09-22-2021 02:49 AM
Hello,
We have a switch (2 stack) and the firewall is directly connected to one of the Gig ports.
We have the VLAN interfaces below configured on the switch:
interface Vlan10
description management
ip address 172.23.7.1 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan20
description servers
ip address 172.23.7.33 255.255.255.224
!
interface Vlan30
description Wireless
ip address 172.23.7.65 255.255.255.192
ip helper-address 172.20.1.130
!
interface Vlan40
description Wired Clients
ip address 172.23.7.129 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan50
description voip
ip address 172.23.7.161 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan70
description Routing
ip address 172.23.7.244 255.255.255.248
!
interface Vlan226
description mgmt_new
ip address 172.23.7.222 255.255.255.224
!
So the default gateway configured on the machines in each VLAN is the VLAN interface's IP address, which is OK.
We need to move the Layer 3 interfaces to the ASA.
My question is: does this mean that currently traffic between the above VLANs is moving through the switch? Is there any command which is responsible for routing the traffic between VLANs? The internal traffic is currently not going to the firewall.
How do I move these interfaces to the ASA, which is connected on VLAN 70? The ASA IP address is 172.23.7.241.
Also I don't see the commands to create the VLAN, like:
vlan 10
name management
Does this mean that the VLAN is automatically created when creating a VLAN interface?
Also, when I move the VLAN interfaces to the ASA,
do I have to do it like below, and then create the same L3 interface on the ASA?
interface Vlan10
no ip address 172.23.7.1 255.255.255.224
no ip helper-address 172.20.1.130
09-22-2021 03:16 AM
Hello,
with your current configuration, all inter-VLAN (between VLANs) traffic is processed by the switch. Is the plan to move ALL VLANs to the firewall? In that case, you have to make the interface connecting the switch stack to the firewall a trunk, and, as you already said yourself, create VLAN interfaces on the firewall.
On the switch, configure:
no ip routing
and remove all VLAN interfaces, e.g.:
no interface Vlan 10
09-22-2021 03:21 AM
Hi @Georg Pauwen, thanks.
Yes, the plan is to move 4 VLANs initially to the ASA.
I have 2 questions:
Will the command no ip routing impact the remaining VLANs which we will move later?
Does the command no interface Vlan 10 also delete VLAN 10? Because in the configuration (show run) I don't see the below:
vlan 10
name management
09-22-2021 10:32 AM
Hi,
One more thing in addition to the above 2 queries: I have the two commands below configured.
What is the difference between ip default-gateway and ip route 0.0.0.0? This is confusing for me. Do I need both?
172.23.7.241 is the ASA IP address.
ip default-gateway 172.23.7.241
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 172.23.7.241
!
09-22-2021 11:08 AM
Hello
Don't disable ip routing until ALL SVIs have been migrated onto the ASA.
ip default-gateway is used for a host device, which at present your switch isn't, as it is enabled for ip routing.
09-22-2021 11:15 AM
OK, thanks Paul.
The management IP address of the switch is the VLAN 10 interface, 172.23.7.1.
So I am not going to touch VLAN 10.
10-19-2021 11:27 AM - edited 10-19-2021 11:29 AM
Hello @paul driver @Georg Pauwen
We have the migration this Friday.
I will be cutting all the VLANs over to the ASA except VLAN 10, which is management, and VLAN 70, which is our original interco between the switch and the firewall.
So I will run the command below:
no interface vlan X (where X is each SVI which I will be moving to the ASA)
I will not do no ip routing.
So after the cut, when traffic from VLAN 10 tries to go to a wired VLAN, say VLAN 40, does it go to the ASA?? And vice versa?
I am still confused: does this traffic not take into account the statement ip route 0.0.0.0 0.0.0.0 172.23.7.241?
Or, because VLAN 40 is now Layer 2 on the core switch, will the request go directly to Layer 3 on the FW?
10-19-2021 07:15 PM
Hello
VLAN 10 will reside on the ASA also, won't it?
If so, you can disable ip routing on the old L3 switch. However, before you do this: if all the other switches on your network still need to point to their original mgmt default gateway of VLAN 10, and that resides on the old L3 switch, then I would swap that IP address with the VLAN 10 IP address of the ASA, then disable ip routing on the old L3 switch.
10-19-2021 11:50 PM
The VLAN 10 and VLAN 70 SVIs will remain on the core switch. This is because there are devices in VLAN 10 which we can't disrupt this month.
All the remaining SVIs, VLAN 20, 30, 40, 50, 60, 80, will be deleted from the core and moved to the ASA (as subinterfaces on the ASA).
So I can't delete ip routing,
but I am concerned about communication between VLAN 10 and VLAN 20, for example. Will it still work?
Also, the default route 0.0.0.0/0 points to the VLAN 70 subinterface on the FW.
10-20-2021 12:33 PM
@paul driver @Georg Pauwen Hi, can you provide your feedback?
Out of 8 SVIs, we will be moving 6 SVIs to the ASA, but 2 will remain on the core switch.
So will cross communication work?
10-20-2021 12:47 PM
Routing should work fine from the switch for VLAN 10 to the ASA VLANs because you have a default route on the switch, but you also need to add a route to the ASA for the VLAN 10 subnet so the ASA knows how to send traffic back, i.e.:
route inside 172.23.7.0 255.255.255.224 172.23.7.244
That should sort out all the routing.
Note your question is about the routing, but you also need to make sure traffic is allowed between the subnets you are migrating to the ASA; that is a different issue.
Jon
10-20-2021 12:51 PM
Hi @Jon Marshall. Yes, there is a return route on the ASA for 172.23.7.0/24 pointing towards the VLAN 70 SVI of the core.
The ACLs are already added to allow inter-VLAN traffic.
Is that sufficient?
10-20-2021 12:56 PM
No idea, it's been a while since I did a setup like that, but I would recommend you know for sure before migrating.
Jon
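As an added example, not code from the thread or from Cisco: a small Python model of the cut-over Jon and skywalker_007 are discussing. It parses the posted SVI config, builds the ASA's routing table once the migrated VLANs become connected subinterfaces, does a longest-prefix lookup for hosts on both sides, and lists what the ASA still lacks (a return route for subnets kept on the core, and a DHCP relay for migrated SVIs that had an ip helper-address). Addresses come from the thread; the migrated set, the /24 return route and the ASA relay wording are assumptions.

```python
import ipaddress, re

# SVI lines constructed from the switch config posted in the thread (abridged).
SWITCH_SVI_CONFIG = """
interface Vlan10
 ip address 172.23.7.1 255.255.255.224
interface Vlan20
 ip address 172.23.7.33 255.255.255.224
interface Vlan40
 ip address 172.23.7.129 255.255.255.224
 ip helper-address 172.20.1.130
interface Vlan70
 ip address 172.23.7.244 255.255.255.248
"""

def parse_svis(cfg):
    """Map VLAN id -> {'net': IPv4Interface, 'helper': str or None} from SVI blocks."""
    svis, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*interface Vlan(\d+)$", line):
            cur = int(m.group(1))
            svis[cur] = {"net": None, "helper": None}
        elif cur is not None and (m := re.match(r"\s*ip address (\S+) (\S+)", line)):
            svis[cur]["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur is not None and (m := re.match(r"\s*ip helper-address (\S+)", line)):
            svis[cur]["helper"] = m.group(1)
    return svis

def asa_routes(svis, migrated, asa_ip, core_next_hop, summary):
    """Connected routes for migrated VLANs and the interconnect VLAN (holding asa_ip), plus the static summary back to the core."""
    asa_ip = ipaddress.ip_address(asa_ip)
    routes = [(i["net"].network, "connected") for v, i in svis.items()
              if v in migrated or asa_ip in i["net"].network]
    return routes + [(ipaddress.ip_network(summary), core_next_hop)]

def lookup(routes, dst):
    """Longest-prefix match, as the ASA does; returns (network, next_hop) or None."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def migration_checks(svis, migrated, asa_ip, core_next_hop, summary):
    """Gaps on the ASA for the plan: DHCP relay for migrated helper-address SVIs, a return route for subnets kept on the core."""
    routes = asa_routes(svis, migrated, asa_ip, core_next_hop, summary)
    todo = []
    for v, i in svis.items():
        if v in migrated and i["helper"]:
            todo.append(f"Vlan{v}: add DHCP relay to {i['helper']} on the ASA subinterface")
        elif v not in migrated and lookup(routes, str(i["net"].ip)) is None:
            todo.append(f"Vlan{v}: ASA has no route back to {i['net'].network}")
    return todo
```

With the /24 return route from the thread, a VLAN 10 host resolves via the core next hop while a VLAN 20 host is connected on the ASA; narrow the return route to something that misses 172.23.7.0/27 and the check reports it.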
10-21-2021 12:32 AM - edited 10-21-2021 12:33 AM
Hello
@skywalker_007 wrote:
The VLAN 10 and VLAN 70 SVIs will remain on the core switch.
Also, the default route 0.0.0.0/0 points to the VLAN 70 subinterface on the FW.
You mention VLAN 10/70 is to remain on the core, but then you state VLAN 70 is on the FW?
Post the configuration of the core switch and ASA and confirm exactly which SVIs you want to keep on the old core and migrate to the ASA. Just bear in mind you need at least a single L2/L3 connection between the old core and the ASA to allow communication to continue, if you are keeping some routing on the old core.