ASA 5506-x OSPF with L3 switch

anthonyg10
Level 1

Working with a lab 5506-x and c3560cx and throwing some OSPF at it to see what sticks.

 

I want the ASA to route to the internet, but I have three Vlans on the switch with SVIs for each subnet.  I have NAT working on the ASA out to the internet, but only if I use the ASA subinterface IP as the gateway for the client.  I would like to use the SVI interfaces on the switch for the clients so local traffic can be routed through the switch and not have to hit the ASA.

 

I have basic OSPF running on both for all three subnets and I have neighborships created plus a "default-information originate" command on the ASA so it injects a default route to the internet.

 

So the question is can I use OSPF between the ASA and the SVIs on the switch to help route outbound traffic to the correct gateways on the ASA?  I started adding "ospf network point-to-point non-broadcast" under each of the three subinterfaces on the ASA thinking I could create a separate routing instance for each subnet, but I am not sure where to make this change on the switch since the port between the ASA and the 3560 is trunked.

 

Anybody have any advice on if anything like this would work and if I'm going about it correctly?

 

Thanks!

 

8 Replies

Hi,
If you want the switch to be the default gateway for the client computers, reconfigure the trunk link between the ASA and the switch to be a routed link, then advertise the VLANs networks over that link.

HTH
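The routed-link design suggested in the reply above, written out as an added example that is not from this thread or from any of its posters. Assumptions: ASA Gi1/1 is the outside interface with a placeholder upstream gateway of 203.0.113.1, ASA Gi1/2 and switch Gi0/1 form the routed link, the three SVIs are VLANs 10/20/30 on constructed 10.10.x.0/24 subnets, and the OSPF MD5 key is a placeholder to be replaced.

```cisco
! ---- ASA 5506-X (added example; constructed addresses, assumed interface names) ----
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet1/2
 description Routed link to 3560CX Gi0/1 (replaces the trunk and subinterfaces)
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
! NAT must now cover the VLAN subnets that sit behind the switch, not just the link subnet
object network LAN_SUMMARY
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! default-information originate only advertises a default if the ASA itself has one
route outside 0.0.0.0 0.0.0.0 203.0.113.1
router ospf 1
 network 10.0.0.0 255.255.255.252 area 0
 default-information originate
!
! ---- Catalyst 3560CX (added example; SVIs become the client gateways) ----
ip routing
!
interface GigabitEthernet0/1
 description Routed link to ASA Gi1/2
 no switchport
 ip address 10.0.0.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.255.255 area 0
```

With passive-interface default the SVI subnets are still advertised to the ASA, but no OSPF hellos are sent on the client VLANs, so a host there cannot form an adjacency or inject routes; the ASA learns the three subnets over the /30 and the switch learns its default route from the ASA.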

I'm familiar with that setup, and I've done that before.  But in this lab scenario, I was wondering if I could OSPF to help advertise multiple gateways for multiple subnets coming from the switch.

 

Changing over to a routed port would be easy, but it doesn't tell me if I can use OSPF in this fashion.

 

balaji.bandi
Hall of Fame

If I understand correctly what I see here, you have only 1 default outgoing interface, that is the ASA FW, so it does not make any sense for you to run an IGP between the ASA and the switch.

 

Between switches you have OSPF peering, but the ASA is a pure FW, so we treat it as a FW rather than making it complicated here, given that you have only 1 ingress and 1 egress point.

 

Forgive me if I misunderstood the requirement here.

BB


The part I left out is that eventually I want to add a second switch to peer with the first switch and have another router connected to the second switch to allow another gateway.

 

I would have the same subnets across both switches and use OSPF across the entire network. Then I would use cost to route certain vlans out one gateway or the other as well as have redundancy in case of an Internet outage.

 

I see what you mean about having just one egress, but I'm trying to dig deeper into OSPF here and see what I can do with it.

 

anthonyg10
Level 1

Another thing I forgot to mention is the switches don't do VRF.  I just have IPBase on them, in case anyone was going to suggest that option.

 

Not sure if 3560 is your switch model; if so, here is the limitation:

 

IP Base is basic routing (static / RIP etc.), no VRF capabilities and several other restrictions.

IP Services opens up advanced dynamic routing (OSPF / EIGRP / BGP / IS-IS), VRF-Lite etc.

BB


"lab 5506-x and c3560cx"

 

Thanks, I was aware of the IPBase limitation already, although it's odd that I can actually do OSPF with 15.2(6)E1 even though the notes say it's not supported.

 

Some of them are limited to 1K routes on OSPF, but with a small network you are lucky that it works (shhhhhhhhhhhh, don't tell Cisco).

BB
