Cisco Support Community

New Member

Need a L3 connection?

Hi All,

I am attaching a diagram of a network. As per the diagram, do I need a L3 connection from my switch to the Firewall, using the no switchport command, or will the current configuration work? Please check.


Hall of Fame Super Blue

Re: Need a L3 connection?


It looks from your diagram as though vlan 1 is being routed on the 6500, but the ASA firewall inside interface is on vlan 1 as well. What is the default-gateway of your vlan 1 clients, i.e. the internet users: is it the vlan 1 interface on the 6500 or the inside interface of the ASA?

I would have a dedicated vlan for communication between the 6500 and the ASA device and definitely not use vlan 1. The default-gateway for clients in vlan 1 should be the 6500 vlan 1 interface. Then use a vlan that only the ASA inside interface and the 6500 L3 SVI are in.

The advantage of a vlan is that if you then want another ASA for redundancy you can just add the standby ASA inside interface into the same vlan, so allocate a /29 for the IP subnet just for future use.

Ideally vlan 1 shouldn't be used at all for client data but that's another issue :)


New Member

Re: Need a L3 connection?

Dear Jon,

Thanks for the input.

Gateway is the Vlan 1 Interface IP on 6500 and there is a default route to FW inside interface IP.

So I need an L3 SVI on the 6500 switch for the solution to work? In the current scenario there isn't one.

My main doubt is this: the connection from the switch to the Firewall inside.

The interface configuration on 6500 is -

config-if#switchport mode access

config-if#switchport access vlan 1

How can the port be a member of a vlan when it is connecting to the L3 physical interface (inside) of the firewall? As you have suggested, it should be a L3 interface, right? I am confused about the L2 vlan and the L3 physical interface connection.

I need some clarity on this part; please provide your kind update.


Hall of Fame Super Blue

Re: Need a L3 connection?


You need to use an unused vlan for the connectivity. So let's assume vlan 30 with an IP subnet of will be the 6500 end of the connection between the 6500 and ASA and will be the inside interface of the ASA.

On the 6500 switch

Create L2 vlan

6500(config)# vlan 30

6500(config-vlan)# name 6500_to_FW

6500(config)# interface vlan 30

6500(config-if)# ip address

On the interface on the 6500 that the ASA is connected into

int gix/xx

switchport access vlan 30

Change the default route to

ip route

On the ASA change the inside address to

ip address inside

and then you need to add static routes for any vlans on the 6500 that the ASA needs to send packets to, e.g.

route (inside)

Note that we could use a dynamic routing between the 6500 and the ASA but we'll keep it simple with statics :)
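As an added illustration (not from the thread, and not Jon's configuration), the Python check below models the transit-vlan design described above: it rejects vlan 1 or a subnet that collides with a client vlan, carves the 6500 SVI and ASA inside addresses out of the /29, and emits the matching 6500 and ASA lines in the same form the reply uses. All addresses, the vlan numbers and the switch port name are constructed placeholders, since the thread does not give the real values.

```python
import ipaddress

# Constructed sample values; the thread never gives the real addresses.
TRANSIT_VLAN = 30
TRANSIT_SUBNET = ipaddress.ip_network("192.0.2.0/29")  # the /29 suggested above
CLIENT_VLANS = {  # client data vlans routed on the 6500 (vlan -> subnet)
    1: ipaddress.ip_network("10.1.1.0/24"),
    20: ipaddress.ip_network("10.1.20.0/24"),
}

def plan_transit(transit_vlan, transit_subnet, client_vlans):
    """Check the transit-vlan design and build the lines for both ends.

    Returns (problems, switch_lines, asa_lines). The first usable host goes to
    the 6500 SVI, the second to the ASA inside interface, leaving spare
    addresses in the /29 for a standby ASA.
    """
    problems = []
    if transit_vlan == 1:
        problems.append("do not use vlan 1 as the 6500-to-ASA transit vlan")
    if transit_vlan in client_vlans:
        problems.append(f"vlan {transit_vlan} already carries client data")
    if transit_subnet.prefixlen > 29:
        problems.append("transit subnet smaller than /29: no room for a standby ASA")
    for vlan, net in client_vlans.items():
        if net.overlaps(transit_subnet):
            problems.append(f"client vlan {vlan} subnet overlaps the transit subnet")
    hosts = list(transit_subnet.hosts())
    svi_ip, asa_ip = hosts[0], hosts[1]
    mask = transit_subnet.netmask
    switch_lines = [
        f"vlan {transit_vlan}",
        " name 6500_to_FW",
        f"interface vlan {transit_vlan}",
        f" ip address {svi_ip} {mask}",
        "interface GigabitEthernet1/1",  # placeholder for the port facing the ASA
        f" switchport access vlan {transit_vlan}",
        f"ip route 0.0.0.0 0.0.0.0 {asa_ip}",  # default route now points at the ASA
    ]
    # ASA side: inside address, then one static route back to the 6500 SVI
    # for every client vlan the ASA must reach.
    asa_lines = [f"ip address inside {asa_ip} {mask}"]
    asa_lines += [
        f"route inside {net.network_address} {net.netmask} {svi_ip}"
        for net in client_vlans.values()
    ]
    return problems, switch_lines, asa_lines

if __name__ == "__main__":
    problems, switch_lines, asa_lines = plan_transit(TRANSIT_VLAN, TRANSIT_SUBNET, CLIENT_VLANS)
    print("problems:", problems or "none")
    print("\n".join(switch_lines + asa_lines))
```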


New Member

Re: Need a L3 connection?

Jon Thank you for the information.