thanks.

so assume i build an interface on the asa as below;

int gig0/0

nameif MGT

security-level 50

ip address 192.168.100.1 255.255.255.0

now the edge & core switches will be assigned an ip from this range, eg, 192.168.100.5 for core switch.

the link between firewall and core switch will be a layer 3 port channel.

if i have to define the mgmt ip on the core and edge switches, what vlan should i be using for them on the switches.

can i use following configs on the core & edge switch for mgmt interface;

( using vlan 100 for mgmt interface on the switches)

int vlan 100

ip addr 192.168.100.5 255.255.255.0

is this correct. appreciate all help.

Hello Suthomas,

All that matters is that the Vlan you will set on this devices is a dedicated vlan for managment purposes where if a user on a different user wants to reach that vlan it must be routed through a L3 device where you can filter the traffic,etc.

You can use vlan 100 or whatever vlan you want That will not affect anything, just remember to use a dedicated vlan just for the managment traffic.

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

thanks, the ASA is a 5585X with about 8 gig ports & 4 10gig ports.

So,can i please request how to actually configure this in my network with a small sample configuration for my understanding.

Thanks in advance.

Assuming you want your ASA to be the gateway for your management VLAN and assuming you want the same management network for your managed devices and management systems, you would most likely use a subinterface on the ASA-core switch.

Working from those assumptions, currently ASA - inside interface - core switch is a plain routed interface on the ASA. It would change to:

int gi0/0

  description Trunk interface for Inside and management

  no nameif

  no ip address

  no security-level

int gi0/0.1

  nameif inside

  description Inside VLAN subinterface

  vlan

  ip address

  security level 0

  no shut

int gi0/0.2

  nameif management

  description Management VLAN subinterface

  vlan 100

  ip address 192.168.100.1 255.255.255.0

  security level 10

  no shut

Your core switch would change it's interface facing the ASA from an access port to a trunk. You would ensure that VLANs for production (VLAN of current traffic) and management traffic (VLAN 100) were allowed on the trunk.

If you want non-management network devices and systems to talk to the management network, you'll need to add routing and potentially access-list bits to accomodate that.

Thanks Marvin.

How should i configure the core switch interface with ASA. will a Portchannel be ok between them ? i was thinking of using  a Layer3 Portchannel for routing purpose.

if i use trunk , how would the configuration look like, as we intend to use two ports on either side of ASA & Core switch to interface this link.

Appreciate all help.