Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2957
Views
15
Helpful
5
Replies

SVI communication through ASA

Go to solution
suthomas1
Level 6
Level 6

‎02-01-2018 05:31 PM - edited ‎02-21-2020 07:16 AM

Hello,

  

Following is the scenario;

ASA interface gi0/2 connects to a 3750 switch on gi1/0/9,gi1/0/9 on 3750x is trunked to permit all. 
gi2/0/11 on 3750x links to a 6500 switch on Te5/11 & is trunked to allow all.
This 6500 has an SVI 15 which needs to go out via the ASA.
(ASA has links to other switches which take it to outside world)
The goal is to ensure this SVI 15 on 6500 switch needs to go outside.

 

ASA :-

 

gi0/2 is sub-interface on ASA with vlan 25 being in security level 10.

interface GigabitEthernet0/2.25 
vlan 25 
nameif local 
security-level 10 
ip address 192.168.25.1 255.255.255.0

NAT rule > nat (local,outside) static 10.112.112.115
route outside 0.0.0.0 0.0.0.0 10.112.112.1

interface GigabitEthernet0/0 
description outside 
nameif outside 
security-level 0 
ip address 10.112.112.21 255.255.255.0

 

3750-x switch:-

interface GigabitEthernet1/0/9 
description ASA 
switchport trunk encapsulation dot1q 
switchport mode trunk

interface GigabitEthernet2/0/11 
description to Cisco C6500 Te5/11 
switchport trunk encapsulation dot1q 
switchport mode trunk 
spanning-tree bpduguard disable

 

6500 switch :-

 

interface TenGigabitEthernet5/11 
switchport 
switchport mode trunk 
switchport trunk allowed vlan 15

interface Vlan15 
description checks 
ip address 192.168.15.1 255.255.255.0

 

 

 Is there anything else i need to do so this subnet 192.168.15.x can communicate outside.

If i need a default route on the 6500, where should it be pointing to ?

Thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to suthomas1

‎02-03-2018 07:39 AM

The SVI serving that subnet and the VLAN itself can indeed be present only the 6500. You don't need to trunk it to your upstream switch or to the ASA. You're confusing L2 (VLANs and trunking) and L3 (IP addresses, subnets and routing)

 

A route (default or otherwise) does not ever point to a L2 interface. It needs to point to a L3 gateway. That gateway needs to be external to the 6500 and reachable from the ASA.

 

Assuming you don't extend the subnet and associated VLAN beyond the 6500 you need some other VLAN with associated SVI that can reach the target routing address. 

View solution in original post

5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-01-2018 06:17 PM

The SVI on the 6500 needs to talk to a gateway on the same subnet or else a connected interface on the same switch needs to point to the outbound route (default or otherwise).

 

Does the 6500 also have an interface on 192.168.25.x (probably not since you are only allowing VLAN 15 up the trunk)? If so, a default route to the ASA's 192.168.25.1 would be needed. 

 

The ASA would also need to know how to route traffic to VLAN 15. So a route statement on the ASA is also necessary.

Go to solution
suthomas1
Level 6
Level 6
In response to Marvin Rhoads

‎02-01-2018 07:23 PM - edited ‎02-01-2018 07:48 PM

 

Sorry, i have just edited my earlier reply which was incorrect.

No, the 6500 doesn't have an interface on 192.168.25.x.

 

Should the default route on 6500 be:- ip route 0.0.0.0 0.0.0.0 192.168.25.1 

 

Let me know please. thanks.

 

 

  

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to suthomas1

‎02-01-2018 07:52 PM

It won't be able to reach that gateway unless it has an interface (SVI) in that subnet and the associated VLAN is allowed up the link to the 3750X. Right now that is restricted by this:

 

switchport trunk allowed vlan 15

The route on the ASA would then point to that new SVI for reachability to the 192.168.15.x subnet.

Go to solution
suthomas1
Level 6
Level 6
In response to Marvin Rhoads

‎02-03-2018 07:28 AM

Sorry, i am unable to get further on this.

I want the SVI 15 on 6500 to be only present on 6500, so it becomes the gateway for few devices within that vlan 15. Is it possible to route this vlan 15 segment from 6500 across to the ASA (via the trunks), so it can communicate out. 

is putting a default route on 6500 pointing to te5/11 as exit interface workable, so it reaches out?

please help.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to suthomas1

‎02-03-2018 07:39 AM

The SVI serving that subnet and the VLAN itself can indeed be present only the 6500. You don't need to trunk it to your upstream switch or to the ASA. You're confusing L2 (VLANs and trunking) and L3 (IP addresses, subnets and routing)

 

A route (default or otherwise) does not ever point to a L2 interface. It needs to point to a L3 gateway. That gateway needs to be external to the 6500 and reachable from the ASA.

 

Assuming you don't extend the subnet and associated VLAN beyond the 6500 you need some other VLAN with associated SVI that can reach the target routing address. 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card