Move routing from Cisco ASA 5510 to my Layer 3 Switches

kmacdonald
Level 1

I have an ASA 5510 appliance we've had for a while now. Previously I had it connected to our switch from the int Eth0/1 to the switch LAN port. No VLANs, no layer 3 routing, just unmanaged switching. Now I have 2 VLANs configured on my switch (it's an Extreme switch, configured with 2 VLANs). The only way I could get communication between the 2 VLANs was by calling Cisco and having them help me set up a sub-interface for the second VLAN. This means that the ASA 5510 is now handling routing and DHCP relay. The switch is in layer 2 mode. I'd really like to get the switch handling routing and DHCP relay. I know how to configure the switch to do this, but I'm struggling with the ASA 5510. The way the interface is configured now is as such:

interface Ethernet0/1
description Inside LAN interface
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0 
!
interface Ethernet0/1.10
vlan 10
nameif nutanix
security-level 100
ip address 10.1.10.1 255.255.255.0

As you can see, it is 1 interface for my default vlan (not tagged) and one sub interface tagged for my second vlan.

This interface and sub-interface are trunked to a port on my switch with both VLANs. DHCP relay is enabled on the Cisco too:

dhcprelay server 192.168.200.6 inside
dhcprelay enable nutanix
dhcprelay timeout 60

I'm still having problems with certain Windows Server services on the Nutanix VLAN reaching my domain controller on my default VLAN. I think the answer to this, and to prevent a lot more problems down the road, is to make my switch the layer 3 device and have it handle routing and DHCP relaying (again, I can do this no problem on the switch). Here's the VLAN config on my switch:

Name            VID  Protocol Addr       Flags                       Proto  Ports  Virtual
                                                                            Active router
                                                                            /Total
---------------------------------------------------------------------------------------------
Default         1    192.168.200.2  /24  ------------T--------------- ANY    87/146 VR-Default
Nutanix         10   10.1.10.2      /24  ---------------------------- ANY    10/11  VR-Default

Port 1 of the switch is tagged on each VLAN, and the Eth0/1 port of my firewall is connected to it. Here's the port config on my switch:

Slot-1 Stack.4 # show vlan ports 1:1
---------------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                       Proto  Ports  Virtual
                                                                            Active router
                                                                            /Total
---------------------------------------------------------------------------------------------
Default         1    192.168.200.2  /24  ------------T--------------- ANY    87/146 VR-Default
Nutanix         10   10.1.10.2      /24  ---------------------------- ANY    10/11  VR-Default

I opened a case for this request, but I think they are having problems understanding the issue. They suggested I set up my interfaces like this:

interface Ethernet0/1
no nameif
no ip add 
!
interface Ethernet0/1.10
vlan 10
nameif nutanix
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/1.200
description Inside LAN interface
vlan 200
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0 

As you can see, this suggestion creates 2 sub-interfaces (one for each VLAN), but I think this still handles routing on the ASA 5510 and not on my switch.

What is my ideal configuration for an interface if I want my switch to handle layer 3 routing? Based on my very amateurish knowledge of Cisco routing/firewalls, I think I need a single Eth0/1 interface that is trunked on the switch. I don't want the firewall doing any routing or relaying, just passing traffic that has been approved by ACL and NAT. I've been struggling with this for almost 2 weeks and it's the source of a lot of stress.

I'm attaching a basic diagram I made showing the vlans.

3 Replies

Reza Sharifi
Hall of Fame

The configuration below is the correct config on the firewall, but as you already know, with this config the firewall is still doing the routing between your VLANs. Since you only have a very limited number of VLANs (2), I suggest leaving the config as it is (firewall doing the routing) and working on fixing the inter-VLAN connectivity issue you may have. If you really want to move the routing down to the Extreme switch, you would have to delete all the sub-interfaces on the firewall as well as their config, create two SVIs for both VLANs on the switch, and have the switch do the routing as well as DHCP, etc. With this option, you then need a layer-3 link (a /30 or /29) between the firewall and the Extreme switch. So, interface 0/1 on the firewall will have one IP and the Extreme switch will have the other IP. You then have a default route or default network on the Extreme pointing to the IP address on the firewall (0/1 interface). On the firewall you need to have 2 static routes for networks 192.168.200.0/24 and 10.1.10.0/24 pointing to the IP address on the Extreme switch.

HTH

interface Ethernet0/1
no nameif
no ip add 
!
interface Ethernet0/1.10
vlan 10
nameif nutanix
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/1.200
description Inside LAN interface
vlan 200
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0 
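
The routed-link design described in the reply above, written out as an added example (not config from the original post or from Cisco/Extreme): the ASA keeps a single routed Ethernet0/1 on a point-to-point /30, the switch takes over inter-VLAN routing and DHCP relay, and the two user subnets are reached through static routes. The transit subnet 192.168.255.0/30, the VLAN name "Transit", and the ExtremeXOS command syntax are assumptions; the switch SVI addresses, port 1:1, VLAN names and the DHCP server 192.168.200.6 come from the thread.

```text
! ===== ASA 5510 (Cisco ASA syntax) =====
! 1. Stop the ASA relaying DHCP for the Nutanix VLAN; the switch will do it.
no dhcprelay enable nutanix
no dhcprelay server 192.168.200.6 inside
!
! 2. Remove the VLAN 10 sub-interface; the ASA no longer owns that subnet.
no interface Ethernet0/1.10
!
! 3. Re-address Ethernet0/1 as a routed point-to-point link to the switch.
!    192.168.255.0/30 is a constructed example transit subnet (assumption).
interface Ethernet0/1
 description Routed link to Extreme core switch
 nameif inside
 security-level 100
 ip address 192.168.255.1 255.255.255.252
!
! 4. Tell the ASA that both user subnets live behind the switch.
route inside 192.168.200.0 255.255.255.0 192.168.255.2 1
route inside 10.1.10.0 255.255.255.0 192.168.255.2 1

# ===== Extreme switch (assumed ExtremeXOS syntax) =====
# 5. Move port 1:1 out of the two tagged VLANs into an untagged transit VLAN.
configure vlan Default delete ports 1:1
configure vlan Nutanix delete ports 1:1
create vlan Transit
configure vlan Transit add ports 1:1 untagged
configure vlan Transit ipaddress 192.168.255.2/30
#
# 6. Route between VLANs on the switch. The SVIs 192.168.200.2 and
#    10.1.10.2 already exist according to the show vlan output above.
enable ipforwarding vlan Default
enable ipforwarding vlan Nutanix
enable ipforwarding vlan Transit
configure iproute add default 192.168.255.1
#
# 7. Relay DHCP for the Nutanix VLAN to the server sitting in the Default VLAN.
configure bootprelay add 192.168.200.6
enable bootprelay
```

Three things change along with the topology. Hosts in both VLANs must now use the switch SVI (192.168.200.2 or 10.1.10.2) as their default gateway instead of the ASA addresses, so the DHCP scope router option and any statically addressed servers need updating; and since the ASA no longer has an interface named nutanix, any NAT or access-group statements that reference it must be rewritten against inside. Finally, traffic between the two VLANs never reaches the ASA any more, so whatever filtering the firewall was applying between them has to be reproduced as ACLs on the switch if it is still wanted. If the sub-interface design is kept instead, note that the ASA `vlan` ID on each sub-interface has to match the 802.1Q tag the switch actually sends on port 1:1; the show vlan output above shows the Default VLAN tagged 1, not 200.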

Thank you for the response. The way the config on the firewall is now, there is no tagging on Eth0/1 (default VLAN):

interface Ethernet0/1
 description Inside LAN interface
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0 
!
interface Ethernet0/1.10
 vlan 10
 nameif nutanix
 security-level 100
 ip address 10.1.10.1 255.255.255.0 
!

So you think that by adding another sub-interface tagged with 200 it would fix some connectivity issues?

So you think that by adding another sub-interface tagged with 200 it would fix some connectivity issues?

I think so. 

So, the final config should look like this with no IP under the main interface and creating a second sub-interface (200).

interface Ethernet0/1
 no nameif
 no ip address
!
interface Ethernet0/1.200
 description Inside LAN interface
 vlan 200
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/1.10
 vlan 10
 nameif nutanix
 security-level 100
 ip address 10.1.10.1 255.255.255.0