V-lan Communication

Sep 25th, 2008

Hi. Currently we have two sites which are connected via an STS IPsec tunnel, using Cisco ASA 5505s. By default three zones are created:

1) DMZ
2) Inside
3) Outside

Inside and DMZ are part of VLAN 1 and Outside is VLAN 2. We have made an exempt rule for communication between Inside and DMZ and added the other remote local network as well.

Now we have decided to make separate VLANs for Inside and DMZ at each site. I just want to know whether we need any additional change in the configuration for communication among the VLANs, locally and remotely. Thanks

ray_stone Fri, 09/26/2008 - 00:36

Would the same exempt rule be applicable for VLAN communication, or does it require the ip routing command, as in an L3 switch configuration?

Ray - here is what I mean:

Firewall Outside interface in a VLAN with NO SVI (Layer 3 interface) on the switch

Firewall DMZ interface in a VLAN with NO SVI (Layer 3 interface) on the switch

Firewall Inside interface in a VLAN with an SVI (Layer 3 interface) on the switch.

Then all the other VLAN SVIs will communicate inter-VLAN on the inside.

HTH

ray_stone Fri, 09/26/2008 - 01:03

Sorry, I didn't understand properly. Could you please explain in more detail? Thanks

The outside VLAN does NOT have an IP address on the switch; it just passes traffic at layer 2.

The DMZ VLAN does not have an IP address on the switch; it just passes traffic at layer 2.

The Inside VLAN does have an IP address on the switch - the inside VLAN does pass traffic at layer 3 to the internal network.

HTH

Correct Answer
Marwan ALshawi Fri, 09/26/2008 - 04:37

Hi Andrew

I think the routing between VLANs, from a security perspective, should be done through the firewall, right?

Ray

You now have inside in one VLAN and DMZ in another VLAN.

If you do the inter-VLAN routing on a switch then the communication between DMZ and inside will bypass the firewall, which is not secure.

However, if you don't make SVIs, as Andrew mentioned, and just make the switch pass L2 traffic to the firewall interface,

and the firewall interface IP address is the default gateway for each host in the corresponding VLAN,

this way the firewall will handle the communication between VLANs

and take care of the requirements of NATing and ACLs.

Good luck

If helpful, rate

ray_stone Fri, 09/26/2008 - 04:51

"If you make the inter-VLAN routing on a switch then the communication between DMZ and inside will bypass the firewall, not secure" - will the communication between the VLANs be secure through the FW? Thanks

ray_stone Fri, 09/26/2008 - 05:08

May I know why it is not secure when configured on the switch?

Another query: If I configure three different VLANs like 100, 200, 300 on an L3 switch, add one interface for each VLAN and assign an IP address which would be the gateway of the client machines, and the switch is connected to the FW and we are using an STS tunnel. Now I want the remote machines of the other sites to communicate with all my local VLANs. What would be the process? Thanks

ray_stone Fri, 09/26/2008 - 05:23

Do we need to make sub-interfaces on the FW, as it will bypass all network traffic for remote nodes? Please suggest.

Marwan ALshawi Fri, 09/26/2008 - 05:40

Hi guys

Ray

You can do it in different ways; first of all you need to know what you want to achieve.

Do you want the communication between VLANs to pass through the switch, with the firewall doing firewalling between your internal networks and the outside and remote site networks,

or do you want the communication between VLANs to be firewalled and routed by the firewall as well?

Once you decide which method you want to use, then we can guide you more easily.

Thank you

Correct Answer
Marwan ALshawi Fri, 09/26/2008 - 17:19

Ok, I will explain both :)

First one:

Let's say we have two internal VLANs:

vlan 10 10.1.1.0/24
vlan 20 20.1.1.0/24

and the scenario is like:

access switch with two VLANs 10,20 --- L3 switch --- ASA --- internet

Ok, now let's consider the first way, which is inter-VLAN routing on the switch.

I will create a third VLAN for the port connecting the L3 switch and the ASA, called VLAN 50,

and the ASA IP is 50.1.1.1.

Now on the access switches only make L2 VLANs, like:

vlan 10
vlan 20

and the link between the L2 switch and the L3 switch is a trunk.

On the L3 switch we need to create L2 and L3 VLANs, like:

vlan 10
interface vlan 10
 ip address 10.1.1.1 255.255.255.0
 no shut
vlan 20
interface vlan 20
 ip address 20.1.1.1 255.255.255.0
 no shut
vlan 50
interface vlan 50
 ip address 50.1.1.2 255.255.255.0
 no shut

Now enable IP routing on the L3 switch:

ip routing

Now make the port to the ASA an access port and put it in VLAN 50.

Now create a default route pointing to the ASA inside IP (50.1.1.1 above):

ip route 0.0.0.0 0.0.0.0 50.1.1.1

If you do show ip route, you will see all the VLAN interfaces as directly connected and the default static route to the ASA.

On the ASA you need two routes for the internal networks through the VLAN 50 (inside) interface, like:

route inside 10.1.1.0 255.255.255.0 50.1.1.2
route inside 20.1.1.0 255.255.255.0 50.1.1.2
route outside 0.0.0.0 0.0.0.0 [outside next hop]
nat (inside) 1 0 0
global (outside) 1 interface

The default gateway for hosts in VLAN 10 will be 10.1.1.1, and in VLAN 20 it will be 20.1.1.1.

OR:

Don't make the VLAN interfaces on the L3 switch, only L2 VLANs; on the switch create a trunk port to the ASA, and on the ASA create two subinterfaces, each one in the corresponding VLAN (VLAN 10 and VLAN 20) with the same IP addressing.

Or:

On the L3 switch create two access ports, each one in a VLAN that you have (one in 10 and the other in 20),

and connect the access ports to different physical ports on the ASA.

Now each VLAN has its own interface or subinterface.

Both work, and in both ways each ASA interface will have an IP; in this case this IP will be the default gateway for the hosts in the corresponding VLAN.

Thus the communication will be through the ASA.

You only need the routes to be done on the ASA, as we have done above, each network through the right interface. Good luck. You need ACLs as well for communication from lower security to higher security interfaces.

If helpful, rate

ray_stone Fri, 09/26/2008 - 23:23

Thank you so much!! I appreciate these great answers. Still something I want to ask:

1) Scenario 1: Why didn't you make a trunk port when you connected the L3 switch and the ASA interface? As I know, if both tunnels' traffic goes through one interface then we make a trunk.

2) Scenario 2: You made sub-interfaces on a switch; then which settings need to be done on the ASA for communication between VLANs 10 and 20? And is it required to make any third VLAN on that interface where you created sub-interfaces? Please show one example if possible. Thanks

Marwan ALshawi Fri, 09/26/2008 - 23:57

For 1) Scenario 1:

I made it an access port in a different VLAN because here we are routing between VLANs on the L3 switch; the communication will be between VLANs on the L3 switch through their SVIs, and between the VLANs and the ASA through the L3 VLAN 50 SVI. A trunk means L2.

By the way,

you can make a routed interface on the L3 switch between the switch and the ASA instead of VLAN 50; the port will be exactly like having a router connected to the ASA, and you can keep the same default route that points to the ASA inside interface. This is another way.

And about 2) Scenario 2:

Here you can make the switch port a dot1q trunk and on the ASA create subinterfaces, one in VLAN 10 with its own IP address in the VLAN 10 IP range, and the same idea for VLAN 20.

On the ASA it will look like you have inside1 and inside2.

Or you can make two access ports on the L3 switch, each one in the corresponding VLAN; this way you will need two physical interfaces on the ASA, each one in the corresponding VLAN IP range.

On the ASA it will be the same idea: you will see two interfaces like inside1 and inside2, or you may name them inside and dmz.

Here the switch passes L2 only; if VLAN 10 wants to talk to VLAN 20 it needs to send the traffic to the ASA, and the ASA will route the traffic and you can control the traffic using NAT or ACLs.

Good luck

If helpful, rate

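Scenario 2 on the ASA 5505 the question started with, as an added example that is not from this thread: the 5505 has no subinterfaces, so the trunk from the L3 switch lands on a switchport and each VLAN becomes an interface VlanN whose address is the hosts' default gateway, which puts every inside-to-DMZ packet through the firewall. The 10.1.1.0/24 and 20.1.1.0/24 addressing follows the thread; the VLAN ids, interface names, ACL names and the remote-LAN placeholder are assumptions, and the no forward interface line applies only to the Base license, which allows a third VLAN with exactly that restriction.

```cisco
! Added example: ASA 5505 as the inter-VLAN router (scenario 2).
! Addresses follow the thread; VLAN ids, names and hosts are assumed.
!
! Trunk from the L3 switch, which carries VLANs 10 and 20 as L2 only
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 no shutdown
!
! Inside: 10.1.1.1 is the default gateway for VLAN 10 hosts
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! DMZ: 20.1.1.1 is the default gateway for VLAN 20 hosts.
! Base license only: the third VLAN may not initiate to one other
! VLAN; here the DMZ cannot open sessions towards inside.
interface Vlan20
 no forward interface Vlan10
 nameif dmz
 security-level 50
 ip address 20.1.1.1 255.255.255.0
!
! Inside<->DMZ and inside<->remote site are NAT-exempt (the existing
! "exempt rule"); everything else is PAT'd to the outside address.
! [remote site LAN] [mask] is a placeholder, not a value from the thread.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 [remote site LAN] [mask]
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Lower-to-higher security is closed by default; this ACL states the
! DMZ policy explicitly: internet yes, inside no.
access-list DMZ_IN extended deny ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 20.1.1.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
```

No route inside lines are needed in this design because both subnets are directly connected to the ASA; only the site-to-site crypto ACL and the NAT exemption need the new DMZ subnet added for the remote site to reach it.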

ray_stone Sat, 09/27/2008 - 00:32

WOW!!! Outstanding!!!

All my confusion has now been cleared. I am very impressed with your response. Thank you so much once again.

1) "between VLANs and the ASA through L3 VLAN 50 SVI, trunk means L2": can you explain in more detail?

2) What does SVI stand for?

Thanks

Correct Answer
Marwan ALshawi Sat, 09/27/2008 - 00:38

SVI means switch virtual interface, like:

interface vlan 10
 ip address x.x.x.x

I meant that if you have SVIs, the communication between VLANs will be through the L3 switch,

and traffic from those VLANs to the outside will be through the ASA.

A host in VLAN 10 will send the packet to its default gateway IP, which is the VLAN 10 SVI on the L3 switch.

We have routing enabled and we have a default route pointing to the ASA IP, which is in VLAN 50, so the L3 switch will route the traffic to VLAN 50 and then to the ASA inside interface.

Hope this is helpful.

If helpful, rate

ray_stone Sat, 09/27/2008 - 01:52

Another question: Suppose we have created three VLANs on an L3 switch like:

1) Int e0/0 Vlan10 10.0.0.1

2) Int e0/0 Vlan20 20.0.0.2

3) Int e0/3 Vlan30 30.0.0.3

4) Int e0/4 --connected--Trunk--L2-- and configured the same three VLANs as above. Then what would be the gateway of the L2 hosts? As I think, the gateway would be the interface IP of the L3 VLANs. Am I right? Thanks!!!!

Marwan ALshawi Sat, 09/27/2008 - 01:55

First, you are right :)

But here:

1) Int e0/0 Vlan10 10.0.0.1

2) Int e0/0 Vlan20 20.0.0.2

3) Int e0/3 Vlan30 30.0.0.3

why do you have an SVI and a physical interface? What did you mean by this?

ray_stone Sat, 09/27/2008 - 02:02

Generally I was asking... But the right way would be to reserve one interface for all VLANs on the L3 switch and create sub-interfaces for the VLANs. Right?

Marwan ALshawi Sat, 09/27/2008 - 02:11

Nooo, this idea is router-on-a-stick.

Now we are talking about a multilayer switch doing inter-VLAN routing.

You need an uplink trunk from the L2 switch to pass all VLAN tags.

On the L3 switch you need the same L2 VLANs created and layer 3 VLAN interfaces as well, which are the SVIs for each VLAN, and this SVI, as mentioned before, will be the default gateway for hosts in that VLAN.

And then you need to enable IP routing on the L3 switch.

And if you have other L3 switches with other VLANs and SVIs, you may use a routing protocol like RIP or EIGRP to route between the L3 switches as if they were routers, and you can get a big L2/L3 switched and routed network.

Hope this is helpful.
