Cisco Support Community

New Member

Questions with network design

Hey folks, I'm working on designing a new network and am looking to get a proof of concept working here, although I do have a few questions. I have attached a screenshot of the network below.


#1 The uplink going from the layer 3 switch to the ASA needs to be a trunk line, correct? In order for all the other VLANs to have access to the internet? Does this trunk need to be in its own separate VLAN?


#2 This is a DMZ VLAN that needs to be routed through the ASA firewall for IPS inspection. Do I need a separate uplink to the ASA for this, or can I use the existing trunk to the ASA from #1 and just use a sub-interface on the ASA for the routing in this VLAN?

network.jpg

5 REPLIES
Hall of Fame Super Bronze

Re: Questions with network design

#1 The uplink going from the layer 3 switch to the ASA needs to be a trunk line, correct? In order for all the other VLANs to have access to the internet? Does this trunk need to be in its own separate VLAN?

No. It can be an access port or a routed port from the Layer 3 switch. I would prefer that you go with the routed port approach to eliminate STP.

The ASA will need route(s) to the other VLANs residing in the Layer 3 switch, with the directly connected routed port being its default gateway.

#2 This is a DMZ VLAN that needs to be routed through the ASA firewall for IPS inspection. Do I need a separate uplink to the ASA for this, or can I use the existing trunk to the ASA from #1 and just use a sub-interface on the ASA for the routing in this VLAN?

If you are planning to use the same Layer 3 switch for the DMZ, you can create a Layer 2 VLAN on the Layer 3 switch and have the ASA connected to a dedicated port configured as an access port. The ASA will be the Layer 3 device for this VLAN, so you have to manage your IP addressing accordingly.

Regards,

Edison

New Member

Questions with network design

Edison, thanks for the reply. How do I designate the port on the layer 3 switch to be a routed port?

The ASA will need route(s) to the other VLANs residing in the Layer 3 switch, with the directly connected routed port being its default gateway.

I already have the inter-VLAN routing set up and working correctly. Where does one go to specify the routes if inter-VLAN routing is already set up?

Hall of Fame Super Bronze

Re: Questions with network design

Edison, thanks for the reply. How do I designate the port on the layer 3 switch to be a routed port?

interface x/x
 no switchport
 ip address y.y.y.y x.x.x.x

I already have the inter-VLAN routing set up and working correctly. Where does one go to specify the routes if inter-VLAN routing is already set up?

Inter-VLAN routing in the switch? This is done by default as long as you have 'ip routing' globally enabled.

The switch's default gateway will be the ASA, but the ASA needs to know about the Layer 3 VLANs you have in the switch.

This is where the static routes in the ASA will come into place.
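The design in the two answers above, written out as an added worked configuration that is not from the original thread or from Cisco documentation: a routed uplink from the 3560X to the ASA inside interface, a default route on the switch pointing at the ASA, static routes on the ASA for the switch's VLANs, and the DMZ as a Layer 2 VLAN on the switch whose only gateway is the ASA's dmz interface. All interface names, VLAN numbers, addresses and the 10.0.0.0/30 point-to-point subnet are assumptions; NAT and the outside addressing are omitted.

```cisco
! ===== 3560X (Layer 3 switch) =====
ip routing
!
! Routed uplink to the ASA inside interface (no STP on a routed port).
interface GigabitEthernet0/1
 description Routed uplink to ASA inside (assumed addressing)
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! SVIs the switch already routes between.
interface Vlan10
 description Users (assumed)
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 description Servers (assumed)
 ip address 10.20.0.1 255.255.255.0
!
! DMZ is Layer 2 only on the switch: no "interface Vlan30", so DMZ hosts
! cannot reach the inside VLANs without crossing the ASA.
vlan 30
 name DMZ
!
interface GigabitEthernet0/2
 description Access port to ASA dmz interface (assumed)
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Everything the switch does not know goes to the ASA.
ip route 0.0.0.0 0.0.0.0 10.0.0.1

! ===== ASA 5520 =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.30.1 255.255.255.0
!
! The ASA must be told which networks live behind the switch;
! these are the static routes Edison refers to (addresses assumed).
route inside 10.10.0.0 255.255.255.0 10.0.0.2
route inside 10.20.0.0 255.255.255.0 10.0.0.2
!
! Send all traffic through the AIP-SSM IPS module in inline mode
! (assumed module; choose fail-open or fail-close deliberately).
policy-map global_policy
 class class-default
  ips inline fail-close
!
service-policy global_policy global
```

Two points worth checking on the result: the switch must have no SVI for VLAN 30, otherwise DMZ hosts get a second gateway that bypasses the firewall; and because dmz sits at security-level 50 and inside at 100, the ASA will by default refuse connections initiated from the DMZ toward the inside VLANs until an access-list explicitly permits them, which is the behaviour you want for a DMZ. If the number of VLANs grows, the per-VLAN static routes can be replaced by a single summary route (for example 10.0.0.0/8 via 10.0.0.2) as long as no other interface on the ASA uses that range.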

New Member

Re: Questions with network design

The ASA will need to learn about all the VLANs you are configuring on the switch; that is the only way to route them to the Internet using the routed uplink as Edison mentioned.

I am not sure what type of switch you have, but you may want to use SFP for VLAN routing. Just an idea.

New Member

Re: Questions with network design

Edison Ortiz wrote:

#1 The uplink going from the layer 3 switch to the ASA needs to be a trunk line, correct? In order for all the other VLANs to have access to the internet? Does this trunk need to be in its own separate VLAN?

No. It can be an access port or a routed port from the Layer 3 switch. I would prefer that you go with the routed port approach to eliminate STP.

The ASA will need route(s) to the other VLANs residing in the Layer 3 switch, with the directly connected routed port being its default gateway.

#2 This is a DMZ VLAN that needs to be routed through the ASA firewall for IPS inspection. Do I need a separate uplink to the ASA for this, or can I use the existing trunk to the ASA from #1 and just use a sub-interface on the ASA for the routing in this VLAN?

If you are planning to use the same Layer 3 switch for the DMZ, you can create a Layer 2 VLAN on the Layer 3 switch and have the ASA connected to a dedicated port configured as an access port. The ASA will be the Layer 3 device for this VLAN, so you have to manage your IP addressing accordingly.

Regards,

Edison

Edison, thanks for the CLI command; I do remember this command now.

Boulest, the ASA is going to be a new 5520 with the IPS module, and the switch is going to be a 3560X (WS-C3560X-48PF-S).
