6509 Routing configuration.

Posted on 2009-04-17
Last Modified: 2012-06-04
Need help with this.
Please see my attached topology to get familiar with my setup.
I recently inherited this network and my predecessor tried for a while to achieve the goal below to no avail.

All traffic leaving vlan25 to vlan85, vlan70 or any other vlan must pass through the internal firewall (and not the 6509) who inspects it and makes the final decision.

Note: The internal firewall is managed by a different team and my problem, at least for now, is not what happens in there.  The network without the ASA firewall works perfectly fine with the 6509 doing the routing.

I need someone who can help
a) Tell me that this is achievable or
b) Suggest the simplest way to implement it



Question by:oliverwari

    Accepted Solution

    This will not necessarily be a solution, but we'll see. First thing: since HSRP is running between the 6509s, simplify your troubleshooting by eliminating the standby from the picture for now.
    Next, your requirement is for vlan 25 traffic to be inspected by the ASA.
    I see the ASA represented with multiple interfaces; we will need one for the x.x.25.3 network.
    For this config your 6509s would not route vlan 25; the ASA would route this vlan. Vlan 25 on the 6509s would just provide the logical path to the ASAs. Say for example ASA interface (outside) security level 0, interface (inside) security level 100, interface (vlan25) security level 60 (gateway for vlan25).
    Then you can apply policy to vlan25 traffic as it passes through the ASA.
    If you try to route vlan 25 with the 6509s you would have to apply various ACLs to isolate and still next-hop that traffic to the ASA (pain in the ASA ;) )

    Assisted Solution

    Yes; this is perfectly achievable. But if all of your subnets have direct layer 2 connectivity to your 6509s, routing is not necessary in this scenario. Simply place one of the ports of your ASA in vlan 25 and delete any router interface on the 6509s into vlan 25. This is how I used to segment my wireless before I implemented a layer 3 core.

    Author Comment

    rp_harris and Sniper98G: Greatly appreciate both your comments, which I can make a lot of sense out of. I am pretty sure you guys will help me nail this after a couple of posts.  I am preparing detailed information on the exact situation and we'll go from there.

    Author Comment

    Ok guys.
    Here is my simplified diagram with more detail added to my goals. Let's only look at one 6509 as suggested.
    I want the Firewall to control what comes in and goes out of Vlan25, Vlan30 and Vlan55.
    Please take into consideration the placement of my DHCP, DNS and NTP servers etc. on the network before posting your comment. Please make no assumptions as well. The gateways for each vlan in the current setup are A.B.vlan#.1 (1 is the virtual for my HSRP 6509s).
    I hate PBR and ACLs with next hop but would do it if that is the best way to go about it.
    It is a pleasure having you all address my concerns with so much expertise and in such a timely manner.


    Assisted Solution

    Well, your problem is that although you have the VLAN piped to the ASA as you should, you seem to have router interfaces into the VLANs as well. In order to force them to go through the firewall you must not have a path that goes around it. For VLANs 25, 30 and 55 the ASA (the interface in their subnet) should be the default gateway and no other interfaces should exist into them.

    Author Comment

    Thanks again.
    I will implement it next week, test and post my results here.

    Author Comment

    Here is the relevant output for my vlan 25.
    What is the easiest way to stop the 6509 from doing routing for this interface?

    6509# show ip route
         A.B.0.0/8 is variably subnetted, 59 subnets, 6 masks
    --------output suppressed------
    C       A.B.25.0/24 is directly connected, Vlan25
    ------output suppressed------------
    6509#sh run int vlan 25
    Building configuration...
    Current configuration: 201 bytes
    interface Vlan25
     ip address A.B.25.3 255.255.255.0
     ip helper-address A.B.23.16
     no ip redirects
     ip pim sparse-mode
     ip route-cache flow
     standby 25 ip A.B.25.1
     standby 25 preempt

    Assisted Solution

    The easiest way to stop routing is to delete the router interface.
    "no interface vlan 25"
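    Worked example of the change the thread converges on, added here as an illustration and not part of the original posts or the author's configuration. It shows the 6509 side (drop the SVI, keep the layer 2 VLAN on the trunk to the firewall, add the return route) and the ASA side (take over A.B.25.1 as the VLAN 25 gateway, replace the SVI's DHCP relay, and a placeholder access policy). Interface names, the ASA inside address A.B.99.2, the inside gateway A.B.99.1 and the A.B.23.0/24 server VLAN are assumptions; only A.B.25.x and A.B.23.16 come from the thread.

```cisco
! ---- 6509 (repeat on BOTH HSRP peers, active and standby) ----
! Removing the routed interface also removes the HSRP VIP A.B.25.1,
! the connected route to A.B.25.0/24 and the DHCP relay (ip helper-address).
configure terminal
 no interface Vlan25
!
! VLAN 25 stays a layer 2 VLAN and must be carried on the trunk to the ASA.
! Port and trunk details are assumed; use the real uplink to the firewall.
 vlan 25
 interface GigabitEthernet1/1
  description trunk to internal ASA
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan add 25
!
! Without the SVI the 6509 has no route to A.B.25.0/24. Point it at the ASA's
! inside interface (A.B.99.2 is an assumed address) so replies from the other
! VLANs also cross the firewall instead of being dropped.
 ip route A.B.25.0 255.255.255.0 A.B.99.2
 end

! ---- ASA ----
! Sub-interface for VLAN 25 on the trunk port facing the 6509 (port assumed).
! Re-using A.B.25.1, the old HSRP VIP, means no host gateway changes;
! bring it up only after both 6509s have dropped the SVI (duplicate address otherwise).
interface GigabitEthernet0/1.25
 vlan 25
 nameif vlan25
 security-level 60
 ip address A.B.25.1 255.255.255.0
 no shutdown
!
! Route back to the rest of the A.B.0.0/16 network via the 6509's inside-VLAN
! HSRP VIP (A.B.99.1 is assumed).
route inside A.B.0.0 255.255.0.0 A.B.99.1
!
! Replaces the SVI's "ip helper-address A.B.23.16": relay DHCP from vlan25
! to the server, which sits behind the inside interface.
dhcprelay server A.B.23.16 inside
dhcprelay enable vlan25
!
! Traffic from vlan25 (level 60) to inside (level 100) is denied until an ACL
! permits it. Constructed placeholder policy: allow DNS and NTP to the assumed
! A.B.23.0/24 server VLAN and log everything else; the firewall team owns the
! real ruleset.
access-list VLAN25_IN extended permit udp A.B.25.0 255.255.255.0 A.B.23.0 255.255.255.0 eq domain
access-list VLAN25_IN extended permit udp A.B.25.0 255.255.255.0 A.B.23.0 255.255.255.0 eq ntp
access-list VLAN25_IN extended deny ip any any log
access-group VLAN25_IN in interface vlan25
```

    Two checks before calling it done: confirm with `show ip route` on both 6509s that A.B.25.0/24 now appears as a static route via the ASA rather than a connected route, and remember that the old SVI carried `ip pim sparse-mode`, so any multicast VLAN 25 depended on stops at the ASA unless multicast routing is configured there. The same three-part change (drop SVI on both peers, ASA sub-interface with the old VIP, return route) applies to Vlan30 and Vlan55 from the author's second diagram.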

    Author Comment

    Great and Thanks....will be working with the ASA admin on next business day and post results  here.

    Author Closing Comment

    You guys are great. This worked with no problem.  I am closing this and will be opening another case later today on 4506 fiber connections. I am replacing three 2948s with a single 4506 and want to make sure I get it right at the first try!

    Author Comment

    It worked!
