Routing in layer3 and firewall

Hi Everybody.

I have a question regarding the best practice design for my firewall and routing design. I need to create 30 new VLANs that need to be filtered in the firewall, so the traffic should pass through the firewall. These 30 new VLANs will have their own subnets (/24). My question regarding the design: should I create the VLANs on the router or as subinterfaces on the firewall? If I create the new VLANs as layer 3 on the router, the clients will be "directly connected", and that means the traffic will only go through the router. Can I solve this by adding static IP routes on the router that point to the firewall IP, or will they be overruled by the "directly connected" status?

Drawing attached.

ASA5550 model

10 REPLIES
Routing in layer3 and firewall

Looks like you answered your own question... create the subinterfaces on the firewall and they will all be filtered from each other... the pain will be the access list rules... good luck.

Routing in layer3 and firewall

Definitely create subinterfaces on the FW. That should be simple and secure. Try to move as much L3 security to the FW as possible. Let the router just route packets; don't burden the poor thing. Also, you said 30 VLANs; that would be a lot of traffic then. Make sure you select the right HW (router, switch) etc. The FW 5550 is a good one.

Routing in layer3 and firewall

Thanks for the reply. So basically you are telling me that this is best practice: create 30 VLANs/subinterfaces spread over two physical interfaces on the ASA with 30 access-groups/lists, and create two trunk interfaces on the router (layer 2) and route the specific traffic to the firewall. Do I need to assign IP addresses on the router for the specific subnets?

Routing in layer3 and firewall

Trunk is correct, but you will need at least one subnet that is the same on the router and the firewall... this will allow you to route to the other subnets configured on the firewall.

Routing in layer3 and firewall

Will that mean that I need to assign 30 different IP addresses on the router if I make 30 subnets for the 30 VLANs?

Routing in layer3 and firewall

No, just one... the one with the highest security level... then on the router, route the other subinterfaces defined on the firewall to the firewall interface that is connected to the router... I know it sounds confusing...

Routing in layer3 and firewall

Thanks for the reply. Can I solve this by creating a /30 subnet for routing purposes between the router and the firewall? But what about if I want to use two physical interfaces with 15 VLANs each? Do I need to create two IPs on the router?

Routing in layer3 and firewall

Yeah, you can create a /30... on the second, that is a good question... I haven't tried that before, but I would think you would route to the particular interface the subinterfaces are on... so yeah, two IPs on the router will have to be configured... this is kind of unique... let me know how it works out...

Routing in layer3 and firewall

I think I can solve this by creating two /30 subnets, one for each physical interface.

On the firewall

Interface1: Subinterfaces/VLAN 1 to 15 (all VLANs have their own /24 subnet) - VLAN 31 with a /30 subnet with the highest security level. VLAN 31 is created to communicate with VLAN 1 to 15 from the router.

Interface2: Subinterfaces/VLAN 15 to 30 (all VLANs have their own /24 subnet) - VLAN 32 with a /30 subnet with the highest security level. VLAN 32 is created to communicate with VLAN 15 to 30 from the router.

I hope this will work :-)
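The original question (will a static route toward the firewall be overruled by a "directly connected" SVI on the router?) and the /30 transit design above can be checked with a small route-selection model. This is an added example, not anything from the thread or from Cisco; the only real values in it are the IOS default administrative distances (connected 0, static 1). The addresses (10.1.1.0/24 for a user VLAN, 10.0.0.0/30 for the VLAN 31 transit, 10.0.0.2 as the ASA side) are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Cisco IOS default administrative distances for these two route sources.
# Everything else below is a constructed model, not router output.
AD = {"connected": 0, "static": 1}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str          # "connected" or "static"
    next_hop: str        # "direct" for connected routes, else the gateway IP


def route(net, source, next_hop="direct"):
    return Route(ipaddress.ip_network(net), source, next_hop)


def lookup(rib, dst):
    """Pick the route a router installs: longest prefix match, then lowest AD."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in rib if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -AD[r.source]))


def next_hop_for(rib, dst):
    r = lookup(rib, dst)
    return None if r is None else r.next_hop


# Scenario A: the user VLAN is an L3 SVI on the router *and* a static route
# for the same /24 points at the ASA (10.0.0.2 on the VLAN 31 /30 transit).
svi_design = [
    route("10.1.1.0/24", "connected"),           # VLAN SVI on the router
    route("10.0.0.0/30", "connected"),           # VLAN 31 transit to the ASA
    route("10.1.1.0/24", "static", "10.0.0.2"),  # intended: send via the ASA
]

# Scenario B: the user VLANs exist only as ASA subinterfaces; the router keeps
# just the /30 transit as connected plus one static per /24 toward the ASA.
subinterface_design = [
    route("10.0.0.0/30", "connected"),
    route("10.1.1.0/24", "static", "10.0.0.2"),
]

if __name__ == "__main__":
    print(next_hop_for(svi_design, "10.1.1.50"))           # direct: ASA bypassed
    print(next_hop_for(subinterface_design, "10.1.1.50"))  # 10.0.0.2: inspected by ASA
```

Scenario A shows the failure mode the question worries about: with equal prefix length the connected route (AD 0) wins over the static (AD 1), so hosts in that VLAN are reached directly and never hit the firewall. Scenario B, with the /30 transit as the only connected route and statics for the /24s, is what forces every VLAN-to-VLAN flow through the ASA.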

Routing in layer3 and firewall

Please see the attached drawing. Can I get some response to that one? Will the traffic flow be like that?
