[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Forcing certain Vlan Traffic to go via ASA instead of Catalyst Switch

Posted on 2006-11-19
Medium Priority
Last Modified: 2012-08-14
Hi all,

not sure if this is possible but i would like to achieve the following with my stack of Catalyst 3750's and ASA 5520
            vlan 1-5        vlan 6-10
                        \     /
                        /     \
         vlan 11-15        vlan 16-20

i want the switches to be the default gateway for each vlan and that routing happens for the 5 vlans it should know, then it should go to the firewall to get to the other vlans

so traffic lets say from vlan 1 to 5 does not go via the asa but from vlan 1 to 10 does

is this possible at all and what should i look at to get this working?

thanks in advance for any suggestions
Question by:dgas_it
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2

Expert Comment

ID: 17974925
Since nobody seems to be taking a crack at this let me ask you a question.  Are the 3750's layer 3 routers as well as switches?  Will They function as the gateways for each group of VLANs?  What interior routing protocal are you using (rip, ospf etc.)?

The way you have it diagrammed it looks like four seperate DMZ's comming off the ASA.   If you have the interfaces to build four DMZ's then, yeah you could do it.

If not you could sort of break it up into four areas.  Let's say that all four 3750's are L3 routers.  You create perhaps an ospf area 0 in each to support your vlans from each one.  Then static route from the 2750's to the asa.  By doing that, you have four seperate ospf areas none of which extend to include the asa which becomes the default route for any traffic not bound for each internalthe ospf area.

          _________    __________
         |  vlan 1-5  | |   vlan 6-10 |
         |          \    | |  /              |
         |_______\ _||_/________|
          _________   ___________
         |              /| | \                |
         |vlan 11-15| |    vlan 16-20|

Just a couple of ideas
LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 17975081
Sure, it is possible.
All 3750's are, indeed, layer 3 switches.
You have many options, including putting physical interfaces of the ASA into respective VLAN ports of the switch, trunking all vlans to the ASA, both options allow the ASA to do all the routing between the vlans and is not exactly what you want.
You can also create "transient" vlans and then trunk these transient vlans through the ASA, and use the L3 routing capability of the 3750's to route between whatever vlans you want to, and route through the transient vlan/ASA between the vlans that you want to control/restrict traffic to/from.
If you could explain your configuration and desires a bit more, we might be able to come up with a more direct suggestion. Same question as WGhen has:
 Are these vlan "blocks" each connected to a different ASA interface, or is this one stack of 4 switches, or 4 stacks of switches, or what?

Author Comment

ID: 17977592
Thanks for the reply both,

yes each block is a different interface on the ASA and to have all traffic going through the ASA might be a bit much for the ASA and IPS

also i think the setup i mentioned above is the best setup for NAC which needs to be implemented soon

i would like the default gateway being 10.56.x.1 (ip for the vlan) and the interface on the ASA for that vlan to be 10.56.x.254

the problem i have now is that when i ping a vlan that should go through the ASA it goes direct through the switches as the switches see the vlan as directly connected

all servers and routers and some users are on the 3750's, some other users are on the 2950's
there are 6 3750's and 3 2950 in total

is route-maps maybe a way to go? telling the switch that traffic from vlan 2 to vlan 7 should have a next-hop address that is the ASA or tell it to use the static route definned?

any help/suggestion/anything is more then welcome :)

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!


Expert Comment

ID: 17978589
Well you don't mention what internal routing protocol you use, however it sounds like your switches know about the other vlans.  You need to arange it so that they don't.  They then must resort to the default gateway, which would be the ASA.  I don't know how much traffic you'll have between your four areas, or how much your asa can handle.  I think it'll be OK, but might add a little latency.  Does the ASA run a routing protocol like rip, eigrp, ospf etc?  If it does, then this might begin to work the way you want just by turning that off.  Make sure that only the 3750 for the 1-5 VLANs has the router interfaces for 1-5 and that none of the other 3750's have 1-5.  The 3750 for 6-10 will have the interfaces for 6-10 but none of the other 3750's will etc. etc.  All you have to do is find a way to make sure that the groups of vlans are not aware of each other and have to take the default route up stream to the ASA who will have static routes to each group.


Author Comment

ID: 17979031
Hi WGhen,

no routing protocol at the moment

the switches do know about the other vlans as most are in a stack and separating them cannot really be done

i was hoping that the route-map might be able point them in the right direction

i have had it working where the subinterfaces on the asa was the default gateway

but now i have to implement NAC  

so i thought the above drawing would be a better solution so i place the nac in between the inside (user) vlans and the firewall



Expert Comment

ID: 17979305
So the 3750's are a stack, essentially making them one switch with one single IP address?
Something puzzles me here.  What addresses are you using for your VLANs?  All VLANs have their own subnet and individual router interface, correct?  If so, the switches should not be allowing direct traffic in the first place without going through the router interface to get between subnets/VLANs.  But that's not what you want.  So, can the asa become the router for those VLANs instead of the 3750?  Or does it just monitor what's going on?


Author Comment

ID: 17979607
Hi WGhen,

all vlans have an IP address, this IP address is the default gateway for and device in that vlan

currently if you want to ping any device in any of the other vlans it works as you expect with inter vlan routing

the problem is when you have two vlans in your DMZ you do not want to traffic to bypass the ASA to get to your inside vlans because it uses the inter vlan routing

so what i am trying is to have all vlan traffic which resides in an firewall interface zone (if thats what you can call it) to be able to talk to each other but if it needs to talk to a vlan in a different firewall interface zone that it goes via the ASA

ps the DMZ having 2 vlans is just an example to try and explain it

hope that helps you help me


Assisted Solution

WGhen earned 1000 total points
ID: 17979707
We use OSPF in our network, so I would try running four different instances of OSPF so there is one for each group of VLANs.  Then point your default route to the ASA.  I'm assuming (oh oh) that the ASA can have static route entries like a PIX can, and therefor forware traffic to the other areas.  That should provide normal routing between VLANs as long as they belong to the same OSPF instance.  If not, they have to go upstream to the ASA.

LVL 79

Expert Comment

ID: 18107888
Are you still working on this? Can you close out this question before the cleanup crew gets around to it?

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
In this article, we’ll look at how to deploy ProxySQL.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question