ASA Subinterfaces Design Scenario

Justin Westover
Level 1

I currently have an ASA 5520 in production without using subinterfaces. I have connected an interface on the ASA to a 4507; the 4507 contains SVIs which perform the routing for our internal network. I have another ASA 5520 and I am playing around with a few new design scenarios. The problem I am currently having is with subinterfaces on the inside of the network. I understand the subinterfaces on the outside network; I am using subinterfaces on the outside for dual-homing ISPs.

I don't understand the multiple subinterfaces on the inside, for some reason I can't wrap my mind around using them. I have created a few and trunked a port from my 3560X to the ASA interface. Here is my design.


ASA 5520 Config
(I realize that this isn't how it would look in CLI, I just don't remember all of the commands)

! Parent interface only carries the 802.1Q trunk: no nameif, level or address of its own
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! Each subinterface is tagged with its VLAN and becomes the L3 gateway for it
interface GigabitEthernet0/1.10
 vlan 10
 nameif Prod_USERS
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif Users
 security-level 100
 ip address 10.10.16.1 255.255.255.0

Alright, so in this scenario I would have a trunk port from my 3560X connected to interface Gi0/1 on the ASA. On the 3560X I would create the two VLANs (VLAN 10 and VLAN 20); I also created SVIs on the 3560X as follows.

3560X config

! The 3560X only routes between SVIs once IP routing is enabled (off by default)
ip routing
!
interface Vlan10
 description PROD_USERS
 ip address 172.16.10.2 255.255.255.0
 no shutdown
!
interface Vlan20
 description USER-NET
 ip address 10.10.16.2 255.255.255.0
 no shutdown

Now I create a default route on the 3560X as follows: "ip route 0.0.0.0 0.0.0.0 172.16.10.1". By doing this, I can only route my 172.16.10.0 network out to the internet, not the 10.10.16.0 network? I have to remove the default route above and add "ip route 0.0.0.0 0.0.0.0 10.10.16.0" for clients on that network to browse out to the web.

So I am obviously missing something crucial here and I just can't wrap my head around this design scenario for some reason. Could someone please explain to me the topology necessary for this configuration to function correctly, and how I can get both of my VLANs to function properly? I would like the 3560X to route traffic internally until traffic needs to go into the DMZ or out to the web, at which time it should use the firewall.

5 Replies

Jon Marshall
Hall of Fame

Justin

This isn't really the way to use subinterfaces which may be causing some of the confusion. Subinterfaces are used when you want to route the traffic off the firewall. So you wouldn't create SVIs on the 3560 switch for the vlans, because the L3 interfaces for these vlans would be the subinterfaces on the firewall.

If you want to route off the 3560 for these vlans and only send traffic destined for the internet to the firewall, then you do not need subinterfaces and they simply confuse the issue. This is why you are getting confused about the default route, i.e.:

route off the 3560 for these vlans, then have a single default route pointing to the firewall - no need to use subinterfaces, you simply use the physical interface on the firewall.

route off the firewall, and then there is no need for any default route (for these vlans) on the 3560.

From your description it sounds like you want these vlans to be able to route between each other, in which case I would recommend using the 3560 for that and not using subinterfaces on the firewall. If you need to restrict traffic between these vlans then either -

1) use ACLs on the L3 SVIs on the switch

or

2) route off the firewall for these vlans using subinterfaces. However, if these vlans also need to talk to other vlans on the 3560 then it can be done, but the config is messy and just adds complexity which it doesn't look like you need.

Jon

So what would be the config for doing this with sub-interfaces on the ASA and routing on the 3560X? I am curious how this would work.

If I were using sub-interfaces on the ASA then I would only need to create VLANs on the switch, no SVIs, and static or DHCP assignments would have a default gateway that would point to the ASA sub-interfaces, right?

Justin

If I were using sub-interfaces on the ASA then I would only need to create VLANs on the switch, no SVIs, and static or DHCP assignments would have a default gateway that would point to the ASA sub-interfaces, right?

Correct. The problem you have with SVIs on the switch and subinterfaces is which default gateway do you use for the clients? So yes, you would have the vlans in the vlan database on the switch but no L3 SVI.

If you do this though, as I mentioned in the previous thread, if you then need to route to other vlans with SVIs on the 3560 then the config on the ASA can get a bit messy. Unless you really have to firewall between vlans, a general rule of thumb is to use the L3 switch to route the vlans and the firewall to protect the internal LAN from the internet.

Jon
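The two designs Jon contrasts above (route on the 3560X with a single physical inside interface, or route on the ASA subinterfaces with no SVIs on the switch), written out as an added example that is not config from the thread. Addresses are reused from Justin's post; the switch uplink port Gi0/24 and the ACL name USERS_IN are assumptions.

```cisco
! ===== Option A: route on the 3560X, one physical inside interface on the ASA =====
! 3560X: the L3 SVIs are the client gateways; one default route to the ASA.
ip routing
interface Vlan10
 ip address 172.16.10.2 255.255.255.0
interface Vlan20
 ip address 10.10.16.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.10.1
! ASA: plain routed inside interface. It must be told that 10.10.16.0/24 lives
! behind the switch, otherwise replies to that VLAN follow the outside default route.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
route inside 10.10.16.0 255.255.255.0 172.16.10.2
!
! ===== Option B: route on the ASA subinterfaces, no SVIs on the 3560X =====
! 3560X: VLANs exist only in the VLAN database; the uplink is an 802.1Q trunk.
! (Gi0/24 as the uplink port is an assumption, not from the thread.)
vlan 10
vlan 20
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
! ASA: the parent interface carries the trunk; each subinterface is the
! default gateway (.1) for its VLAN, so clients never point at the switch.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1.10
 vlan 10
 nameif Prod_USERS
 security-level 100
 ip address 172.16.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif Users
 security-level 100
 ip address 10.10.16.1 255.255.255.0
! Both subinterfaces sit at security-level 100, so the ASA drops traffic between
! them until same-security forwarding is enabled; the ACL (name assumed) then
! decides which inter-VLAN flows are allowed while everything else can go out.
same-security-traffic permit inter-interface
access-list USERS_IN extended deny ip 10.10.16.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list USERS_IN extended permit ip 10.10.16.0 255.255.255.0 any
access-group USERS_IN in interface Users
```

In Option A the inter-VLAN filtering Jon mentions would instead be an IOS ACL applied to the SVIs, since that traffic never reaches the ASA.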

So in this scenario, using subinterfaces on the inside network of the ASA, the default gateways are going to be the SVIs on the ASA. That makes sense to me now. Are there any other scenarios where you would use subinterfaces (excluding multiple contexts)?

justin.westover wrote:

So in this scenario, using subinterfaces on the inside network of the ASA, the default gateways are going to be the SVIs on the ASA. That makes sense to me now. Are there any other scenarios where you would use subinterfaces (excluding multiple contexts)?

The only real reason to use subinterfaces is when you run out of physical interfaces on the firewall. That is the most important point. You generally run out of physical interfaces when -

1) you literally don't have enough physical interfaces for all the DMZs you want to use

or

2) you want to firewall all internal vlans on the inside interface and so you need to split up the physical interface. Bear in mind that this is only, IMO, a solution for a small network setup where you have maybe 2 or 3 vlans. Subinterfacing a physical interface like this means less bandwidth/throughput per vlan. As already mentioned, a much better solution when you get to a certain number of vlans is simply to use a L3 switch for inter-vlan routing and the firewall to protect your LAN from the internet.

Jon
