Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
895
Views
10
Helpful
11
Replies

ASA control traffic with VLAN-s

tibi01
Level 1
Level 1

‎08-01-2022 01:59 AM

Hello guys,

 

I have a problem with ASA. I attached the topology of the network. Now we have 2 core switches which are route within VLAN-s. Now I have to insert in these topology 2 ASA (active/standby). The goal is that the 2 ASA control the traffic beetween the VLAN-s instead of core switches (eliminate IP routing in the core switches) but ASA allow all traffic from and to the internet (The ASA doesnt have to filter the traffic of internet, only filter traffic beetween VLAN-s) . The question is what is the best choice to insert the two ASA in the topology with minimal modification of the topology and the configuration of the 2 core switches and how configure the interfaces of the ASA. Please help me.

Preview file
52 KB
0 Helpful
11 Replies 11

W-ALI
Level 1
Level 1

‎08-01-2022 01:59 PM

I thing the best of logical connection ,
the ASA  be between the router & Core

in core the default route to ASA , or you can create the VLANs on ASA (Sub-interface)

on ASA you can control the traffic between VLANs & internet by QOS of service policy

0 Helpful

tibi01
Level 1
Level 1
In response to W-ALI

‎08-01-2022 11:46 PM

Thank you for your reply. What do you think what is the better solution?  Route all VLAN subnets from core to ASA, on ASA control the traffic beetween VLAN-s and route back the VLAN-s to core, or create VLAN-s on ASA?

0 Helpful

W-ALI
Level 1
Level 1
In response to tibi01

‎08-02-2022 04:31 AM

On ASA more security and more centralized with control,

but however that depends on business need and importance.

for example in my Co we created almost VLAN on ASA as I.T, finance , Guest , Management ...etc   

but we create some VLAN on Core as internal machine likes printer , fingerprint , Cameras & some Departments.

 

0 Helpful

tibi01
Level 1
Level 1
In response to W-ALI

‎08-02-2022 06:00 AM

Okay, but you also control the traffic of printer, fingerprint, cameras. etc on ASA ?

0 Helpful

W-ALI
Level 1
Level 1
In response to tibi01

‎08-02-2022 10:56 AM

that's depends on the destination ,

the internet & VLAN created on ASA , the Packets will pass through ASA.

from any VLAN created on Core to any VLAN created on Core , the packets not pass through ASA.

 

 

0 Helpful

paul driver
VIP
VIP
In response to W-ALI

‎08-02-2022 02:03 PM - edited ‎08-02-2022 02:03 PM

@W-ALI 

@W-ALI wrote:

on ASA you can control the traffic between VLANs & internet by QOS of service policy

Qos does not control routing path selection, it can however classify, mark police & shape traffic based on polcy


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

W-ALI
Level 1
Level 1
In response to paul driver

‎08-02-2022 02:32 PM

@paul driver wrote:
Qos does not control routing path selection, it can however classify, mark police & shape traffic based on polcy

yes, that's what I mean, control the traffic by service policy rule

rule.png

 

0 Helpful

MHM Cisco World
VIP
VIP

‎08-02-2022 12:41 PM

config the Edge SW have two three interface 
ONE Connect to ISP 
two other connect one for Active other for standby ASA
finally you will get two OUT for active ASA you can use load by PBR or use primary/backup ISP

for ASA OUT we talk about for IN 
config all VLAN with default GW point to Active ASA IN interface, 
make L2 SW connect to IN of both ASA 
and that it.

paul driver
VIP
VIP

‎08-02-2022 02:06 PM

Hello

  • Create the asa cluster, with all the same L3 vlans thats on the 3650 stack but have them in a shutdown state,
  • Attach asa cluster to the 3650 stack via a L2/L3 EtherChannel and run all vlans across it, enabling just one l3 interface (mgt) on the for L3 routing between asa and L3 3650 stack, at this point all l3 is running on the 3650 and the ASA has full routing table providing you are running dynamic routing (OSPF)
  • Migrate each L3 svi off the 3650 by shutting that SVI down and enabling it on the ASA, once all l3 is on the asa, migrate any static routes and remove them from 3650
  • Finally disable ip routing on the 3650 stack, leaving just he MGT svi and L2/L3 EtherChannel trunk

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

tibi01
Level 1
Level 1
In response to paul driver

‎08-04-2022 02:35 AM

Hello Paul,

Thank you for your reply, I understand this solution. I try to find a solution which require the minimal change of the current configuration of the core switches because these network has to work continously. So what is your opinion about this solution? WIll it work?

1. disable all VLAN3 interface on the core stack, except the default LAN.

2. attach the ASA cluster to the core stack via default LAN L3 interface

3. disable IP routing on core stack

4. route all traffic to ASA cluster

5. control traffic beetween VLAN-s on ASA by access policies

6. Route back the VLAN subnets from ASA to core stack

7. Route all other traffic from ASA to internet router

Tibor

 

 

0 Helpful

tibi01
Level 1
Level 1
In response to tibi01

‎08-10-2022 05:15 AM

Hello Paul

Any response?

Tibor

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card