basic vlan communication

suthomas1
Level 6

Hi,

We have a Cisco 3750 as the core device. This has SVI VLANs: VLAN10 - 10.10.10.1/24, VLAN15 - 10.10.15.1/24.

I understand that if 10.10.10.21 and 10.10.10.51 have to communicate, it will be within the same VLAN.

What happens if the same servers have to communicate, but their SVI is removed from the 3750 and configured on an ASA firewall?

This ASA is connected to the switch. The switch has a route: ip route 10.10.10.0 255.255.255.0 192.168.100.2

(where 192.168.100.0/30 is the interface connecting the 3750 to the ASA, so the ASA interface connecting to the switch has the 192.168.100.2 IP address)

With this route in place, if a host 10.10.10.21 from VLAN10 needs to talk to host 10.10.10.51, will it go to the ASA as its SVI is now on the firewall, or will it still be switched locally on the 3750?

Appreciate all help!

Accepted Solutions

Steve Fuller
Level 9

Hi,

The traffic should still go directly between 10.10.10.21/24 and 10.10.10.51/24 as the SVI, whether it's configured as part of the Catalyst 3750 or the ASA, should have nothing to do with that conversation.

When a system wants to send traffic to another, the first thing it will do is check to see if the destination IP address is part of the same IP subnet as its own address. In this case it is, so 10.10.10.21 will ARP for the MAC address of 10.10.10.51 and, once it has received a response and knows the MAC address for 10.10.10.51, will use that MAC as the destination MAC in the frames. The result is that the traffic will not touch the ASA.

By contrast, if 10.10.10.21/24 wanted to send traffic to 10.10.51.x/24, it would see that the destination IP address was part of a different subnet, and would therefore ARP for the end system's default gateway. Assuming this was the IP address assigned to the SVI on the ASA, the traffic would be sent via the ASA.

Regards
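
Added example, not part of the original thread: a Python model of the sender-side decision described in the answer above, used to list which flows a gateway firewall would actually see. The function names, the sample flows and the assumption that the ASA holds 10.10.10.1 as the VLAN10 gateway are constructed for illustration; the third flow goes beyond the thread to show that the decision depends on the sender's own mask.

```python
import ipaddress


def arp_target(host_if, dst_ip, gateway=None):
    """Return (ip_the_host_ARPs_for, path) for one outbound packet.

    host_if - the sender's own address and mask, e.g. "10.10.10.21/24"
    dst_ip  - destination IP of the packet
    gateway - the sender's configured default gateway, if any
    """
    iface = ipaddress.ip_interface(host_if)
    dst = ipaddress.ip_address(dst_ip)
    # Step 1: is the destination inside the sender's own subnet?
    if dst in iface.network:
        # On-link: ARP for the destination itself. The frame carries the
        # destination's MAC, so it is never addressed to the gateway.
        return str(dst), "direct"
    # Step 2: off-link, so the frame must be sent to the gateway's MAC.
    if gateway is None:
        return None, "no-route"
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        # A gateway outside the sender's subnet cannot be resolved with ARP.
        return None, "no-route"
    return str(gw), "gateway"


def flows_through_gateway(flows, gateway):
    """Keep only the (host_if, dst_ip) pairs that are sent to the gateway."""
    return [(h, d) for h, d in flows if arp_target(h, d, gateway)[1] == "gateway"]


# Constructed sample data. ASSUMPTION: the VLAN10 gateway address 10.10.10.1
# (the SVI address given in the question) is now configured on the ASA.
ASA_GW = "10.10.10.1"
FLOWS = [
    ("10.10.10.21/24", "10.10.10.51"),  # same subnet as the sender
    ("10.10.10.21/24", "10.10.51.5"),   # different subnet (10.10.51.x)
    ("10.10.10.21/16", "10.10.51.5"),   # same pair, sender mis-set to /16
]

if __name__ == "__main__":
    for host_if, dst in FLOWS:
        print(host_if, "->", dst, arp_target(host_if, dst, ASA_GW))
    print("sent to the ASA:", flows_through_gateway(FLOWS, ASA_GW))
```

Only the second flow is handed to the gateway, so firewall rules on the ASA apply to inter-subnet traffic only; traffic between hosts in the same VLAN needs a layer 2 control on the switch if it has to be restricted.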
