Multiple VLANs and Gateways

pvameluso
Level 1

Sorry for this question but my knowledge of switching and routing is still growing.

We have an HP ProCurve 5412zl switch as our default gateway for all our VLANs; from there the traffic will be going to a Cisco ASA 5515 and then to a Cisco 3800 router, then to our ISP.

We have yet to purchase the ASA but my question is about my future configuration. I will have the route of last resort on the 5412zl set up to point to the ASA inside interface; how does that work with multiple VLANs? For instance the ASA inside interface would be 10.0.0.1 but traffic could come from another VLAN via the switch with a 192.168.1.x address. Would the ASA just pass it on to the router? Or would it consider this spoofing and drop the packet?

Lastly, if we have WCCP set for the ASA's inside interface, how would it handle the redirect for multiple VLANs' IP addresses? Would I use GRE for the redirect to my web filter?

If this is the wrong forum for this question please help me find the right one lol.


4 Replies

Jouni Forss
VIP Alumni

Hi,

If I understood you correctly the situation is this (or will be this)

  • You have an L3 switch behind the ASA that will be the default gateway for all your different local VLANs
  • You will attach the ASA between the L3 switch and your Internet router in routed mode
  • You will have a link network between the L3 switch and the ASA and will have a default route forwarding all the local VLAN network traffic to the ASA through that link network.

If the above is the case then there should be no problem whatever the source network is behind the ASA. You simply need a route for each of the LAN networks on the ASA pointing to the L3 switch (the switch's IP address on that link network). The ASA doesn't really care what the VLAN on the HP switch is, as the VLANs aren't trunked to the ASA.

At least in Ironport's case where you use WCCP, to be able to control traffic for all of the VLAN/LAN networks behind the ASA, the Ironport device should be (to my understanding) connected to the link network between the ASA and the L3 switch.

Of course the downside to this setup is that you can't use the ASA to control the traffic between the VLANs, as the VLAN gateways are not on the ASA.

Otherwise things should be ok.

- Jouni

Ok. Thanks. Based on what you mentioned does this make sense?

My L3 Switch configuration look like this:

VLAN 1: 10.0.1.1 - link network connected to my ASA

VLAN 2: 172.16.10.1

VLAN 3: 192.168.1.1

Those addresses are all the default gateways for each VLAN.

The ASA will sit on the 10.0.x.x network with the inside address set to 10.0.1.2. I have the route of last resort on the L3 switch set up as 0.0.0.0 0/0 10.0.1.2

On the ASA I would create routes like this:

For VLAN 2: ip route 172.16.10.0 255.255.255.0 10.0.1.1

For VLAN 3: ip route 192.168.1.0 255.255.255.0 10.0.1.1

Does that make sense? Did I write those commands right? I always mess up route commands.

As for the WCCP you mentioned:

"To be able to control traffic for all of the Vlan/LAN networks behind the ASA then the Ironport device should be (to my understanding) connected to the link network between the ASA and the L3 switch."

So the 10.0.x.x network? I'm going with a Websense appliance and will set its WCCP interface to 10.0.1.3. Is that what you meant there?

I'm currently using ACLs to control traffic between VLANs on the switch. It sucks but works fine.

Hi,

Should be no problem with the setup mentioned above.

The configuration format for ASA routing is a bit different from the IOS routers.

route

I guess VLAN 1 would be your link between the L3 switch and ASA? If so, avoid using any other devices on that network (other than possibly Websense). This is because if you attach hosts on that link network you might run into some problematic situations with the ASA.

If the VLAN 1 network already has some hosts on it I would suggest creating a new VLAN/network just to be used between the ASA and the L3 switch.

Sadly I don't have that much experience with Websense/Ironport/etc., but I do remember that with the ASA you can only have one interface with WCCP, and therefore all the hosts whose traffic you want to control need to be behind that interface.

If you haven't dealt with the ASA before I would suggest getting the Configuration Guide and Command Reference for the software of your device (when you get it). Those documents help a lot with the configurations.

Here are example links to software version 8.6 (this should be the starting software for the new ASA 5500-X series):

Configuration Guide (8.4 and 8.6 Software)

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_intro.html

Command Reference (8.4 8.5 8.6 8.7 Softwares)

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/cli.html

Please do rate if you have found the information helpful, and naturally ask more and I'll try to answer as I can.

Naturally, when and if you get the ASA, don't hesitate to ask for help on the forums. Most configurations are usually done in the CLI format, so I would suggest getting used to it also. The other option is ASDM, which is a graphical user interface for the ASA firewall.

- Jouni
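As an added illustration of the routed-mode layout discussed in this thread (this is not configuration from the original posts, from Cisco or from HP documentation), here is how the two sides could look once a dedicated link VLAN is used between the 5412zl and the ASA. The VLAN number 10, the switch port A1, the ASA interface names, the outside addressing (203.0.113.0/29 from the documentation range), the 3800's address and the Websense address 10.0.1.3 are all assumptions; the ASA syntax is the 8.4/8.6-era CLI. The `ip verify reverse-path` line answers the spoofing question directly: without it the ASA forwards any inside source; with it, the per-VLAN return routes become mandatory, because the ASA drops an inside packet whose source it would route out a different interface.

```text
! ---- HP ProCurve 5412zl (L3 switch): assumed dedicated link VLAN 10 to the ASA ----
ip routing
vlan 10
   name "ASA-LINK"
   untagged A1
   ip address 10.0.1.1 255.255.255.0
   exit
vlan 2
   ip address 172.16.10.1 255.255.255.0
   exit
vlan 3
   ip address 192.168.1.1 255.255.255.0
   exit
! route of last resort towards the ASA inside address
ip route 0.0.0.0 0.0.0.0 10.0.1.2

! ---- Cisco ASA 5515-X (routed mode, 8.4/8.6 CLI) ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.2 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! ASA route syntax: route <interface> <network> <mask> <next-hop> [metric]
! Default route towards the 3800 router (assumed 203.0.113.1)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Return routes for every LAN VLAN behind the switch. The next hop is the
! switch's address on the link VLAN, not the VLAN gateway addresses.
route inside 172.16.10.0 255.255.255.0 10.0.1.1 1
route inside 192.168.1.0 255.255.255.0 10.0.1.1 1
!
! Optional anti-spoofing (uRPF). With this enabled the return routes above are
! required: a packet from 192.168.1.x arriving on inside is dropped unless the
! ASA's best route for 192.168.1.0/24 points back out the inside interface.
ip verify reverse-path interface inside
!
! Outbound PAT for the LAN networks (8.3+ object NAT), one object per VLAN
object network VLAN2-NET
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN3-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! WCCP: the ASA redirects on a single interface, inbound only, and the cache
! engine (assumed Websense at 10.0.1.3, sitting on the link VLAN) must be reached
! through that same interface. Redirected packets go to the cache encapsulated in GRE.
! Limiting the redirect list to the LAN subnets keeps the cache's own
! outbound fetches (source 10.0.1.3) from being redirected back to itself.
access-list WCCP-CLIENTS extended permit tcp 172.16.10.0 255.255.255.0 any eq www
access-list WCCP-CLIENTS extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.0.1.3 any
wccp web-cache redirect-list WCCP-CLIENTS group-list WCCP-SERVERS
wccp interface inside web-cache redirect in
```

After applying it, `show route` on the ASA should list the two inside static routes and the outside default, `show wccp` should show the cache engine as a member once it registers, and `show ip route` on the ProCurve should show the 0.0.0.0/0 entry via 10.0.1.2. Inter-VLAN traffic (172.16.10.0/24 to 192.168.1.0/24) never touches the ASA in this design; it is routed on the 5412zl, so the switch ACLs remain the only control point for it.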

Thanks again. Sadly I do have many hosts on VLAN 1. But I think I will create a new VLAN between the L3 switch and the ASA. I would also throw my Websense appliance on there.

I read about that limitation with WCCP but with this configuration I think I will be OK.

Thanks for the suggestions, I'm really excited about moving up in the networking world.  I also love these forums.  Nice people willing to help.
