Doubt regarding Cisco 3560 Catalyst to ASA 5510 communication
I have 1 Cisco ASA 5510 with Security Plus licenses and 1 Cisco Catalyst 3560 24-TS switch.
I am done with VLAN configuration on the Cisco 3560 Catalyst switch. I have assigned eth 0/3 to vlan 10 and eth 0/4 to vlan 20; eth 0/23 is a trunk. I am able to ping PCs in both VLANs via L2 switches connected to the Cisco 3560 switch. The gateway assigned to the PCs is the IP of each VLAN I configured on the Cisco L3 switch.
Now I want to connect the Cisco 3560 switch to the Cisco ASA 5510. I have ACLs and site-to-site IPsec tunnels defined already on the ASA. My ISP link terminates on the ASA itself. I have created VLANs on the ASA on eth 0/0; the ISP link is terminated on eth 0/4. The static route in the ASA is 0.0.0.0 0.0.0.0 <ISP_IP>. NATing between subnets is done on the ASA.
In the above scenario, how can I enable communication between the Cisco L3 switch and the ASA? As of now the DHCP server for the VLANs on the ASA isn't issuing IPs to PCs after putting in the Cisco switch. In the existing scenario I have a 3Com SuperStack 3 Switch 4500 26-Port below the ASA and everything is working fine.
If you are routing the VLANs on the L3 switch then you don't use a trunk to the ASA, and you also don't create the VLANs on the ASA inside interface. Basically you need to route between the L3 switch and the ASA, so as an example -
The above means that you are not firewalling between vlan 10 and vlan 20, only to and from the internet, so if that isn't what you want please clarify.
In terms of DHCP you may need to move the DHCP scopes to the L3 switch. You can try using the "ip helper-address x.x.x.x" command under the L3 VLAN interfaces on the switch, where x.x.x.x is the ASA inside IP address.
However, the last time I looked at this the ASA did not hand out IPs for non-directly-connected networks, and the vlan 10 and vlan 20 subnets are no longer directly connected.
If that is the case you can use the L3 switch to hand out vlan 10 and vlan 20 IPs.
As I say, if you actually want to firewall between the internal VLANs then the above does not apply.
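As an added illustration of the routed design described above (this is not the answerer's omitted example or the poster's running config), the following config assumes vlan 10 is 10.100.10.0/24, vlan 20 is 10.100.20.0/24, a transit subnet 10.100.1.0/24 between switch (10.100.1.2) and ASA inside (10.100.1.1), a DNS server at 10.100.1.50, and that the routed uplink is the switch port FastEthernet0/24; all of these addresses and the port name are placeholders.

```cisco
! ===== Catalyst 3560 (assumed addressing; adjust to your subnets) =====
ip routing
!
interface Vlan10
 description Clients vlan 10
 ip address 10.100.10.1 255.255.255.0
 ip helper-address 10.100.1.1    ! only if the ASA keeps serving DHCP
!
interface Vlan20
 description Clients vlan 20
 ip address 10.100.20.1 255.255.255.0
 ip helper-address 10.100.1.1
!
interface FastEthernet0/24
 description Routed link to ASA inside (no trunk, no VLAN tagging)
 no switchport
 ip address 10.100.1.2 255.255.255.0
!
! Everything not local goes to the ASA
ip route 0.0.0.0 0.0.0.0 10.100.1.1
!
! If the ASA will not lease addresses for the now non-connected
! client subnets, host the scopes on the switch instead of using
! ip helper-address above:
ip dhcp excluded-address 10.100.10.1 10.100.10.10
ip dhcp pool VLAN10
 network 10.100.10.0 255.255.255.0
 default-router 10.100.10.1
 dns-server 10.100.1.50
!
! ===== ASA 5510 (remove the vlan subinterfaces from Ethernet0/0) =====
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.100.1.1 255.255.255.0
!
! The ASA must know the client subnets live behind the switch,
! otherwise return traffic (and VPN decrypts) has nowhere to go.
route inside 10.100.10.0 255.255.255.0 10.100.1.2
route inside 10.100.20.0 255.255.255.0 10.100.1.2
route outside 0.0.0.0 0.0.0.0 <ISP_IP>
```

The existing crypto-map ACLs and NAT exemptions on the ASA still reference the same 10.100.x.0/24 client subnets; what changes is only that those subnets are now reached via the static routes towards the switch rather than via connected subinterfaces.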
Usually a default route from the 3560 to the ASA will be sufficient. Now from a best practices and design standpoint, you should be running all inter-vlan traffic through the ASA for the best security practices, and in this case you would create a trunk from 3560 to ASA and create sub interfaces on the ASA.
Do you mean for this specific setup or as a more general point?
If your security requirements are that you must firewall between internal VLANs then yes, I agree with what you say, but for a lot of companies there is no real need for this.
The main issue with using the ASA for routing between internal VLANs is that it can become a bottleneck compared with L3 switches. Not only that, it significantly complicates the configuration because the ASA is not really a router as such.
In addition, if that was best practice there would be little need for L3 switches if you were routing everything off the firewall.
In a large office or campus environment, unless you have very strict security requirements, there is rarely a need to firewall between client VLANs and it would be impractical to do so.
For smaller environments where you don't have an L3 switch and only a few VLANs it can be a valid choice.
Finally, as with a lot of other things, the rules for a DC are different, and here it may well be desirable to firewall between VLANs, so yes, it could well make sense in that environment.
Just my opinion though, so not saying I am necessarily right.
Yes, I want to replace the 3COM switch with the Cisco 3560 switch. Yes, I have 2 ASA 5510s with the Security Plus bundle.
But like I said, if I do this major change and if my old Cisco 3560 switch goes off some day, I have no redundant/failover L3 switch.
The existing 3COM 4500 SuperStack3 is just a partial L3 switch.
If I decide to buy an additional Cisco L3 switch, would my rough network be like this?
1) All VLANs and the DHCP server on the L3 switch. DNS would be my Active Directory servers.
2) The gateway of the PCs would be the IP of each VLAN on the L3 switch.
3) Now the main concern is about the IPsec site-to-site VPN tunnels. What changes are required for this?
I tried that. A few issues I encountered are as follows [including, I believe, some mistakes of mine]:
1) I am done with labelling the eth interfaces on the 3560, enabling port access mode, no shut etc. [names as per those defined on the ASA]
2) Done with creation of 2 trunk ports, enabling 802.1q, trunk mechanism etc.
3) Now I put the cable from the ASA to the trunk port
4) And laptops to the VLAN access ports on the 3560
- The laptop was unable to get an IP from the ASA, which is also acting as the DHCP server for all VLANs.
- Laptops connected to different ports of the 3560 were unable to communicate with each other.
I have most subnets in the 10.100.x range with a /24 subnet. What am I missing?
Now I understand that I need to make some major changes on the ASA before I put in the Cisco 3560 switch. Unfortunately I don't have a redundant Cisco L3 switch as of now.
1 additional doubt: my existing 3COM 4500 switch is doing dynamic VLAN routing/splitting, as per my understanding. All I have done on the 3COM switch is create a VLAN with a label, tag it to a specific eth port and make it a member of the trunk port. Nothing else.
Is it possible to use the above scenario on the Cisco 3560 switch while keeping the VLANs as they are on the ASA? The problem is I have a redundant ASA appliance but not a pure L3 switch.