08-13-2008 04:21 AM - edited 03-11-2019 06:30 AM
Hi,
I have set up a new Cisco L3 switch and created three different VLANs.
1) V-lan 100 192.168.12.0/24 f0
2) V-lan 200 192.168.13.0/24 f1
3) V-lan 300 192.168.14.0/24 f2
Switch port F3 is directly connected to the ASA 5505 firewall.
ASA Inside IP 192.168.10.2
Switch F3 IP 192.168.10.1
Now I want all VLAN traffic destined for the internet to go through the ASA. Please suggest what type of config I will have to do.
08-13-2008 10:54 AM
As a reference, I will try to explain a bit more so that you know the options in future.
You cannot delete the default management VLAN 1 from this switch or any switch, as it is a default VLAN embedded in the switch code, but you can choose any other VLAN for management and leave VLAN 1 alone with no IP address, and still be able to telnet to the switch from any other SVI interface; it is simply for management. The VLAN 1 association on the switch is local to the switch and not the firewall.
If you had created the VLANs on the ASA, for example:
interface Ethernet0/1.100
vlan 100
nameif inside1
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/1.101
vlan 101
nameif inside2
security-level 100
ip address 192.168.11.1 255.255.255.0
same-security-traffic permit inter-interface
then on the switch the trunk must be configured and the ASA VLAN numbers associated with the switch L2 VLAN numbers, as below.
switch: Layer 2 VLANs
vlan database
vlan 100 name inside1
vlan 101 name inside2
interface fastethernet0/48
description Connection to ASA_Inside_Ethernet1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,101
////
In the original reply's example the fe0/48 defaults to VLAN 1 anyway, and the switchport access vlan 1 command is not required; I'm just picky about it and place it when there are many VLANs configured and I want to know who is who on the switch ports. You are correct in saying master port; although I have not heard that term for switches, I think that by master port you meant the primary physical connection to the firewall inside interface.
08-13-2008 12:50 PM
No because internal routing is enabled on the switch, they will talk to each other fine.
08-13-2008 12:57 PM
Yes, ACLs will be required in the L3 switch if you want to control traffic between the subnets.
08-13-2008 04:54 AM
"No shut" the actual interface and create a sub-interface for each VLAN. The physical interface can't have a VLAN, so you'll need 3 subs. Configure the sub-interfaces the same way you would a physical interface. Set up your L3 switch interface as an 802.1Q trunk port.
interface physical_interface.subinterface
vlan vlan-id
EX:
interface g0/1.10
vlan 10
Thanks,
Chad
Please rate if helpful.
08-13-2008 05:09 AM
Hi Chad,
your idea is 100% right,
but he said he is using an L3 switch, and as he mentioned he has given an IP address to the switch interface, so this interface is not a trunk or a layer-two port any more,
and with your config he will use his switch as an L2 switch only,
while he can benefit from his layer-three switch and do all the routing in the L3 switch, with the full config as mentioned in my post to him.
Unless he wants the communication between VLANs to go through the firewall; in that case he does not need to do the routing on the L3 switch.
Thank you
08-13-2008 05:02 AM
The easy way is as follows:
first, enter the following command on the switch to enable routing
ip routing
then
create three SVIs on the switch,
like
interface vlan 100
ip address 192.168.12.1 255.255.255.0
no shut
interface vlan 200
ip address 192.168.13.1 255.255.255.0
no shut
interface vlan 300
ip address 192.168.14.1 255.255.255.0
no shut
then create a default route pointing to the ASA inside interface
on the switch
ip route 0.0.0.0 0.0.0.0 192.168.10.2
make the switchport connected to the ASA a routed port,
for example
interface fastethernet0/3
no switchport
ip address 192.168.10.1 255.255.255.0
no shut
now on the ASA create three static routes, each one pointing to one of your VLANs and going through the switch interface
on the ASA:
route inside 192.168.12.0 255.255.255.0 192.168.10.1
route inside 192.168.13.0 255.255.255.0 192.168.10.1
route inside 192.168.14.0 255.255.255.0 192.168.10.1
and for any client connected to the switch:
if you connect the client to VLAN 100,
this client's default gateway must be the VLAN 100 interface that we created above,
and the same idea for each VLAN.
Good luck,
and please rate if helpful.
08-13-2008 07:23 AM
Marwan's suggestion is the easiest way to do it, which is actually creating SVI interfaces in your L3 switch. You could do OSPF adjacency between the ASA inside and the L3 switch, but Marwan's example is a good way to go.
Additionally you will need to add those SVI subnets in the ASA to PAT them using the global outside interface for internet traffic.
i.e.
global (outside) 1 interface
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 1 192.168.13.0 255.255.255.0
nat (inside) 1 192.168.14.0 255.255.255.0
Rgds
Jorge
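The forwarding behaviour that Marwan's routing post, Jorge's NAT addition and the later ACL remark describe, as an added Python model that is not part of the thread and not Cisco code. It builds the L3 switch and the ASA as two longest-prefix-match routing tables with the thread's inside addresses (the outside addresses 198.51.100.7 and 8.8.8.8 are constructed placeholders), then traces packets through them. It models only route lookup and the PAT decision, not the ASA's stateful inspection or reverse-path checks, so the "no static route" case shows that the ASA has no inside path rather than exactly how the real box would drop the packet. The `block_vlan100_to_vlan200` function stands in for an ACL applied to the SVIs and is an assumption, not a thread command.

```python
from ipaddress import ip_address, ip_network


class Device:
    """One routing hop (the L3 switch or the ASA) with a static table and an optional ACL."""

    def __init__(self, name, routes, acl=None):
        self.name = name
        # Each route is (prefix, next hop). A next hop is "connected:<interface>",
        # "outside" (the upstream beyond this model) or the IP of a neighbour.
        self.routes = [(ip_network(prefix), nh) for prefix, nh in routes]
        self.acl = acl  # callable(src, dst) -> bool; None means permit everything

    def lookup(self, dst):
        """Longest-prefix match, the rule both IOS and the ASA apply to their tables."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def permits(self, src, dst):
        return True if self.acl is None else self.acl(src, dst)


# Inside addresses are the ones from the thread; outside addresses are constructed placeholders.
SWITCH_FA0_3 = ip_address("192.168.10.1")
ASA_INSIDE = ip_address("192.168.10.2")
VLAN_SUBNETS = {100: "192.168.12.0/24", 200: "192.168.13.0/24", 300: "192.168.14.0/24"}
# nat (inside) 1 <subnet> + global (outside) 1 interface: these sources are PATed on the way out
NAT_SUBNETS = [ip_network(s) for s in VLAN_SUBNETS.values()]


def build_topology(asa_static_routes=True, switch_acl=None):
    """Return (switch, asa, next-hop table) for the routed-port design in the thread."""
    switch = Device("L3SW", [
        *((subnet, f"connected:vlan{vid}") for vid, subnet in VLAN_SUBNETS.items()),
        ("192.168.10.0/24", "connected:fa0/3"),      # routed port towards the ASA
        ("0.0.0.0/0", str(ASA_INSIDE)),              # ip route 0.0.0.0 0.0.0.0 192.168.10.2
    ], acl=switch_acl)
    asa_routes = [("192.168.10.0/24", "connected:inside"), ("0.0.0.0/0", "outside")]
    if asa_static_routes:  # route inside 192.168.x.0 255.255.255.0 192.168.10.1
        asa_routes += [(subnet, str(SWITCH_FA0_3)) for subnet in VLAN_SUBNETS.values()]
    asa = Device("ASA", asa_routes)
    return switch, asa, {ASA_INSIDE: asa, SWITCH_FA0_3: switch}


def trace(first_hop, next_hops, src, dst, max_hops=8):
    """Walk a packet hop by hop; returns (outcome, list of devices visited)."""
    src, dst = ip_address(src), ip_address(dst)
    device, path = first_hop, []
    for _ in range(max_hops):
        path.append(device.name)
        if not device.permits(src, dst):
            return "denied-by-acl", path
        match = device.lookup(dst)
        if match is None:
            return "no-route", path
        nh = match[1]
        if nh.startswith("connected:"):
            return "delivered:" + nh.split(":", 1)[1], path
        if nh == "outside":
            pat = any(src in net for net in NAT_SUBNETS)
            return ("outside:pat" if pat else "outside:no-nat"), path
        device = next_hops[ip_address(nh)]
    return "loop", path


def block_vlan100_to_vlan200(src, dst):
    """Hypothetical ACL on the switch SVIs: VLAN 100 may not reach VLAN 200."""
    return not (src in ip_network("192.168.12.0/24") and dst in ip_network("192.168.13.0/24"))


if __name__ == "__main__":
    sw, asa, hops = build_topology()
    print(trace(sw, hops, "192.168.12.10", "8.8.8.8"))          # switch -> ASA -> PATed out
    print(trace(sw, hops, "192.168.12.10", "192.168.13.10"))    # inter-VLAN: never leaves the switch
    print(trace(asa, hops, "198.51.100.7", "192.168.12.10"))    # reply reaches VLAN 100 via the static route
    _, asa2, hops2 = build_topology(asa_static_routes=False)
    print(trace(asa2, hops2, "198.51.100.7", "192.168.12.10"))  # without it the ASA has no inside path
    sw3, _, hops3 = build_topology(switch_acl=block_vlan100_to_vlan200)
    print(trace(sw3, hops3, "192.168.12.10", "192.168.13.10"))  # the switch ACL is the only control point
```

The two runs worth comparing are the inter-VLAN trace and the return-path trace: VLAN-to-VLAN packets are delivered by the switch alone, so the firewall never sees them and only an ACL on the switch can restrict them, while replies from the internet only find a path back to a VLAN subnet when the ASA carries the three `route inside` statements.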
08-13-2008 07:32 AM
Thanks Jorge, especially for the NAT,
because I got busy arranging the routing for him.
Sure, the NAT must be done for all internal VLAN subnets to integrate with the static routes that we have added to the ASA;
I mean the way out and back, end to end.
08-13-2008 08:42 AM
Thanks for all the suggestions, but as far as I know, when all VLAN traffic goes to another device using a single port on the switch, a trunk port must be configured. In the above scenario, isn't a configured trunk port required?
08-13-2008 08:49 AM
In the above scenario trunking is not required because you are not creating the VLANs in the firewall. When you do 802.1Q subinterfaces on the ASA, then you need to extend those VLANs to the switch via a trunk. But because you are doing inter-VLAN routing within the L3 switch, you simply need the example provided by Marwan.
Rgds
Jorge
08-13-2008 09:04 AM
Well, the ASA is set up with the default configuration and the inside interface is also associated with VLAN 1. Does anything need to change on the ASA inside interface, which will be connected to the switch port?
If I use inter-VLAN routing on the L3 switch, then what commands do I need to execute? Thanks
08-13-2008 09:15 AM
Let's take the ASA inside interface subnet 192.168.10.0/24,
ASA inside IP 192.168.10.2;
you can do as follows.
The switch has the default VLAN 1, which is the management VLAN. Configure the management VLAN in the same network as your ASA inside subnet.
Example on the switch:
interface vlan1
ip address 192.168.10.3 255.255.255.0
no shut
then connect the ASA inside physical port to a switchport on the switch.
interface fastethernet0/48
description ASA_Inside_Interface
switchport access vlan 1
speed 100
duplex full
no shut
And that's it; complete Marwan's example, with the default route pointing to the ASA inside interface IP address.
For your hosts on the 12, 13 and 14 subnets the default gateway will be the SVI interface IP address, and for internet access follow the nat (inside) 1 example above.
Let us know if you need a more complete script, but you should be good to go.
[edit]
For the inter-VLAN routing configuration, create the SVIs on the switch as in Marwan's example. For the SVI interfaces you create to come up/up, you must connect a host to the allocated switchport and place that switchport in the correct SVI VLAN.
Example:
interface vlan 100
ip address 192.168.12.1 255.255.255.0
no shut
interface fastethernet0/1
description WindowsXP_PC1
switchport access vlan 100
speed 100
duplex full
no shut
Rgds
Jorge
08-13-2008 09:51 AM
If I delete VLAN 1, which is associated with the ASA inside interface, are the following commands then required on the switch management interface?
interface fastethernet0/48
description ASA_Inside_Interface
switchport access vlan 1
speed 100
duplex full
no shut
08-13-2008 09:56 AM
As I understand it, without a VLAN configured on the ASA inside interface, the connected port of the switch will work like a master port.
08-13-2008 11:27 AM
Valuable! I appreciate it. Guys, please don't mind that I am a bit confused by the VLAN configuration; that's why I am posting lots of queries, and I hope all the confusion will be washed away with your support.
Can you please tell me now how I can do inter-VLAN routing on the L3 switch? Please show an example if possible. Thanks
08-13-2008 11:59 AM
waiting