Cisco ASA/Catalyst Switch VLAN Configuration

Jan 11th, 2010

Hi,

I'm looking to set up an environment to host some web content. The environment will be made up of 2 web servers and a backend SQL server. I have a Cisco ASA 5510 and a 24-port 2960 switch. The SQL servers will sit on the Inside interface and the Web servers will be connected to the DMZ interface. The part I would like to try and get some advice on is how the links between the switch and the ASA would be set up. I have attached a diagram of the setup as I think it would be set up. It's not going to be possible for me to introduce any more hardware due to space constraints.

I would be grateful if someone could comment on whether this is a good way of setting this up or not and if there is a more preferred way of doing it.

Thanks

N


Reza Sharifi Mon, 01/11/2010 - 09:18

Hi Neil,

You could connect the 2960 via 3 links (just the way you have it, and if you have enough ports on the firewall). In this case each link would be an access port, because you are putting one vlan on each link. The other way, which is also a more common way of doing it, is to connect the 2960 to the firewall using only one link and then trunk the link to carry all 3 vlans and use sub-interfaces on the firewall. Since the 2960 is a layer-2 device only and you cannot add any more devices, you have to use the firewall to do the routing and the firewall work. I would also recommend changing vlan 1 to some other number like 10. Vlan 1 is used for control traffic and should not be used as a user vlan or management vlan.

HTH

Reza
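
One way to lay out the single-trunk-with-sub-interfaces design described above, as an added example that is not part of this thread: the VLAN numbers (10 inside, 20 DMZ, 30 management), the port numbers, Ethernet0/1 and the 192.168.x.x addresses are all assumptions, and moving the trunk's native VLAN to an unused VLAN 999 is an added hardening step that goes with the "don't use vlan 1" advice.

```cisco
! ---- Catalyst 2960 (IOS) ---- assumed VLAN ids and ports
vlan 10
 name INSIDE
vlan 20
 name DMZ
vlan 30
 name MGMT
vlan 999
 name UNUSED-NATIVE
!
! One 802.1Q trunk to the ASA carries the inside and DMZ VLANs. The native
! VLAN is moved off VLAN 1 to an unused VLAN and DTP negotiation is disabled.
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface range FastEthernet0/2 - 3
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Shut the VLAN 1 SVI as recommended; the switch is managed on VLAN 30 only
! (the uplink to the separate management switch is not shown).
interface Vlan1
 shutdown
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
!
! ---- ASA 5510 ----
! The physical port carries only tagged frames, so it gets no nameif or
! address; each VLAN becomes a sub-interface with its own security level.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
```

With this layout the ASA is the only routing point between the DMZ and inside sub-interfaces, so any web-to-SQL traffic still has to be explicitly permitted by an access list on the dmz interface.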

Jon Marshall Mon, 01/11/2010 - 09:22

Neil

Firstly, don't use vlan 1. There are potential security issues with vlan 1 that are not present when you use other vlans, so choose another vlan for your management vlan and shut down the vlan 1 interfaces on the switches.

The rest looks fine, although I would ask why you have a totally separate switch for management and then have both the DMZ and inside on the same switch. There is nothing wrong with using the same switch for both inside and DMZ, but if you have another switch, why not use that one for the inside, i.e. your switch labelled for management becomes a joint switch for management and the inside, where the database servers are connected.

Having physical separation from your DMZ is always a better choice if you have the hardware.

Is there any reason why you want the management switch as a completely separate switch?

Jon

cco_welcom Mon, 01/11/2010 - 09:39

Hi,

Thank you for the reply. The setup above (everything apart from the management switch) will be replicated for each client, so each client has their own 5510, 2960, servers etc. Each 5510 will then have the outside interface directly connected to the 'WAN switch'. The management switch is going to provide management access to the ASA/switch and servers for each client.

Part of the setup is actually already in place and I am looking to modify it to the above with any new clients. I did miss one aspect off the diagram: the servers already have a separate network card connected to the management VLAN and this is how they are managed, i.e. the management PC will use this address. The management VLAN stations will have no way to route to the Inside and DMZ VLANs. I have attached an updated diagram. Does this still look viable?

I had thought about the idea of using a single link and sub-interfaces, which also looks good.

Jon Marshall Mon, 01/11/2010 - 10:34

Neil

Yes, it looks fine, although I would still consider moving the inside to the management switch, but it is not critical.

You really do need to get rid of vlan 1.

Why use subinterfaces if you can use full interfaces? Subinterfaces are useful when you have run out of physical interfaces, but this doesn't seem to be an issue for you.

Jon
