ASA 5510 and 3750 Inter Vlan routing?

Aug 16th, 2010

We created the following network configuration:

-central L3 3750 stack acting as VTP server for the VLANs (all VLANs are created here), with VLAN routing enabled, a DHCP server for some VLANs, and trunked ports connecting the L2 2960 switches.

-several L2 2960s as VTP clients with a default gateway and trunked ports to the 3750.

In this scenario all VLANs can see each other; for now there are no ACLs on the 3750. We got an ASA 5510 as the firewall to connect to the Internet.

We need your suggestions and help on the next few questions:

  1. DHCP server on the 3750 (for example): interface Vlan 100 (LAN) ip address 10.1.100.1, ip dhcp pool LAN, network 10.1.100.0 255.255.255.0, default-router 10.1.100.1, dns server 10.1.100.1 - the question is about the DNS server: leave it like this, or configure the DNS parameters from our ISP (ASA 5510)?
  2. Access-list: on the L3 3750 we will create ACLs for controlling traffic only between the VLANs - is this OK?
  3. For connecting the ASA 5510 with the L3 3750:

     -using physical interfaces as routed ports on the ASA (10.1.1.1/30) with a default route to the ISP (and static routes to each VLAN towards 10.1.1.2), and on the L3 3750 (10.1.1.2/30) a default route 0.0.0.0 0.0.0.0 10.1.1.1 to the ASA?

     -creating subinterfaces on ASA Ethernet 0/1 (example) for each VLAN (ethernet 0/1.1 ip add 10.1.100.254 vlan 100...) and connecting to a trunk port on the 3750 allowing all VLANs? In this case we will have on the ASA a default route towards the ISP, but what about the default route on the 3750?

  4. Access-list on the ASA: in which scenario do we need an access list for VLANs from the inside network?
  5. NAT: the ASA 5510 is ver 8.3 - do we create NAT for different network objects (network VLAN 100, 101, 102), translating from the interface where 10.1.1.1 is configured to the outside interface with the ISP address in the first scenario, and the same network objects translating from ether 0/1.1... to the outside interface?

Any help is appreciated.

Correct Answer by Kureli Sankar (Cisco Employee), Sat, 08/21/2010 - 15:41

Good questions.


1. DHCP server on the 3750 (for example): interface Vlan 100 (LAN) ip address 10.1.100.1, ip dhcp pool LAN, network 10.1.100.0 255.255.255.0, default-router 10.1.100.1, dns server 10.1.100.1 - the question is about the DNS server: leave it like this or configure the DNS parameters from our ISP (ASA 5510)

ANS: I would leave the DNS server as your inside DNS server. But this inside DNS server should have forwarders configured to go out to the ISP-provided ones for names that it doesn't have in its cache. All internal names it should be able to provide to the clients.

2. Access-list: on the L3 3750 we will create ACLs for controlling traffic only between the VLANs - is this OK?

ANS: Sure, that seems OK.

3. For connecting the ASA 5510 with the L3 3750:

-using physical interfaces as routed ports on the ASA (10.1.1.1/30) with a default route to the ISP (and static routes to each VLAN towards 10.1.1.2), and on the L3 3750 (10.1.1.2/30) a default route 0.0.0.0 0.0.0.0 10.1.1.1 to the ASA?

-creating subinterfaces on ASA Ethernet 0/1 (example) for each VLAN (ethernet 0/1.1 ip add 10.1.100.254 vlan 100...) and connecting to a trunk port on the 3750 allowing all VLANs? In this case we will have on the ASA a default route towards the ISP, but what about the default route on the 3750?

ANS: It depends. Are all the inside networks considered safe? Can each one access the others freely? No restriction required? If so, you can leave them all on the inside, point the default route on the switch to the ASA, and point the ASA's default route to the ISP.

If you need to firewall the traffic between the VLANs, then go with the subinterfaces on the ASA.

There the ASA will have an interface in each of the VLANs. All VLANs will point to the ASA's corresponding VLAN interface for their default GW. The ASA's default route will point to the ISP router.


I think that answers it all. I hope it helps.


-KS
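Configuration for the first design in question 3 (routed /30 link, the 3750 doing the inter-VLAN routing, the ASA seeing only the transit link), as an added example that is not from the thread. Addresses follow the question's 10.1.x.0/24 scheme; the internal DNS host at 10.1.100.10, the 203.0.113.0/29 ISP block and the interface names are assumptions, and `dns-server` is the IOS keyword for what the question wrote as "dns server". Because the ASA never sees a VLAN tag here, any policy between VLANs has to be a switch ACL; the ASA's own interface ACL can only filter by source subnet on what the switch forwards to it.

```text
! --- 3750 stack (IOS): routes between the VLANs; the ASA only sees the /30 transit link
ip routing
!
! Inter-VLAN policy lives on the switch in this design: VLAN 101 may only use DNS in VLAN 100
ip access-list extended VLAN101_IN
 permit udp 10.1.101.0 0.0.0.255 host 10.1.100.10 eq domain
 deny   ip 10.1.101.0 0.0.0.255 10.1.100.0 0.0.0.255 log
 permit ip 10.1.101.0 0.0.0.255 any
!
interface Vlan100
 description LAN (assumed internal DNS server at 10.1.100.10)
 ip address 10.1.100.1 255.255.255.0
!
interface Vlan101
 ip address 10.1.101.1 255.255.255.0
 ip access-group VLAN101_IN in
!
interface GigabitEthernet1/0/1
 description routed uplink to ASA Ethernet0/1
 no switchport
 ip address 10.1.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
ip dhcp excluded-address 10.1.100.1 10.1.100.20
ip dhcp pool LAN
 network 10.1.100.0 255.255.255.0
 default-router 10.1.100.1
 dns-server 10.1.100.10

! --- ASA 5510 (8.3 syntax): routed inside port, static routes back to the VLANs, object NAT
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.252
 no shutdown
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.1.100.0 255.255.255.0 10.1.1.2
route inside 10.1.101.0 255.255.255.0 10.1.1.2
object network VLAN100
 subnet 10.1.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN101
 subnet 10.1.101.0 255.255.255.0
 nat (inside,outside) dynamic interface
```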


mundusrector Thu, 12/15/2011 - 08:42

I am working on the exact same configuration that uses subinterfaces on the ASA. I have two interfaces on my stacked 3750s configured as trunk ports (primary ASA on the primary 3750 stack member, secondary ASA on the secondary 3750 stack member).

My question is what the DG should be configured as on the 3750. Can I keep the 3750 in L2 or will I have to enable L3 routing? Should the VLAN interfaces be configured?

The port that the ASA is configured with has 3 subinterfaces on VLANs 100, 200, and 300.

The subinterfaces are G0/2.100, G0/2.200, and G0/2.300.

I am in the middle of converting from 3 separate DMZ switches, each attached to its own port on the ASA, which is its default gateway, to one physical port on the ASA broken into 3 subinterfaces which then connect to the stacked 3750s. The stack will then have the 3 separate DMZs in actual separate VLANs.

Please assist.

Kureli Sankar (Cisco Employee) Thu, 12/15/2011 - 09:34

Your topology will be something like this, right?

                     hosts
                       |
                    vlan200
                       |
    hosts--vlan100----ASA--outside-RTR--Internet
                       |
                    vlan300
                       |
                     hosts


So long as the switch doesn't have to go out to the Internet, you don't have to configure a default GW on the switch.

All hosts will have the ASA interface that belongs on their VLAN as their GW. If hosts from vlan100 need to go to vlan200, they send the packets to the ASA's G0/2.100 and the ASA will send them out of the G0/2.200 interface.



-Kureli

mundusrector Thu, 12/15/2011 - 09:45

Pretty much, the 3750 will be used as my "core" switch. Breaking off of each VLAN will be a separate switch. To clarify:

                       Private Network
                             |
                           Router
                             |
                 ASA (Primary and Secondary)
                             |
    3750 Stack (Primary and Secondary; really just one virtual switch,
                but the physical layout creates redundancy)
          |                  |                  |
        Switch             Switch             Switch
          |                  |                  |
    VLAN100 Hosts      VLAN200 Hosts      VLAN300 Hosts



Also, I need to perform firewalling between these VLANs, so that is another reason why I can't do the L3 at the core.

This is all a private network except for the Internet access, which is handled by a proxy. Traffic needs to flow in both directions to and from the DMZs.
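The subinterface design from this second half of the thread (three DMZ VLANs on one ASA trunk port, the 3750 stack left at Layer 2 with the ASA as every host's gateway), as an added example that is configuration from neither poster. It uses mundusrector's interface names G0/2.100-300 and VLAN numbers; the 192.168.x.0/24 addressing, the database host and the native VLAN 999 are constructed. The line to notice is `same-security-traffic permit inter-interface`: with all three DMZs at the same security level the ASA drops traffic between them until that command is on, and once it is on only the interface ACLs keep the DMZs apart.

```text
! --- ASA (8.3 syntax): one subinterface per DMZ VLAN on the trunk to the 3750 stack.
! Addresses are constructed; VLAN 300 gets 192.168.30.0/24 because 300 is not a valid octet.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
interface GigabitEthernet0/2.100
 vlan 100
 nameif dmz100
 security-level 50
 ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/2.200
 vlan 200
 nameif dmz200
 security-level 50
 ip address 192.168.200.254 255.255.255.0
interface GigabitEthernet0/2.300
 vlan 300
 nameif dmz300
 security-level 50
 ip address 192.168.30.254 255.255.255.0
!
! Equal security levels make the ASA drop inter-DMZ traffic until this is on; once it is on,
! the interface ACLs below are the only thing separating the DMZs.
same-security-traffic permit inter-interface
!
! dmz100 hosts may reach only the (assumed) database host in dmz200; other DMZ-to-DMZ
! traffic is denied and logged before the catch-all permit towards the private network.
access-list DMZ100_IN extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.200.10 eq 1433
access-list DMZ100_IN extended deny ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 log
access-list DMZ100_IN extended deny ip 192.168.100.0 255.255.255.0 192.168.30.0 255.255.255.0 log
access-list DMZ100_IN extended permit ip 192.168.100.0 255.255.255.0 any
access-group DMZ100_IN in interface dmz100

! --- 3750 stack (IOS): Layer 2 only for these VLANs, so no SVIs and no ip routing;
! the ASA subinterface is every host's default gateway.
vlan 100,200,300,999
!
interface GigabitEthernet1/0/1
 description trunk to primary ASA GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
interface GigabitEthernet1/0/2
 description access port for a VLAN 100 host
 switchport mode access
 switchport access vlan 100
```

The trunk to the secondary ASA on the other stack member is configured the same way; ASA failover itself is outside what this fragment covers.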
