10-06-2015 04:50 AM - edited 03-11-2019 11:42 PM
Hi,
I have a Nexus core with multiple VLANs configured on it. A Cisco ASA firewall is connected to the core using a port-channel and trunk.
How can I make all VLAN traffic routable on the firewall? Do I use an IP address on the port-channel interface? How will the firewall handle VLAN tags?
10-06-2015 05:03 AM
You will require a sub interface for each VLAN on the firewall, e.g.:
config term
interface Port-channel1.100 >> sub-interface for vlan 100
vlan 100 >> ASA syntax for the 802.1Q tag (IOS routers use "encapsulation dot1q 100" here)
nameif [name] >> an ASA sub-interface needs a name and security level before it passes traffic
security-level [0-100]
ip address [ip address] [mask]
exit
The following document has a more in depth explanation:
http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/14976-50.html
10-06-2015 05:09 AM
My core switch is layer 3, and all inter-VLAN routing is done by the core. Is there any way to just route traffic to the firewall instead of making a sub-interface for each VLAN on the firewall?
10-06-2015 05:13 AM
Yes, if your core switch is a layer 3 device you could create SVIs on the switch like so:
config term
interface vlan 100 >> for vlan 100
ip address [IP address] [mask]
then apply a default route up to the firewall from the core switch:
ip route 0.0.0.0 0.0.0.0 [interface towards firewall] [firewalls inside IP address]
SVI documentation:
http://www.cisco.com/c/en/us/products/collateral/routers/1800-series-integrated-services-routers-isr/prod_white_paper0900aecd8064c9f4.html
10-06-2015 06:00 AM
One more question please: if on the core I have a port-channel configured to the firewall, then in the default route do I specify the port-channel number or the physical port interface number as [interface towards firewall]?
10-06-2015 06:04 AM
I'm confident in saying the port channel interface.
10-06-2015 06:08 AM
I am facing the following error while configuring the default route towards the firewall, with both the port-channel interface and the physical interface:
% Pin-Interface cannot be a switchport
10-06-2015 06:09 AM
I will configure it on some lab equipment and let you know... give me some time please.
10-06-2015 07:22 AM
Hi Chris
Waiting for your response
10-06-2015 07:28 AM
If you are routing the VLANs on the Nexus switch then you don't need subinterfaces or VLAN tags on the firewall, in which case your default route should use the IP address of the interface on the firewall as the next hop IP.
Jon
10-06-2015 07:37 AM
Hi Jon,
I have a port-channel (vPC) between the Nexus and the ASA, and similarly a port-channel on the firewall side.
I made the port-channel interface the inside interface of the firewall and assigned an IP to it.
Now I made a default route on the Nexus pointing to the inside interface of the firewall:
ip route 0.0.0.0 0.0.0.0 192.168.200.1
But I am unable to ping 192.168.200.1 from the Nexus.
10-06-2015 07:43 AM
Are you running HSRP on the Nexus side ?
If so can you ping the VIP or either of the physical IPs from the ASA ?
Jon
10-06-2015 08:11 AM
Yep, you are right Jon. I am running HSRP on the Nexus side and am unable to ping any IP address on the Nexus, VIP or physical IP, from the ASA.
How do I configure this?
10-06-2015 08:52 AM
Hi Jon,
I'm waiting for your response. Thanks
10-06-2015 09:00 AM
Sorry, thought you had sorted it.
What troubleshooting have you done, i.e. are the HSRP interfaces up, are the physical interfaces up on all devices, what do the MAC address tables show when you try to ping, etc.?
Jon
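The following is an added configuration example, not posted by anyone in this thread, showing the design Jon describes end to end: the VLANs routed on the Nexus core with HSRP, a default route whose next hop is the ASA's inside IP rather than a Layer 2 port-channel, and the ASA's inside interface on its port-channel with a return route to the VLAN subnet. Only 192.168.200.1 (the ASA inside address) comes from the thread; VLAN 100 with 10.100.0.0/24, the transit VLAN 200, the Nexus addresses 192.168.200.2 and 192.168.200.254 (HSRP VIP), and port-channel number 10 are all assumed for the example.

```cisco
! ---- Nexus core, first vPC peer. The second peer mirrors this with its own
! ---- physical SVI addresses and a lower HSRP priority (assumption for the
! ---- example; only 192.168.200.1 comes from the thread).
feature interface-vlan
feature hsrp

! Port-channel facing the ASA stays Layer 2. The ASA's port-channel has no
! VLAN sub-interfaces, so it sends untagged frames: make this an access port
! in the transit VLAN rather than a trunk.
interface port-channel10
  switchport
  switchport mode access
  switchport access vlan 200
  vpc 10

! SVI for a user VLAN. The core is the gateway, so traffic between two
! user VLANs is routed here and never passes through the ASA.
interface Vlan100
  no shutdown
  ip address 10.100.0.2/24
  hsrp 100
    ip 10.100.0.1
    priority 110

! Transit SVI toward the ASA; the routed hop is this SVI, not port-channel10.
interface Vlan200
  no shutdown
  ip address 192.168.200.2/24
  hsrp 200
    ip 192.168.200.254
    priority 110

! Default route with an IP next hop. Naming the Layer 2 port-channel as the
! egress interface is what triggers "% Pin-Interface cannot be a switchport".
ip route 0.0.0.0/0 192.168.200.1

! ---- ASA
interface Port-channel1
  nameif inside
  security-level 100
  ip address 192.168.200.1 255.255.255.0

! Return route for the user VLAN subnet. Pointing at the HSRP VIP, not a
! peer's physical address, keeps the path valid when the active Nexus fails.
route inside 10.100.0.0 255.255.255.0 192.168.200.254
```

To verify, from the Nexus use "show hsrp brief" to confirm the transit VLAN group is active or standby on each peer, then "ping 192.168.200.1"; from the ASA use "show route" and "ping 192.168.200.254". If the VIP answers but the physical SVI addresses do not, check that the ASA port-channel members are bundled and that VLAN 200 is allowed on the vPC peer link. Keep in mind the security trade-off of this design: only traffic following the default route is inspected by the ASA, while east-west traffic between VLANs is routed on the core without firewall policy.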