Sorry in advance if this is in the wrong section. First time posting, and I am hopelessly lost. I am fairly new to layer 3 switching and intervlan routing, and have unfortunately been handed a pretty complex task to solve.   Anyway, here is the setup: ASA 5545X <Etherchannel> Catalyst 3850 (24XS) <trunk> Catalyst 3850 (x2 48XS backup failover) <trunk> Catalyst 3850 (x2 48XS backup failover)   I will refer to them as follows:  Firewall <EC1> ADM Switch <T1> TopOfRack1 (1&2) <T2> TopOfRack2 (1&2)   each Top of Rack set of switches then has redundant trunks down to our hyperconverged server stack, and Rack 1 has access ports to workstations and the other vlan. Rack 2 just has access ports to some workstations.   To spare confusion, all Catalyst 3850 switches are setup with redundant trunks carrying all relevant tagged vlan traffic and the spanning tree is configured properly.   Vlan layout looks like this: Vlan 10: Admin traffic stuff *also default vlan* Network: 192.168.10.0/24 Vlan 20: Server "A" traffic Network: 7.0.10.0/26 Vlan 30: Other traffic Network: 7.0.10.64/26 Vlan 40: Server "B" traffic Network: 7.0.10.128/26 Vlan 50: Workstation traffic Network: 7.0.10.192/27 Vlan 60: Server "C" traffic Network 7.0.11.0 /24 I also have a Vlan 99 that I was trying out, Not sure if it's right though:   Vlan 99: Gateway? Network 7.0.10.224/27   I know that the easy solution would be to create sub-interfaces for each network on EC1 to the firewall, however, I do not want to route all that traffic through the firewall, as I have 10G trunks between all the switches and 40G uplinks from the servers, but only a total throughput of 3gbps on the firewall. I only have a requirement to perform stateful packet inspection between Vlan 10 to all, and between Vlan 20 to Vlan 60. Additionally, Vlan 40 should not really be able to see any network other than Vlan 10, and it needs to go through the firewall to do so.   Here is the scenario I am trying to build: Vlan 20 (Server "A" traffic) should be able to access its domain controller up in Vlan 10 (ADM), It should also be able to access Vlan 30, and Vlan 50, but not Vlan 40. Additionally, Vlan 20 should be able to reach Vlan 60, but traverse the firewall to do so.I am required to go through the firewall for Vlan 10 to Vlan 20, but I want to take advantage of intervlan routing for Vlan 20-50 since those are all connected via 10+Gbps connections.    Presently, the ip routes on one of the switches look like this: S* 0.0.0.0/0 [1/0] via 7.0.10.241 7.0.0.0/8 is variably subnetted, 6 subnets, 3 masks C 7.0.10.0/26 is directly connected, Vlan 20 L 7.0.10.2/32 is directly connected, Vlan 20 C 7.0.10.64/26 is directly connected, Vlan 30 L 7.0.10.66/32 is directly connected, Vlan 30 C 7.0.10.192/27 is directly connected, Vlan 50 L 7.0.10.194/32 is directly connected, Vlan 50 C 7.0.10.224/27 is directly connected, Vlan 99 L 7.0.10.244/32 is directly connected, Vlan 99 S 192.168.0.0/16 via 192.168.0.1 192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.0.0/24 is directly connected, Vlan 10 L 192.168.0.8/32 is directly connected, Vlan 10 I was trying to see if having a /27 network with a gateway on the firewall and setting the GOLR to that would do anything... But it didnt.    The networks are setup with the following gateways, that were configured as a virtual address from configuring the standby adapters in the layer 3 interfaces:   Vlan 20:  7.0.10.1 Vlan 30:  7.0.10.65 Vlan 40:  7.0.10.129 Vlan 50: 7.0.10.193   The firewall presently has all networks configured to allow any -> any    The interfaces I have configured on the firewall are as follows, and I am pretty sure I am wrong here: PortChannel1 (EC1) 192.168.0.1 255.255.255.0 PortChannel1.60 ("C" Servers) 7.0.11.1 255.255.255.0 PortChannel1.99 (Gty) 7.0.10.241 255.255.255.0   I think I am supposed to configure some static routes on the firewall, but I dont know where I need to start.     The first step I would like to achieve is getting a VM running on Vlan 20 to be able to see the domain controller up in vlan 10. I think once I have that, the rest will be easier to figure out.   I guess what I am unsure of, is the following: what I should configure the GOLR on each switch to? Should it be an interface like 192.168.0.1 or should I create another vlan with an address that resides within 7.0.x.x like what im doing with Vlan 99 how should I setup the static routes on both the switch and the ASA? What needs to be configured on the ASA to make this work? Right now its just an etherchannel with a Vlan 99 interface on it that all of the switches have configured as the GOLR. I assume I need to setup access-lists for preventing Vlan 40 from having access to stuff. But I think first I would like to just get my VMs pinging the DC. The intervlan routes for a 7.x.x.x network always pull a /8 network, which means that by default VLAN 60 becomes available. I again assume access lists will solve this. But this is further down the line. I cant easily get the running configs up here, so ask me for what you need, and I will post the relevant content.    Regards, -Andrew         ... View more