

I can't understand why this would work on the D Links but not the
2950. The 2950 config is very basic, no special features have been
configured.

Anyone know how I can go about proving / ruling out an issue on the
2950 ?

Regards

Darren

Please paste the configs from the 2950s.  The 2950 would not
'throttle' traffic due to unicasts, this is standard operation for any
ethernet segment.  I would also like to see the router config for this
vlan.  I presume the default gateway for the ISA's is external, so how
does the ISA know how to get back to your other vlans, static route?
Is it set up properly?  Can you ping the ISA from the router in the
same vlan?

Thanks for the follow up.

I will capture a copy of the config and post later tonight. There are
no additional VLANs set up on the inside LAN (I need this changing)
but for now it's all 1 x flat VLAN. I will call the client and ask
them to test ping connectivity.

AFAIK the customer said that they can ping to internal user addresses
from the ISA NIC IP's. When the customer enters the virtual IP on the
ISA's (like we would say for HSRP) the connections drop.

I suspected it was something to do with the flooding unknown unicasts
following reading the link I attached.

Regards

Darren