07-12-2013 04:46 AM - edited 03-11-2019 07:11 PM
Hi,
The management VLAN on a network needs to be created on the ASA. Is this feasible?
How easy would it be to do this?
The network topology is as follows:
WAN >> ASA >> Core Switch >> Edge Switches
       |
       v
      DMZ
The DMZ is attached to the ASA.
How should we go about creating our network management VLAN on the firewall?
Appreciate all help. Thanks.
07-12-2013 06:25 AM
Just build a new zone off of its own interface. Assign it a security level and access-lists consistent with what you want it to be able to reach.
07-12-2013 08:29 AM
Thanks.
So assume I build an interface on the ASA as below:
interface GigabitEthernet0/0
 nameif MGT
 security-level 50
 ip address 192.168.100.1 255.255.255.0
 no shutdown
Now the edge & core switches will be assigned an IP from this range, e.g. 192.168.100.5 for the core switch.
The link between the firewall and the core switch will be a Layer 3 port channel.
If I have to define the mgmt IP on the core and edge switches, what VLAN should I be using for them on the switches?
Can I use the following configs on the core & edge switch for the mgmt interface?
(using VLAN 100 for the mgmt interface on the switches)
interface Vlan100
 ip address 192.168.100.5 255.255.255.0
 no shutdown
Is this correct? Appreciate all help.
07-12-2013 10:56 AM
Hello Suthomas,
All that matters is that the VLAN you set on these devices is a dedicated VLAN for management purposes, where if a user on a different VLAN wants to reach that VLAN it must be routed through an L3 device where you can filter the traffic, etc.
You can use VLAN 100 or whatever VLAN you want. That will not affect anything; just remember to use a dedicated VLAN just for the management traffic.
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
07-12-2013 02:41 PM
If you give the management VLAN its own physical interface, then the ASA is the gateway for that VLAN and it must have a connected Layer 2 spanning tree to all the other hosts (or SVIs) on that same VLAN. If you are using a layer 3 portchannel from your switches to the ASA, that is not a setup in which you would use a dedicated interface.
You didn't mention - is your ASA a 5505 with built-in switch or higher model without that feature?
07-13-2013 03:43 AM
Thanks, the ASA is a 5585-X with about 8 gig ports & 4 10gig ports.
So, can I please request how to actually configure this in my network, with a small sample configuration for my understanding?
Thanks in advance.
07-13-2013 06:34 AM
Assuming you want your ASA to be the gateway for your management VLAN and assuming you want the same management network for your managed devices and management systems, you would most likely use a subinterface on the ASA-core switch.
Working from those assumptions, currently ASA - inside interface - core switch is a plain routed interface on the ASA. It would change to:
! Physical interface becomes a plain 802.1Q trunk carrying the subinterfaces
interface GigabitEthernet0/0
 description Trunk interface for Inside and management
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Inside VLAN subinterface (VLAN ID and address were not given in the thread; placeholders)
interface GigabitEthernet0/0.1
 description Inside VLAN subinterface
 vlan <inside-vlan-id>
 nameif inside
 security-level 0
 ip address <inside-ip> <inside-mask>
 no shutdown
!
! Management VLAN subinterface; the ASA is the gateway for 192.168.100.0/24
interface GigabitEthernet0/0.2
 description Management VLAN subinterface
 vlan 100
 nameif management
 security-level 10
 ip address 192.168.100.1 255.255.255.0
 no shutdown
Your core switch would change its interface facing the ASA from an access port to a trunk. You would ensure that VLANs for production (VLAN of current traffic) and management traffic (VLAN 100) were allowed on the trunk.
If you want non-management network devices and systems to talk to the management network, you'll need to add routing and potentially access-list bits to accommodate that.
07-14-2013 08:10 PM
Thanks Marvin.
How should I configure the core switch interface with the ASA? Will a Portchannel be OK between them? I was thinking of using a Layer 3 Portchannel for routing purposes.
If I use a trunk, what would the configuration look like, as we intend to use two ports on either side of the ASA & core switch to interface this link?
Appreciate all help.
07-15-2013 06:40 AM
Your switch can use a simple Layer 2 trunk. If you want to add multiple links and use an Etherchannel, I'd still stick with Layer 2. If you go Etherchannel (Layer 2 or Layer 3), your ASA configuration will have to take that into account.
The ASA configuration guide steps you through all of the various steps and considerations in setting up an Etherchannel here.
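As an added example (not configuration from any poster in this thread), this is what the two-port Layer 2 EtherChannel trunk described above could look like on both ends: the core switch side with the management SVI and a locked-down VTY, and the ASA 5585-X side with the management subinterface moved onto the port-channel. Port names, the inside VLAN number (10) and LACP mode are assumptions; the management addresses are the ones used in the thread.

```cisco
! --- Core switch (IOS); port numbers are assumed ---
vlan 100
 name MGMT
!
interface range GigabitEthernet1/0/1 - 2
 description LACP members toward ASA Gi0/0 and Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,100
 channel-group 1 mode active
!
interface Port-channel1
 description Layer 2 trunk to ASA: inside VLAN 10 (assumed) + management VLAN 100
 switchport mode trunk
 switchport trunk allowed vlan 10,100
!
interface Vlan100
 description Management SVI; gateway is the ASA management subinterface
 ip address 192.168.100.5 255.255.255.0
!
ip default-gateway 192.168.100.1
!
! Switch management plane: SSH only, and only from the management subnet
ip access-list standard MGMT-HOSTS
 permit 192.168.100.0 0.0.0.255
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! --- ASA 5585-X: the same two links bundled, subinterfaces on Port-channel1 ---
interface GigabitEthernet0/0
 channel-group 1 mode active
 no nameif
 no ip address
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no ip address
interface Port-channel1
 no nameif
 no ip address
! Inside subinterface (Port-channel1.10) follows the same pattern and is omitted here
interface Port-channel1.100
 vlan 100
 nameif management
 security-level 10
 ip address 192.168.100.1 255.255.255.0
```

`ip default-gateway` only applies while the switch is not routing; if the core does route the user VLANs, a VLAN 100 SVI lets users reach the management subnet through the core instead of the ASA, so add an ACL on the user SVIs (or on Vlan100) to keep that path through the firewall where it is filtered.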