Sure here is a picture I drew up quickly. So that Cisco 3750x 48 port switch in the "current configuration" is what we are trying to eliminate so we can re purpose. I thought it was a standalone switch not even configured, but I found it does have an IP address on vlan1 and I can access it. The switch goes through the IDS and then into the core, but it looks as if the IDS acts transparently to it. interface GigabitEthernet1/0/1 description Connection to CORE1 1/0/7 VLAN1 switchport mode access ! interface GigabitEthernet1/0/3 description ASA 5525-X LAN Primary switchport mode access ! interface GigabitEthernet1/0/4 description ASA 5525-X LAN Secondary switchport mode access Thats all there is to it, besides ssh enabled and a vlan 1 IP for management. I am able to traceroute out to other office locations from this switch. Obviously there is more detail than what I provided in the attempted configuration. There are multiple interfaces off of each Ecessa PL-600 load balancer. Some take the handoff from the ISP's, some connect back to the MS220 in another vlan, etc.. Obviously the ASA firewalls have other interfaces as well, like two DMZ's, WAN interfaces, etc... But in all intents and purposes I don't think that those obvious parts matter in this issue.
... View more
We have an MS220-24 as our Internet edge switch in order to have enough ports for dual redundant Ecessa PL-600 load blancers, an untangle box for guest wifi, and two ISP handoffs. Each port is on a vlan designated for what it needs, which could be any of the following: vlan 10 - Winstream internet handoff vlan9 - AT&T LTE internet handoff from a cradlepoint vlan11 - MDM network (like apple devices) vlan12 Guest network inside vlan66 - Windstream internet outside ip's vlan 67 - Comcast internet handoff vlan 68 Comcast internet outside ip's Port 1 is a trunk with allowed vlans 11-12,66,68 which goes through to our internet IDS box and onto our Cisco 3750x switch stack with the same allowed vlans on its trunk. That Cisco switch stack is the core and devices are in their appropriate vlans, such as firewalls on vlans 66 and 68, Cisco WLC putting people in mdm network or guest network on vlan 11 or 12 depending on the SSID, and of course there are numerous internal vlans as well. We have an internal IDS interface which unfortunately has only one input and one output. However the issue is that we have two ASA5525x firewalls... a primary and a secondary. So we had a spare Cisco 3750x 48 port poe switch laying around during implementation and all it does is use 3 ports for this purpose. It has the Primary firewall LAN, Secondary firewall LAN, and IDS outside interface plugged in. 45 other ports not being used at all. Well we have better uses for this switch and would like to re purpose it elsewhere. So we created a new vlan 15, which is not on ANY OTHER PORTS on the MS220, and assigned it to ports 22,23,24. Last night we moved the cables from our firewall LAN interfaces and our IDS to these three ports, but guess what... internet access completely stopped. The ports all linked at 1 gig, but we lost connection to the world. Meraki switch even lost connection to its servers and I could not access the port configuration using my iphone app. So we reverted everything back to the way it is... totally using the overkill, and separate Cisco 3750x switch to accommodate for our IDS providers deficiencies in not having enough interfaces to accommodate a secondary firewall. What I find weird is that in the MS220, these last 3 ports were the only ports in vlan 15, and they were set as access ports. So to me, it should have behaved like it was a separate dumb 3 port switch (IMO). I have a ticket open with the IDS/IPS provider to see what other solutions they have, and also if they marry or pair the mac address of the switch it connects to (and maybe it just needed a power cycle to re-pair). Any insight would be appreciated.
... View more