Setting up L3 Switch for Devices and Internet

Rob Pettigrew
Level 1

I have a question regarding setting up our 3750X switch to handle both internet uplink and all end devices.  My thoughts are as follows:

We currently have Internet -> L2 Switch -> (2) ASA Active/Passive -> L2 Switch (All Devices Plug In Here)

I would like to utilize our new 3750X switch to do Internet -> L3 Switch -> (2) ASA Active/Passive (BUT ALL devices plug in to L3 Switch)

New switch would have ip routing enabled and static default route.

Gi 0/1 could have L3 routing enabled with an IP Address to talk with the internet.

Here is where I am still a little confused.  Do I need to utilize VLANs in this situation to secure my internal servers/management since I am directly connected to the internet?  Is my management at risk since it is still on VLAN 1 and the switch is now directly connected to the internet?  How should I configure the ASA devices/switch ports so that they can talk to the internet and the internal network?  Do I need to keep my default routes on my ASA devices or will the switch handle this?  Is this a viable solution or should I keep a dedicated switch for the "DMZ" area where the Internet drop is?  Any input would be greatly appreciated.  Thanks Cisco Community!

-Rob

4 Replies

Reza Sharifi
Hall of Fame

Hi Rob,

Since you want to use your new 3750 to connect to your service provider, you also need a layer-2 switch behind your firewalls to connect your users to.

So it would be Internet -> L3 Switch-3750X -> (2) ASA Active/Passive -> L2 Switch (All Devices Plug In Here).

On your L-2 switch, you just need a default route for the management vlan, and the default gateways for your user vlans would be the firewall.  Also, use any other vlan but vlan 1 for management, as vlan 1 is the native vlan and it is used for control traffic. Depending on the number of devices you have, you also need to identify 1 or 2 vlans/subnets for all your end user devices. You then need a layer-3 link between the fw and the 3750 with a default route pointing towards the 3750.

HTH

Reza
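As an added configuration sketch (not part of the thread and not Cisco's or the poster's own config) of the three boxes in the design described above: the 3750X in front of the ASA pair carrying only the ISP link and a transit VLAN, the ASA pair as the gateway for the user and management VLANs, and the inside L2 switch with its management SVI on a VLAN other than 1. Hostnames, interface numbers, VLAN IDs and addresses (203.0.113.0/30 ISP link, 198.51.100.0/29 public block, 10.0.0.0/16 inside) are assumptions; the ASA failover link, NAT details and access rules are omitted.

```cisco
!=== EDGE-3750X: between the ISP and the ASA outside interfaces; carries NO internal VLANs ===
! (all names, VLAN IDs and addresses in this sketch are assumed, not from the thread)
hostname EDGE-3750X
ip routing
!
vlan 100
 name ASA-OUTSIDE-TRANSIT
!
! Routed port toward the ISP (link subnet 203.0.113.0/30, assumed)
interface GigabitEthernet1/0/1
 description ISP handoff
 no switchport
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-ISP in
!
! SVI on the transit VLAN; both ASA outside ports sit in this VLAN so failover keeps working
interface Vlan100
 ip address 198.51.100.1 255.255.255.248
interface range GigabitEthernet1/0/2 - 3
 description ASA outside (active / standby)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Nothing is managed on VLAN 1 on the edge switch
interface Vlan1
 shutdown
!
! Static default route toward the ISP. No route back to 10.0.0.0/16 is needed here,
! because the ASA translates inside hosts to its own outside address.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! From the Internet only the ASA-facing public addresses are reachable; the switch's
! own addresses are not (apart from ping on the ISP link for circuit monitoring)
ip access-list extended FROM-ISP
 permit icmp any host 203.0.113.2 echo
 deny   ip any host 203.0.113.2
 deny   ip any host 198.51.100.1
 permit ip any 198.51.100.0 0.0.0.7
 deny   ip any any log
!
! Management sessions reach the edge switch from inside through the ASA, so they
! arrive sourced from the ASA's outside (NAT) address; nothing else may open a vty
ip access-list standard MGMT-HOSTS
 permit host 198.51.100.2
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
!=== ASA pair (active/standby): outside faces VLAN 100 on the 3750X, inside trunks to the L2 switch ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
interface GigabitEthernet0/1
 no nameif
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 100
 ip address 10.0.10.1 255.255.255.0 standby 10.0.10.2
interface GigabitEthernet0/1.99
 vlan 99
 nameif mgmt
 security-level 100
 ip address 10.0.99.1 255.255.255.0 standby 10.0.99.2
!
! Inside hosts leave through the ASA outside address, so 10.0.0.0/16 never appears on the edge
object network INSIDE-NETS
 subnet 10.0.0.0 255.255.0.0
 nat (any,outside) dynamic interface
!
! The firewall's default route is the layer-3 link to the 3750X transit SVI
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
!=== INSIDE-L2: every end device plugs in here; the ASA subinterfaces are the VLAN gateways ===
hostname INSIDE-L2
vlan 10
 name USERS
vlan 99
 name MGMT
!
! Management SVI on VLAN 99, not VLAN 1; a layer-2 switch only needs a default gateway
interface Vlan1
 shutdown
interface Vlan99
 ip address 10.0.99.10 255.255.255.0
ip default-gateway 10.0.99.1
!
interface GigabitEthernet1/0/1
 description Trunk to ASA inside
 switchport mode trunk
 switchport trunk allowed vlan 10,99
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

The point of the split is that the edge 3750X never holds an interface in an inside VLAN, so a compromise of the device facing the ISP gives no layer-2 path to servers or management; the only things it can reach are the ASA outside addresses. The FROM-ISP and MGMT-HOSTS lists are what keep the switch's own control plane off the Internet, and they are worth reviewing with `show access-lists` after a few days to confirm the deny counters are the ones incrementing.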

Reza,

Thank you very much for the reply, but just to clarify: the situation I described would not be possible, correct?  To have a single layer 3 device connecting external, internal, and firewalls.  It sounded silly to me, but I thought perhaps there was a way to configure it; after going through some mock environments I am hitting a lot of walls.

Rob,

Even if it is possible, I would stay away from designing it that way.  You need to have a router/switch in front of and behind the firewall to protect your resources and your network from the Internet.

Good Luck

Reza

Thanks Reza.  That is how I feel too.  Thanks for your input; it is valued greatly.  Cheers!
