skywalker_007
Beginner

Move of vlan interface from switch to Firewall

Hello,

We have a switch stack (2 members), and the firewall is directly connected to one of the Gig ports.

We have the below VLAN interfaces configured on the switch:

interface Vlan10
description management
ip address 172.23.7.1 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan20
description servers
ip address 172.23.7.33 255.255.255.224
!
interface Vlan30
description Wireless
ip address 172.23.7.65 255.255.255.192
ip helper-address 172.20.1.130
!
interface Vlan40
description Wired Clients
ip address 172.23.7.129 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan50
description voip
ip address 172.23.7.161 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan70
description Routing
ip address 172.23.7.244 255.255.255.248
!
interface Vlan226
description mgmt_new
ip address 172.23.7.222 255.255.255.224
!

So the default gateway configured on the machines in each VLAN is the VLAN interface's IP address, which is OK.

We need to move the Layer 3 interfaces to the ASA.

My question is: does this mean that currently the traffic between the above VLANs is moving through the switch? Is there any command which is responsible for routing the traffic between VLANs? The internal traffic is currently not going to the firewall.

How do I move these interfaces to the ASA, which is connected on VLAN 70? The ASA IP address is 172.23.7.241.

Also, I don't see the commands to create the VLANs, like:

vlan 10
name management

Does this mean that the VLAN is automatically created when creating a VLAN interface?

Also, when I move the VLAN interfaces to the ASA, do I have to do like below, and then create the same L3 interface on the ASA?

interface Vlan10
no ip address 172.23.7.1 255.255.255.224
no ip helper-address 172.20.1.130

5 REPLIES
Georg Pauwen
VIP Expert

Hello,

with your current configuration, all inter-VLAN (between VLANs) traffic is processed by the switch. Is the plan to move ALL VLANs to the firewall? In that case, you have to make the interface connecting the switch stack to the firewall a trunk and, as you already said yourself, create VLAN interfaces on the firewall.

On the switch, configure:

no ip routing

and remove all VLAN interfaces, e.g.:

no interface Vlan 10

skywalker_007
Beginner

Hi @Georg Pauwen, thanks.

Yes, the plan is to move 4 VLANs initially to the ASA.

I have 2 questions: will the command

no ip routing

impact the remaining VLANs which we will move later?

Does the command no interface Vlan 10 also delete VLAN 10? Because in the configuration (show run) I don't see the below:

vlan 10
name management

Hi,

One more thing in addition to the above 2 queries: I have the below two commands configured.

What is the difference between ip default-gateway and ip route 0.0.0.0? This is confusing for me. Do I need both?

172.23.7.241 is the ASA IP address.

ip default-gateway 172.23.7.241
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 172.23.7.241
!

Hello

Don't disable ip routing until ALL SVIs have been migrated onto the ASA.

ip default-gateway is used for a host device, which at present your switch isn't, as it is enabled for ip routing.

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

OK, thanks Paul.

The management IP address of the switch is the VLAN 10 interface, 172.23.7.1.

So I am not going to touch VLAN 10.
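A worked version of the migration discussed in this thread, added here as an example; it is not code from any of the posters. It parses the SVI block from the question, emits the ASA sub-interface and dhcprelay configuration for the VLANs being moved (reusing each SVI's address so the hosts' default gateway does not change), generates the trunk and SVI removal on the switch, and follows Paul's caveat: it refuses to emit no ip routing / ip default-gateway until only the uplink SVI is left, and in the meantime emits the static routes the ASA needs back to any subnet the switch still routes. The interface names (GigabitEthernet0/1 on the ASA, GigabitEthernet1/0/1 on the stack, nameif inside), the security-level, and an ASA model that supports routed sub-interfaces are assumptions, marked as such in the code; the sample config is the one posted above, trimmed to three SVIs.

```python
"""Plan the SVI-to-ASA migration discussed in this thread: parse the switch's
SVI block, emit per-VLAN ASA sub-interfaces, the switch-side trunk and cleanup,
and apply Paul's caveat (no 'no ip routing' while any non-uplink SVI remains).
Added example; not code from the original thread."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed input: three of the SVIs posted in the question, verbatim.
SWITCH_SVIS = """\
interface Vlan10
description management
ip address 172.23.7.1 255.255.255.224
ip helper-address 172.20.1.130
!
interface Vlan30
description Wireless
ip address 172.23.7.65 255.255.255.192
ip helper-address 172.20.1.130
!
interface Vlan70
description Routing
ip address 172.23.7.244 255.255.255.248
!
"""
ASA_IP = "172.23.7.241"               # from the thread (ASA address on VLAN 70)
ASA_TRUNK_IF = "GigabitEthernet0/1"   # ASSUMPTION: ASA port cabled to the stack
ASA_UPLINK_NAMEIF = "inside"          # ASSUMPTION: ASA nameif that holds ASA_IP
SWITCH_PORT = "GigabitEthernet1/0/1"  # ASSUMPTION: stack port facing the ASA


@dataclass
class Svi:
    vlan: int
    description: str = ""
    ip: str = ""
    mask: str = ""
    helpers: list[str] = field(default_factory=list)

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.ip}/{self.mask}", strict=False)


def parse_svis(config: str) -> dict[int, Svi]:
    """Minimal IOS parser: keeps only 'interface VlanN' stanzas."""
    svis: dict[int, Svi] = {}
    cur = None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.fullmatch(r"interface Vlan(\d+)", line)
        if m:
            cur = svis.setdefault(int(m[1]), Svi(int(m[1])))
        elif line == "!" or line.startswith("interface "):
            cur = None                      # end of stanza / non-SVI interface
        elif cur and line.startswith("description "):
            cur.description = line.split(" ", 1)[1]
        elif cur and line.startswith("ip address "):
            cur.ip, cur.mask = line.split()[2:4]
        elif cur and line.startswith("ip helper-address "):
            cur.helpers.append(line.split()[2])
    return svis


def asa_config(svi: Svi) -> list[str]:
    """One ASA sub-interface per migrated VLAN. The old SVI address is reused so
    hosts' existing default gateway keeps working; IOS ip helper-address becomes
    ASA dhcprelay, with the DHCP server reached via the uplink (ASSUMPTION)."""
    name = re.sub(r"\W+", "_", svi.description).strip("_").lower() or f"vlan{svi.vlan}"
    out = [f"interface {ASA_TRUNK_IF}.{svi.vlan}", f" vlan {svi.vlan}", f" nameif {name}",
           " security-level 50",            # ASSUMPTION: set per zone policy
           f" ip address {svi.ip} {svi.mask}", "!"]
    out += [f"dhcprelay server {h} {ASA_UPLINK_NAMEIF}" for h in svi.helpers]
    if svi.helpers:
        out.append(f"dhcprelay enable {name}")
    return out


def asa_return_routes(svis: dict[int, Svi], migrate: set[int], uplink: int) -> list[str]:
    """Subnets the switch still routes must be reachable from the ASA via the
    switch's uplink SVI, or replies from migrated VLANs are black-holed."""
    via = svis[uplink].ip
    return [f"route {ASA_UPLINK_NAMEIF} {s.network().network_address} {s.mask} {via}"
            for v, s in sorted(svis.items()) if v not in migrate and v != uplink]


def switch_config(svis: dict[int, Svi], migrate: set[int], uplink: int) -> list[str]:
    allowed = ",".join(str(v) for v in sorted(migrate | {uplink}))
    out = [f"interface {SWITCH_PORT}", " switchport mode trunk",
           f" switchport trunk native vlan {uplink}",    # ASA keeps its untagged address
           f" switchport trunk allowed vlan {allowed}",  # only what the ASA must see
           "!"]
    out += [f"no interface Vlan{v}" for v in sorted(migrate)]      # Georg's step
    still_routed = [v for v in sorted(svis) if v not in migrate and v != uplink]
    if still_routed:                 # Paul's caveat: keep routing until all SVIs are gone
        out.append(f"! ip routing stays on: VLAN(s) {still_routed} still routed here")
        return out
    if uplink in migrate or ipaddress.IPv4Address(ASA_IP) not in svis[uplink].network():
        raise ValueError(f"{ASA_IP} would not be on a remaining SVI: host-mode gateway unreachable")
    out += ["no ip routing", f"no ip route 0.0.0.0 0.0.0.0 {ASA_IP}", f"ip default-gateway {ASA_IP}"]
    return out


if __name__ == "__main__":
    svis = parse_svis(SWITCH_SVIS)
    wave1 = {30}                     # the OP keeps Vlan10 (switch management) for now
    for v in sorted(wave1):
        print("\n".join(asa_config(svis[v])))
    print("\n".join(asa_return_routes(svis, wave1, 70)))
    print("\n".join(switch_config(svis, wave1, 70)))
```

Keeping the uplink VLAN as the trunk's native VLAN is what lets the ASA keep its existing untagged 172.23.7.241 when the access port becomes a trunk, and restricting the allowed VLAN list to the migrated VLANs plus the uplink keeps the firewall from receiving VLANs it has no policy for. The generator only swaps ip route 0.0.0.0 for ip default-gateway once the switch is left with nothing but the uplink SVI, because in host mode (no ip routing) the default gateway has to sit on a directly connected SVI subnet, which the ValueError check enforces.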