11-17-2022 04:31 AM
I have a layer 3 switch (Cisco Catalyst 3560) with multiple VLANs configured on it, and I connect this switch to the inside interface of an ASA 5510 (default VLAN IP). All VLANs have an L3 interface with an IP address, and for the clients the default gateway is the IP address of the VLAN interface.
My goal is to make all VLANs go through the firewall and have the ASA route between VLANs, not the Layer 3 switch.
The inside interface of the firewall can access only one VLAN (default). I don't want to create subinterfaces on the ASA.
I want to keep all L3 VLAN interfaces on the switch because of the default gateway of the clients and just route traffic on the ASA for Internet access (default route) and create policies for traffic between VLANs.
If I create static routes for the VLANs between the switch and the ASA and back and create the policies between subnets (VLANs), can this topology work? If IP routing is disabled on the L3 switch, will the default route to the ASA work for the VLAN (not default VLAN) clients?
11-17-2022 04:49 AM
If you want to do filtering between VLANs, that traffic should go through the ASA. If the switch is doing the routing part, traffic will not reach the ASA (because preference goes to directly connected interfaces). If you disable switch routing, the default route also will not work.
11-17-2022 05:49 AM
Okay, that means I need to create subinterfaces for the VLANs on the ASA and eliminate the L3 interfaces on the switch (except the default VLAN). But what about the default gateway of the clients of the VLANs? Do I have to set the IP address of the subinterfaces to the same as it was on the VLAN interfaces of the switch?
11-17-2022 07:35 AM
Correct - no SVIs on the switch (except for management). All default gateway addresses are on the ASA subinterfaces. The physical interface is a trunk on the switch side and the ASA will tag the VLANs according to the VLAN IDs on the subinterface configurations.
11-17-2022 08:54 AM
Yes, that's right.
11-17-2022 05:11 AM
Agree with @Kasun Bandara. You need to either use subinterfaces or a physical interface per VLAN to achieve what you want.
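The layout the replies converge on (SVIs removed from the 3560 except management, IP routing off, a dot1q trunk to the ASA, one ASA subinterface per VLAN holding the client default gateway, and inter-VLAN policy enforced by ASA ACLs), written out as an added configuration example. This is not configuration from any of the posters or from Cisco documentation; the VLAN IDs, interface names, subnets and addresses are assumed placeholders, and the Internet next hop is a labelled placeholder.

```cisco
! ===== Catalyst 3560 (assumed example, not the poster's config) =====
! Routing is done by the ASA, so the switch becomes pure L2 except for management.
no ip routing
!
! Only SVI left: management on the default VLAN (assumed 192.168.1.0/24).
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
ip default-gateway 192.168.1.1
!
! All other SVIs are removed so the switch cannot short-circuit inter-VLAN traffic.
no interface Vlan10
no interface Vlan20
!
! Uplink to the ASA: dot1q trunk carrying the client VLANs (VLAN 1 stays native/untagged).
interface GigabitEthernet0/1
 description Trunk to ASA 5510 Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
!
! Example client port in VLAN 10.
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
!
! ===== ASA 5510 (assumed example, not the poster's config) =====
! Physical interface keeps the untagged management VLAN and hosts the tagged subinterfaces.
interface Ethernet0/1
 description Trunk to Catalyst 3560 Gi0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! One subinterface per VLAN; its address is the clients' default gateway
! (the same address that was on the switch SVI before it was removed).
interface Ethernet0/1.10
 vlan 10
 nameif vlan10
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif vlan20
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
! Equal security levels block traffic by default; allow it so the ACLs below decide.
same-security-traffic permit inter-interface
!
! Inter-VLAN policy: VLAN 10 may reach VLAN 20 only on TCP/443, everything else to
! VLAN 20 is dropped and logged, and the rest (Internet via the default route) is allowed.
access-list VLAN10_IN extended permit tcp 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0 eq 443
access-list VLAN10_IN extended deny ip 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0 log
access-list VLAN10_IN extended permit ip 10.0.10.0 255.255.255.0 any
access-group VLAN10_IN in interface vlan10
!
! Default route toward the Internet; the next hop is a placeholder.
route outside 0.0.0.0 0.0.0.0 <ISP_NEXT_HOP_PLACEHOLDER> 1
```

No static routes are needed between the switch and the ASA in this design: every client subnet is directly connected to an ASA subinterface, so the ASA routes between them itself, and the switch only needs `ip default-gateway` for its own management traffic. The `log` keyword on the deny entry gives visibility into blocked inter-VLAN attempts via syslog, which is worth keeping when first tightening the policy.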