11-02-2021 03:50 PM
Hi all,
I am trying to build a new network at home based around a 5506-X and a 3560CX. I have got as far as allowing a device connected to the switch to reach the internet. The DHCP pools are on the ASA and are providing leases to clients on all VLANs; what I am trying to do is communicate between VLAN 10 and VLAN 30.
Could someone guide me in the direction to understand how to complete this? Is the routing between the VLANs completed within the switch or the firewall? Is there anything standing out that really shouldn't be there, or that really needs to be there that I am missing?
Cheers in advance.
5506-X Config:
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8.2
 vlan 2
 nameif inside_2
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1/8.10
 vlan 10
 nameif inside_10
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet1/8.20
 vlan 20
 nameif inside_20
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet1/8.30
 vlan 30
 nameif inside_30
 security-level 100
 ip address 10.0.30.1 255.255.255.0
!
interface GigabitEthernet1/8.100
 vlan 100
 nameif BCU_OEAP
 security-level 20
 ip address 10.0.100.1 255.255.255.0
!
object network inside_10
 subnet 10.0.10.0 255.255.255.0
 description Trusted Subnet
object network inside_20
 subnet 10.0.20.0 255.255.255.0
 description Media Subnet
object network inside_30
 subnet 10.0.30.0 255.255.255.0
 description Servers Subnet
object-group network inside_1030
 description Trusted and Servers Subnets
 network-object object inside_10
 network-object object inside_30
!
object network inside_10
 nat (inside_10,outside) dynamic interface
object network inside_20
 nat (inside_20,outside) dynamic interface
object network inside_30
 nat (inside_30,outside) dynamic interface
!
dhcpd address 10.0.99.100-10.0.99.200 IoT
dhcpd dns 8.8.8.8 8.8.4.4 interface IoT
dhcpd option 3 ip 10.0.99.1 interface IoT
dhcpd enable IoT
!
dhcpd address 10.0.0.2-10.0.0.100 inside_2
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_2
dhcpd option 3 ip 10.0.0.1 interface inside_2
dhcpd enable inside_2
!
dhcpd address 10.0.10.100-10.0.10.200 inside_10
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_10
dhcpd option 3 ip 10.0.10.1 interface inside_10
dhcpd enable inside_10
!
dhcpd address 10.0.20.100-10.0.20.200 inside_20
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_20
dhcpd option 3 ip 10.0.20.1 interface inside_20
dhcpd enable inside_20
!
dhcpd address 10.0.30.100-10.0.30.200 inside_30
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_30
dhcpd option 3 ip 10.0.30.1 interface inside_30
dhcpd enable inside_30
!
dhcpd address 10.0.100.100-10.0.100.200 BCU_OEAP
dhcpd dns 8.8.8.8 8.8.4.4 interface BCU_OEAP
dhcpd option 3 ip 10.0.100.1 interface BCU_OEAP
dhcpd enable BCU_OEAP
!
3560CX Config:
hostname Cisco_3560CX
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
ip routing
!
object-group network servers
 10.0.30.0 255.255.255.0
!
object-group network trusted
 10.0.10.0 255.255.255.0
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description Trusted VLAN
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Media VLAN
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description Server VLAN
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/4
 description OEAP
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/14
 description Trunk to ASA
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1,2,10,20,30,100
 switchport mode trunk
 no keepalive
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description New Native VLAN
 ip address 10.0.0.254 255.255.255.0
 ip helper-address 10.0.0.1
!
interface Vlan10
 description Trusted VLAN
 ip address 10.0.10.254 255.255.255.0
 ip access-group ACL_10_30 in
 ip helper-address 10.0.10.1
!
interface Vlan20
 description Media VLAN
 ip address 10.0.20.254 255.255.255.0
 ip helper-address 10.0.20.1
!
interface Vlan30
 description Server VLAN
 ip address 10.0.30.254 255.255.255.0
 ip access-group ACL_30_10 in
 ip helper-address 10.0.30.1
!
interface Vlan100
 description BCU_OEAP VLAN
 ip address 10.0.100.254 255.255.255.0
 ip helper-address 10.0.100.1
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 10.0.10.0 255.255.255.0 10.0.10.1
ip route 10.0.30.0 255.255.255.0 10.0.30.1
!
ip access-list extended ACL_10_30
 permit ip any any log
ip access-list extended ACL_30_10
 permit ip any any log
11-02-2021 09:35 PM
Hello @blinkydamo ,
the default gateway for each VLAN, according to the DHCP pools, is the ASA interface.
The ASA being a stateful firewall will not allow all communications between VLANs by default.
You have two options here:
a) change the DHCP pools configurations to provide a default gateway = switch SVI interface ip address
dhcpd option 3 ip 10.0.10.1 interface inside_10
you change it to:
dhcpd option 3 ip 10.0.10.254 interface inside_10
and you do this for all VLANs
b) you define extended ACLs to be applied inbound on ASA interface.
access-list ACL_inside_10_in extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.255.0.0
please note: ACLs on ASA are different from ACLs on routers; they do not use wildcard masks but subnet masks.
access-group ACL_inside_10_in in interface inside_10
similarly for all other ACLs.
To be noted: ASA uses the security level concept; traffic from a more trusted interface (higher security level) can go to a destination reachable out of a less trusted interface (lower security level) by default.
So without adding an ACL, from inside_30 you can ping all the other VLAN subnets because it has the highest security level.
Hope to help
Giuseppe
11-03-2021 11:06 AM - edited 11-03-2021 11:09 AM
I agree with Giuseppe that it would be better to change the DHCP pools to make the switch the default gateway for hosts in each vlan. There are several issues with having the ASA do the inter vlan routing. Among the issues are that both vlan 10 and 30 have security level 100. Even with an ACL to permit the traffic, the ASA, by default, will not allow traffic between interfaces with the same security level. You would need to add same-security inter-interface. You would be better off doing any inter vlan routing on the switch and only forwarding traffic to the ASA that is going outside.
You ask about commands that should not be there. I believe that these commands should not be used in the switch configuration:
1) ip route 10.0.10.0 255.255.255.0 10.0.10.1
ip route 10.0.30.0 255.255.255.0 10.0.30.1
subnets 10 and 30 are locally connected and do not need static routes.
2) You have helper-address configured on multiple vlan interfaces like this one
ip helper-address 10.0.0.1
In each case the helper address is in the local subnet. Any DHCP request is automatically handled within the local subnet. You only need a helper address if the DHCP server is in a remote subnet.
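The switch-routed design that both replies above recommend, written out as an added example; this is not the poster's config nor either replier's. It assumes a single transit subnet 10.0.0.0/24 (VLAN 2, carried untagged as the native VLAN of the existing trunk) between the 3560CX and the ASA, that the ASA's outside interface is named outside as the existing NAT statements reference, and that the DHCP pools move onto the 3560CX, because the ASA's dhcpd server only leases to clients on its own directly connected interfaces. The pool names VLAN10 and VLAN30, the object inside_all and the ACL ACL_VLAN100_IN are names chosen here. Only VLANs 10, 30 and 100 are written out; VLAN 20 follows the same pattern.

```cisco
! ===== ASA 5506-X: one routed transit interface toward the switch =====
! The sub-interfaces Gi1/8.10/.20/.30/.100, their dhcpd pools and the per-VLAN
! nat statements are removed; the physical port carries transit VLAN 2
! untagged, matching "switchport trunk native vlan 2" on the switch.
interface GigabitEthernet1/8
 nameif inside_2
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! The ASA reaches every inside network through the switch's SVI on VLAN 2.
route inside_2 10.0.10.0 255.255.255.0 10.0.0.254
route inside_2 10.0.20.0 255.255.255.0 10.0.0.254
route inside_2 10.0.30.0 255.255.255.0 10.0.0.254
route inside_2 10.0.100.0 255.255.255.0 10.0.0.254
!
! One PAT rule for everything behind the switch (name inside_all is assumed).
object network inside_all
 subnet 10.0.0.0 255.255.0.0
 nat (inside_2,outside) dynamic interface

! ===== 3560CX: inter-VLAN routing, DHCP and a single default route =====
ip routing
!
! Hosts now get the SVI as default gateway (assumed pool names VLAN10/VLAN30);
! .1-.99 and .201-.254 stay reserved, as the old ASA pools did.
ip dhcp excluded-address 10.0.10.1 10.0.10.99
ip dhcp excluded-address 10.0.10.201 10.0.10.254
ip dhcp pool VLAN10
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.254
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp excluded-address 10.0.30.1 10.0.30.99
ip dhcp excluded-address 10.0.30.201 10.0.30.254
ip dhcp pool VLAN30
 network 10.0.30.0 255.255.255.0
 default-router 10.0.30.254
 dns-server 8.8.8.8 8.8.4.4
!
interface Vlan2
 description Transit to ASA
 ip address 10.0.0.254 255.255.255.0
!
! The DHCP server is now local, so the helper addresses go.
interface Vlan10
 description Trusted VLAN
 ip address 10.0.10.254 255.255.255.0
 no ip helper-address 10.0.10.1
!
interface Vlan30
 description Server VLAN
 ip address 10.0.30.254 255.255.255.0
 no ip helper-address 10.0.30.1
!
! BCU_OEAP used to sit behind the ASA at security-level 20, which kept it
! from reaching the other VLANs. Once the switch routes, that isolation has
! to be expressed on the switch (ACL name assumed).
interface Vlan100
 description BCU_OEAP VLAN
 ip address 10.0.100.254 255.255.255.0
 ip access-group ACL_VLAN100_IN in
 no ip helper-address 10.0.100.1
!
ip access-list extended ACL_VLAN100_IN
 permit udp any any eq bootps
 deny   ip any 10.0.0.0 0.0.255.255 log
 permit ip any any
!
! The static routes for connected subnets go; only internet-bound traffic is
! handed to the ASA.
no ip route 10.0.10.0 255.255.255.0 10.0.10.1
no ip route 10.0.30.0 255.255.255.0 10.0.30.1
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

With this layout the ACL_10_30 and ACL_30_10 lists on the switch are where VLAN 10 to VLAN 30 policy lives; the ASA no longer sees that traffic at all. The trunk's allowed-VLAN list can be trimmed to VLAN 2 once the ASA sub-interfaces are gone, since the ASA has nothing listening on the other tags.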
11-07-2021 08:32 AM
Thanks guys. Sorry for the late reply.
The info above was really helpful, I now have a functioning network.
11-07-2021 10:29 AM
Hello
Just like to add that you could allow vlan to vlan communication from the ASA by enabling instead
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
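An added example (not from any of the posters) of the other route the replies describe: keeping the ASA as every VLAN's gateway, as the original config has it, and letting the ASA route between VLANs. It assumes the interface names, objects and security levels from the 5506-X config above; the ACL name INSIDE_20_IN and the ports 53 and 445 are chosen here for illustration.

```cisco
! inside_2, inside_10 and inside_30 are all security-level 100. Without this
! command the ASA drops VLAN 10 <-> VLAN 30 even though no ACL denies it.
same-security-traffic permit inter-interface
!
! inside_20 (Media, level 50) cannot initiate to the level-100 networks by
! default. Once an ACL is bound to the interface, the security-level default
! no longer applies there, so the list has to say explicitly what the media
! hosts may reach internally, deny the rest of 10.0.0.0/16, and then permit
! internet traffic, otherwise the implicit deny at the end cuts that off too.
access-list INSIDE_20_IN extended permit udp 10.0.20.0 255.255.255.0 object inside_30 eq 53
access-list INSIDE_20_IN extended permit tcp 10.0.20.0 255.255.255.0 object inside_30 eq 445
access-list INSIDE_20_IN extended permit icmp 10.0.20.0 255.255.255.0 object inside_30 echo
access-list INSIDE_20_IN extended deny ip any 10.0.0.0 255.255.0.0 log
access-list INSIDE_20_IN extended permit ip 10.0.20.0 255.255.255.0 any
access-group INSIDE_20_IN in interface inside_20
!
! Server replies ride the existing connection entry, so inside_30 needs no ACL
! for return traffic; as a level-100 interface it may still initiate to
! inside_20 (50) and BCU_OEAP (20) by default.
```

In this arrangement the switch SVIs, the ip route statements and the helper addresses on the 3560CX are not used for forwarding at all, which is the point made above about removing them; the switch is just a layer-2 trunk toward the ASA. The same-security-traffic command also opens inside_2 to inside_10 and inside_30, so any VLAN 2 hosts inherit the same reach.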
11-08-2021 09:47 AM
Thanks for the update. Glad that you now have a functioning network.