split switch for dmz

Answered Question

I have a layer 3 switch (Cisco Catalyst 2960-XR) connected behind the firewall for the inside network. Is it possible to use part of the switch (a few ports) for the DMZ zone, or do I have to purchase a separate switch for that? Please see attachment.

Thanks,

rizwanr74 Tue, 10/14/2014 - 08:38

Hi n14nguyen,

Yes you can, as long as your 2960 switch hosts only a layer 2 VLAN for your DMZ, and the DMZ interface on your ASA is the gateway for the DMZ hosts.

thanks

Rizwan Rafeek

rizwanr74 Tue, 10/14/2014 - 12:07

Hi n14nguyen,

Let's assume that the DMZ interface on your ASA is "192.168.11.1 255.255.255.0" and is connected to FastEthernet24 on your 2960 switch, and similarly that the inside address of your ASA is "10.10.10.1 255.255.255.0" and is connected to FastEthernet1 on your 2960 switch.

Now on your 2960 switch you create an SVI for the inside network of your ASA, with its layer 2 definition as vlan 10, and for the DMZ you create a layer 2 definition only, as vlan 11.

- - - - - - - - - - - - - - - - - - - - - - - - -

vlan 10
 name asa-inside
!
vlan 11
 name asa-dmz
!
! SVI for the inside VLAN only; vlan 11 (DMZ) deliberately gets no SVI
interface vlan10
 ip address 10.10.10.2 255.255.255.0
 no shut
!
interface FastEthernet1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet24
 switchport access vlan 11
 switchport mode access

- - - - - - - - - - - - - - - - - - - - - - - - -

Note that I do not have an SVI created for vlan 11.

I hope this makes sense.

Thanks

Rizwan Rafeek.

Correct Answer
rizwanr74 Wed, 03/04/2015 - 17:23

I noticed your SVI for vlan 2 has an incorrect IP address: "192.168.1.0 255.255.255.0". Change it to a different IP address from the one you have assigned to the ASA's inside interface, such as "192.168.1.2 255.255.255.0". I hope you have something like this on your ASA's inside interface: "192.168.1.1 255.255.255.0".

interface vlan2
 ip address 192.168.1.2 255.255.255.0

Don't forget to add a default route, pointing to your ASA's inside interface address, on the switch as shown below.

! next hop is the ASA inside interface address (192.168.1.1 in this example)
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Last but not least, don't forget to create dynamic NAT on your ASA for the hosts located inside your network.

thanks

Justin DeVaughn Tue, 10/14/2014 - 12:09

If you had the following it would work:

Switch:

VLAN 1 - inside

VLAN 2 - dmz

switchport 1 (inside) - access mode vlan 1

switchport 2 (dmz) - access mode vlan 2

Firewall:

port 1 (inside) - (ip address + plugged into switchport 1)

port 2 (dmz) - (ip address + plugged into switchport 2)

Then configure any switchport as vlan 2 if you want the attached device to be on the dmz network, or vlan 1 if you want it to be on the inside network. You could use the firewall for DHCP for that vlan 2 dmz subnet and set the default gateway to the IP address of the firewall's port 2.

This will create LAN separation between the two networks. You will literally have two networks using the same switch...a.k.a. Virtual Local Area Networks (VLANs).

Like Rizwan mentioned, this works on a layer 2 switch.
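The design in Rizwan's second reply and in Justin's post rests on a few checkable properties: the DMZ VLAN exists only at layer 2 on the shared switch (no SVI), the switch does not route between VLANs, the inside SVI carries a host address rather than the network address, and the default route's next hop lies in the inside SVI's subnet. The script below is an added example, not code from Cisco or from either poster; it parses the handful of IOS commands involved and reports anything that would let the shared switch, rather than the ASA, join inside to DMZ. Both configs in it are constructed (BAD_CONFIG reproduces the mistakes discussed in the thread, GOOD_CONFIG matches the accepted answer), the VLAN numbers follow the thread's example, and parse_config and audit are names chosen here.

```python
"""Audit an IOS-style switch config for a layer-2-only DMZ VLAN on a shared
switch. Added example for this thread, not Cisco's or the posters' code; the
configs, VLAN numbers and function names below are constructed."""
import ipaddress
import re

# Constructed config reproducing the thread's mistakes: network address on the
# SVI, default route outside the SVI subnet, plus an SVI on the DMZ VLAN and
# "ip routing", so the switch itself could forward between inside and DMZ.
BAD_CONFIG = """\
ip routing
vlan 10
 name asa-inside
vlan 11
 name asa-dmz
interface Vlan10
 ip address 192.168.1.0 255.255.255.0
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
interface FastEthernet1
 switchport access vlan 10
 switchport mode access
interface FastEthernet24
 switchport access vlan 11
 switchport mode access
ip route 0.0.0.0 0.0.0.0 192.168.0.1
"""

# Constructed config matching the accepted answer: one SVI, on the inside VLAN,
# with a host address; no SVI for the DMZ VLAN; default route to the ASA inside.
GOOD_CONFIG = """\
vlan 10
 name asa-inside
vlan 11
 name asa-dmz
interface Vlan10
 ip address 192.168.1.2 255.255.255.0
interface FastEthernet1
 switchport access vlan 10
 switchport mode access
interface FastEthernet24
 switchport access vlan 11
 switchport mode access
ip route 0.0.0.0 0.0.0.0 192.168.1.1
"""


def parse_config(text):
    """Return (interfaces, ip_routing, default_gateway); interfaces maps a name to
    {"ip": IPv4Interface|None, "access_vlan": int|None, "mode": str|None}."""
    interfaces, current, ip_routing, default_gw = {}, None, False, None
    for raw in text.splitlines():
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            current = None  # any top-level command ends the interface block
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = interfaces.setdefault(
                    m.group(1), {"ip": None, "access_vlan": None, "mode": None})
            elif line == "ip routing":
                ip_routing = True
            elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
                default_gw = line.split()[-1]
            continue
        if current is None:
            continue  # indented line under something not modelled (e.g. vlan name)
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            current["access_vlan"] = int(m.group(1))
        elif m := re.match(r"switchport mode (\S+)$", line):
            current["mode"] = m.group(1)
    return interfaces, ip_routing, default_gw


def audit(text, dmz_vlans):
    """Return a list of findings; an empty list means the layer-2-only DMZ design holds."""
    interfaces, ip_routing, default_gw = parse_config(text)
    findings, svis = [], {}
    for name, cfg in interfaces.items():
        m = re.fullmatch(r"[Vv]lan(\d+)", name)
        if m and cfg["ip"] is not None:
            svis[int(m.group(1))] = cfg["ip"]
    for vid in sorted(dmz_vlans):  # the switch must have no IP presence in the DMZ
        if vid in svis:
            findings.append(f"SVI Vlan{vid} has {svis[vid]}: the DMZ VLAN must stay layer 2 only on the shared switch")
    if ip_routing and len(svis) > 1:  # two routed SVIs = a path around the ASA
        findings.append("'ip routing' with more than one SVI: the switch can forward between VLANs and bypass the firewall")
    for vid, ip in sorted(svis.items()):  # the mistake in the question: 192.168.1.0/24 on the SVI
        if ip.ip in (ip.network.network_address, ip.network.broadcast_address):
            findings.append(f"SVI Vlan{vid} uses {ip.ip}, which is not a host address in {ip.network}")
    if default_gw is not None:  # next hop must be on-link, i.e. the ASA inside address
        gw = ipaddress.ip_address(default_gw)
        if not any(gw in ip.network for ip in svis.values()):
            findings.append(f"default route next hop {gw} is not in any SVI subnet, so the switch cannot reach it")
    for name, cfg in sorted(interfaces.items()):  # DMZ ports should be plain access ports
        if cfg["access_vlan"] in dmz_vlans and cfg["mode"] != "access":
            findings.append(f"{name} carries DMZ VLAN {cfg['access_vlan']} but is not in 'switchport mode access'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(f"{label}: {audit(cfg, {11}) or ['no findings']}")
```

Run against a saved `show running-config`, the audit returns four findings for BAD_CONFIG and none for GOOD_CONFIG. It deliberately reads only the commands the thread relies on; trunk ports that carry the DMZ VLAN to another device are out of its scope and would need a separate check.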
