Gateway of last resort - layer 3 switch

jroberts.bn
Level 1

Hi all,

I'm new to the Cisco forums; thanks in advance for your help!  I'm building the below network configuration:

WAN -------- ASA5505 ------<802.1q trunk>----- L3 switch -----<802.1q trunk>----- L2 switch w/ VLAN support

The following VLANs exist on the ASA and both switches: VLAN 10 (10.10.10.0/24), VLAN 11 (10.10.11.0/24), and VLAN 99 (10.10.99.0/24).

The ASA5505 performs the following functions: routing to/from the WAN, firewall, NAT, and DHCP for each VLAN.  It has an interface on each VLAN (10.10.x.2) for a DHCP server.

The L3 switch provides inter-VLAN routing and layer 2 switching.  The L2 switch provides layer 2 switching, with VLAN support.

What should the default gateway on the L3 switch be?  Should I set an IP on the physical interface connecting the L3 switch to the ASA5505, and use that?  Any suggestions are welcomed.

Thanks in advance,

John R.


smehrnia
Level 7

Hi,

The default gateway for your network to reach out to the WAN should be an IP address within your exit point, in this case your ASA.

I believe you have to put your ASA in routed mode, create VLAN interfaces for each VLAN and assign an IP address to them. Then make that IP address the default gateway for the respective VLAN. Also you need to specify a default route on your ASA, pointing out to the WAN.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1051819

Please rate if it helped.

Soroush.

Hope it helps!

Soroush.

Yes.

If you want strong security between VLAN 10, VLAN 11 and VLAN 99, you don't need an L3 switch at all.

All inter-VLAN traffic must go through the ASA.

Thanks for your reply.

For now, the different VLANs are used for logical segregation, but I'm not enforcing any ACLs between them (with the exception of VLAN 99, which is used for management).

- John

Hi Soroush,

Thanks for the reply.

The ASA is in routed firewall mode, and has per-VLAN virtual interfaces with the 10.10.x.2 IP address assigned to them (to distribute addresses via DHCP).  The ASA is performing WAN-bound routing, but is not performing inter-VLAN routing; this role is reserved for the L3 switch, which can route between VLANs at Gigabit speeds (the ASA5505 can only do 100 Mbps).

Ideally, I would prefer to use the L3 switch for DHCP address distribution, but the switch I'm using doesn't have this capability.

> create VLAN interfaces for each VLAN and assign an IP address to them. Then make that IP address the default gateway for the respective VLAN

You mentioned that I could make a per-VLAN default gateway; how would I go about doing that?  My understanding is that the "ip route 0.0.0.0 0.0.0.0 " is applied in global config mode, and applies across VLANs.

The ASA has a default route (ip route 0.0.0.0 0.0.0.0 ).

- John

Mitchell Dyer
Level 1

When you say "default gateway" are you referring to the "ip default-gateway" command? Or the gateway of last resort as the title of your discussion references (i.e. ip route 0.0.0.0)?

If the latter, then the ASA is going to be the next hop.

It sounds like you have both the ASA and the L3 switch doing inter-VLAN routing. Are the nodes on each VLAN using the address of the L3 switch VLAN interfaces as their default gateway or the address of the ASA interfaces?

Sent from Cisco Technical Support Android App

Hi Mitchell,

Thanks for the reply.

> When you say "default gateway" are you referring to the "ip default-gateway" command? Or the gateway of last resort as the title of your discussion references (i.e. ip route 0.0.0.0)?

From the perspective of the L3 switch, I'm referring to the ip route 0.0.0.0 0.0.0.0 command.

> If the latter, then the ASA is going to be the next hop.

That's where I'm getting hung up; the ASA has a bunch of virtual per-VLAN interfaces with the 10.10.x.2 address assigned.  These .2 addresses are used for distributing DHCP addresses on each VLAN, but my understanding is that the ip route command applies globally (rather than per-VLAN).

What IP on the ASA5505 should be the next hop; any of the per-VLAN .2 addresses, maybe an IP assigned to the physical interface connecting the L3 switch to the ASA5505?

> It sounds like you have both the ASA and the L3 switch doing inter-VLAN routing.

The L3 switch is doing inter-VLAN routing, the ASA5505 is providing a per-VLAN DHCP server.  Ideally, I would have used the L3 switch to provide DHCP, but unfortunately my switch doesn't support this (SG300-series switch).

> Are the nodes on each VLAN using the address of the L3 switch VLAN interfaces as their default gateway or the address of the ASA interfaces?

The end-user nodes on each VLAN are using the virtual per-VLAN interfaces on the L3 switch for their default gateway.  I'm wondering how best to send WAN-bound traffic from the L3 switch to the ASA, which in turn sends it to the WAN.

Thanks for your help,

John

Mitchell Dyer
Level 1

John,

Thanks for clarifying, I see where you are hung up now.

I have set up something similar in the past but had used a Windows server on one of the VLANs and ip-helper statements on each VLAN interface.

I think in this scenario you could create another VLAN that is only used for transporting traffic to the ASA for internet bound traffic.

I.e. VLAN 999, making the address for VLAN 999 on the switch a.a.a.a and the address on the ASA a.a.a.b. The next hop for the default route on the switch would be a.a.a.b.

Sent from Cisco Technical Support Android App
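A worked version of the transit-VLAN design above (and of Soroush's earlier point that the ASA's VLAN interfaces and default route live in routed mode), added here as an illustration; it is not from this thread or from any Cisco document. It assumes IOS-style syntax for the switch (the SG300's own CLI differs in detail), a transit subnet 10.10.255.0/24 with the switch at .1 and the ASA at .2, switch SVIs at 10.10.x.1, and ASA `dhcpd`/`route` syntax; the WAN next hop is a placeholder.

```text
! ---- L3 switch (SG300), shown in IOS-style syntax ----
ip routing
!
! Per-VLAN gateways for the hosts are the SVIs, not a per-VLAN route.
interface vlan 10
 ip address 10.10.10.1 255.255.255.0
interface vlan 11
 ip address 10.10.11.1 255.255.255.0
interface vlan 99
 ip address 10.10.99.1 255.255.255.0
!
! Transit VLAN: carries only switch<->ASA traffic, no hosts.
interface vlan 999
 ip address 10.10.255.1 255.255.255.0
!
! The gateway of last resort is global; "ip route 0.0.0.0 0.0.0.0" cannot
! be set per VLAN. Its next hop is the ASA's transit address.
ip route 0.0.0.0 0.0.0.0 10.10.255.2
!
! ---- ASA 5505 (routed mode) ----
! Trunk ports and a fourth VLAN both need the Security Plus license.
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,11,99,999
!
interface Vlan999
 nameif transit
 security-level 100
 ip address 10.10.255.2 255.255.255.0
!
! The per-VLAN .2 interfaces remain only so dhcpd can serve each VLAN
! (VLAN 10 shown; VLAN 11 and 99 follow the same pattern).
interface Vlan10
 nameif inside10
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
! DHCP option 3 hands out the switch SVI, not the ASA's .2, as the router;
! otherwise clients bypass the L3 switch and inter-VLAN traffic hits the ASA.
dhcpd address 10.10.10.100-10.10.10.200 inside10
dhcpd option 3 ip 10.10.10.1 interface inside10
dhcpd enable inside10
!
route outside 0.0.0.0 0.0.0.0 <WAN-NEXT-HOP>
```

Because the ASA is also directly connected to 10.10.10.0/24, return traffic leaves via Vlan10 rather than the transit VLAN; run `packet-tracer input transit tcp 10.10.10.50 1025 8.8.8.8 53` on the ASA and check the reverse direction too before relying on this path.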

I wound up running into another issue; when the ASA and L3 switch were configured with a WAN-bound traffic transport VLAN, and the switch was configured with ip route 0.0.0.0 0.0.0.0 , the L3 switch would forward self-generated WAN-bound traffic to the ASA (ex. DNS lookups to 8.8.8.8), but would NOT forward WAN-bound traffic from connected devices to the ASA.

To work around this, I implemented a different architecture, with the ASA performing the inter-VLAN routing.  I lose Gigabit speeds between VLANs, but gain additional security, ease-of-administration, and simplicity-of-configuration.

Thanks for your help!

- John