I have an ASA 5510 appliance we've had for a while now. Previously I had it connected to our switch from the int Eth0/1 to the switch lan port. No Vlans, no layer 3 routing, just unmanaged switching. Now I have 2 vlans configured on my switch (it's an extreme switch, configured with 2 vlans). The only way I could get communication between the 2 vlans was by calling cisco and having them help me setup a sub interface for the second VLAN. This means that the ASA 5510 is now handling routing and dhcp relay. The switch is in layer 2 mode. I'd really like to get the switch handling routing and dhcp relay. I know how to configure the switch to do this, but I'm struggling with the ASA 5510. The way the interface is configured now is as such:
interface Ethernet0/1
description Inside LAN interface
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/1.10
vlan 10
nameif nutanix
security-level 100
ip address 10.1.10.1 255.255.255.0
As you can see, it is 1 interface for my default vlan (not tagged) and one sub interface tagged for my second vlan.
This interface and sub-interface is trunked to a port on my switch with both vlans. DHCP is enabled on the cisco too:
dhcprelay server 192.168.200.6 inside
dhcprelay enable nutanix
dhcprelay timeout 60
I'm still having problems with certain windows server services on the nutanix vlan reaching my domain controller on my default vlan. I think the answer to this, and to prevent a lot more problems down the road, is to make my switch the layer 3 and have it handle routing and dhcp relaying (again, I can do this no problem on the switch). Here's the vlan config on my switch:
Name VID Protocol Addr Flags Proto Ports Virtual
Active router
/Total
---------------------------------------------------------------------------------------------
Default 1 192.168.200.2 /24 ------------T--------------- ANY 87/146 VR-Default
Nutanix 10 10.1.10.2 /24 ---------------------------- ANY 10/11 VR-Default
Port 1 of the switch is tagged on each VLAN, and Eth0/1 port of my firewall is connected to it. Here's the port config in my switch:
Slot-1 Stack.4 # show vlan ports 1:1
---------------------------------------------------------------------------------------------
Name VID Protocol Addr Flags Proto Ports Virtual
Active router
/Total
---------------------------------------------------------------------------------------------
Default 1 192.168.200.2 /24 ------------T--------------- ANY 87/146 VR-Default
Nutanix 10 10.1.10.2 /24 ---------------------------- ANY 10/11 VR-Default
I opened a case for this request but they are having problems understanding the issue I think. They suggested I setup my interfaces like this:
interface Ethernet0/1
no nameif
no ip add
!
interface Ethernet0/1.10
vlan 10
nameif nutanix
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/1.200
description Inside LAN interface
vlan 200
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
As you can see this suggestion creates 2 sub interfaces (one for each vlan), but I think this still handles routing on the ASA 5510 and not my switch.
What is my ideal configuration for an interface if I want my switch to handle layer 3 routing? Based on my very amateurish knowledge of cisco routing/firewalls I think I need a single Eth0/1 interface that is trunked on the switch. I don't want the firewall doing any routing or relaying, just passing traffic that has been approved by ACL and NAT. I've been struggling with this for almost 2 weeks and it's the source of a lot of stress.
I'm attaching a basic diagram I made showing the vlans.
