03-04-2019 10:14 AM
Sorry in advance if this is in the wrong section. First time posting, and I am hopelessly lost. I am fairly new to layer 3 switching and intervlan routing, and have unfortunately been handed a pretty complex task to solve.
Anyway, here is the setup:
ASA 5545X <Etherchannel> Catalyst 3850 (24XS) <trunk> Catalyst 3850 (x2 48XS backup failover) <trunk> Catalyst 3850 (x2 48XS backup failover)
I will refer to them as follows:
Firewall <EC1> ADM Switch <T1> TopOfRack1 (1&2) <T2> TopOfRack2 (1&2)
Each Top of Rack set of switches then has redundant trunks down to our hyperconverged server stack, and Rack 1 has access ports to workstations and the other vlan. Rack 2 just has access ports to some workstations.
To spare confusion, all Catalyst 3850 switches are set up with redundant trunks carrying all relevant tagged vlan traffic and the spanning tree is configured properly.
Vlan layout looks like this:
Vlan 10: Admin traffic stuff *also default vlan*
Network: 192.168.10.0/24
Vlan 20: Server "A" traffic
Network: 7.0.10.0/26
Vlan 30: Other traffic
Network: 7.0.10.64/26
Vlan 40: Server "B" traffic
Network: 7.0.10.128/26
Vlan 50: Workstation traffic
Network: 7.0.10.192/27
Vlan 60: Server "C" traffic
Network: 7.0.11.0/24
I also have a Vlan 99 that I was trying out, not sure if it's right though:
Vlan 99: Gateway?
Network: 7.0.10.224/27
I know that the easy solution would be to create sub-interfaces for each network on EC1 to the firewall; however, I do not want to route all that traffic through the firewall, as I have 10G trunks between all the switches and 40G uplinks from the servers, but only a total throughput of 3 Gbps on the firewall. I only have a requirement to perform stateful packet inspection between Vlan 10 and all others, and between Vlan 20 and Vlan 60. Additionally, Vlan 40 should not really be able to see any network other than Vlan 10, and it needs to go through the firewall to do so.
Here is the scenario I am trying to build:
Vlan 20 (Server "A" traffic) should be able to access its domain controller up in Vlan 10 (ADM). It should also be able to access Vlan 30 and Vlan 50, but not Vlan 40. Additionally, Vlan 20 should be able to reach Vlan 60, but traverse the firewall to do so. I am required to go through the firewall for Vlan 10 to Vlan 20, but I want to take advantage of intervlan routing for Vlan 20-50 since those are all connected via 10+ Gbps connections.
Presently, the ip routes on one of the switches look like this:
S*    0.0.0.0/0 [1/0] via 7.0.10.241
      7.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        7.0.10.0/26 is directly connected, Vlan 20
L        7.0.10.2/32 is directly connected, Vlan 20
C        7.0.10.64/26 is directly connected, Vlan 30
L        7.0.10.66/32 is directly connected, Vlan 30
C        7.0.10.192/27 is directly connected, Vlan 50
L        7.0.10.194/32 is directly connected, Vlan 50
C        7.0.10.224/27 is directly connected, Vlan 99
L        7.0.10.244/32 is directly connected, Vlan 99
S     192.168.0.0/16 via 192.168.0.1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan 10
L        192.168.0.8/32 is directly connected, Vlan 10
I was trying to see if having a /27 network with a gateway on the firewall and setting the GOLR to that would do anything... But it didn't.
The networks are set up with the following gateways, which were configured as a virtual address from configuring the standby adapters in the layer 3 interfaces:
Vlan 20:
7.0.10.1
Vlan 30:
7.0.10.65
Vlan 40:
7.0.10.129
Vlan 50:
7.0.10.193
The firewall presently has all networks configured to allow any -> any
The interfaces I have configured on the firewall are as follows, and I am pretty sure I am wrong here:
PortChannel1 (EC1) 192.168.0.1 255.255.255.0
PortChannel1.60 ("C" Servers) 7.0.11.1 255.255.255.0
PortChannel1.99 (Gty) 7.0.10.241 255.255.255.0
I think I am supposed to configure some static routes on the firewall, but I don't know where I need to start.
The first step I would like to achieve is getting a VM running on Vlan 20 to be able to see the domain controller up in vlan 10. I think once I have that, the rest will be easier to figure out.
I guess what I am unsure of is the following:
I can't easily get the running configs up here, so ask me for what you need, and I will post the relevant content.
Regards,
-Andrew
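As an added illustration (not the poster's configuration or code), the following script cross-checks the switch's connected routes against the firewall interfaces listed above. Its sample input is constructed from the values in the post (the Vlan 10 prefix is taken from the routing table, 192.168.0.0/24); it reports any firewall subinterface whose prefix overlaps a switch VLAN without matching it exactly, which is the kind of mask disagreement that makes the two devices treat the same hosts as local on one side and routed on the other, so traffic meant to be inspected can be delivered around the firewall's routing instead.

```python
import ipaddress
import re

# Constructed sample input: the 'C' lines of the switch's routing table and the
# firewall interfaces exactly as listed in the post above.
SHOW_IP_ROUTE = """\
C 7.0.10.0/26 is directly connected, Vlan 20
L 7.0.10.2/32 is directly connected, Vlan 20
C 7.0.10.64/26 is directly connected, Vlan 30
C 7.0.10.192/27 is directly connected, Vlan 50
C 7.0.10.224/27 is directly connected, Vlan 99
C 192.168.0.0/24 is directly connected, Vlan 10
"""
FIREWALL_IFACES = {
    "PortChannel1": ("192.168.0.1", "255.255.255.0"),
    "PortChannel1.60": ("7.0.11.1", "255.255.255.0"),
    "PortChannel1.99": ("7.0.10.241", "255.255.255.0"),
}

# 'C' = connected route; 'L' (local /32) and 'S' (static) lines are skipped.
CONNECTED_RE = re.compile(r"^C\s+(\S+)\s+is directly connected,\s+(.+?)\s*$")


def parse_connected(output):
    """Map each switch interface to the IPv4 prefix it is connected to."""
    nets = {}
    for line in output.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            nets[m.group(2)] = ipaddress.ip_network(m.group(1), strict=False)
    return nets


def find_overlaps(switch_nets, fw_ifaces):
    """Report firewall interfaces whose prefix overlaps a switch VLAN prefix
    without being identical: the two devices disagree on the subnet boundary,
    so hosts are 'directly connected' on one side and routed on the other."""
    findings = []
    for name, (addr, mask) in fw_ifaces.items():
        fw_net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for vlan, net in switch_nets.items():
            if fw_net.overlaps(net) and fw_net != net:
                findings.append((name, str(fw_net), vlan, str(net)))
    return findings


if __name__ == "__main__":
    for name, fw_net, vlan, net in find_overlaps(parse_connected(SHOW_IP_ROUTE), FIREWALL_IFACES):
        print(f"{name} {fw_net} overlaps switch {vlan} {net}")
```

On the posted values it flags only PortChannel1.99: its 255.255.255.0 mask makes the firewall treat the whole 7.0.10.0/24 as one local segment, which swallows the Vlan 20, 30, 50 and 99 prefixes that the switch routes separately.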
03-04-2019 12:36 PM
I'm also thinking that setting up primary and secondary vlans may help alleviate some of these issues. Again, super new to this stuff.