Forcing certain Vlan Traffic to go via ASA instead of Catalyst Switch

Posted on 2006-11-19
Last Modified: 2012-08-14
Hi all,

Not sure if this is possible, but I would like to achieve the following with my stack of Catalyst 3750s and an ASA 5520:

            vlan 1-5        vlan 6-10
                        \     /
                         asa
                        /     \
         vlan 11-15        vlan 16-20

I want the switches to be the default gateway for each VLAN, and routing should happen on the switch for the 5 VLANs it should know; then it should go to the firewall to get to the other VLANs.

So traffic, let's say, from VLAN 1 to VLAN 5 does not go via the ASA, but from VLAN 1 to VLAN 10 does.

Is this possible at all, and what should I look at to get this working?

Thanks in advance for any suggestions.
Question by: dgas_it

Expert Comment by WGhen
Since nobody seems to be taking a crack at this, let me ask you a question. Are the 3750s layer 3 routers as well as switches? Will they function as the gateways for each group of VLANs? What interior routing protocol are you using (RIP, OSPF, etc.)?

The way you have it diagrammed, it looks like four separate DMZs coming off the ASA. If you have the interfaces to build four DMZs then, yeah, you could do it.

If not, you could sort of break it up into four areas. Let's say that all four 3750s are L3 routers. You create perhaps an OSPF area 0 in each to support your VLANs from each one. Then static route from the 3750s to the ASA. By doing that, you have four separate OSPF areas, none of which extend to include the ASA, which becomes the default route for any traffic not bound for each internal OSPF area.

           ____________    ____________
          |  vlan 1-5  |  |  vlan 6-10 |
          |          \ |  | /          |
          |___________\|  |/___________|
                        asa
           ____________    ____________
          |           /|  |\           |
          | vlan 11-15 |  |  vlan 16-20|
          |____________|  |____________|

Just a couple of ideas.
WGhen
Accepted Solution by lrmoore (earned 250 total points)
Sure, it is possible.
All 3750s are, indeed, layer 3 switches.
You have many options, including putting physical interfaces of the ASA into respective VLAN ports of the switch, or trunking all VLANs to the ASA; both options allow the ASA to do all the routing between the VLANs, which is not exactly what you want.
You can also create "transient" VLANs and then trunk these transient VLANs through the ASA, and use the L3 routing capability of the 3750s to route between whatever VLANs you want to, and route through the transient VLAN/ASA between the VLANs that you want to control/restrict traffic to/from.
If you could explain your configuration and desires a bit more, we might be able to come up with a more direct suggestion. Same question as WGhen has:
Are these VLAN "blocks" each connected to a different ASA interface, or is this one stack of 4 switches, or 4 stacks of switches, or what?
 
0
 

Author Comment

by:dgas_it
Comment Utility
Thanks for the reply, both.

Yes, each block is a different interface on the ASA, and having all traffic go through the ASA might be a bit much for the ASA and IPS.

Also, I think the setup I mentioned above is the best setup for NAC, which needs to be implemented soon.

I would like the default gateway to be 10.56.x.1 (the IP for the VLAN) and the interface on the ASA for that VLAN to be 10.56.x.254.

The problem I have now is that when I ping a VLAN that should go through the ASA, it goes directly through the switches, as the switches see the VLAN as directly connected.

All servers and routers and some users are on the 3750s; some other users are on the 2950s.
There are 6 3750s and 3 2950s in total.

Are route-maps maybe a way to go? Telling the switch that traffic from VLAN 2 to VLAN 7 should have a next-hop address that is the ASA, or telling it to use the static route defined?

Any help/suggestion/anything is more than welcome :)

alex
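The route-map approach dgas_it is asking about is policy-based routing (PBR) on the 3750 SVIs. The configuration below is an added illustration written for this page; it is not from any post in the thread and not anything the author ran. It assumes the addressing stated in the question (switch SVI at 10.56.<vlan>.1, ASA subinterface at 10.56.<vlan>.254 in the same VLAN), VLANs 2-5 as the inside zone and VLANs 6-10 as the DMZ zone, and a 3750 image that supports PBR; the ACL and route-map names and the VLAN numbers are hypothetical.

```cisco
! Catalyst 3750 stack -- hypothetical PBR configuration (added example, not from the thread).
! Assumed addressing from the question: SVI 10.56.<vlan>.1, ASA subinterface 10.56.<vlan>.254.
!
! On the 3750, PBR is only available with the routing SDM template; changing it needs a reload.
sdm prefer routing
!
! Inside zone = VLANs 2-5. Destinations inside the zone are DENIED in the match ACL, which in
! PBR means "route normally" (hardware inter-VLAN routing stays in use). Anything else is
! policy-routed to the ASA subinterface sitting in VLAN 2.
ip access-list extended VLAN2-LEAVING-ZONE
 deny   ip 10.56.2.0 0.0.0.255 10.56.3.0 0.0.0.255
 deny   ip 10.56.2.0 0.0.0.255 10.56.4.0 0.0.0.255
 deny   ip 10.56.2.0 0.0.0.255 10.56.5.0 0.0.0.255
 permit ip 10.56.2.0 0.0.0.255 any
!
route-map VLAN2-TO-ASA permit 10
 match ip address VLAN2-LEAVING-ZONE
 set ip next-hop 10.56.2.254
!
interface Vlan2
 ip address 10.56.2.1 255.255.255.0
 no ip redirects
 ip policy route-map VLAN2-TO-ASA
!
! Repeat the pattern on Vlan3..Vlan5 (next hop 10.56.x.254) and, with the DMZ ranges
! 10.56.6.0-10.56.10.0 denied instead, on Vlan6..Vlan10. The ASA holds state per session,
! so the return direction must be policy-routed as well; a zone VLAN that is missing its
! policy is simply routed directly by the switch, which is the bypass the author is seeing now.
!
! Checks (from a host, not from the switch: traffic the switch itself originates is not
! policy-routed):
!   show route-map VLAN2-TO-ASA     -- "policy routing matches" counter must increase
!   show ip policy                  -- every zone SVI should be listed with its route-map
!   traceroute from a VLAN 2 host to a VLAN 7 host should show 10.56.2.254 as the first hop
```

`no ip redirects` is there because the policy next hop shares the subnet with the hosts, and an ICMP redirect would otherwise tell them to send to .254 themselves. The weakness of PBR as a security boundary is that it is additive: the switch still knows every VLAN, and one SVI without `ip policy` re-opens the direct path.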
Expert Comment by WGhen
Hi,

Well, you don't mention what internal routing protocol you use; however, it sounds like your switches know about the other VLANs. You need to arrange it so that they don't. They then must resort to the default gateway, which would be the ASA. I don't know how much traffic you'll have between your four areas, or how much your ASA can handle. I think it'll be OK, but it might add a little latency.

Does the ASA run a routing protocol like RIP, EIGRP, OSPF, etc.? If it does, then this might begin to work the way you want just by turning that off. Make sure that only the 3750 for the 1-5 VLANs has the router interfaces for 1-5 and that none of the other 3750s have 1-5. The 3750 for 6-10 will have the interfaces for 6-10, but none of the other 3750s will, etc. etc.

All you have to do is find a way to make sure that the groups of VLANs are not aware of each other and have to take the default route upstream to the ASA, which will have static routes to each group.

WGhen
Author Comment by dgas_it
Hi WGhen,

No routing protocol at the moment.

The switches do know about the other VLANs, as most are in a stack and separating them cannot really be done.

I was hoping that the route-map might be able to point them in the right direction.

I have had it working where the subinterfaces on the ASA were the default gateway, but now I have to implement NAC, so I thought the above drawing would be a better solution, so I can place the NAC in between the inside (user) VLANs and the firewall.

cheers
Expert Comment by WGhen
OK,
So the 3750s are a stack, essentially making them one switch with one single IP address?
Something puzzles me here. What addresses are you using for your VLANs? All VLANs have their own subnet and individual router interface, correct? If so, the switches should not be allowing direct traffic in the first place without going through the router interface to get between subnets/VLANs. But that's not what you want. So, can the ASA become the router for those VLANs instead of the 3750? Or does it just monitor what's going on?

WGhen
Author Comment by dgas_it
Hi WGhen,

All VLANs have an IP address; this IP address is the default gateway for any device in that VLAN.

Currently, if you want to ping any device in any of the other VLANs, it works as you expect with inter-VLAN routing.

The problem is when you have two VLANs in your DMZ: you do not want the traffic to bypass the ASA to get to your inside VLANs, because it uses the inter-VLAN routing.

So what I am trying to do is have all VLAN traffic which resides in a firewall interface zone (if that's what you can call it) able to talk to each other, but if it needs to talk to a VLAN in a different firewall interface zone, it goes via the ASA.

PS: the DMZ having 2 VLANs is just an example to try to explain it.

Hope that helps you help me.

alex
Assisted Solution by WGhen (earned 250 total points)
We use OSPF in our network, so I would try running four different instances of OSPF so there is one for each group of VLANs. Then point your default route to the ASA. I'm assuming (oh oh) that the ASA can have static route entries like a PIX can, and can therefore forward traffic to the other areas. That should provide normal routing between VLANs as long as they belong to the same OSPF instance. If not, they have to go upstream to the ASA.

WGhen
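On a single 3750 stack, the "separate routing domains, each with its own default route to the ASA" that WGhen describes, combined with the transit ("transient") VLANs lrmoore mentions, is what VRF-lite gives you without running four OSPF processes. The configuration below is an added example written for this page, not something posted by either expert or by the author. It assumes a 3750 IP Services image (VRF-lite is not in the IP Base image), the question's 10.56.<vlan>.1 addressing for the user SVIs, hypothetical transit VLANs 101 and 102 (10.56.101.0/24 and 10.56.102.0/24) between each VRF and an ASA subinterface, and shows only two user VLANs per zone; the VRF names, route distinguishers, port numbers and security levels are assumptions.

```cisco
! ---- Catalyst 3750 stack (hypothetical, added example) ----
! Each firewall zone becomes its own VRF, i.e. its own routing table on the same stack.
! VLAN 6 is not "directly connected" inside VRF INSIDE, so from VLAN 2 the only route
! to it is the VRF default route, which points at the ASA.
ip vrf INSIDE
 rd 65000:1
ip vrf DMZ
 rd 65000:2
!
! "ip vrf forwarding" clears any address already on the SVI, so it is entered first.
interface Vlan2
 ip vrf forwarding INSIDE
 ip address 10.56.2.1 255.255.255.0
interface Vlan3
 ip vrf forwarding INSIDE
 ip address 10.56.3.1 255.255.255.0
interface Vlan6
 ip vrf forwarding DMZ
 ip address 10.56.6.1 255.255.255.0
interface Vlan7
 ip vrf forwarding DMZ
 ip address 10.56.7.1 255.255.255.0
!
! One transit VLAN per VRF towards the ASA (the "transient" VLANs of the accepted answer).
interface Vlan101
 ip vrf forwarding INSIDE
 ip address 10.56.101.1 255.255.255.0
interface Vlan102
 ip vrf forwarding DMZ
 ip address 10.56.102.1 255.255.255.0
!
! Only the transit VLANs are trunked to the ASA; user VLANs never reach it at layer 2.
interface GigabitEthernet1/0/24
 description trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102
 switchport mode trunk
!
! Per-VRF default routes: whatever is not in the VRF's own table goes to the ASA.
ip route vrf INSIDE 0.0.0.0 0.0.0.0 10.56.101.254
ip route vrf DMZ    0.0.0.0 0.0.0.0 10.56.102.254
!
! ---- ASA 5520 (hypothetical) ----
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.101
 vlan 101
 nameif inside
 security-level 100
 ip address 10.56.101.254 255.255.255.0
interface GigabitEthernet0/1.102
 vlan 102
 nameif dmz
 security-level 50
 ip address 10.56.102.254 255.255.255.0
!
! Static routes back into each VRF via the switch's transit address (WGhen's assumption
! that the ASA can hold static routes like a PIX is correct).
route inside 10.56.2.0 255.255.255.0 10.56.101.1
route inside 10.56.3.0 255.255.255.0 10.56.101.1
route dmz    10.56.6.0 255.255.255.0 10.56.102.1
route dmz    10.56.7.0 255.255.255.0 10.56.102.1
!
! Checks on the switch:
!   show ip route vrf INSIDE          -- lists 10.56.2.0 and 10.56.3.0, but no 10.56.6.0/10.56.7.0
!   ping vrf INSIDE 10.56.101.254     -- the ASA answers inside the VRF
!   traceroute vrf INSIDE 10.56.7.10  -- first hop 10.56.101.254 (ASA), then the DMZ host
```

Unlike a route-map, a VRF cannot be bypassed by a forgotten policy statement: a VLAN is either in the VRF or it is not, which is why it is the better form for a security boundary. Access lists and any NAT on the ASA need to be written for the new `inside` and `dmz` interfaces, and the ASA's own default route (towards the outside) and the 2950 access switches' uplinks are unaffected, since the 2950s only carry the user VLANs at layer 2.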
Expert Comment by lrmoore
Are you still working on this? Can you close out this question before the cleanup crew gets around to it?
Thanks!