Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
781
Views
0
Helpful
5
Replies

L3 switch with VLAN-s, IP routing disabled and ASA

tibi01
Level 1
Level 1

‎11-17-2022 04:31 AM

I have a layer 3 switch (Cisco Catalyst 3560) with multiple vlans configured on it, and connect to this switch to the inside interface of ASA 5510 (default VLAN IP) All vlan have L3 interface with IP address, and for the clients the default gateway is the IP address of the VLAN interface.
My goal is make all vlans can go through firewall and asa route beetween VLAN-s not Layer3 switch.
Inside interface of firewall can access only one vlan (default). I don't want to create subinterfaces on asa.
I want to keep all L3 vlan interfaces on switch because off the default gateway of the clients and just route traffic on asa for Internet access (deafult route) and create policies for traffic beetween vlan-s.
If I create static routes for the VLAN-s beetween switch and asa and back and create the policies beetween subnets (vlans) is this topology can work? If the ip routing will be disabled on the L3 switch, the default route to the ASA will work for the VLAN (not default VLAN) clients?

0 Helpful
5 Replies 5

Kasun Bandara
VIP
VIP

‎11-17-2022 04:49 AM

if you want to do filtering between VLANs, that traffic should go though the ASA. if switch doing the routing part, traffic will not reach the ASA (because  preference goes to directly connected interfaces). if you disabled switch routing, default route also will not work.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
0 Helpful

tibi01
Level 1
Level 1
In response to Kasun Bandara

‎11-17-2022 05:49 AM

Okay, That means I need to create subinterfaces for VLAN-s on ASA, eliminate the L3 interfaces on switch (except default VLAN). But what about default gateway of the clients of the VLAN-s? Do I have to set the IP address of the subinterfaces to same as it was on the vlan interfaces of the switch?

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to tibi01

‎11-17-2022 07:35 AM

Correct - no SVIs on the switch (except for management). All default gateway addresses are on the ASA subinterfaces. The physical interface is a trunk on the switch side and the ASA will tag the VLANs according to the VLAN IDs on the subinterface configurations.

0 Helpful

Kasun Bandara
VIP
VIP
In response to tibi01

‎11-17-2022 08:54 AM

yes thats right.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-17-2022 05:11 AM

Agree with @Kasun Bandara . You need to either use subinterfaces or a physical interface per VLAN to achieve what you want.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card