Multiple VLAN's, multiple Gateways

Danny Cooke
Level 1

Hi All

I don't know if this is possible or if I'm misunderstanding something, but here goes.

Catalyst 4500 Switch and ASA 5525-X

I have multiple VLANs, but essentially I have one 172.16.0.0/16 network and one 10.0.0.0/16 network.

The switch has IP addresses of 172.16.1.240 and 10.10.0.1

The firewall has an interface configured on each VLAN - 172.16.1.200 and 10.10.0.200

The default-gateway on the switch is 172.16.1.200. Traffic from this 172 network can get to the internet, but traffic from the 10 network doesn't get to the internet. Can I set outbound traffic from the 10 network to route via the 10.10.0.200 address on the firewall?

Is this a switching issue or a firewall issue?

Thanks


10 Replies

devils_advocate
Level 7

Can you provide a diagram as to the setup?

Is the ASA in Routed or transparent mode?

ASA is in routed mode, I'll get a diagram done ASAP

Thanks for the reply

Do you need each network to get to the ASA via separate interfaces? Why not just let the 10.x.x.x traffic follow the default gateway and exit the switch to the firewall on the 172.x.x.x network. Then, just add a route on the firewall telling it that 10.x.x.x is reachable via the 172.x.x.x interface.

If you need the traffic to stay separate, create a vrf on the 4500 separating the 172.x.x.x network and the 10.x.x.x network. This way, the 4500 will have separate routing tables for each network. At this point, you create a default route for the 172.x.x.x network and a vrf default route for the 10.x.x.x network.

What is performing the Routing between the subnets? The Switch?

Or are the subnets not meant to be able to speak to each other?

Assuming the hosts inside each VLAN have a default gateway of the firewall interfaces, you should be able to set up routing to the internet on each interface separately to allow both the 172 and 10 networks to reach the internet.

Is the ASA doing the NATing?

Cheers

Well, if you created layer 3 interfaces on the 4500 and ip routing is enabled, the two interfaces will share the same routing table unless you separate the layer 3 interfaces via a vrf. Therefore, without some extra work, such as policy based routing, the two networks will utilize the same routing table. If you had a PC on the 172.x.x.x network and another on the 10.x.x.x network, and set the PCs' default gateway to the layer 3 interfaces on the 4500, the 4500 would route the traffic back and forth since it knows about each network, regardless of the fact that the firewall also has an IP interface on each subnet.

Now, if you gave the PCs a gateway of the ASA for each subnet, then the firewall would do the routing (if you permit it). Since the firewall knows about both networks (and your rules permit it), it can do the routing. The 4500 layer 3 interfaces would be just another IP in the subnet (make sure to turn off proxy arp and redirects for the 4500 layer 3 interfaces just in case).

Since you mentioned the default gateway on the switch with the hyphen between the two words, I'm assuming you're using the ip default-gateway command, which means you probably have not enabled IP routing on the 4500. If this is the case (you're using the 4500 for pure layer 2), then you will need to set the default gateway for devices in the 172.x.x.x network to the layer 3 172.x.x.x interface on the ASA and set the default gateway for devices in the 10.x.x.x network to the 10.x.x.x address on the ASA. Once this is done, devices in each network will send any traffic not local to them (defined by their IP and mask) to their default gateway. The ASA will then send traffic to the Internet (of course, the ASA will need the rules and default route to permit this). Once traffic returns, the ASA will send it back to the source subnet it came from.

Hope this helps.

Hi All

Thanks for all the posts, see the (very crude) network diagram I've attached (hope it's big enough)

@James - that was my bad, the 4500 is doing IP routing with ip route 0.0.0.0 0.0.0.0 172.16.1.200; the gateways of each host are the switch (on their respective VLAN). Subnets can all talk (switch is doing routing). ASA is doing the NATing. Never done a configuration like this before; the reason for it is a slow migration from the legacy 172 network to the 10 network - we're doing a full network (server/desktop) refresh and it will be easy to manage and understand at a glance what is "old" and what is "new".

Not sure what the deal is with vrf as I've never used it, so not sure how it works etc...

Thanks

With this setup, the PCs will send traffic outside of their local subnet to their respective default gateways on the 4500. The 4500 will then send all traffic out the 172.x.x.x interface as this is how your default gateway is defined. This is the outbound behaviour. However, when the traffic returns, the ASA will see that it has a locally attached 10.x.x.x network and send the return traffic directly to the 10.x.x.x interface. This is asymmetric traffic. While not always desired, asymmetric traffic will flow. However, firewalls tend not to like asymmetric traffic as they like to send traffic back the same interface they received it on, depending on where the NAT is done. If the NAT is on the Internet interface (not shown above I'm assuming) on the ASA, then the return traffic should be un-NAT'd before it's ready to return to the source subnets. I'm not an expert on the ASA but it might not like returning traffic via a different interface than it received it on. Try shutting down the 10.x.x.x interface (don't do this in a production environment unless you have change control, planning, etc...) and put a route on the ASA to tell it that 10.x.x.x is reachable via the 172.x.x.x interface on the 4500. This way, traffic will return via the same interface it was received on. If you only have a single Internet facing interface on the ASA, it shouldn't really matter how the source subnets reach the Internet. Of course, you would need to apply the proper rules, etc...to the traffic.

If you really want complete separation of traffic, you can create a vrf for one of the interfaces. A vrf logically separates the two interfaces on the 4500 so that they don't know about each other's routing tables. If you do this, then you can have a default route for the 172.x.x.x network and a default route for the 10.x.x.x network. Keep in mind, once you do the vrf, the 172.x.x.x and 10.x.x.x devices won't be able to talk to each other unless it's through the ASA or you do vrf import/export route targets, etc...(which kind of defeats the purpose of the vrf in the first place).

One question, by the way. If you are using a /16 mask for the two networks, the ASA interfaces and the 4500 interfaces would be on the same network, so you could just use the ASA as the default gateway for each device and avoid all the other stuff.

Once again, if this is your production environment, take the proper precautions and test in a lab environment if you can.

I'll need to look into the routing and rules on the firewall - I have a route for traffic on the 10.x.x.x interface that sends traffic to the 10.x.x.x IP of the switch, not the 172 address. I don't know why I didn't think of changing that earlier!

One thing I didn't mention (I was trying to simplify things for the purposes of my question) - I used the /16 mask, but I'm actually running lots of /24 networks on separate VLANs (the 4500 does the inter-VLAN routing).

I'll see if that simple change makes a difference (or sends it haywire) - I've got some downtime this evening so I may look at it then. Thanks for the pointers.

You were correct in that traffic back to the 10.x.x.x network from the firewall was going out the wrong way. I disabled the 10.x.x.x interface on the firewall and set a route for 10.0.0.0/16 back to the 172 address of the switch - problem solved!!!

Thanks for your help in spotting my mistake!

No problem. Glad it's working now.
