
Move of vlan interface from switch to Firewall

Hello,

We have a switch (2 stack), and the firewall is directly connected to one of the Gig ports.


We have the below VLAN interfaces configured on the switch:


interface Vlan10
description management
ip address
ip helper-address
interface Vlan20
description servers
ip address
interface Vlan30
description Wireless
ip address
ip helper-address
interface Vlan40
description Wired Clients
ip address
ip helper-address
interface Vlan50
description voip
ip address
ip helper-address
interface Vlan70
description Routing
ip address
interface Vlan226
description mgmt_new
ip address


So the default gateway configured on the machines in each VLAN is the VLAN interface's IP address, which is OK.


We need to move the Layer 3 interface to the ASA.


My question is: does this mean that traffic between the above VLANs is currently moving through the switch? Is there any command which is responsible for routing the traffic between VLANs? The internal traffic is currently not going to the firewall.


How do I move these interfaces to the ASA, which is connected on VLAN 70 / the ASA IP address is


Also, I don't see the commands to create the VLAN,


like vlan 10
name management


Does this mean that the VLAN is automatically created when creating a VLAN interface?


Also, when I move the VLAN interfaces to the ASA, do I have to do it like below, and then create the same L3 interface on the ASA?

interface Vlan10
no ip address
no ip helper-address

Georg Pauwen
VIP Expert



With your current configuration, all inter-VLAN (between VLANs) traffic is processed by the switch. Is the plan to move ALL VLANs to the firewall? In that case, you have to make the interface connecting the switch stack to the firewall a trunk, and, as you already said yourself, create VLAN interfaces on the firewall.


On the switch, configure:


no ip routing


and remove all VLAN interfaces, e.g.:


no interface Vlan 10
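
A staged version of the change described in this thread, added here as an example and not part of the original reply: the switch uplink becomes a trunk, two SVIs move to ASA subinterfaces, and `ip routing` stays enabled on the switch for the SVIs that remain. The port names, the choice of VLANs 30 and 40, the nameif names, the security levels, and every address (RFC 5737 documentation ranges) are assumptions.

```cisco
! ===== Switch (IOS) =====
! Layer 2 VLANs exist independently of the SVIs; confirm with "show vlan brief".
vlan 30
 name Wireless
vlan 40
 name Wired_Clients
!
! Placeholder port facing the ASA; carries the migrated VLANs plus VLAN 70.
! Platforms that also support ISL need "switchport trunk encapsulation dot1q" first.
interface GigabitEthernet1/0/1
 description Uplink to ASA
 switchport mode trunk
 switchport trunk allowed vlan 30,40,70
!
! Remove only the SVIs being migrated. "ip routing" stays on for the rest.
no interface Vlan30
no interface Vlan40
!
! ===== ASA =====
! Placeholder physical interface; it carries only tagged subinterfaces.
interface GigabitEthernet0/1
 no nameif
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.70
 vlan 70
 nameif routing
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif wireless
 security-level 50
 ip address 198.51.100.1 255.255.255.128
!
interface GigabitEthernet0/1.40
 vlan 40
 nameif wired
 security-level 60
 ip address 198.51.100.129 255.255.255.128
!
! Replaces "ip helper-address": DHCP server (placeholder) reached via "routing".
dhcprelay server 203.0.113.10 routing
dhcprelay enable wireless
dhcprelay enable wired
```

Once the gateways live on the ASA, traffic between these VLANs is subject to security levels and access-lists, so flows the switch used to route freely have to be permitted explicitly.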


Hi @Georg Pauwen, thanks.


Yes, the plan is to move 4 VLANs initially onto the ASA.


I have 2 questions: will the command no ip routing impact the remaining VLANs which we will move later?


Does the command no interface Vlan 10 also delete VLAN 10? Because in the configuration (show runn) I don't see the below:


vlan 10
name management



Hi,



One more thing in addition to the above 2 queries: I have the below two commands configured.


What is the difference between ip default-gateway and ip route? This is confusing for me / Do I need both is ASA IP address


ip default-gateway
ip forward-protocol nd
ip route



Don't disable ip routing until ALL SVIs have been migrated onto the ASA.


ip default-gateway is used for a host device, which at present your switch isn't, as it is enabled for ip routing.

Kind regards

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

OK, thanks Paul.


The management IP address of the switch is the VLAN 10 interface.


So I am not going to touch VLAN 10.