Cisco ASA/3750 Multiple VLAN setup

Posted on 2006-06-03
Last Modified: 2012-08-13
Ok, here is my situation.  I am getting ready to purchase (2) Cisco 3750-24TS-S switches and use the stackwise cable for interconnect.  These switches will be used as my vlan/routing switches.  I want to have the following vlans configured on the switch:

1 - Outside Vlan (VLAN for outside public access)
2 - DMZ Vlan (For servers that are public facing EX:Public DNS Servers, Video Camera Servers, Vendor Inventory Servers)
3 - Server Vlan (For internal servers for the company)
4 - IT VLan
5 - Call Center Vlan
6 - Accounting Vlan
7 - Production Vlan
8 - Warehouse Vlan
9 - Catalog Vlan

We have two T1's that come in and are bonded into a single MLPPP Channel giving us 3Mbps bandwidth.  We use the Cisco 2821 Router for the DSU/CSU termination point for the T1's.  The Ethernet interface off of the Router will plug into the Outside Vlan and have an IP address of 206.132.X.X /27.  The next device to plug into the Outside VLan is the Cisco ASA 5510.  It also has a public-facing IP address in the 206.132.X.X /27 range.  The next Ethernet Interface on the ASA will plug into the DMZ Vlan and have an IP address of 172.16.X.1 /24.  The DNS Servers etc., will also plug into that same vlan and use 172.16.X.1 /24 on the ASA interface as their default gateway.  I then take the third ASA interface and plug it into the Server Vlan with the third Ethernet Interface IP address as 10.1.X.1 /24.  I then plug our internal company servers as well into that Server Vlan.  Here is when I get a little confused.  I want another firewall interface barrier to sit in between the internal servers and the rest of the company's vlans.  The only thing is that IT & Production need access to the file servers on the Server Vlan without going through the ASA.  The rest of the company however I want to have go through another ASA interface to get to the Servers on the Server Vlan.  This would create some internal security as well since I now have a firewall between the inside company and the inside internal servers.  Does this sound like a smart thing to do?  And more specifically how would I go about accomplishing this setup.
Question by:icarus2256
    LVL 79

    Expert Comment

    Couple of comments.
    1. Not the best idea to have the outside vlan on the same physical switch. Suggest just using a crossover cable between the 2821 router and the ASA outside interface, else use a dedicated 10/100 switch. Reason is potential bleed over between vlans and the security of the entire system.
    2. Not the best idea to separate the servers from the users. In the best scenario the servers are in the same vlan as the majority of its users. Reason is efficiency. Too many ports/protocols to open up through the firewall for user authentication, browsing, AD functions, etc. Since you have a full L3 capable switch with high-speed backplane you can put the servers on a different vlan than the users and route between them. Use the security inherent in the Microsoft products.

    What parts of the config do you need help with?
    Once you stack the two switches, they appear as one. Use the latest Cisco Network Assistant software to set them up. Create named VLANs, assign ports to the vlans. Create Layer 3 vlan interfaces for the routed vlans. I.e.
    [define vlans]
    switch#vlan database
    switch(vlan)#vlan 2 name DMZ
    switch(vlan)#vlan 3 name Servers
    switch(vlan)#vlan 4 name IT
    switch(vlan)#vlan 5 name CallCenter
    switch(vlan)#exit
    switch#config t
    [create layer 3 interfaces]
    switch(config)#interface vlan 3
    switch(config-if)#description Server LAN
    switch(config-if)#ip address <address> <mask>
    switch(config-if)#interface vlan 4
    switch(config-if)#description IT VLAN
    switch(config-if)#ip address <address> <mask>
    <etc>  NOTE: No layer 3 interface created for DMZ - the ASA will provide all L3 services
    [assign ports to the vlans]
    switch(config)#interface range gig1/0/1 - 14
    switch(config-if-range)#switchport access vlan 2
    switch(config-if-range)#interface range gig1/0/15 - 22
    switch(config-if-range)#switchport access vlan 3
    switch(config-if-range)#interface gig1/0/23
    switch(config-if)#switchport access vlan 2
    switch(config-if)#description ASA DMZ Interface
    switch(config-if)#interface gig1/0/24
    switch(config-if)#switchport access vlan 1
    switch(config-if)#description ASA inside Interface

    [set default route to ASA]
    switch(config)#ip route 0.0.0.0 0.0.0.0 <ASA inside IP>


    Author Comment

    So should I have the third interface of the ASA plug into the Server Vlan, then have the servers point to it for their gateway?  Should I then also have all other vlans route to the ASA interface in the Server Vlan to get outside?
    LVL 79

    Expert Comment

    Not exactly.
    Outside interface - separate switch
    DMZ interface - switchport gig1/0/23 given the above config
    Inside interface - switchport gig1/0/24

    I forgot one piece of the config:
     interface vlan 1
       ip address (ASA inside IP =

    ASA inside interface is in a VLAN all by itself - vlan 1 (default)

    With the exception of the DMZ servers, *all* systems will point to the 3750's VLAN X IP address for their respective vlans. The 3750 will provide all layer 3 routing internally and only the 3750 will have a route out through the ASA via vlan1

    If you really, really want the servers-client traffic to be policed by the ASA, then you would simply not create a L3 interface on the 3750 for the server vlan and plug a physical interface of the ASA into that vlan, point all systems in that vlan to the ASA interface as the default.

    Hope that makes sense. . .

    Author Comment

    Ok, so let me make sure I have this straight.  The outside will be on a separate switch no problem.  The DMZ Vlan resides on the 3750 and has a specified number of access switchports for the DMZ servers.  The ASA will have its second interface be part of that DMZ Vlan and have an IP address of /24 & an ASA security level of 50.  All DMZ Vlan servers will point to gateway /24.  The third ASA interface will be connected to its own Vlan.  Why do I need to assign an IP of to vlan 1?  I am guessing that is for management purposes so I can manage the switch.  Also I thought it was good practice to never use Vlan 1 for management since all switches by default use this as their management Vlan and hence it can be a security issue.  The rest looks good.  I will assign an IP address to each vlan internally then have all traffic route to the inside interface of the ASA.

    Author Comment

    Irmoore I want this configuration/setup to be as secure as possible, but realistic for business purposes.  Does the above configuration look good for a business of 300-500 employees in your honest opinion?
    LVL 79

    Expert Comment

    As a matter of fact, this is almost identical to a setup that I have installed for a government client where security is paramount.

    >Why do I need to assign an IP of to vlan 1?
    I just used this as example. It could just as well be vlan 10. It was not for management, but to simply put the ASA Inside interface into a dedicated layer 3 vlan on the switch to reduce the amount of broadcast packets the ASA would have to process/discard. You can designate your IT VLAN interface as the "management" interface if you like.

    How are you connecting the rest of the users if you only have 2x24 port switches? If the rest of the access switches are also Cisco, you can enable VTP so that all switches can participate in any vlan.

    Author Comment

    They are not all Cisco switches, in fact most of them are 3com.  The server Vlan however will have another set of dedicated 3750 switches.  The rest of the company however will be using 3com switches, specifically 4400 10/100 switches.  I will be using 802.1q tagging for the trunk connections.  We have fiber running to a bunch of areas of the company so I will use the SFP ports on the 3750's for connectivity to the 4400's.  One more question: do I need an IP address assigned to the vlan that the inside interface of the ASA will be connecting to?  Why?  Thanks for all your help.
    LVL 79

    Accepted Solution

    >do I need an IP address assigned to the vlan that the inside interface of the ASA will be connecting to?  Why?
    Not if your inside interface is in one of the other vlans.
    If you use my example of a separate vlan just for the purpose of isolating the inside interface, then yes you would assign the switch vlan interface an IP address in the same subnet as the ASA interface, which is a different subnet than all the rest of the vlans/subnets. The 3750 handles all the routing.
    Why? To segregate the ASA interface into a separate "private" vlan that does not see all the broadcasts from the others. If it's in another vlan, then something has to route the other traffic to it - a vlan interface on the 3750.
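Putting the two expert comments together (the VLAN, SVI and port layout sketched in the first comment, and the dedicated transit VLAN to the ASA inside interface explained in this accepted solution), here is a complete configuration for both boxes. It is an added example written for this page, not text posted by the expert, the asker or Cisco. The VLAN numbers are the ones from the question; the addresses (10.1.<vlan>.0/24 per internal VLAN, 10.1.10.0/30 for the transit VLAN, 172.16.1.0/24 for the DMZ), the choice of VLAN 10 for transit and VLAN 999 as an unused native VLAN, the port-to-VLAN layout and the ASA interface numbering are all assumptions for illustration. Port names use the naming of a 10/100 3750-24TS (FastEthernet1/0/1-24 for the copper ports, GigabitEthernet1/0/1-2 for the SFP uplinks) rather than the gig1/0/x shorthand used in the comments above; adjust to your hardware.

```cisco
! ---- Catalyst 3750 stack: VLANs, SVIs, ports, default route (added example) ----
hostname core-3750
! Without "ip routing" the SVIs come up but nothing is routed between them.
ip routing
!
vlan 2
 name DMZ
vlan 3
 name Servers
vlan 4
 name IT
vlan 5
 name CallCenter
vlan 10
 name ASA-Transit
vlan 999
 name Unused-Native
!
! No SVI for VLAN 2: the ASA DMZ interface is the only gateway in that VLAN.
! Delete the Vlan3 SVI (and use the ASA "servers" interface at the bottom) only
! if you want server<->user traffic policed by the ASA instead of routed here.
interface Vlan3
 description Server LAN
 ip address 10.1.3.1 255.255.255.0
interface Vlan4
 description IT VLAN
 ip address 10.1.4.1 255.255.255.0
interface Vlan5
 description Call Center VLAN
 ip address 10.1.5.1 255.255.255.0
interface Vlan10
 description Transit to ASA inside - no hosts, only the ASA port and this SVI
 ip address 10.1.10.2 255.255.255.252
interface Vlan1
 shutdown
!
interface range FastEthernet1/0/1 - 14
 description DMZ servers
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
interface range FastEthernet1/0/15 - 22
 description Internal servers
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
interface FastEthernet1/0/23
 description ASA DMZ interface (Ethernet0/1)
 switchport mode access
 switchport access vlan 2
interface FastEthernet1/0/24
 description ASA inside interface (Ethernet0/2)
 switchport mode access
 switchport access vlan 10
!
! 802.1Q trunk to a 3Com 4400 over the SFP uplink: only user VLANs are allowed
! across it, never the DMZ or transit VLAN, and the native VLAN is the unused one.
interface GigabitEthernet1/0/1
 description Fiber trunk to 3Com 4400
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 4,5
 switchport mode trunk
!
! Everything that is not a local VLAN goes to the ASA inside address.
ip route 0.0.0.0 0.0.0.0 10.1.10.1
!
! ---- ASA 5510 side (ASA 7.x syntax, added example) ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <public /27 address> 255.255.255.224
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.252
! The ASA is directly connected only to the transit /30, so it needs a route back
! to every internal subnet via the 3750 transit SVI; one summary covers them all.
route inside 10.1.0.0 255.255.0.0 10.1.10.2 1
route outside 0.0.0.0 0.0.0.0 <2821 LAN address> 1
! Optional "policed servers" variant: the server gateway moves onto the ASA and
! the Vlan3 SVI above is removed. The connected /24 wins over the /16 summary.
! interface Ethernet0/3
!  nameif servers
!  security-level 80
!  ip address 10.1.3.1 255.255.255.0
```

Two things the thread only implies are spelled out here: `ip routing` on the 3750 (without it the default route is never used and the SVIs do not forward between VLANs), and the `route inside` statement on the ASA (without it the ASA knows only the transit /30 and has no path back to the user subnets, so return traffic is dropped). Keeping the DMZ and transit VLANs out of the `allowed vlan` list on the 3Com trunk is what keeps the VLAN separation the expert worried about in his first comment intact at the access layer.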

    Author Comment


    Thanks for your insight and quick responses.
    LVL 79

    Expert Comment

    Glad I could help. Post new Q's if you run into anything sticky..
