Default Gateway Configuration Between ASA 5510 and Dell PowerConnect 6224

Answered Question
Sep 2nd, 2010

We have the following equipment, with a number of VLANs running on top:

ASA 5510
   |
Dell PowerConnect 6224 (acting as a layer 3 device to route traffic between VLANs and as a switch for servers etc.)
   |
Catalyst 2960 (acting as a layer 2 switch for desktops etc.)

I am trying to confirm that we're not doing anything "unusual" with our general network configuration, as we're having difficulty with a VPN and receiving a number of "Routing failed to locate next hop for TCP from Outside" messages.


We have established a trunk link between the 6224 and the ASA.  This carries a number of VLANs up to the ASA.


Each VLAN trunked up to the ASA gets an IP address ending in .254 as the interface on the ASA (e.g. 10.0.0.254)

Each VLAN that is routed by the 6224 gets an IP address ending in .1 as the interface on the 6224 (e.g. 10.0.0.1)

Devices connected inside each VLAN use the .1 address on the 6224 as their default gateway.

Our thinking here is that we don't want the ASA burdened with internal inter-vlan routing, and wish to leave this to the 6224.


On the 6224, we need to set a default gateway to get traffic up to the ASA when it needs to get out onto the internet or a VPN.


Would I be correct in assuming that we could just assign any of the .254 IP addresses within any of the VLANs to act as the default gateway for the 6224?


While I feel this would work OK, it seems a little "messy" - i.e. why should the default gateway reside on that particular VLAN?


To make things a little "cleaner" (IMO) we have created another VLAN, which is to be used as a "Firewall Uplink" VLAN.  There will be nothing more in this VLAN other than an IP on the 6224 (10.10.10.1) and the ASA (10.10.10.254).


We would then set the default gateway on the 6224 to 10.10.10.254.


While this seems to me to be "cleaner" than picking a random VLAN to act as the default gateway, I'm wondering if it introduces some unnecessary complexities.


Any comments would be gratefully received.

Correct Answer by Jon Marshall, Thu, 09/02/2010 - 12:03

To make things a little "cleaner" (IMO) we have created another VLAN, which is to be used as a "Firewall Uplink" VLAN.  There will be nothing more in this VLAN other than an IP on the 6224 (10.10.10.1) and the ASA (10.10.10.254).

We would then set the default gateway on the 6224 to 10.10.10.254.

While this seems to me to be "cleaner" than picking a random VLAN to act as the default gateway, I'm wondering if it introduces some unnecessary complexities.

Any comments would be gratefully received.


Ideally you just want the one vlan between the switch and the ASA. It's not clear what the existing vlans on the trunk link between the ASA and 6224 are for. If they are the same vlans as are routed on the 6224 then simply change the link between the 6224 and the ASA to an access link, i.e. not a trunk port, and use the dedicated firewall uplink vlan 10.10.10.x.


Make sure you have a default-route on the 6224 pointing to the ASA 10.10.10.254 address.

Make sure you add routes to the ASA for each internal subnet pointing to the 10.10.10.1 address on the 6224.


Jon


rdlafleur Thu, 10/25/2012 - 21:16

Is there any way to get an example running config of both the ASA and Dell for this config? We currently have a flat network on a single VLAN (172.16.1.0/24) with layer 2 switches hanging off the ASA. I'd like to configure the ASA as an uplink to a Dell 6248 which would serve as the core switch for our existing VLAN (172.16.1.0/24) to make migrating the existing layer 2 switches simple. I would also stand up a new VLAN (172.16.200.0/24) dedicated to shared storage. The idea is to use the Dell 6248 to route between these two VLANs, and use the ASA to route out to the internet. Our current ASA has an IP of 172.16.1.1/24. The Dell's IP info follows:


ip address 172.16.1.2 255.255.255.0
ip default-gateway 172.16.1.1
ip domain-name foo.com
ip name-server 172.16.1.241
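Putting Jon's three points together (one dedicated uplink VLAN carried on an access port rather than a trunk, a default route on the Dell switch toward the ASA, and a static route on the ASA for each internal subnet toward the Dell switch), the following is an added example configuration for rdlafleur's layout; it is not from the original thread and not from either vendor's documentation, and the same pattern applies unchanged to the original poster's 10.0.0.0/24 VLANs. It uses the uplink subnet from the question (10.10.10.0/24) and rdlafleur's 172.16.1.0/24 and 172.16.200.0/24 subnets. The VLAN IDs (1, 200 and 99 for the uplink), the uplink port (1/g24), the ASA interface (Ethernet0/1) and the ISP next hop (203.0.113.1) are assumptions; exact CLI syntax varies by firmware version on both platforms, so check each line against your own release's command reference.

```text
! ===== Dell PowerConnect 6224/6248: inter-VLAN routing, default route to the ASA =====
! VLAN IDs (1, 200, 99) and the uplink port (1/g24) are assumptions.
configure
vlan database
vlan 200,99
exit
ip routing
! Existing flat network: the switch takes over 172.16.1.1 so hosts keep their gateway
! (the ASA moves off that address and onto the uplink VLAN below).
interface vlan 1
 routing
 ip address 172.16.1.1 255.255.255.0
exit
! New shared-storage VLAN, routed locally by the switch, never via the ASA.
interface vlan 200
 routing
 ip address 172.16.200.1 255.255.255.0
exit
! Dedicated firewall-uplink VLAN: only the switch and the ASA live here.
interface vlan 99
 routing
 ip address 10.10.10.1 255.255.255.0
exit
! The port toward the ASA is an access port in VLAN 99, not a trunk.
interface ethernet 1/g24
 switchport mode access
 switchport access vlan 99
exit
! Routed default: anything without a more specific route goes to the ASA.
! (The global "ip default-gateway" in the posted config is for the switch's own
! management address; with routing enabled the forwarding default is this route.)
ip route 0.0.0.0 0.0.0.0 10.10.10.254
exit

! ===== Cisco ASA 5510: inside interface in the uplink VLAN, return routes =====
! Interface name and ISP next hop (203.0.113.1) are assumptions.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
! One static route per internal subnet, each pointing at the switch.
! Without these the ASA has no next hop for return traffic to the LAN,
! which is what the "Routing failed to locate next hop" syslog reports.
route inside 172.16.1.0 255.255.255.0 10.10.10.1 1
route inside 172.16.200.0 255.255.255.0 10.10.10.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Two things to check once this is in place. First, because all inter-VLAN traffic is now routed on the switch and never reaches the ASA, any separation you want between, say, the storage VLAN and the desktop VLAN has to be enforced with ACLs on the PowerConnect; the ASA only sees traffic leaving the site or arriving over the VPN. Second, if the VPN still misbehaves after the routes exist, confirm that the VPN's crypto ACL and NAT exemption on the ASA cover each internal subnet (172.16.1.0/24 and 172.16.200.0/24), not just the 10.10.10.0/24 uplink subnet, since that is the only subnet the ASA is directly connected to.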
