CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  elblindo, 2006-08-03
VLAN tagging and FW1 NGX 6.0

Hello,

I have to solve a strange problem with Solaris 10/01 and FW1 NGX60.
I have a tagged VLAN switch port (VLANs 40 and 50) connected to a ce quad-card port and configured two VLANs as ce40005 and ce50005, as suggested by the Sun man pages.
If CP FW1 is down, the VLANs can connect as expected; if FW1 is up, the following mysterious behaviour occurs:

- a ping from physical interface ce3 to physical interface ce0 = success
- a ping from physical interface ce3 to VLAN interface ce50005 = error (I can see an echo request with snoop)
- a ping from a client connected to VLAN 50 to an address behind ce3 = error (I can see an echo request from the VLAN client and an echo response from the destination on interface ce3, but no echo response on VLAN interface ce50005)
- a ping from a client connected to VLAN 40 to an address on VLAN 50 = error (I can snoop only an echo request on ce40004, no echo response)

The ruleset allows ping for all the sources and destinations, and the log shows the incoming request as accepted.

Is there anything I forgot in order to successfully configure VLANs on CP FW1?

Thanks in advance

elblindo
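As an added illustration (this is not code from the thread, from Check Point or from Sun), here is a small POSIX shell script that decodes the Solaris ce VLAN naming the first post relies on (the PPA is VLAN ID * 1000 + physical instance, so ce40005 is VLAN 40 on ce5 and ce50005 is VLAN 50 on ce5) and lists which tagged interfaces are actually UP from `ifconfig -a` output. The ifconfig text embedded in it is constructed, with documentation addresses, and is not the poster's; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: decode Solaris "ce" VLAN interface names and list which tagged
# interfaces are UP. SAMPLE_IFCONFIG is constructed sample text, not output
# captured from the poster's system.
#
# Solaris encodes a tagged VLAN in the PPA of the logical interface name:
#   PPA = (VLAN ID * 1000) + physical instance
# so ce40005 is VLAN 40 on ce5 and ce50005 is VLAN 50 on ce5.

SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.1 netmask ffffff00 broadcast 192.0.2.255
ce3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 198.51.100.1 netmask ffffff00 broadcast 198.51.100.255
ce40005: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.40.0.1 netmask ffffff00 broadcast 10.40.0.255
ce50005: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.50.0.1 netmask ffffff00 broadcast 10.50.0.255'

# vlan_decode NAME -> "driver instance vlan"; vlan 0 means the untagged physical port.
vlan_decode() {
    drv=$(printf '%s' "$1" | sed 's/[0-9]*$//')
    ppa=$(printf '%s' "$1" | sed 's/^[a-z]*//')
    printf '%s %s %s\n' "$drv" $((ppa % 1000)) $((ppa / 1000))
}

# vlan_interfaces IFCONFIG_TEXT -> one line per tagged interface:
#   "name vlan instance UP|DOWN"
vlan_interfaces() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            ce[0-9]*:*) ;;                  # only ce interface header lines
            *) continue ;;
        esac
        name=${line%%:*}
        set -- $(vlan_decode "$name")       # $1=driver $2=instance $3=vlan
        [ "$3" -eq 0 ] && continue          # skip untagged physical ports
        case $line in
            *'<UP,'*) state=UP ;;           # the UP flag is always listed first
            *)        state=DOWN ;;
        esac
        printf '%s %s %s %s\n' "$name" "$3" "$2" "$state"
    done
}

# Stand-alone run: print the decoded VLAN table for the constructed sample.
vlan_interfaces "$SAMPLE_IFCONFIG"
```

On a live box, call `vlan_interfaces "$(ifconfig -a)"` instead of the sample text. This only confirms that the logical VLAN interfaces exist and are up; whether the host forwards between them is a separate question, answered on Solaris 10 by `routeadm` or `ndd -get /dev/ip ip_forwarding`, and whether the firewall then passes the traffic is what the SmartView log has to show.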
#2  chillyjim, 2006-08-07
Re: VLAN tagging and FW1 NGX 6.0

Check the anti-spoofing
#3  elblindo, 2006-08-08
Re: VLAN tagging and FW1 NGX 6.0

Hello chillyjim,

Thanks for your response.
I checked the SmartDefense settings twice, including anti-spoofing, enabled and disabled it on all interfaces, and did a topology update, with no success at all. I set all SmartDefense filters to "log only"; nothing happened that differed from before.
It seems that the packets were not routed. My last post was a little bit wrong in that respect. If FW1 is down, I can ping its VLAN interfaces ce50005 and ce40005, but not devices in the subnets behind these interfaces. Therefore I decided to do a fresh install of Solaris 10. Without FW1 installed, the packets were routed. Until now there hasn't been time to set up FW1 again on this new Solaris installation.

If I make further (successful) steps, I will report here.

Regards

elblindo