10-06-2015 04:50 AM - edited 03-11-2019 11:42 PM
Hi,
I have a Nexus core with multiple VLANs configured on it. A Cisco ASA firewall is connected to the core using a port-channel and a trunk.
How can I make all VLAN traffic routable on the firewall? Will I use an IP address on the port-channel interface? How will the firewall handle VLAN tags?
10-06-2015 05:03 AM
You will require a sub-interface for each VLAN on the firewall, e.g.:
config term
interface Port-channel1.100        >> sub-interface for VLAN 100
 vlan 100                          >> tag for VLAN 100 (ASA syntax; "encapsulation dot1q" is the IOS equivalent)
 nameif vlan100                    >> the ASA needs a name and security level before the interface passes traffic
 security-level 100
 ip address [ip address] [mask]
exit
The following document has a more in-depth explanation:
http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/14976-50.html
10-06-2015 05:09 AM
My core switch is layer 3, and all inter-VLAN routing is done by the core. Is there any way to just route traffic to the firewall instead of making a sub-interface for each VLAN on the firewall?
10-06-2015 05:13 AM
Yes, if your core switch is a layer 3 device you could create SVIs on the switch like so:
config term
feature interface-vlan             >> NX-OS needs this enabled before SVIs can be created
interface vlan 100                 >> SVI for VLAN 100
 no shutdown
 ip address [IP address] [mask]
then apply a default route up to the firewall from the core switch:
ip route 0.0.0.0/0 [interface towards firewall] [firewall's inside IP address]   >> NX-OS prefix form; the interface must be a routed (no switchport) interface, or leave it out and give only the next-hop IP
SVI documentation:
http://www.cisco.com/c/en/us/products/collateral/routers/1800-series-integrated-services-routers-isr/prod_white_paper0900aecd8064c9f4.html
10-06-2015 06:00 AM
One more question please: if at the core I have a port-channel configured with the firewall, then in the default route will I mention the port-channel number or the physical port interface number for [interface towards firewall]?
10-06-2015 06:04 AM
I'm confident in saying the port channel interface.
10-06-2015 06:08 AM
I am facing the following error while configuring the default route towards the firewall, with both the port-channel interface and the physical interface:
% Pin-Interface cannot be a switchport
10-06-2015 06:09 AM
I will configure it on some lab equipment and let you know... give me some time please.
10-06-2015 07:22 AM
Hi Chris,
Waiting for your response.
10-06-2015 07:28 AM
If you are routing the VLANs on the Nexus switch then you don't need sub-interfaces or VLAN tags on the firewall.
In which case your default route should use the IP address of the interface on the firewall as the next-hop IP.
Jon
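As an added illustration of the design Chris and Jon describe (not configuration from this thread), here is a minimal pair of configs for a single Nexus core with one routed port-channel to the ASA; the VLAN subnets, the 192.168.200.0/30 link and all interface numbers are assumed values. It also adds the piece a practitioner usually forgets: the ASA needs routes back to the VLAN subnets, since they are no longer directly connected to it.

```text
! --- Nexus core (NX-OS): SVIs route the VLANs, the ASA never sees VLAN tags ---
feature interface-vlan
!
interface Vlan100
  no shutdown
  ip address 10.1.100.1/24          ! default gateway for VLAN 100 hosts
!
interface Vlan200
  no shutdown
  ip address 10.1.200.1/24          ! default gateway for VLAN 200 hosts
!
! Routed (no switchport) port-channel towards the ASA; members must match
interface Ethernet1/1
  no switchport
  channel-group 10 mode active
interface Ethernet1/2
  no switchport
  channel-group 10 mode active
interface port-channel10
  no switchport
  ip address 192.168.200.2/30
!
! Default route with an IP next hop (naming a switchport interface here is
! what produces "% Pin-Interface cannot be a switchport")
ip route 0.0.0.0/0 192.168.200.1

! --- ASA: one routed port-channel as "inside", no sub-interfaces needed ---
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/2
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.252
!
! Return routes: the VLAN subnets sit behind the core's link address, so
! without these the ASA would send replies for 10.1.x.0/24 out its default route
route inside 10.1.100.0 255.255.255.0 192.168.200.2
route inside 10.1.200.0 255.255.255.0 192.168.200.2
```

A quick check after applying this is to ping 192.168.200.1 from the Nexus and 10.1.100.1 from the ASA; if the first works and the second does not, the missing piece is almost always the return routes on the ASA.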
10-06-2015 07:37 AM
Hi Jon,
I have a port-channel (vPC) between the Nexus and the ASA, and similarly a port-channel on the firewall side.
I made the port-channel interface the inside interface of the firewall and assigned an IP to it.
Now I made a default route on the Nexus pointing to the inside interface of the firewall:
ip route 0.0.0.0 0.0.0.0 192.168.200.1
But I am unable to ping 192.168.200.1 from the Nexus.
10-06-2015 07:43 AM
Are you running HSRP on the Nexus side ?
If so can you ping the VIP or either of the physical IPs from the ASA ?
Jon
10-06-2015 08:11 AM
Yep, you are right Jon. I am running HSRP on the Nexus side and am unable to ping any IP address on the Nexus, VIP or physical IP, from the ASA.
How do I configure this?
10-06-2015 08:52 AM
Hi Jon,
I'm waiting for your response. Thanks.
10-06-2015 09:00 AM
Sorry, I thought you had sorted it.
What troubleshooting have you done, i.e. are the HSRP interfaces up, are the physical interfaces up on all devices, what do the MAC address tables show when you try to ping, etc.?
Jon