cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1210
Views
10
Helpful
11
Replies

ASA control traffic with VLAN-s

tibi01
Level 1
Level 1

Hello guys,

 

I have a problem with ASA. I attached the topology of the network. Now we have 2 core switches which are route within VLAN-s. Now I have to insert in these topology 2 ASA (active/standby). The goal is that the 2 ASA control the traffic beetween the VLAN-s instead of core switches (eliminate IP routing in the core switches) but ASA allow all traffic from and to the internet (The ASA doesnt have to filter the traffic of internet, only filter traffic beetween VLAN-s) . The question is what is the best choice to insert the two ASA in the topology with minimal modification of the topology and the configuration of the 2 core switches and how configure the interfaces of the ASA. Please help me.

11 Replies 11

W-ALI
Level 1
Level 1

I thing the best of logical connection ,
the ASA  be between the router & Core

in core the default route to ASA , or you can create the VLANs on ASA (Sub-interface)

on ASA you can control the traffic between VLANs & internet by QOS of service policy

Thank you for your reply. What do you think what is the better solution?  Route all VLAN subnets from core to ASA, on ASA control the traffic beetween VLAN-s and route back the VLAN-s to core, or create VLAN-s on ASA?

On ASA more security and more centralized with control,

but however that depends on business need and importance.

for example in my Co we created almost VLAN on ASA as I.T, finance , Guest , Management ...etc   

but we create some VLAN on Core as internal machine likes printer , fingerprint , Cameras & some Departments.

 

Okay, but you also control the traffic of printer, fingerprint, cameras. etc on ASA ?

that's depends on the destination ,

the internet & VLAN created on ASA , the Packets will pass through ASA.

from any VLAN created on Core to any VLAN created on Core , the packets not pass through ASA.

 

 

@W-ALI 


@W-ALI wrote:

on ASA you can control the traffic between VLANs & internet by QOS of service policy


Qos does not control routing path selection, it can however classify, mark police & shape traffic based on polcy


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


@paul driver wrote:
Qos does not control routing path selection, it can however classify, mark police & shape traffic based on polcy

yes, that's what I mean, control the traffic by service policy rule

rule.png

 

config the Edge SW have two three interface 
ONE Connect to ISP 
two other connect one for Active other for standby ASA
finally you will get two OUT for active ASA you can use load by PBR or use primary/backup ISP

for ASA OUT we talk about for IN 
config all VLAN with default GW point to Active ASA IN interface, 
make L2 SW connect to IN of both ASA 
and that it.

Hello

  • Create the asa cluster, with all the same L3 vlans thats on the 3650 stack but have them in a shutdown state,
  • Attach asa cluster to the 3650 stack via a L2/L3 EtherChannel and run all vlans across it, enabling just one l3 interface (mgt) on the for L3 routing between asa and L3 3650 stack, at this point all l3 is running on the 3650 and the ASA has full routing table providing you are running dynamic routing (OSPF)
  • Migrate each L3 svi off the 3650 by shutting that SVI down and enabling it on the ASA, once all l3 is on the asa, migrate any static routes and remove them from 3650
  • Finally disable ip routing on the 3650 stack, leaving just he MGT svi and L2/L3 EtherChannel trunk

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

Thank you for your reply, I understand this solution. I try to find a solution which require the minimal change of the current configuration of the core switches because these network has to work continously. So what is your opinion about this solution? WIll it work?

1. disable all VLAN3 interface on the core stack, except the default LAN.

2. attach the ASA cluster to the core stack via default LAN L3 interface

3. disable IP routing on core stack

4. route all traffic to ASA cluster

5. control traffic beetween VLAN-s on ASA by access policies

6. Route back the VLAN subnets from ASA to core stack

7. Route all other traffic from ASA to internet router

Tibor

 

 

Hello Paul

Any response?

Tibor

Review Cisco Networking for a $25 gift card