Re: where should i apply my subinterface for each vlan

tyr668 · ‎05-30-2023

should i apply my subinterface for each vlan on the firewall G1/3 or the right router (SG) ? really confuse how i should allow each vlan to access the web user located at the top (200.1.1.0/24 subnet)

Flavio Miranda · ‎05-30-2023

Hi

Why do you need subinterface?

tyr668 · ‎05-31-2023

i was instructed to do VLANs separation for each department

Flavio Miranda · ‎05-31-2023

On this case you can put it on the Layer3 switch. You can create 4 vlans , create interface vlans and put each access switch in one vlan.

You dont need subinterfaces. Just create vlans, then interface vlan and assign IP to it.

tyr668 · ‎05-31-2023

but i thought i need inter vlan routing or svi for each department to talk to one another?

Flavio Miranda · ‎05-31-2023

You do, but you can do it all on the Layer3 switch. The ASA on PacketTracer does not support subinterface.

If you prefer, attach your project here and I can help you. You just need to zip the file before attach.

tyr668 · ‎05-31-2023

Access Control Lists
1. Only HR and Finance Departments can communicate with each other. No one else can ping the Finance Department.

2. eBGP to dual home to 2 ISPs, two routers at the top right . both web user should be able to access the web server .
can't seem to figure out how i should design this parts. especially the vlans part . you can take a look at my pkt file here

Flavio Miranda · ‎05-31-2023

Hi @tyr668

Take a look on this file. As per your description, blocked access to vlan finance and both web user is able to access the http server

tyr668 · ‎06-02-2023

hi , i've just checked but it seems like all the finance departments aren't able to route to the Internet? seems stuck at the Layer 3 switch.

Flavio Miranda · ‎06-02-2023

Hi @tyr668

I though only web users would access the internet. But the solution is pretty simple in case you want to try

on the firewall, add the following route

route inside 10.10.0.128 255.255.255.240 10.10.1.22

I tested here and it works. I am attaching the file with the fix

EugeniuB · ‎05-30-2023

Hello,

It depends.

If the interface Fa 0/5 on the distribution switch is in TRUNK mode then the Firewall's interface Gi 1/3 also must be configured with sub-interfaces.
From the diagram I can see that the interface Gi 1/1 is connected with the router via a /30 transfer net. This gives me a hint that You don't have dot1Q (or trunk ) there. This means You should not apply subinterfaces on this segment.

A bit more details would help to provide a more accurate answer.

Cheers,

Eugene

tyr668 · ‎05-31-2023

let's say if i were to have VLANs . VLANs is a must , how should i configure it ? can't seem to input sub interface on 5506 for cisco packet tracer

EugeniuB · ‎05-31-2023

Hi,

to answer Your question more precise I need the config of the interface of Fa 0/5 of the switch.

But generally speaking, bellow I bring a example of how to configure subinterfaces on ASA 5506:

ASA#configure terminal
ASA(config)#interface GigabitEthernet1/3.10
ASA(config-if)#vlan 10
ASA(config-if)#nameif some-name
ASA(config-if)#security-level 95
ASA(config-if)#ip address x.x.x.x y.y.y.y

M02@rt37 · ‎05-30-2023

Hello @tyr668,

As @Flavio Miranda said why sub interfaces?

Just have to configure SVI for each vlan on your first L3 equipement after your L2 switch access.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

tyr668 · ‎05-31-2023

if i were to create a SVI , do i need ospf routing protocol to distribute each vlan to the transfer net (10.10.1.20/30)?