Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
665
Views
0
Helpful
5
Replies

Questions with network design

Todd Willoughby
Level 1
Level 1

‎03-20-2012 10:58 AM - edited ‎03-07-2019 05:41 AM

Hey folks, Im working on designing a new network and am looking to get a proof of concept working here, although i do have a few questions. I have attached a screen shot of the network below.


#1 The uplink going from the layer 3 switch to the ASA this needs to be a trunk line correct? In order for all the other vlans to have access to the internet? Dose this trunk need to be in its own separate vlan?


#2 This is a DMZ vlan that needs routed though the ASA firewall for IPS inspection. Do I I need a separate uplink to the ASA for this or can I use the existing trunk to the ASA from #1 and just using a sub interface on the ASA for the routing in this vlan?

network.jpg

Labels:
0 Helpful
5 Replies 5

Edison Ortiz
Hall of Fame
Hall of Fame

‎03-20-2012 11:08 AM 

#1 The uplink going from the layer 3 switch to the ASA this needs to be a  trunk line correct? In order for all the other vlans to have access to  the internet? Dose this trunk need to be in its own separate vlan?

No. It can be an access port or a routed port from the Layer3 switch. I will prefer if you go with the routed port approach to eliminate STP.

The ASA will need route(s) to the other Vlans residing in the Layer3 switch with the directly connected routed port being its default gateway.

#2 This is a DMZ vlan that needs routed though the ASA firewall for IPS  inspection. Do I I need a separate uplink to the ASA for this or can I  use the existing trunk to the ASA from #1 and just using a sub interface  on the ASA for the routing in this vlan?

If you are planning to use the same Layer3 switch for the DMZ, you can create a Layer2 Vlan on the Layer3 switch and have the ASA connected to a dedicated port configured as access port. The ASA will be the Layer3 device for this Vlan so you have to manage your IP addressing accordingly.

Regards,

Edison

0 Helpful

Todd Willoughby
Level 1
Level 1
In response to Edison Ortiz

‎03-20-2012 11:39 AM

Edison, thanks for the reply. How to I designate the port on the layer 3 switch to be a routed port?

The ASA will need route(s) to the other Vlans residing in the Layer3 switch with the directly connected routed port being its default gateway.

I already have the inter-vlan ruoting setup and working correctly. Where dose one go to specifiy the routes if inter-vlan routing is already setup?

0 Helpful

Edison Ortiz
Hall of Fame
Hall of Fame
In response to Todd Willoughby

‎03-20-2012 12:45 PM 

Edison, thanks for the reply. How to I designate the port on the layer 3 switch to be a routed port?

interface x/x

no switchport

ip address y.y.y.y x.x.x.x

I already have the inter-vlan ruoting setup and working correctly. Where  dose one go to specifiy the routes if inter-vlan routing is already  setup?

Inter-Vlan routing in the switch? This is done by default as long as you have 'ip routing' globally enabled.

The switch's default gateway will be the ASA but the ASA needs to know about the layer3 Vlans you have in the switch.

This is where the static routes in the ASA will come into place.

0 Helpful

boulest
Level 1
Level 1
In response to Edison Ortiz

‎03-20-2012 12:52 PM

The ASA will need to learn about all the Vlans you are configuring on the switch, that is the only way to route them to the Internet useing the routed uplink as Edison mentioned.

I am not sure what type of switch you have but you may want to use SFP for vlan routing. just an idea

0 Helpful

Todd Willoughby
Level 1
Level 1
In response to Edison Ortiz

‎03-20-2012 01:33 PM 

Edison Ortiz wrote:
#1 The uplink going from the layer 3 switch to the ASA this needs to be a  trunk line correct? In order for all the other vlans to have access to  the internet? Dose this trunk need to be in its own separate vlan?
No. It can be an access port or a routed port from the Layer3 switch. I will prefer if you go with the routed port approach to eliminate STP.
The ASA will need route(s) to the other Vlans residing in the Layer3 switch with the directly connected routed port being its default gateway.
#2 This is a DMZ vlan that needs routed though the ASA firewall for IPS  inspection. Do I I need a separate uplink to the ASA for this or can I  use the existing trunk to the ASA from #1 and just using a sub interface  on the ASA for the routing in this vlan?
If you are planning to use the same Layer3 switch for the DMZ, you can create a Layer2 Vlan on the Layer3 switch and have the ASA connected to a dedicated port configured as access port. The ASA will be the Layer3 device for this Vlan so you have to manage your IP addressing accordingly.
Regards,
Edison

Edison thanks for the CLI command, I do remember this command now.

Boulest the ASA is going to be a new 5520 with the IPS module and the switch is going to be a 3560X (WS-C3560X-48PF-S)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card