VLAN over Wireless Bridge

Oscar Martinez
Level 1

I currently have the following scenario: 

Our corporate HQ has a Cisco ASA 5512 connected to a 3524XL switch in default (stock) config; the switch has a PIDU Plus connected to it that bridges over to our remote site a few miles away. On the remote site we have the slave radio (Motorola PTP 600) connected to a 3560 switch. This switch interconnects to another 3560. The network is currently flat, but the past admin failed to account for future growth, so no VLANs were implemented. We are currently running out of IP addresses on this subnet (192.168.0.1/24) and therefore need to create VLANs to accommodate future growth. What I want to do is create VLAN 15 with subnet 192.168.15.1/24 on the second switch and have this VLAN get out to the internet through our ASA. Am I right in thinking that I must set trunk ports from the second 3560 to the first 3560 and then a trunk port from the first 3560 to the 3524 to allow VLAN traffic? Additionally, must I also configure a subinterface on the ASA interface (0/1) to allow VLAN 15? I have included a network topology for assistance.


Jon Marshall
Hall of Fame

You are correct in your thinking however you may want to consider a small redesign of your network.

At the moment both 3560 switches are in the remote site. These switches are L3 capable, meaning that if you moved one of them to the primary site and replaced the 3524XL, you could use the 3560 to route between your vlans, which means your firewall only receives traffic destined for the internet.

The 3524XL could go to the other site, as you only need a basic L2 switch there.

If you did this and created trunks between the switches then this would allow you to expand quite easily in the future. You would need to setup routing between the 3560 and the firewall but this could be done with static routes.

All that said, it is just an option to consider. If you want to stick with what you have then I totally understand.

Jon

Hi Jon, thank you so much for the fast response. Actually we are going to be replacing that old 3524 with a 3560 as well. So then I have to set up SVIs on the switches with IPs, which would be the de facto default gateways for the VLANs, correct?

As for setting up static routes, on which of the devices would I have to set up these routes? Can you give an example based on the topology I provided, please?

So what you can do is on the new 3560 in the main site you do all the routing between any vlans. In your case you would have two SVIs, and yes, the IPs assigned to the SVIs would be the default gateways for the clients.

As for the firewall to switch connection you don't really want that in your existing vlan so you will need to readdress the inside interface of your firewall. The current IP will be a 192.168.1.x IP and you can reassign this IP to the SVI for your current vlan on the new 3560.

Then you need a new unused subnet, e.g. 192.168.3.0/30. This gives you two IPs, 192.168.3.1 and 192.168.3.2, and you allocate one for the inside interface of the firewall and the other you assign to an interface on the 3560, i.e.

interface gi<x/y>   <-- this connects to the firewall
 no switchport
 ip address 192.168.3.x 255.255.255.252

Then on the 3560 you add a default route pointing to the firewall inside IP, e.g.:

ip route 0.0.0.0 0.0.0.0 192.168.3.y

And on the firewall you would need to add routes for both your internal subnets, e.g.:

route inside 192.168.1.0 255.255.255.0 192.168.3.x
route inside 192.168.15.0 255.255.255.0 192.168.3.x

Does all that make sense?

Jon

Yes, it makes sense, but unfortunately I'm unable to change the subnet to 192.168.1.0/24 because we have a boatload of PCs and servers already tied to the 192.168.0.0/24 subnet. I inherited this flat network design :(

The reason I want to add VLANs is for security and scalability, so we don't run out of IPs like we have with this existing subnet.

You don't need to change the subnet, I just misread the subnet as 192.168.1.0/24 in your original post :)

So you just need new subnets, one for the new client vlan and the other for the firewall to switch connection.

Jon

Thank you Jon. I appreciate your help very much. I will implement these settings and hope all goes well! 

No problem and if you have any issues let me know.

Jon

Sorry I couldn't get back to you yesterday. I actually have a doubt regarding the two Ethernet ports on the 3560s where the wireless bridge connects. Do those ports need to be configured as a trunk or just as a regular access port?

They need to be trunks if you want to have both vlans in the remote site. I am assuming that they can be trunks across the wireless connection, but can't say for sure.

Jon
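A worked configuration for the design Jon describes in this thread, covering both the routing layout from his accepted answer and the trunk ports on either side of the PTP 600 link from his last reply. It is an added example, not code from the thread or from Cisco: the interface numbers, the VLAN name, the transit addresses (ASA 192.168.3.1, switch 192.168.3.2) and the choice of VLAN 1 for the existing 192.168.0.0/24 network are assumptions, and the routes use 192.168.0.0/24 as corrected later in the thread.

```text
! --- HQ 3560 (replaces the 3524XL): inter-VLAN routing and link to the ASA ---
ip routing
vlan 15
 name CLIENTS
! existing flat network stays on VLAN 1; its old gateway IP moves here from the ASA
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
interface Vlan15
 ip address 192.168.15.1 255.255.255.0
! routed port on the /30 transit subnet towards the ASA inside interface
interface GigabitEthernet0/1
 description ASA inside
 no switchport
 ip address 192.168.3.2 255.255.255.252
! trunk towards the PTP 600 master radio: DTP off, only the VLANs in use allowed
interface GigabitEthernet0/2
 description PTP600 master radio
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,15
 switchport nonegotiate
! anything not in 192.168.0.0/24 or 192.168.15.0/24 goes to the firewall
ip route 0.0.0.0 0.0.0.0 192.168.3.1
! --- remote 3560 #1: L2 only; VLAN 15 must exist here too (no VTP assumed) ---
vlan 15
interface GigabitEthernet0/1
 description PTP600 slave radio
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,15
 switchport nonegotiate
interface GigabitEthernet0/24
 description trunk to 3560 #2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,15
 switchport nonegotiate
! --- remote 3560 #2: same trunk config on its uplink, plus VLAN 15 access ports ---
vlan 15
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 15
! --- ASA 5512: readdressed inside interface and static routes back to the switch ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.252
route inside 192.168.0.0 255.255.255.0 192.168.3.2
route inside 192.168.15.0 255.255.255.0 192.168.3.2
```

The ASA's NAT and access rules must also cover 192.168.15.0/24 for the new VLAN to reach the internet; that part is not shown here.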
