Currently we have a layer 2 network hanging off a Cisco ASA which is doing all the routing between the vlans on this network. This network is grown to large and now we need to convert it to a layer 3 network. The only problem I have is how will this affect the ASA config?
Obviously we need to remove the routing for the vlans from the ASA but not sure how the ACL's would work. We would still want the ASA to filter traffic between the newly created subnets on the layer 3 switches.
If someone can let me know how this can be done I'd appreciate it.
P.S. I've attached the network diagram.
If you really want ASA to filter the Traffic between VLAN's.then it shouldnt be a problem having more subnets on ASA, unless if you are not exceeding the Limit of VLAN count.
Create a Vlan of new subnets in ASA, the gateway for the hosts of newly created subnet should be the SVI (Lets say VLanA)or Physical IP of the ASA not L3 switch (If you have created an L3 int on L3 switch for Management purpose). As when the traffic destined out of the subnet of VLanA would reach the default gateway i.e ASA and then it will route the traffic based on the destination(routing table).
and Obviously the ACL's between Vlans should be under ASA SVI or Phy.Int.
Whats the Point of Having L3 switch in your network if the Inter Vlan routing is done by ASA:
My option would be Moving all the VLans to L3 switch as the switch can do routing between all the VLan's and we can filter the traffic By ACL .
Note: Point default route to ASA Interface(Next hop of L3 switch), as when the packets destined to other subnets/Internet would move to the ASA.
We want each main Car Park switch thats connected to the main loop (ie has an in and out connection) to be layer 3 switch and anything thats connected behind that switch will be layer 2. So the subnets/vlans will stay local to each Car Park on the network. We want fast convergence in case one of the car park fails, traffic will still route quickly and not be
I suppose I could implement ACL's on each L3 switch but then this gets a bit messy.
Yes you can go with creating VLan's in ASA.
If you expect a business growth furtheer, the best solution would be having L3 switch handling the routing in Lan or Intranets.
If at all you are looking to move the Vlan's to switch, can i know the switch model, quantity and make you have .
Reason: The Cisco Catalyst 3550 switches support up to 1,000 vlans and higher model can supoort more than that. and i you wont even experience any interruption unless you have failover method in core switches.
If you see a latency between VLans then we should consider in many asp:-
1. the design of your network
2. Interconnection between the switches (Distribution, core and acccess switches) ... etc