configuring management interface - help!

May 10th, 2010

Hey guys,

Here is my dilemma...

I have an ASA 5520 and a 3750 stack (connected through a subinterface 802.1q trunk).

I need to manage the 3750, but I am turning off IP routing.

I have about 10 VLANs on the switches, and they are trunked 802.1q to my ASA.

I have been allotted 10.233.8.8/30 for management from my team.

How do I set this up? Do I use the management console or put the management traffic on the trunked interface (i.e. subinterface)?

Do I connect the ASA to the switch through the management interface or just through the trunked interface? My manager wanted me to use a management VLAN, if that helps.

Help!

Thank you!

Jon Marshall Mon, 05/10/2010 - 06:19

accesshollywood2 wrote:

Hey guys,

Here is my dilemma...

I have an ASA 5520 and a 3750 stack (connected through a subinterface 802.1q trunk).

I need to manage the 3750, but I am turning off IP routing.

I have about 10 VLANs on the switches, and they are trunked 802.1q to my ASA.

I have been allotted 10.233.8.8/30 for management from my team.

How do I set this up? Do I use the management console or put the management traffic on the trunked interface (i.e. subinterface)?

Do I connect the ASA to the switch through the management interface or just through the trunked interface? My manager wanted me to use a management VLAN, if that helps.

Help!

Thank you!

Put the 3750 into a VLAN that is trunked to the ASA and for which the ASA has a subinterface. Ideally this VLAN should only be used for managing the switches. Let's say you use VLAN 2. Then on the 3750:

no ip routing
!
int vlan 2
 ip address 192.168.5.2 255.255.255.0
!
! 192.168.5.1 is the subinterface address on the ASA
ip default-gateway 192.168.5.1

Jon

accesshollywood2 Mon, 05/10/2010 - 06:26

Thanks Jon, but I have other VLANs on this switch stack... so do I need the gateway address?

I don't want all my traffic going to the management subinterface? Do I?

Panos Kampanakis Mon, 05/10/2010 - 07:09

If you have IP routing disabled, you can have the ASA translate all the management sources going to your router management IP address to the ASA's subinterface. That way you don't need the gateway, as the router will be able to respond to a locally connected IP address in response to the management traffic.

You probably don't want the gateway, especially if you turn off IP routing.

I hope it makes sense.

PK

Jon Marshall Mon, 05/10/2010 - 09:27

accesshollywood2 wrote:

Thanks Jon, but I have other VLANs on this switch stack... so do I need the gateway address?

I don't want all my traffic going to the management subinterface? Do I?

If you want to access the 3750 from a subnet other than the management VLAN, you need the ip default-gateway.

The ip default-gateway only affects traffic to and from the switch itself; it has no effect on user traffic going through the switch. So all your traffic will not go to the management subinterface. When you make a switch L2 like the 3750, the ip default-gateway is simply used to remotely access the switch. Users will still go to their respective subinterface on the ASA for their VLAN.

Jon
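
Both ends of the management VLAN described in the replies above, as an added example that is not part of the original thread. The VLAN number and addresses are the ones from Jon's reply; the interface names (GigabitEthernet0/1 on the ASA, GigabitEthernet1/0/1 on the 3750), the VLAN name, the nameif and the security level are assumptions.

```cisco
! ===== ASA 5520: subinterface for the management VLAN =====
! Assumption: GigabitEthernet0/1 is the physical port carrying the trunk.
! The physical interface carries no nameif or IP; only subinterfaces do.
interface GigabitEthernet0/1
 no nameif
 no shutdown
!
! Assumption: nameif "mgmt" and security-level 100 are illustrative choices.
interface GigabitEthernet0/1.2
 vlan 2
 nameif mgmt
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
! ===== 3750 stack: Layer 2 only, managed through VLAN 2 =====
no ip routing
!
! Assumption: the VLAN name is illustrative.
vlan 2
 name MGMT
!
! Assumption: GigabitEthernet1/0/1 is the uplink to the ASA.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! The SVI is the switch's own management address.
interface Vlan2
 ip address 192.168.5.2 255.255.255.0
 no shutdown
!
! Used only for traffic sourced by the switch itself (SSH, SNMP, syslog
! replies to hosts outside 192.168.5.0/24). User VLAN traffic is switched
! at Layer 2 and still reaches its own ASA subinterface.
ip default-gateway 192.168.5.1
!
! Checks on the 3750 after applying:
!   show interfaces trunk       (VLAN 2 listed as allowed and active)
!   show ip interface brief     (Vlan2 up/up with 192.168.5.2)
!   ping 192.168.5.1            (ASA subinterface reachable)
```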
