Jon Marshall Sun, 10/12/2008 - 07:44

Jacob


It looks from your diagram as though vlan 1 is being routed on the 6500 but also the ASA firewall inside interface is on vlan 1 as well. What is the default-gateway on your vlan 1 clients, i.e. internet users - is it the vlan 1 interface on the 6500 or the inside interface of the ASA?


I would have a dedicated vlan for communication between the 6500 and the ASA device and definitely not use vlan 1. The default-gateway for clients in vlan 1 should be the 6500 vlan 1 interface. Then use a vlan that only the ASA inside interface and the 6500 L3 SVI are in.

The advantage of a vlan is if you then want another ASA for redundancy you can just add the standby ASA inside interface into the same vlan - so allocate a /29 for the IP subnet just for future use.


Ideally vlan 1 shouldn't be used at all for client data but that's another issue :)


Jon

jacobsamuel2021 Sun, 10/12/2008 - 22:48

Dear Jon,

Thanks for the input.

Gateway is the Vlan 1 Interface IP on 6500 and there is a default route to FW inside interface IP.


So I need an L3 SVI on the 6500 switch for the solution to work? In the current scenario it is not.


My main doubt is this .... the connection from the switch to the Firewall inside.


The interface configuration on 6500 is:

config-if#switchport mode access
config-if#switchport access vlan 1


How can the port be the member of a vlan that is connecting to the L3 physical interface (inside) of the firewall? As you have suggested, it should be an L3 interface, right? I am confused about the L2 vlan and the L3 physical interface connection.


I need some clarity on this part, please provide your kind update.


regards

Jon Marshall Mon, 10/13/2008 - 01:34

Jacob


You need to use an unused vlan for the connectivity. So let's assume vlan 30 with an IP subnet of 192.168.5.0 255.255.255.248.


192.168.5.1 will be the 6500 end of the connection between the 6500 and ASA and 192.168.5.2 will be the inside interface of the ASA.


On the 6500 switch

Create L2 vlan

6500(config)# vlan 30
6500(config-vlan)# name 6500_to_FW

6500(config)# interface vlan 30
6500(config-if)# ip address 192.168.5.1 255.255.255.248

On the interface on the 6500 that the ASA is connected into

int gix/xx
switchport access vlan 30

Change the default route to

ip route 0.0.0.0 0.0.0.0 192.168.5.2



On the ASA change the inside address to 192.168.5.2

ip address inside 192.168.5.2 255.255.255.248

and then you need to add static routes for any vlans on the 6500 that the ASA needs to send packets to, eg.

route inside <vlan-subnet> <vlan-mask> 192.168.5.1


Note that we could use a dynamic routing between the 6500 and the ASA but we'll keep it simple with statics :)


Jon
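As an added illustration (not part of the thread), a small Python script that builds the 6500 and ASA configuration for the transit-VLAN design above from the /29 and checks the points raised in the thread: the VLAN is not VLAN 1, the subnet leaves a spare address for a standby ASA, and the inside VLAN subnets do not overlap the transit subnet. The inside subnets and the switch port name are constructed sample values.

```python
# Added example (not from the thread): generate and sanity-check the transit-VLAN
# design: a dedicated VLAN (never VLAN 1) carrying a /29, the 6500 SVI on the
# first host address, the ASA inside interface on the second, a default route on
# the 6500 towards the ASA, and ASA static routes back for each inside VLAN.
import ipaddress


def transit_config(vlan_id, transit_cidr, switch_port, inside_subnets):
    """Return (switch_lines, asa_lines) for the 6500 and the ASA, or raise ValueError."""
    if vlan_id == 1:
        raise ValueError("do not use VLAN 1 for the firewall transit link")
    net = ipaddress.ip_network(transit_cidr, strict=True)
    hosts = list(net.hosts())
    # Need room for the switch SVI, the ASA, and a future standby ASA.
    if len(hosts) < 3:
        raise ValueError(f"{net} is too small; allocate at least a /29")
    switch_ip, asa_ip = hosts[0], hosts[1]
    mask = str(net.netmask)
    for s in inside_subnets:
        if ipaddress.ip_network(s, strict=True).overlaps(net):
            raise ValueError(f"inside subnet {s} overlaps transit subnet {net}")
    switch_lines = [
        f"vlan {vlan_id}",
        " name 6500_to_FW",
        f"interface vlan {vlan_id}",
        f" ip address {switch_ip} {mask}",
        f"interface {switch_port}",
        " switchport mode access",
        f" switchport access vlan {vlan_id}",
        f"ip route 0.0.0.0 0.0.0.0 {asa_ip}",
    ]
    # ASA side: inside address plus one static route per inside VLAN via the SVI.
    asa_lines = [f"ip address inside {asa_ip} {mask}"]
    for s in inside_subnets:
        n = ipaddress.ip_network(s, strict=True)
        asa_lines.append(f"route inside {n.network_address} {n.netmask} {switch_ip}")
    return switch_lines, asa_lines


if __name__ == "__main__":
    # Constructed sample values: port name and inside VLAN subnets are hypothetical.
    sw, asa = transit_config(30, "192.168.5.0/29", "GigabitEthernet1/1",
                             ["10.10.1.0/24", "10.10.2.0/24"])
    print("\n".join(sw))
    print("!")
    print("\n".join(asa))
```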
