Setup Vlan

QuikeyMan_2
Level 1

I would like to setup a vlan on our existing network. We have a 2800 used as an edge router connected to cat. 3750 used as a layer 3 switch. We have several other layer 2 switches connected to the 3750.

I have a subnet that will be used for the vlan, but I am not sure where to begin with the 3750 configuration. At this point I am not going to worry about DHCP for the vlan. Any tips or appropriate guides would be appreciated.

24 Replies

It depends. Does your firewall support 802.1q trunking or do you have a spare interface on your firewall.

If either of the above then yes you could route the new vlan off the firewall if you want to.

With either of the above you do not need to create a L3 vlan interface on the 3750 for the new vlan.

If you don't have spare interfaces but you can run 802.1q on your firewall then you will need to reconfigure the firewall and the switch to some extent.

Jon

Our firewall is an ASA 5510, so yes, it does support 802.1q trunking. Will I have to create a subinterface of the inside interface of the ASA given it has the ip address of 172.20.4.1, and then apply the new subnet for the new vlan to the subinterface?

On a side note, am I incorrect in thinking that the 3750 does any routing, meaning the firewall is actually doing all the routing here?

Yes, I believe you are right when you say that the 3750 is not doing any routing in your scenario. It could if you wanted it to, but it doesn't look like it is at the moment.

Yes, on the ASA you would need to create a subinterface for your existing vlan and one for the new vlan, and you need to make the connection from the ASA to the 3750 an 802.1q trunk link on the 3750.

Jon
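The ASA-side approach Jon describes above (one 802.1Q subinterface per VLAN on the ASA inside interface, with the 3750 uplink converted to a trunk), written out as an added example. This is not configuration from the thread; it assumes the ASA inside interface is Ethernet0/1, that the 3750 uplink is GigabitEthernet2/0/1, that the new VLAN is 20 with subnet 10.20.20.0/24, and that an unused VLAN 999 is set as the trunk native VLAN so that no tagged VLAN is ever carried untagged. Only 172.20.4.1/16 comes from the thread.

```cisco
! ===== ASA 5510 (assumed: inside is Ethernet0/1) =====
! The physical interface stops carrying an IP; it only hosts tagged subinterfaces.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Existing VLAN 1 keeps the nameif "inside" so every ACL, NAT and policy
! bound to "inside" continues to apply after the move.
interface Ethernet0/1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 172.20.4.1 255.255.0.0
!
! New VLAN (assumed id 20 / 10.20.20.0/24) gets its own nameif, so traffic
! between the two VLANs is subject to ASA policy.
interface Ethernet0/1.20
 vlan 20
 nameif users20
 security-level 100
 ip address 10.20.20.1 255.255.255.0
!
! Both subinterfaces are security-level 100; without this line the ASA
! drops traffic between them rather than routing it.
same-security-traffic permit inter-interface

! ===== Catalyst 3750 (assumed: uplink Gi2/0/1, one user port Gi1/0/10) =====
vlan 20
 name users20
vlan 999
 name unused-native
!
interface GigabitEthernet2/0/1
 description 802.1Q trunk to ASA inside
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/10
 description example port in the new VLAN
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

Apply the ASA part from the console or the management interface rather than over the inside interface, since removing the IP from Ethernet0/1 drops the session. `show interface trunk` on the 3750 and `show interface Ethernet0/1.20` on the ASA confirm both VLANs are tagged end to end.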

I'm finding more pieces as we go here. There is a cat. 2948 switch between the firewall and the 3750. sh ip route shows Destination = 172.20.0.0 / Gateway = 172.20.5.253 / RouteMask = 0xffff0000 / Flags = U / Use = 9524 / Interface = sc0. sc0 connects to the 3750 on GigabitEthernet 2/0/2 with the attributes of Switchport trunk encapsulation dot1q, duplex full, speed 1000. So, given this, will anything that needs to be configured be changed, and if so, what?

Okay, the 2948 is not L3 capable, so that is purely a L2 switch. What address is 172.20.5.253?

If it is connected to the 3750 with a trunk, what vlans are carried on that trunk?

It's difficult now to recommend what to do; you need to work out what this switch is doing. It might be for DMZs and the vlans on it are routed off the ASA, but that is just guesswork. The best thing you can do is draw out the network, concentrating on vlans, IP subnets, and which ports on the switches are in which vlan.

Edit - actually, what is the exact model of the 2948, as I think some versions could route traffic.

Jon

sh int on the 2948G-GE-TX shows under sc0, vlan 1, inet 172.20.5.253 netmask 255.255.0.0 broadcast 172.20.255.255. 172.20.5.253 is the address I use to telnet into the switch. We do not utilize DMZs.

Okay, that is a L2 switch only, so you need to understand why it is trunking to the 3750.

Is the connection to the firewall an access port, i.e. not a trunk link?

It almost sounds like the 3750 has been bought to either

a) route for all internal vlans

b) replace the 2948 but it depends on how many ports are already in use on the 3750 and the 2948.

Without drawing this out properly I would want to suggest a course of action.

Jon

I think I have everything mapped out correctly, but I will need to wait until users leave for lunch to verify the route of one cable.

Let me know if this sounds correct: the interface on the 2948, with the ip address of 172.20.5.253, is there because that switch does not support ip routing? Given it is a layer 2 switch, my next assumption is that layer 2 switches are not capable of ip routing because they cannot build an ip table to use with a routing protocol?

I am 98% certain this is how our network is laid out:

-Lines come in to a multilink on our router, 2800, and then go out FastEthernet 0/0 to the firewall.

-Line comes in on Ethernet 0/0, with a public IP, and then goes out on Ethernet 0/1, with a private IP, *to the 3750 (which are actually 2 3750's stacked)

-Line comes in at port 34 on the non-master 3750.

-Lines go out from the master 3750 to our other layer two switches**.

It seems as though our network was not setup with growth in mind, but instead as simple as possible, no trunks because everything is in the same default vlan, vlan 1.

*I physically traced the cable to the 3750, and then checked the 5 minute averages on all ports and noted that this port, 34, had the highest input average by far.

**The line that goes to the 2948 comes in at interface sc0 mentioned above. The other switches are not connected to the 3750 by an interface because they all have ip routing enabled.

Okay that makes sense.

To return to your issue you can either

1) route your new vlan off the firewall which is where you route vlan 1 at the moment. You would need to

i) change the link between the firewall and the 3750 to a trunk

ii) create subinterfaces for vlan 1 and your new vlan.

2) Move the inter-vlan routing to the 3750. To do this you would need to

i) make sure ip routing is enabled on the 3750.

ii) Assuming that all your clients in vlan 1 have the default-gateway set to the firewall inside interface, I would transfer this address to the vlan 1 interface on your 3750.

iii) I would then create another vlan purely for connecting your 3750 to the firewall.

iv) Add a default-route on the 3750 pointing to the firewall inside interface, i.e.

ip route 0.0.0.0 0.0.0.0

v) On the firewall add routes for vlan 1 and your new vlan pointing to the 3750 vlan interface you created for communication between your 3750 and the firewall.

Both will involve downtime.

1) requires less config, but I would personally go for option 2), which gives you more flexibility in the future.

If you do go option 2 you need to make sure that migrating the inside interface IP address of the firewall to the 3750 will not affect any of the firewall functionality. It shouldn't really but you need to check.

It sounds like your network has evolved. There may be a reason why the firewall was used for vlan 1 routing and if these are security reasons then you may want option 1).

As I said though, all things being equal, I would go with option 2.

Jon
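Option 2 from Jon's post above (inter-VLAN routing moved onto the 3750, a dedicated transit VLAN to the ASA, a default route on the switch and static routes back on the ASA), as an added example that is not configuration from the thread. Assumptions: the ASA inside interface is Ethernet0/1 and connects to 3750 port GigabitEthernet2/0/1; the new VLAN is 20 with subnet 10.20.20.0/24; the transit VLAN is 100 using 10.255.100.0/30 (.1 on the ASA, .2 on the 3750); the management ACL is illustrative. Only 172.20.4.1/16 and the 2948 management address 172.20.5.253 come from the thread.

```cisco
! ===== Catalyst 3750 stack =====
! Step i) turn the switch into a router. Without this, SVIs are only
! management addresses and no inter-VLAN forwarding happens.
ip routing
!
vlan 20
 name users20
vlan 100
 name transit-asa
!
! Step ii) the old ASA inside address becomes the VLAN 1 SVI, so existing
! clients keep their default gateway unchanged.
interface Vlan1
 description existing user LAN, gateway moved here from the ASA
 ip address 172.20.4.1 255.255.0.0
!
interface Vlan20
 description new user VLAN (assumed 10.20.20.0/24)
 ip address 10.20.20.1 255.255.255.0
 ip access-group VLAN20-IN in
!
! Step iii) point-to-point transit VLAN used only for the 3750-to-ASA link.
interface Vlan100
 description transit to ASA inside (assumed 10.255.100.0/30)
 ip address 10.255.100.2 255.255.255.252
!
interface GigabitEthernet2/0/1
 description link to ASA inside, now an access port in the transit VLAN
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Step iv) everything not in a local subnet goes to the ASA.
ip route 0.0.0.0 0.0.0.0 10.255.100.1
!
! Because VLAN 1 <-> VLAN 20 traffic no longer passes through the ASA,
! any policy between them has to live on the switch. Illustrative ACL:
! keep the new VLAN away from the 2948 management address, allow the rest.
ip access-list extended VLAN20-IN
 deny   ip any host 172.20.5.253
 permit ip any any

! ===== ASA 5510 (assumed: inside is Ethernet0/1) =====
! The inside interface keeps its nameif, so ACLs bound to "inside" still
! apply, but its address moves into the transit subnet.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.255.100.1 255.255.255.252
!
! Step v) return routes for both user VLANs via the 3750 transit address.
route inside 172.20.0.0 255.255.0.0 10.255.100.2
route inside 10.20.20.0 255.255.255.0 10.255.100.2
```

Before cutting over, check every ASA NAT rule and object that matches on the old inside subnet (172.20.0.0/16) still matches traffic arriving from the transit link, and add 10.20.20.0/24 to those rules as needed; this is the "will not affect any of the firewall functionality" check from the post. On the 3750, `show ip route` should list the two connected VLAN subnets plus the static default, and `show ip interface brief` should show Vlan1, Vlan20 and Vlan100 up/up.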
