Hi again!
let me give you some information.
First of all, the L3 switch, is doing VLAN Routing, and as default gateway, has IP address of Interface Fa0/1 of Cicso ASA 5510 (inside interface).
All the servers will be running as virtual machines...as in diagram.
Servers will run on VLAN 5.
Now, one of the server that is a virtual machine, will be on DMZ (with yellow).

And here my quesiton comes?
have i to create another VLAN (vlan 10 for example on L3 switch), with no IP address, and connect ASA 5510 fa0/2 to one of its interfaces on VLAN 10, also, the server for dmz?
Regards!

Hi,

I am not quite sure how the connection between the actual virtual server and the L3 switch is done but the main thing here is that the connection from the DMZ server all the way to the ASA interface Fa0/2 has to be L2. You wont be configuring any "interface Vlan10" on the L3 switch.

If we take for example a situation where you would connect a DMZ Server directly to some port on the L3 switch then you would configure that physical interface as an Access Mode port for Vlan10 and you would also configure another port that will be connected to the ASA Fa0/2 as an Access Mode port for Vlan10. This should pretty much be it. This will mean that the traffic from the DMZ server will go to the ASA which is its default gateway effectively isolating the server from the rest of the internal Vlans.

I am not sure but I guess it might even be that your virtual machines are connected by Trunk to your L3 switch? In that case naturally Vlan10 would be on that Trunk but the interface leading to the ASA Fa0/2 would still be an Access Mode port for Vlan10.

Hope this made sense and helped

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed though.

- Jouni

Why i don't have to configure another VLAN 10 on L3 Switch?

put some ports on it as access ports, and put these ports to VLAN 10.
Then, the fa0/2 from Cisco ASA 5510 connect to one of these ports on VLAN 10 and put some the server on DMZ to another port of this VLAN 10.
What is wrong with this design?
Regards!

Hi,

As I said, you wont configure "interface Vlan10" as this would only be required for L3 purposes which is not the goal here.

You will however naturally create the L2 Vlan10. I was talking about the L3 interface as the thing you wont need to configure. If you configured a L3 Vlan interface with an IP address then traffic flow from the DMZ would be affected.

You just have to make sure that the L2 Vlan10 is created on the switch and its configured all the way from the interface connected to the server to the interface which connects to the ASA.

- Jouni

I'll create VLAN 10 on Switch L3, but i will not put any IP Address to it.
Is this correct?

Hi,

You wont need the "interface Vlan10" as its only for L3 purposes. Your actual L2 Vlan10 wont need the interface and without and IP address I dont think it really serves any purpose in this situation.

So for example in a Cisco switch where you have Vlan10 and 2 Access Mode ports

vlan 10

  name DMZ

interface GigabitEthernet0/10

  description DMZ Server

  switchport mode access

  switchport access vlan 10

  switchport nonegotiate

  spanning-tree portfast

interface GigabitEthernet0/10

  description DMZ link to ASA

  switchport mode access

  switchport access vlan 10

  switchport nonegotiate

  spanning-tree portfast

Or something like the above. As you can see we didnt configure any "interface Vlan10" as its not needed.

Naturally the actual interface configurations depends on the device you are using and how the server is connected to that device.

- Jouni

Yes, i mean only to create the VLAN (as you have done in description)

NO IP Address to it.

So the question is...
Will be any issues with this scenario?
Or everything is good.
Regards!

Hi,

Well you wont configure IP address anywhere as we are not configuring anything related to L3 on the switch.

What I have done above is create the L2 Vlan10 and assigned 2 switchports to this Vlan10.

Naturally the actual configurations you should enter depend on how the new DMZ server is connected to the switch? Is the Vlan10 perhaps added to some trunk interface that is connected to some server hardware which runs the virtual servers or will the DMZ server actually have its own physical access port.

This setup should work. Naturally I have not seen your actual configurations but the basic idea is to have the DMZ server on Vlan10 and have a connection from Vlan10 to the interface Fa0/2 of ASA where the actual gateway IP address is configured.

All traffic from the DMZ network to any other network OR any traffic destined to the DMZ network has to go through the ASA so you will be able to control traffic from and to the DMZ network as was the idea to my understanding.

- Jouni

Thank you Jouni,

• You can configure the new interface on the ASA and connect it to the L3 switch on an Access Mode port that belongs to a new DMZ Vlan. If your L3 switch is doing routing then you cannot configure any Vlan interface with IP address on the L3 switch for this new DMZ Vlan.

I had a DMZ vlan interface on my L3 switch. I'm glad I ran into your post. Wiped the DMZ SVI and everything worked as I expected.