08-16-2010 02:35 PM - edited 03-11-2019 11:26 AM
We created the following network configuration:
- central L3 3750 stack acting as VTP server for the VLANs (all VLANs are created here), with VLAN routing enabled, DHCP server for some VLANs, and trunked ports connecting the L2 2960 switches.
- several L2 2960 switches as VTP clients with a default gateway and trunked ports to the 3750.
In this scenario all VLANs see each other; for now there are no ACLs on the 3750. We got an ASA 5510 as the firewall to connect to the Internet.
We need your suggestions and help with the next few questions:
- using physical interfaces as routed ports on the ASA (10.1.1.1/30) with a default route to the ISP (and static routes to each VLAN towards 10.1.1.2), and the L3 3750 (10.1.1.2/30) with default route 0.0.0.0 0.0.0.0 10.1.1.1 to the ASA?
- creating subinterfaces on ASA Ethernet 0/1 (for example) for each VLAN (ethernet 0/1.1 ip add 10.1.100.254 vlan 100...) and connecting to a trunk port on the 3750 allowing all VLANs? In this case we will have on the ASA a default route towards the ISP, but what about the default route on the 3750?
4. Access-list on the ASA: in which scenario do we need an access list for VLANs from the inside network?
5. NAT: the ASA 5510 is version 8.3. Are we creating NAT for different network objects (networks VLAN 100, 101, 102) and translating from the interface where the 10.1.1.1 address is configured to the outside interface with the ISP address in the first scenario, and the same network objects translating from ether 0/1.1... to the outside interface?
Any help is appreciated.
08-21-2010 03:41 PM
Good questions.
1. DHCP server on the 3750 (for example): interface Vlan 100 (LAN) ip address 10.1.100.1, ip dhcp pool LAN, network 10.1.100.0 255.255.255.0, default-router 10.1.100.1, dns server 10.1.100.1. The question is about the DNS server: leave it like this, or configure the DNS parameters from our ISP (ASA 5510)?
ANS: I would leave the DNS server as your inside DNS server. But this inside DNS server should have forwarders configured to go out to the ISP-provided ones for names that it doesn't have in its cache. All internal names it should be able to provide to the clients.
2. Access-list: on the L3 3750 we will create ACLs for controlling traffic only between the VLANs. Is this OK?
ANS: Sure, that seems OK.
3. For connecting ASA 5510 with L3 3750:
- using physical interfaces as routed ports on the ASA (10.1.1.1/30) with a default route to the ISP (and static routes to each VLAN towards 10.1.1.2), and the L3 3750 (10.1.1.2/30) with default route 0.0.0.0 0.0.0.0 10.1.1.1 to the ASA?
- creating subinterfaces on ASA Ethernet 0/1 (for example) for each VLAN (ethernet 0/1.1 ip add 10.1.100.254 vlan 100...) and connecting to a trunk port on the 3750 allowing all VLANs? In this case we will have on the ASA a default route towards the ISP, but what about the default route on the 3750?
ANS: It depends. Are all the inside networks considered safe? Can each one access the others freely? No restriction required? If so, you can leave them all on the inside, point the default route on the switch to the ASA, and point the ASA's default route to the ISP.
If you need to firewall the traffic between the VLANs, then go with the subinterfaces on the ASA.
The ASA will then have an interface in each of the VLANs. All VLANs will point to the ASA's corresponding VLAN interface for their default GW. The ASA's default route will point to the ISP router.
I think that answers it all. I hope it helps.
-KS
12-15-2011 08:42 AM
I am working on the exact same configuration that uses subinterfaces on the ASA. I have two interfaces on my stacked 3750s configured as trunk ports (primary ASA on the primary 3750 stack member, secondary ASA on the secondary 3750 stack member).
My question is what the DG should be configured as on the 3750. Can I keep the 3750 in L2, or will I have to enable L3 routing? Should the VLAN interfaces be configured?
The port that the ASA is configured with has 3 subinterfaces on VLANs 100, 200, and 300.
The subinterfaces are G0/2.100, G0/2.200, and G0/2.300.
I am in the middle of converting from 3 separate DMZ switches, each attached to its own port on the ASA, which is its default gateway, to one physical port on the ASA broken into 3 subinterfaces which then connect to the stacked 3750s. The stack will then have the 3 separate DMZs in actual separate VLANs.
Please assist.
12-15-2011 09:34 AM
Your topology will be something like this, right?
hosts
|
vlan200
|
hosts--vlan100---ASA--outside-RTR--Internet
|
vlan300
|
Hosts
So long as the switch doesn't have to go out to the Internet, you don't have to configure a default GW on the switch.
All hosts will have the respective ASA interface that belongs to their VLAN as their GW. If hosts from vlan100 need to go to vlan200, they send the packets to the ASA's G0/2.100 and the ASA will send them out of the g0/2.200 interface.
-Kureli
12-15-2011 09:45 AM
Pretty much. The 3750 will be used as my "core" switch. Branching off each VLAN will be a separate switch. To clarify:
Private Network
I
Router
I
ASA (Primary and Secondary)
I
3750 Stack (Primary and Secondary, really just one virtual switch but physical layout creates redundancy)
I I I
Switch Switch Switch
I I I
VLAN100 Hosts VLAN200 Hosts VLAN300 Hosts
Also, I need to perform firewalling between these VLANs, so that is another reason why I can't do the level 3 at the core.
This is all a private network except for the Internet access handled by a proxy. Traffic needs to flow in both directions to and from the DMZs.
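The subinterface design KS recommends when the VLANs must be firewalled from each other, combined with Kureli's point that the 3750 then stays Layer 2 with no default gateway of its own, written out as an added configuration example (not configuration from any poster in this thread). It uses the 2011 poster's ASA subinterface names and the 10.1.100.254 address from the original post; the VLAN 200 addressing, the ACL and object names, and the 3750 port number are constructed, and the upstream next hop is a placeholder.

```cisco
! ---- ASA (8.3 syntax): one physical port, one subinterface per DMZ VLAN ----
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.100
 vlan 100
 nameif dmz100
 security-level 50
 ip address 10.1.100.254 255.255.255.0
!
interface GigabitEthernet0/2.200
 vlan 200
 nameif dmz200
 security-level 50
 ip address 10.1.200.254 255.255.255.0
! (GigabitEthernet0/2.300 / vlan 300 follows the same pattern)
!
! The VLAN subnets are directly connected, so the ASA needs no static routes
! toward the switch, only a default route to the upstream router (placeholder).
route outside 0.0.0.0 0.0.0.0 <UPSTREAM-NEXT-HOP> 1
!
! Interfaces at the same security level do not pass traffic to each other
! unless this is enabled; keep it off so DMZ-to-DMZ traffic exists only
! where an interface ACL explicitly permits it.
no same-security-traffic permit inter-interface
access-list DMZ100_IN extended permit tcp 10.1.100.0 255.255.255.0 10.1.200.0 255.255.255.0 eq 443
access-list DMZ100_IN extended deny ip any any log
access-group DMZ100_IN in interface dmz100
!
! 8.3 object NAT: VLAN 100 hosts leave via the outside interface address (PAT)
object network VLAN100_NET
 subnet 10.1.100.0 255.255.255.0
 nat (dmz100,outside) dynamic interface

! ---- 3750 stack: pure Layer 2 for these VLANs, trunk to the ASA, no SVIs ----
vlan 100,200,300
!
interface GigabitEthernet1/0/1
 description trunk to ASA G0/2 (subinterfaces .100 .200 .300)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
!
! Hosts use the ASA subinterface (e.g. 10.1.100.254) as their default gateway;
! the switch needs no ip default-gateway unless it is managed from another subnet.
no ip routing
```

With `no ip routing` on the stack, every inter-VLAN packet must cross the ASA, which is what makes the per-interface ACLs and the 8.3 object NAT the single enforcement point for the three DMZs.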