Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1117
Views
5
Helpful
3
Replies

physical wiring question - edge router, firewall, L3 switch

aaron.largent
Level 1
Level 1

‎02-05-2010 04:22 PM - edited ‎03-06-2019 09:36 AM

I have a DS3 box which drops me an RJ45 at 100/full.  logically speaking, my network looks like:

DS3 - 3825 - ASA5510 - 3560G - 2960G's

All my internal routing is happening on the 3560G.

Right now, my DS3 box is directly plugged into my 3825.  My 3825 is directly connected to my firewall.  My firewall is directly connected to my L3 switch.  All of the above ports are point-to-point, no trunks, no vlans.

My question is:  what is best practice here?  Should the DS3, edge router, and firewall all be hooking into the L3 switch via vlans/trunks and then logically putting the pieces together?  If so, how exactly do I accomplish this?

I imagine the DS3 -> edge router will remain a point to point.

I feel like the inside interface of the edge router should hook to my L3.  using a subinterface on the edge and a trunk on the L3?  Then I could drop a subinterface of my firewall outside int to a trunk on the L3 on a the same vlan.

then drop a subinterface of the firewall inside interface to a trunk on the L3 on a different vlan, and have an inside IP assigned to that vlan on my L3 switch as the default route of the firewall coming in.

Can someone confirm or correct please?  config examples would be high appreciated!!

Labels:
0 Helpful
3 Replies 3

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎02-06-2010 01:08 AM 

I have a DS3 box which drops me an RJ45 at 100/full.  logically speaking, my network looks like:
DS3 - 3825 - ASA5510 - 3560G - 2960G's
All my internal routing is happening on the 3560G.
Right
now, my DS3 box is directly plugged into my 3825.  My 3825 is directly
connected to my firewall.  My firewall is directly connected to my L3
switch.  All of the above ports are point-to-point, no trunks, no vlans.
My
question is:  what is best practice here?  Should the DS3, edge router,
and firewall all be hooking into the L3 switch via vlans/trunks and
then logically putting the pieces together?  If so, how exactly do I
accomplish this?
I imagine the DS3 -> edge router will remain a point to point.
I
feel like the inside interface of the edge router should hook to my
L3.  using a subinterface on the edge and a trunk on the L3?  Then I
could drop a subinterface of my firewall outside int to a trunk on the
L3 on a the same vlan.
then
drop a subinterface of the firewall inside interface to a trunk on the
L3 on a different vlan, and have an inside IP assigned to that vlan on
my L3 switch as the default route of the firewall coming in.
Can someone confirm or correct please?  config examples would be high appreciated!!

Hi,

As per the above setup i would suggest that make use of ASA 5510 firewall for incoming and outgoing traffic,Like Let DS3 to connect edge router via point to point and make vlan between edge router and ASA5510 as  outside zone for traffic coming in and out to  your network should be permiited or denied as per rule applied in ASA5510.

and make separet vlan for inside zone between 3560 and ASA5510 for more restriction for communication between outside and inside or make a trunk port in firewall with L3 as pointed by you so that traffic are directed to firewall for further analysis.

check out the below link for 802.1 q trunk configuration in ASA5510

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1082576

Hope to help

If helpful do rate the post

Ganesh.H

aaron.largent
Level 1
Level 1
In response to Ganesh Hariharan

‎02-06-2010 06:05 AM 

ganeshh.iyer wrote:
I have a DS3 box which drops me an RJ45 at 100/full.  logically speaking, my network looks like:
DS3 - 3825 - ASA5510 - 3560G - 2960G's
All my internal routing is happening on the 3560G.
Right
now, my DS3 box is directly plugged into my 3825.  My 3825 is directly
connected to my firewall.  My firewall is directly connected to my L3
switch.  All of the above ports are point-to-point, no trunks, no vlans.
My
question is:  what is best practice here?  Should the DS3, edge router,
and firewall all be hooking into the L3 switch via vlans/trunks and
then logically putting the pieces together?  If so, how exactly do I
accomplish this?
I imagine the DS3 -> edge router will remain a point to point.
I
feel like the inside interface of the edge router should hook to my
L3.  using a subinterface on the edge and a trunk on the L3?  Then I
could drop a subinterface of my firewall outside int to a trunk on the
L3 on a the same vlan.
then
drop a subinterface of the firewall inside interface to a trunk on the
L3 on a different vlan, and have an inside IP assigned to that vlan on
my L3 switch as the default route of the firewall coming in.
Can someone confirm or correct please?  config examples would be high appreciated!!
Hi,
As per the above setup i would suggest that make use of ASA 5510 firewall for incoming and outgoing traffic,Like Let DS3 to connect edge router via point to point and make vlan between edge router and ASA5510 as  outside zone for traffic coming in and out to  your network should be permiited or denied as per rule applied in ASA5510.
and make separet vlan for inside zone between 3560 and ASA5510 for more restriction for communication between outside and inside or make a trunk port in firewall with L3 as pointed by you so that traffic are directed to firewall for further analysis.
check out the below link for 802.1 q trunk configuration in ASA5510
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1082576
Hope to help
If helpful do rate the post
Ganesh.H

Excellent, thanks!  I was wondering how the ASA accomplished trunks.

Is there a convention for choosing vlan numbers for things like the inside edge router to outside ASA vlan, and the inside ASA interface to L3 switch?

I setup my network with almost no knowledge of conventions, so it is extremely simplistic right now.  When I do this, I'm probably going to change the native vlan away from 1 also, and turn off my vtp server and go with vtp transparent since I have several vlans for my server closet switch that I dont want going out to my access switches.  I think all my unused ports are all still vlan 1 also...  I have a lot of work to do!

Thanks again for the help!

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to aaron.largent

‎02-06-2010 06:15 AM 

Excellent, thanks!  I was wondering how the ASA accomplished trunks.
Is
there a convention for choosing vlan numbers for things like the inside
edge router to outside ASA vlan, and the inside ASA interface to L3
switch?
I
setup my network with almost no knowledge of conventions, so it is
extremely simplistic right now.  When I do this, I'm probably going to
change the native vlan away from 1 also, and turn off my vtp server and
go with vtp transparent since I have several vlans for my server closet
switch that I dont want going out to my access switches.  I think all
my unused ports are all still vlan 1 also...  I have a lot of work to
do!
Thanks again for the help!

Hi,

With ASA 5510: Max 100 VLANs (with the Security Plus Software) and No there is no covention it's up to administrator to select  vlan number for particular interface connections, what i would suggest use outside vlan number as the larger number and inside as the smaller one which is genral practice in designing.

Hope to help

Ganesh.H

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card