05-08-2011 04:14 PM - edited 03-06-2019 04:57 PM
I have a big network that requires separation on 3 switches to be used for another group of users in one building to access the internet but be completely separated from the internal network. There are three switches in the building, and some of the ports on these switches need to have their own VLANs that the traffic will go over through the core switch to the ASA and out to the internet. I'm looking for a general design idea of how to approach this project. I have attached the core switch config. The ASA firewall has one unused port that I will connect to the core switch; I would like the traffic that would go over the new VLAN to be passed through the core switch to that unused port on the ASA.
------------------ show version ------------------
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 24-Jan-07 14:38 by pwade
Image text-base: 0x10000000, data-base: 0x114EECF0
ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 4
Core-Switch uptime is 25 weeks, 5 days, 23 hours, 28 minutes
System returned to ROM by power-on
System restarted at 10:56:59 PDT Mon Oct 18 2010
System image file is "bootflash:"
cisco WS-C4503 (MPC8245) processor (revision 4) with 262144K bytes of memory.
Processor board ID FOX11050KFJ
MPC8245 CPU at 267Mhz, Supervisor II+TS
Last reset from PowerUp
8 Virtual Ethernet interfaces
38 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2101
------------------ show running-config ------------------
Building configuration...
Current configuration : 7571 bytes
!
! Last configuration change at 11:24:09 PDT Mon Oct 25 2010 by admin
! NVRAM config last updated at 10:10:04 PDT Sun Apr 17 2011 by admin
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Core-Switch
!
boot-start-marker
boot-end-marker
!
!
username monitor password 7 <removed>
username admin privilege 15 password 7 <removed>
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
aaa authorization commands 1 default local
aaa authorization commands 15 default local
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
ip domain-name xxx
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
vlan internal allocation policy ascending
!
interface FastEthernet1
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet1/1
description EquiLogic1
switchport access vlan 201
switchport mode access
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/2
description device1
switchport access vlan 201
switchport mode access
switchport voice vlan 201
duplex full
!
interface GigabitEthernet1/3
description device1
switchport access vlan 201
switchport mode access
switchport voice vlan 201
speed 1000
!
interface GigabitEthernet1/4
description device3
switchport access vlan 201
switchport mode access
switchport voice vlan 201
speed 1000
!
interface GigabitEthernet1/5
switchport access vlan 201
switchport mode access
switchport voice vlan 201
!
interface GigabitEthernet1/6
description device4
switchport access vlan 201
switchport mode access
switchport voice vlan 201
speed 1000
!
interface GigabitEthernet1/7
description WirelessController
switchport access vlan 201
switchport mode access
switchport voice vlan 201
speed 100
!
interface GigabitEthernet1/8
description APC UPS
switchport access vlan 201
switchport mode access
switchport voice vlan 201
!
interface GigabitEthernet1/9
description dev5
switchport access vlan 201
switchport mode access
switchport voice vlan 201
!
interface GigabitEthernet1/10
description EquiLogic2
switchport access vlan 201
switchport mode access
switchport voice vlan 201
!
interface GigabitEthernet1/11
switchport access vlan 201
switchport mode access
switchport voice vlan 201
speed 100
duplex full
spanning-tree portfast
!
interface GigabitEthernet1/12
description VOICEMAIL
switchport access vlan 201
switchport mode access
switchport voice vlan 201
!
interface GigabitEthernet1/13
description SERVERROOM
switchport access vlan 201
switchport trunk native vlan 201
switchport mode access
switchport voice vlan 200
!
interface GigabitEthernet1/14
description Corporate Voice-Data Port
switchport access vlan 201
switchport trunk native vlan 201
switchport mode access
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/15
description Corporate Voice-Data Port
switchport access vlan 201
switchport trunk native vlan 201
switchport mode access
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/16
description dev7
switchport access vlan 201
switchport trunk native vlan 201
switchport mode access
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/17
description dev8
switchport access vlan 201
switchport trunk encapsulation dot1q
switchport mode access
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/18
description Corporate Voice-Data Port
switchport access vlan 201
switchport trunk encapsulation dot1q
switchport mode access
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/19
description B&G Switch Uplink
switchport access vlan 201
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/20
description Corporate Voice-Data Port
switchport access vlan 201
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet2/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/3
description Fiber to buikding 5
switchport mode trunk
!
interface GigabitEthernet2/4
switchport mode trunk
!
interface GigabitEthernet2/5
switchport mode trunk
!
interface GigabitEthernet2/6
switchport mode trunk
!
interface GigabitEthernet2/7
switchport mode trunk
!
interface GigabitEthernet2/8
switchport mode trunk
!
interface GigabitEthernet2/9
switchport mode trunk
!
interface GigabitEthernet2/10
switchport mode trunk
!
interface GigabitEthernet2/11
switchport mode trunk
!
interface GigabitEthernet2/12
description Library HP 6108
switchport mode trunk
!
interface GigabitEthernet2/13
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet2/14
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet2/15
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet2/16
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet2/17
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet2/18
description vmHost02
switchport access vlan 201
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan200
description device9
ip address 10.2.0.20 255.255.0.0
!
interface Vlan201
description dev10
ip address 10.0.0.20 255.255.0.0
!
interface Vlan300
description dev11
ip address 10.78.0.20 255.255.255.0
ip rip send version 1 2
ip rip receive version 1 2
!
interface Vlan400
description dev12
ip address 10.4.0.20 255.255.0.0
!
interface Vlan500
description dev13
ip address 10.5.0.20 255.255.0.0
!
interface Vlan600
description dev14
ip address 10.6.0.20 255.255.0.0
!
interface Vlan700
description dev15
ip address 10.7.0.20 255.255.0.0
!
router rip
version 2
network 0.0.0.0
no auto-summary
!
ip default-gateway 10.0.0.25
ip route 0.0.0.0 0.0.0.0 10.0.0.25
ip http server
ip http authentication local
ip http max-connections 16
ip http timeout-policy idle 180 life 180 requests 25
!
!
access-list 10 permit 10.0.0.9
access-list 10 permit any
access-list 11 permit 10.0.0.16
access-list 11 permit any
access-list 100 permit ip any any
!
snmp-server community <removed> RO
snmp-server community <removed> RW
snmp-server location "MDF"
snmp-server contact Site Admin
snmp-server chassis-id "Core-Switch"
!
radius-server source-ports 1645-1646
alias exec crs copy run start
alias exec sib show ip int brie
alias exec shr show run
alias exec c config t
!
line con 0
exec-timeout 15 0
password 7 <removed>
stopbits 1
line vty 0 4
exec-timeout 15 0
password 7 <removed>
transport input telnet
transport output telnet
line vty 5 15
!
ntp clock-period 17179368
ntp access-group peer 10
ntp access-group serve-only 11
ntp master 6
ntp server 10.0.0.16 prefer
!
end
05-08-2011 05:36 PM
A simple way to do it is to extend your isolated VLAN via layer 2 all the way to the ASA and deliver these VLANs over an 802.1q trunk to the unused port on the ASA. You can then configure firewall rules to prevent communication between the "isolated" interfaces and the rest of the network, allowing access only to the Internet.
If you can't extend those VLANs layer 2 and need to route through somewhere before getting to the ASA, then you will need to use VRFs on that router.
If you want to go even further, you can configure virtual contexts on the ASA to create complete isolation.
Your three methods for isolation are:
Layer 2 - VLANs
Layer 3 - VRFs
Firewall - Virtual Contexts
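A concrete version of the layer 2 approach from the reply above, written as an added example and not configuration taken from the original post or from the person who replied. Everything not visible in the posted core config is an assumption: VLAN 250 as the isolated VLAN, Gi2/17 as the core port facing the spare ASA port, VLAN 999 as an unused native VLAN, Gi1/0/5 as a guest port on a building switch, ASA port Gi0/3, the 192.168.250.0/24 guest subnet, an outside interface at security-level 0, and pre-8.3 ASA NAT syntax. The two security-relevant points it makes are that the core must not get an SVI for the new VLAN (the core routes every other VLAN and runs RIP on everything) and that trunks without an allowed-VLAN list carry every VLAN, so the new VLAN must be pruned to exactly the uplinks that need it.

```cisco
! ===== Core-Switch (Catalyst 4500, IOS 12.2) =====
! Isolated VLAN for the guest group. 250 is an assumed ID; use any ID that is
! not already present in "show vlan".
vlan 250
 name GUEST-INTERNET-ONLY
!
! Deliberately NO "interface Vlan250" with an IP address. Without an SVI the
! core cannot route 250 into 10.0.0.0/16 and the other internal VLANs, and
! "router rip / network 0.0.0.0" has nothing to advertise for it. The VLAN
! stays pure layer 2 from the access port all the way to the ASA.
!
! Uplink to one of the three building switches. Gi2/3 is the existing
! "Fiber to building 5" trunk; repeat for the other two uplinks. The allowed
! list matters: a trunk with no "allowed vlan" line carries every VLAN, so a
! new VLAN would otherwise appear on every trunk on the core.
interface GigabitEthernet2/3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200,201,250
 switchport mode trunk
 switchport nonegotiate
!
! Dedicated trunk to the spare ASA port. Gi2/17 is an assumption (today it is
! an access port in VLAN 201). Only VLAN 250 is allowed, and the native VLAN
! is an otherwise unused ID so an untagged frame can never land in VLAN 201.
interface GigabitEthernet2/17
 description ASA guest uplink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 250
 switchport mode trunk
 switchport nonegotiate
!
! ===== Each of the three building switches =====
! Guest-facing access port (port name is an assumption). The trunk from the
! building switch back to the core needs the same allowed list as Gi2/3.
! Portfast plus BPDU guard stops a user-connected switch from forming a trunk.
interface GigabitEthernet1/0/5
 description Guest user port
 switchport mode access
 switchport access vlan 250
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ===== ASA (pre-8.3 syntax; port name and addressing are assumptions) =====
interface GigabitEthernet0/3
 no shutdown
!
! Sub-interface tagged with VLAN 250. Security level sits above the assumed
! outside (0) and well below inside (100), so no same-security exception is
! needed for guest-to-outside traffic.
interface GigabitEthernet0/3.250
 vlan 250
 nameif guest
 security-level 10
 ip address 192.168.250.1 255.255.255.0
!
! The ASA, not the core, is the only router the guest VLAN ever sees.
! 192.0.2.53 is a placeholder for the ISP resolver.
dhcpd address 192.168.250.10-192.168.250.250 guest
dhcpd dns 192.0.2.53 interface guest
dhcpd enable guest
!
! Drop anything destined for internal address space first, then permit the
! rest (the Internet). 10.0.0.0/8 covers the corporate space visible in the
! core config; the other two ranges cover the remaining RFC 1918 space.
object-group network INTERNAL-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
access-list GUEST-IN extended deny ip any object-group INTERNAL-NETS
access-list GUEST-IN extended permit ip any any
access-group GUEST-IN in interface guest
!
! PAT guest clients behind the outside interface address.
nat (guest) 1 192.168.250.0 255.255.255.0
global (outside) 1 interface
```

Two checks worth running after this is in place. On the core, "show interfaces trunk" should list VLAN 250 only on the three building uplinks and on the ASA-facing port, and "show ip interface brief" must not show a Vlan250 entry. From a guest client, a connection to 10.0.0.20 (the core's own VLAN 201 SVI) must fail while a connection to an Internet address succeeds; if the first one works, either an SVI was created on the core or the ASA access-group was not applied to the guest interface. If the building switches run VTP in transparent mode, VLAN 250 has to be defined on each of them as well, not just on the core.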