Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3097
Views
4
Helpful
8
Replies

split switch for dmz

Go to solution
n14nguyen
Level 1
Level 1

‎10-13-2014 10:13 PM - edited ‎03-07-2019 09:05 PM

I got a layer3 switch cat2960xr that connected behind the firewall for inside network.  Is it possible if I can use part of the switch (few ports) for the dmz zone or I have to purchase separate switch for that?  Please see attachment.

Thanks,

Labels:
Preview file
25 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rizwanr74
Level 7
Level 7
In response to n14nguyen

‎03-04-2015 05:23 PM

I noticed your SVI for vlan 2 is incorrect IP address: "192.168.1.0 255.255.255.0" so change it to something different IP address from what you have assinged to ASA's inside interface such as: "192.168.1.2 255.255.255.0".  I hope you have something like this on your ASA's inside interface "192.168.1.1 255.255.255.0"

 

interface vlan2

ip address 192.168.1.2 255.255.255.0

 

Don't forget to add a default route, pointing to your ASA's inside interface address, on the switch as shown below.

 

ip route 0.0.0.0 0.0.0.0 192.168.0.1

 

Last but not least, you don't forget to create dynamic nat for your hosts on your ASA located inside your network.

 

thanks

 

 

View solution in original post

8 Replies 8

Go to solution
rizwanr74
Level 7
Level 7

‎10-14-2014 08:38 AM

Hi n14nguyen,

 

Yes you can, as long as your 2960-switch hosts only later2 vlan for your dmz, and your DMZ interface on ASA is being gateway for DMZ hosts.

 

thanks

Rizwan Rafeek

 

0 Helpful

Go to solution
n14nguyen
Level 1
Level 1
In response to rizwanr74

‎10-14-2014 11:29 AM

So you mean create a vlan for dmz.  How am I ensure the separate between of inside vlan and dmz vlan in the same switch?

0 Helpful

Go to solution
rizwanr74
Level 7
Level 7
In response to n14nguyen

‎10-14-2014 12:07 PM

Hi n14nguyen,

 

Lets assume that your dmz interface on your ASA is "192.168.11.1 255.255.255.0" and is connected to FastEthernet24 on your 2960-switch and similarly your inside address of your ASA is "10.10.10.1 255.255.255.0" and is connected to FastEthernet1 on your 2960-switch.

 

Now on your 2960-switch you create a SVI interface for your inside network of your ASA and layer2 definition as vlan 10 and for DMZ you only create a layer2 definition only as vlan 11. 

- - - - - - - - - - - - - - - - - - - - - - - - -

interface vlan10

10.10.10.2 255.255.255.0

no shut

 

vlan 10

 name asa-inside

 

vlan 11

 name asa-dmz

 

interface FastEthernet1

 switchport access vlan 10
 switchport mode access
 

 

 

interface FastEthernet24

 switchport access vlan 11
 switchport mode access

- - - - - - - - - - - - - - - - - - - - - - - - -

 

Note that I do not have a SVI created for vlan 11.

 

I hope this make sense.

Thanks

Rizwan Rafeek. 

0 Helpful

Go to solution
n14nguyen
Level 1
Level 1
In response to rizwanr74

‎10-14-2014 01:21 PM

thanks guys,  I will try

0 Helpful

Go to solution
rizwanr74
Level 7
Level 7
In response to n14nguyen

‎03-04-2015 05:23 PM

I noticed your SVI for vlan 2 is incorrect IP address: "192.168.1.0 255.255.255.0" so change it to something different IP address from what you have assinged to ASA's inside interface such as: "192.168.1.2 255.255.255.0".  I hope you have something like this on your ASA's inside interface "192.168.1.1 255.255.255.0"

 

interface vlan2

ip address 192.168.1.2 255.255.255.0

 

Don't forget to add a default route, pointing to your ASA's inside interface address, on the switch as shown below.

 

ip route 0.0.0.0 0.0.0.0 192.168.0.1

 

Last but not least, you don't forget to create dynamic nat for your hosts on your ASA located inside your network.

 

thanks

 

 

Go to solution
n14nguyen
Level 1
Level 1
In response to rizwanr74

‎03-05-2015 08:42 AM

yes, correct IP adddress and addded ip route for inside network address resolve the problem.  Thanks

0 Helpful

Go to solution
n14nguyen
Level 1
Level 1
In response to rizwanr74

‎03-04-2015 08:02 AM

I've tried yesterday,  only machine on dmz1 port (interface GigabitEthernet 1/0/24) can access to the internet but the inside port (interface GigabitEthernet 1/0/2) can't .  Am i missing anything?  I attach the current running-configure

Thanks,

 

Preview file
22 KB
0 Helpful

Go to solution
Justin DeVaughn
Level 1
Level 1
In response to n14nguyen

‎10-14-2014 12:09 PM

If you had the following it would work:

Switch:

VLAN 1 - inside

VLAN 2 - dmz

switchport 1 (inside) - access mode vlan 1

switchport 2 (dmz) - access mode vlan 2

 

Firewall:

port 1 (inside) - (ip address + plugged into switchport 1)

port 2 (dmz) - (ip address + plugged into switchport 2)

 

Then configure any switchport as vlan 2 if you want the attached device to be on the dmz network or vlan 1 if you want them to be on the inside network.  You could use the firewall for DHCP for that vlan 2 dmz subnet and set the default gateway to the IP address of the firewall's port 2.

This will create LAN separation between the two networks.  You will literally have two networks using the same switch...a.k.a. Virtual Local Area Network (VLANs).

 

Like Rizwan mentioned, this works in a layer 2 switch.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card