configure ASR Interface in VLAN

ambivert skill
Level 1

Hi ,

Actually I am new to this ASR. In my environment my 6513 is connected to the ASR, and I want to know how we can access and configure a VLAN on the Gigabit interface which is connected to the 6513.

Thank you

9 Replies

Bilal Nawaz
VIP Alumni

Hello Ambivert, what will this interface be providing? What will it be used for?

Layer 2 or layer 3?

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal, actually for the deployment of the FWSM I need to clear up the configuration part of the ASR. Is it necessary to put the interface of the ASR into a VLAN or not? Actually, in my opinion I don't think that we have to put its interface in a VLAN, because in my current configuration (without FWSM) on the 6513 the Gi9/44 is in VLAN 170 in L2 mode and traffic is moving fine to the Internet.

For your reference, the configuration on this interface of the ASR also doesn't have any VLAN info mentioned:

interface GigabitEthernet0/0/4
 description "My Network -Local"
 ip vrf forwarding ABC-PUB
 ip address 192.168.1.20 255.255.255.0
 ip access-group ABC in
 ip access-group ABC out
 load-interval 30
 negotiation auto

Actually the scenario is like this:

proxy (external int.) [IP: 192.168.1.30] --> Gi9/45 [6513, in VLAN 170] --> SVI VLAN 170 [IP: 192.168.1.10] --> Gi9/44 [in VLAN 170] --> ASR [IP: 192.168.1.20] --> Internet

##################################################################################################

As part of my configuration on the 6513, PBR is defined like this:

interface Vlan170
 description "PUBLIC IP VLAN"
 ip address 192.168.1.10 255.255.255.0
 ip policy route-map NAT
!
route-map NAT permit 10
 match ip address 101
 set ip next-hop 192.168.1.20

Also, please refer to the scenario of the network infrastructure that I have in the PDF.

Regards

Ambivert SKill

Hello Ambivert, this is extremely confusing, since you have two SVIs that are in the same address range? You will not be able to do this.

Could you please clarify further what you want to try and achieve please?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


My apologies for the confusion; I will try to clear up the doubt.

What do I want to try?

I want to deploy FWSM ver 3.2 in Transparent mode in my 6513 chassis, so regarding this deployment I have some doubts about the movement of traffic which I need to clear up.

My current scenario [without any FWSM] is like this:

7613 router --> 6513 --> proxy internal int. --> proxy external int. --> Gi9/45 (of 6513; this int. is in VLAN 170) --> SVI int. (170) --> Gi9/44 (of 6513; this int. is in VLAN 170) --> ASR --> Internet.

I want to deploy the FWSM in Transparent mode in this manner:

7613 router --> 6513 --> proxy internal int. --> proxy external int. --> Gi9/45 (of 6513; this int. is in VLAN 170) --> SVI int. (170) --> inside interface of firewall ---- outside interface of firewall --> Gi9/44 (of 6513; this int. is in VLAN 120) --> ASR --> Internet.

I want to make changes like this:

1. Inside interface of firewall: put this in VLAN 170, so it makes the traffic come into the firewall through SVI interface 170.

2. Create a new VLAN, suppose VLAN 120, on the 6513 and put the inside interface of the firewall and Gi9/44 into it, so that traffic will move out of Gi9/44 and will reach the Internet through the ASR.

Bilal, I didn't mention two SVI interfaces in my diagram; there is only one SVI, i.e. for VLAN 170.

Please let me know if the scenario is clear; then I will ask my query regarding this deployment.

Regards

Ambivert Skill

Hello Ambivert, I think I understand but I find the diagram very confusing.

Does this look like the traffic flow you want?

Please let me know if this is correct.

I'm also interested to know if you have any default routes and how your routing is set up. It's very unnatural to be doing policy-based routing in this kind of scenario. Normally you would have routing taking care of any outbound traffic, unless it's for special circumstances.

Thank you

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Thanks Bilal for your help. For your reference, please go through the diagrams in the PDF, which are as follows:

1. 6513 initial running configuration without any FWSM

2. 6513 with FWSM deployment planning.

I hope this will give a clearer picture of my scenario. Please have a look at them: the first one represents my current architecture and the second one represents the plan by which I want to deploy my FWSM on the 6513 chassis.

The points you want to know:

1. Do you have any default routes?

Yes, I have a default route in my config, which is as follows: "ip route 0.0.0.0 0.0.0.0 192.168.2.10"

2. How is your routing set up?

I have all static routes defined, and all traffic from them goes to 192.168.2.10 as mentioned in my default route, which is the inside interface of my proxy server; after NATing it comes to the PUBLIC VLAN 170 SVI interface. This flow can be seen in the PDF named "6513 Initial running configuration without any FWSM".

3. Explanation of policy-based routing in my environment.

As you can see below, my PBR configuration is defined like this:

# We define a route map named NAT and match it with extended ACL 101, define the next-hop address (which is my ASR IP) for all traffic that matches ACL 101, and apply this PBR on my SVI interface VLAN 170.

!
route-map NAT permit 10
 match ip address 101
 set ip next-hop 192.168.1.20
!
interface Vlan170
 description "PUBLIC IP VLAN"
 ip address 192.168.1.10 255.255.255.0
 ip policy route-map NAT
!

Please let me know of any point that I have to clear up from my end, and again thank you for your help.

Regards

Ambivert Skill

Okay, I see! Everything gets routed to your ISA, which does the NAT. Does it have a default route then of 192.168.1.10?

And then the FWSM will have two interfaces coming in and going out, but because it's in transparent mode, it's just a 'bump in the wire'.

The FWSM is bridging from VLAN 170 to VLAN 120? (I'm not sure how to do this.)
You will have 'double NAT' on the ISA and the ASR, I assume.

In principle it will work.

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Hello Ambivert,
After doing some reading, your solution can work.

All you need is a basic Layer 3 interface on the ASR that can route traffic to and from your ISA.

conf t
!
interface GigabitEthernet0/0/2
 description ## Vlan 120 FWSM ##
 ip address 192.168.1.20 255.255.255.0

These documents should be able to help you with regards to FWSM.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/switch_f.html#wpxref34592

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/exampl_f.html#wp1047426

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080959e83.shtml#configs

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwmode.html#wp1184961

Transparent Firewall Guidelines

Follow these guidelines when planning your transparent firewall network:
•The transparent FWSM uses an inside interface and an outside interface only.
•Each directly connected network must be on the same subnet.
•A management IP address is required for each context, even if you do not intend to use Telnet to the context.
The FWSM uses this IP address as the source address for packets originating on the FWSM, such as system messages or AAA communications.
The management IP address must be on the same subnet as the connected network.
•Do not specify the FWSM management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the FWSM as the default gateway.
•Each interface must be a different VLAN interface.
•For multiple context mode, each context must use different VLANs; you cannot share a VLAN across contexts.
•For multiple context mode, each context can use the same (overlapping) subnet or different subnets. Make sure that the upstream router performs NAT if you use overlapping subnets.
•Dynamic routing protocols are neither required nor supported.
You can, however, add static routes.
•NAT is not supported.
NAT is performed on the upstream router. However, you can configure some parameters available only in the static command. See the "Configuring Connection Limits for Non-NAT Configurations" section for more information.
•You must use an extended ACL to allow Layer 3 traffic, such as IP traffic, through the FWSM.
You can also optionally use an EtherType ACL to allow non-IP traffic through.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
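Putting the guidelines above together with the poster's planned layout (inside on VLAN 170 with the SVI, outside on a new VLAN 120 with Gi9/44 and the ASR), here is an added example of what the three devices would carry. This is not the poster's or Cisco's configuration; the FWSM slot number, vlan-group id, the FWSM management address 192.168.1.5 and the ACL name are assumptions.

```cisco
! ---- 6513 supervisor: hand both bridged VLANs to the FWSM ----
! Slot 3 and vlan-group 10 are assumptions for this example.
vlan 120
 name FWSM-OUTSIDE-TO-ASR
!
firewall vlan-group 10 170,120
firewall module 3 vlan-group 10
!
! Gi9/44 moves from VLAN 170 to VLAN 120. Gi9/45 and SVI 170 (with the
! existing "ip policy route-map NAT") stay as they are; VLAN 120 gets
! no SVI, so the MSFC touches the bridge group on one side only.
interface GigabitEthernet9/44
 switchport
 switchport mode access
 switchport access vlan 120
!
! ---- FWSM 3.x, single context, transparent mode ----
firewall transparent
!
interface Vlan170
 nameif inside
 security-level 100
!
interface Vlan120
 nameif outside
 security-level 0
!
! Management address (assumed: 192.168.1.5) on the shared /24. It is
! only a source address for the FWSM's own traffic (syslog, AAA); hosts
! keep 192.168.1.20 (the ASR) as their gateway, never this address.
ip address 192.168.1.5 255.255.255.0
!
! The FWSM permits nothing by default, so this extended ACL is the
! enforcement point: only the proxy's external address may initiate
! outbound flows; return traffic is matched statefully. ARP is bridged
! without an ACL; other non-IP EtherTypes stay blocked.
access-list INSIDE-OUT extended permit ip host 192.168.1.30 any
access-group INSIDE-OUT in interface inside
!
! ---- ASR: plain Layer 3 interface, now reached via VLAN 120 ----
interface GigabitEthernet0/0/4
 description "My Network -Local"
 ip vrf forwarding ABC-PUB
 ip address 192.168.1.20 255.255.255.0
 ip access-group ABC in
 ip access-group ABC out
```

The PBR next hop 192.168.1.20 is unchanged: the 6513 ARPs for it on VLAN 170, the FWSM bridges the ARP to VLAN 120, and the ASR answers from the far side of the bump in the wire.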

Thanks Bilal for all your support regarding this deployment. Now I think that I have got the solution for how to implement the FWSM in my environment; I am working on it and will let you know. Also, it's my humble request to guide me in future issues where I need your valuable feedback.

Regards

Ambivert Skill
