Move of vlan interface from switch to Firewall

skywalker_007

Hello,

We have a switch (2-member stack) and the firewall is directly connected to one of the Gig ports.

 

We have the VLAN interfaces below configured on the switch:

 

interface Vlan10
description management
ip address 172.23.7.1 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan20
description servers
ip address 172.23.7.33 255.255.255.224
!
interface Vlan30
description Wireless
ip address 172.23.7.65 255.255.255.192
ip helper-address 172.20.1.130
!
interface Vlan40
description Wired Clients
ip address 172.23.7.129 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan50
description voip
ip address 172.23.7.161 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan70
description Routing
ip address 172.23.7.244 255.255.255.248
!
interface Vlan226
description mgmt_new
ip address 172.23.7.222 255.255.255.224
!

 

So the default gateway configured on the machines in each VLAN is the VLAN interface's IP address, which is OK.

 

We need to move the Layer 3 interfaces to the ASA.

 

My question is: does this mean that currently traffic between the above VLANs is moving through the switch? Is there any command which is responsible for routing the traffic between VLANs? The internal traffic is currently not going to the firewall.

 

How do I move these interfaces to the ASA, which is connected on VLAN 70? The ASA IP address is 172.23.7.241.

 

Also, I don't see the commands to create the VLAN,

 

like vlan 10
name management

 

Does this mean that the VLAN is automatically created when creating a VLAN interface?

 

Also, when I move the VLAN interfaces to the ASA,

 

do I have to do something like the below, and then create the same L3 interface on the ASA?

interface Vlan10
no ip address 172.23.7.1 255.255.255.224
no ip helper-address 172.20.1.130


Hello,

 

With your current configuration, all inter-VLAN (between VLANs) traffic is processed by the switch. Is the plan to move ALL VLANs to the firewall? In that case, you have to make the interface connecting the switch stack to the firewall a trunk, and, as you already said yourself, create VLAN interfaces on the firewall.

 

On the switch, configure:

 

no ip routing

 

and remove all VLAN interfaces, e.g.:

 

no interface Vlan 10

skywalker_007

Hi @Georg Pauwen, thanks.

 

Yes, the plan is to move 4 VLANs initially to the ASA.

 

I have 2 questions:

Does the command no ip routing impact the remaining VLANs which we will move later?

 

Does the command no interface Vlan 10 also delete VLAN 10? Because in the configuration (show run) I don't see the below:

 

vlan 10
name management

 

 

Hi,

One more thing in addition to the above 2 queries: I have the below two commands configured.

What is the difference between ip default-gateway and ip route 0.0.0.0? This is confusing for me. Do I need both?

 

172.23.7.241 is the ASA IP address.

 

ip default-gateway 172.23.7.241
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 172.23.7.241

!

Hello

Don't disable ip routing until ALL SVIs have been migrated onto the ASA.

 

ip default-gateway is used for a host device, which at present your switch isn't, as it is enabled for ip routing.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

OK, thanks Paul.

 

The management IP address of the switch is the VLAN 10 interface, 172.23.7.1.

 

So I am not going to touch VLAN 10.

Hello @paul driver @Georg Pauwen

We have the migration this Friday.

 

I will be cutting all the VLANs over to the ASA except VLAN 10, which is management, and VLAN 70, which is our original interconnect between the switch and the firewall.

 

So I will run the command below:

no interface vlan X (where X is each SVI which I will be moving to the ASA)

 

I will not do no ip routing.

 

So after the cutover, when traffic from VLAN 10 tries to go to a wired VLAN, say VLAN 40, does it go to the ASA? And vice versa?

 

I am still confused: does this traffic not take into account the statement ip route 0.0.0.0 0.0.0.0 172.23.7.241?

 

Or, because VLAN 40 is now Layer 2 only on the core switch, will the request go directly to Layer 3 on the FW?

Hello

VLAN 10 will reside on the ASA also, won't it?
If so, you can disable ip routing on the old L3 switch. However, before you do this: if all the other switches on your network still need to point to their original management default gateway of VLAN 10, and that resides on the old L3 switch, then I would swap that IP address with the VLAN 10 IP address of the ASA, then disable ip routing on the old L3 switch.



Kind Regards
Paul

The VLAN 10 and VLAN 70 SVIs will remain on the core switch. This is because there are devices in VLAN 10 which we can't disrupt this month.

 

All the remaining SVIs (VLAN 20, 30, 40, 50, 60, 80) will be deleted from the core and moved to the ASA (as subinterfaces on the ASA),

 

so I can't remove ip routing.

 

But I am concerned about communication between VLAN 10 and VLAN 20, for example. Will it still work?

 

Also, the default route 0.0.0.0 0.0.0.0 points to the VLAN 70 subinterface on the FW.

@paul driver @Georg Pauwen Hi, can you provide your feedback?

 

Out of 8 SVIs, we will be moving 6 SVIs to the ASA, but 2 will remain on the core switch.

So will cross-communication work?

 

Routing should work fine from the switch for VLAN 10 to the ASA VLANs because you have a default route on the switch, but you also need to add a route to the ASA for the VLAN 10 subnet so the ASA knows how to send traffic back, i.e.:

route inside 172.23.7.0 255.255.255.224 172.23.7.244

 

That should sort out all the routing.

Note your question is about the routing, but you also need to make sure traffic is allowed between the subnets you are migrating to the ASA; that is a different issue.

 

Jon
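The two questions running through this thread (does VLAN 10 to VLAN 40 traffic reach the ASA via the switch's default route after the SVI is deleted, and what happens on the way back without a return route on the ASA) can be worked through with a small longest-prefix-match model of the post-cutover topology. This is an added example written for this page, not configuration or code from the thread or from Cisco; the ASA subinterface names (Gi0/1.20, Gi0/1.40, Gi0/1.70) and the VLAN 40 host addresses are assumptions, and the model deliberately ignores ASA access lists and the DHCP relay that the deleted `ip helper-address` lines were providing.

```python
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


class Router:
    """A layer-3 hop with a static table resolved by longest-prefix match."""

    def __init__(self, name: str, ip_routing: bool = True) -> None:
        self.name = name
        self.ip_routing = ip_routing  # IOS 'ip routing' / 'no ip routing'
        self.routes: list[tuple[IPv4Network, Optional[IPv4Address], str]] = []
        self.addresses: set[IPv4Address] = set()

    def connected(self, iface: str, cidr: str) -> None:
        """An SVI or ASA subinterface: owns an address and installs a connected route."""
        self.addresses.add(ip_address(cidr.split("/")[0]))
        self.routes.append((ip_network(cidr, strict=False), None, iface))

    def static(self, prefix: str, next_hop: str, iface: str) -> None:
        """IOS 'ip route A.B.C.D MASK NEXTHOP' or ASA 'route IFACE A.B.C.D MASK NEXTHOP'."""
        self.routes.append((ip_network(prefix), ip_address(next_hop), iface))

    def lookup(self, dst: IPv4Address) -> Optional[tuple[Optional[IPv4Address], str]]:
        """Return (next_hop, iface) for the most specific matching prefix, or None."""
        best = None
        for net, next_hop, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return None if best is None else (best[1], best[2])


def trace(routers: dict[str, Router], gateway: str, dst: str, max_hops: int = 8) -> tuple[str, list[str]]:
    """Follow a packet from the host's default gateway until it is delivered or dropped."""
    owner = {addr: r for r in routers.values() for addr in r.addresses}
    dst_ip = ip_address(dst)
    hop = owner[ip_address(gateway)]
    path = [hop.name]
    for _ in range(max_hops):
        if not hop.ip_routing:
            # With 'no ip routing' the switch is a host: 'ip default-gateway' only steers
            # its own sessions (SSH, syslog, SNMP); it never forwards transit traffic.
            return (f"dropped: {hop.name} has 'no ip routing'", path)
        hit = hop.lookup(dst_ip)
        if hit is None:
            return (f"dropped: {hop.name} has no route to {dst}", path)
        next_hop, iface = hit
        if next_hop is None:
            return (f"delivered: {hop.name} {iface}", path)
        if next_hop not in owner:
            return (f"dropped: next hop {next_hop} is not reachable", path)
        hop = owner[next_hop]
        path.append(hop.name)
    return ("dropped: hop limit exceeded", path)


def build(asa_return_route: bool = True, core_ip_routing: bool = True) -> dict[str, Router]:
    """Post-cutover topology from the thread (ASA interface names are assumed)."""
    core = Router("core", ip_routing=core_ip_routing)
    core.connected("Vlan10", "172.23.7.1/27")    # kept on the switch (management)
    core.connected("Vlan70", "172.23.7.244/29")  # kept: interconnect to the ASA
    core.static("0.0.0.0/0", "172.23.7.241", "Vlan70")  # ip route 0.0.0.0 0.0.0.0 172.23.7.241

    asa = Router("asa")
    asa.connected("Gi0/1.70", "172.23.7.241/29")  # interconnect ('inside' in the route below)
    asa.connected("Gi0/1.20", "172.23.7.33/27")   # former Vlan20 SVI, same address
    asa.connected("Gi0/1.40", "172.23.7.129/27")  # former Vlan40 SVI, same address
    if asa_return_route:
        # route inside 172.23.7.0 255.255.255.224 172.23.7.244
        asa.static("172.23.7.0/27", "172.23.7.244", "Gi0/1.70")
    return {"core": core, "asa": asa}


if __name__ == "__main__":
    r = build()
    print(trace(r, "172.23.7.1", "172.23.7.130"))   # VLAN 10 -> VLAN 40: default route hands off to the ASA
    print(trace(r, "172.23.7.129", "172.23.7.5"))   # VLAN 40 -> VLAN 10: relies on the ASA return route
    print(trace(build(asa_return_route=False), "172.23.7.129", "172.23.7.5"))  # reply black-holed
    print(trace(build(core_ip_routing=False), "172.23.7.1", "172.23.7.130"))   # 'no ip routing' too early
```

The forward path works for exactly the reason the thread gives: once `interface Vlan40` is gone, the switch has no connected route for 172.23.7.128/27, so the default route to 172.23.7.241 wins and the ASA delivers it on its own subinterface. The reverse path is the part to verify before the cutover: without Jon's `route inside` entry the ASA has no route back to 172.23.7.0/27 and replies are silently dropped, and the same applies to any other subnet left on the core. Two things the model does not cover but a migration checklist should: the ASA only forwards what its interface ACLs permit, and the `ip helper-address 172.20.1.130` lines deleted with each SVI need an equivalent DHCP relay on the ASA (`dhcprelay server` and `dhcprelay enable` on the migrated interfaces) or DHCP clients in those VLANs will stop getting leases.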

Hi @Jon Marshall, yes, there is a return route on the ASA for 172.23.7.0/24 pointing towards the VLAN 70 SVI of the core.

 

The ACLs are already added to allow inter-VLAN traffic.

 

Is that sufficient ?

 

No idea, it's been a while since I did a setup like that, but I would recommend you know for sure before migrating.

 

Jon

 

 

Hello


@skywalker_007 wrote:

VLAN 10 and VLAN70 SVI will remain on Core switch
also the default route 0.0.0.0 0.0.0.0 points to the VLAN 70 subinterface on the FW


You mention VLAN 10/70 is to remain on the core, but then you state VLAN 70 is on the FW?

Post the configuration of the core switch and ASA and confirm exactly which SVIs you want to keep on the old core and which to migrate to the ASA. Just bear in mind you need at least a single L2/L3 connection between the old core and the ASA to allow communication to continue if you are keeping some routing on the old core.

 

 



Kind Regards
Paul