Need a L3 connection?

Unanswered Question
Oct 11th, 2008

Hi All,

I am attaching a diagram of a network. As per the diagram, do I need a L3 connection from my switch to the firewall, using the no switchport command? Or will the current configuration work? Please check.

regards

Jon Marshall Sun, 10/12/2008 - 07:44

Jacob

It looks from your diagram as though vlan 1 is being routed on the 6500, but the ASA firewall inside interface is on vlan 1 as well. What is the default-gateway on your vlan 1 clients, i.e. internet users - is it the vlan 1 interface on the 6500 or the inside interface of the ASA?

I would have a dedicated vlan for communication between the 6500 and the ASA device and definitely not use vlan 1. The default-gateway for clients in vlan 1 should be the 6500 vlan 1 interface. Then use a vlan that only the ASA inside interface and the 6500 L3 SVI are in.

The advantage of a vlan is if you then want another ASA for redundancy you can just add the standby ASA inside interface into the same vlan - so allocate a /29 for the IP subnet just for future use.

Ideally vlan 1 shouldn't be used at all for client data but that's another issue :)

Jon

jacobsamuel2021 Sun, 10/12/2008 - 22:48

Dear Jon,

Thanks for the input.

Gateway is the Vlan 1 Interface IP on 6500 and there is a default route to FW inside interface IP.

So I need an L3 SVI on the 6500 switch for the solution to work? In the current scenario it is not.

My main doubt is this .... the connection from the switch to the Firewall inside.

The interface configuration on 6500 is -

config-if#switchport mode access
config-if#switchport access vlan 1

How can the port be a member of a vlan that is connecting to the L3 physical interface (inside) of the firewall? As you have suggested, it should be a L3 interface, right? I am confused about the L2 vlan and the L3 physical interface connection.

I need some clarity on this part; please give your kind update.

regards

Jon Marshall Mon, 10/13/2008 - 01:34

Jacob

You need to use an unused vlan for the connectivity. So let's assume vlan 30 with an IP subnet of 192.168.5.0 255.255.255.248.

192.168.5.1 will be the 6500 end of the connection between the 6500 and ASA and 192.168.5.2 will be the inside interface of the ASA.

On the 6500 switch

Create the L2 vlan and its L3 SVI

6500(config)# vlan 30
6500(config-vlan)# name 6500_to_FW
6500(config)# interface vlan 30
6500(config-if)# ip address 192.168.5.1 255.255.255.248

On the interface on the 6500 that the ASA is connected into

int gix/xx
switchport access vlan 30

Change the default route to

ip route 0.0.0.0 0.0.0.0 192.168.5.2

On the ASA change the inside address to 192.168.5.2

ip address inside 192.168.5.2 255.255.255.248

and then you need to add static routes for any vlans on the 6500 that the ASA needs to send packets to eg.

route (inside)

Note that we could use a dynamic routing between the 6500 and the ASA but we'll keep it simple with statics :)

Jon
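A small consistency check for the transit-vlan design Jon describes above, written as an added example for this thread (not the poster's or Cisco's code). It models the 6500 SVIs, the access vlan of the port facing the ASA, the default route, and the ASA inside address and static routes, and flags the things that break the hand-off: the firewall sitting in vlan 1, no SVI behind the access port, mismatched subnets, a default route that does not point at the ASA, and missing return routes. The internal subnets 10.1.1.0/24 and 10.1.20.0/24 are assumed values; only vlan 30 / 192.168.5.0/29 comes from the thread.

```python
import ipaddress

# Constructed sample data: the design suggested in the thread. Internal vlan
# subnets are hypothetical; vlan 30 and 192.168.5.0/29 are from the post.
SWITCH = {
    "svis": {1: "10.1.1.1/24", 20: "10.1.20.1/24", 30: "192.168.5.1/29"},
    "fw_port_vlan": 30,             # access vlan on the port the ASA plugs into
    "default_route": "192.168.5.2",  # ip route 0.0.0.0 0.0.0.0 <next hop>
}
ASA = {
    "inside": "192.168.5.2/29",
    # route inside <network> <next hop>, keyed by network
    "routes": {"10.1.1.0/24": "192.168.5.1", "10.1.20.0/24": "192.168.5.1"},
}

# Constructed sample data: the original poster's setup, firewall in vlan 1.
CURRENT_SWITCH = {"svis": {1: "10.1.1.1/24"}, "fw_port_vlan": 1,
                  "default_route": "10.1.1.2"}
CURRENT_ASA = {"inside": "10.1.1.2/24", "routes": {}}


def check_transit(switch, asa):
    """Return a list of design problems; an empty list means the L3 hand-off is consistent."""
    problems = []
    vlan = switch["fw_port_vlan"]
    if vlan == 1:
        problems.append("firewall transit uses vlan 1")
    svi = switch["svis"].get(vlan)
    if svi is None:
        # Access port with no SVI: the switch bridges the vlan but never routes to the ASA.
        problems.append(f"no SVI for vlan {vlan}: nothing on the 6500 routes to the ASA")
        return problems
    svi_if = ipaddress.ip_interface(svi)
    asa_if = ipaddress.ip_interface(asa["inside"])
    if svi_if.network != asa_if.network:
        problems.append("6500 SVI and ASA inside interface are not in the same subnet")
    if ipaddress.ip_address(switch["default_route"]) != asa_if.ip:
        problems.append("6500 default route does not point at the ASA inside address")
    # Every routed vlan on the 6500 other than the transit vlan needs a return
    # route on the ASA via the 6500 SVI, or replies are dropped or asymmetric.
    for v, cidr in switch["svis"].items():
        if v == vlan:
            continue
        net = str(ipaddress.ip_interface(cidr).network)
        if asa["routes"].get(net) != str(svi_if.ip):
            problems.append(f"ASA lacks a return route for {net} via {svi_if.ip}")
    return problems
```

Running check_transit on SWITCH/ASA returns an empty list, while the vlan 1 setup is flagged.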
