

6509 Routing configuration.

Posted on 2009-04-17
Medium Priority
Last Modified: 2012-06-04
Need help with this.
Please see my attached topology to get familiar with my setup.
I recently inherited this network and my predecessor tried for a while to achieve the goal below to no avail.

All traffic leaving vlan25 to vlan85, vlan70 or any other vlan must pass through the internal firewall (and not the 6509), which inspects it and makes the final decision.

Note: The internal firewall is managed by a different team and my problem, at least for now, is not what happens in there. The network without the ASA firewall works perfectly fine with the 6509 doing the routing.

I need someone who can help
a) Tell me that this is achievable or
b) Suggest the simplest way to implement it



Question by:oliverwari

Accepted Solution

rp_harris earned 800 total points
ID: 24173480
This will not necessarily be a solution, but we'll see. First thing: since HSRP is the protocol between the 6509s, simplify your troubleshooting by eliminating the standby from the picture for now.
Next, your requirement is for VLAN 25 traffic to be inspected by the ASA.
I see the ASA represented with multiple interfaces; we will need one for the x.x.25.3 network.
For this config your 6509s would not route VLAN 25; the ASA would route this VLAN. VLAN 25 on the 6509s would just provide the logical path to the ASAs. Say, for example: ASA interface (outside) security level 0, interface (inside) security level 100, interface (vlan25) security level 60 (gateway for VLAN 25).
Then you can apply policy to VLAN 25 traffic as it passes through the ASA.
If you try to route VLAN 25 with the 6509s you would have to apply various ACLs to isolate it and still next-hop that traffic to the ASA (pain in the ASA ;) )

Assisted Solution

Sniper98G earned 1200 total points
ID: 24173491
Yes, this is perfectly achievable. But if all of your subnets have direct layer-2 connectivity to your 6509s, routing is not necessary in this scenario. Simply place one of the ports of your ASA in VLAN 25 and delete any router interface on the 6509s into VLAN 25. This is how I used to segment my wireless before I implemented a layer-3 core.

Author Comment

ID: 24173541
rp_harris and Sniper98G: I greatly appreciate both your comments, which I can make a lot of sense out of. I am pretty sure you guys will help me nail this after a couple of posts. I am preparing detailed information on the exact situation and we'll go from there.

Author Comment

ID: 24175143
OK guys.
Here is my simplified diagram with more detail added to my goals. Let's only look at one 6509, as suggested.
I want the firewall to control what comes in and goes out of Vlan25, Vlan30 and Vlan55.
Please take into consideration the placement of my DHCP, DNS and NTP servers etc. on the network before posting your comment. Please make no assumptions as well. The gateway for each VLAN in the current setup is A.B.vlan#.1 (.1 is the virtual address for my HSRP 6509s).
I hate PBR and ACLs with next-hop but would do it if that is the best way to go about it.
It is a pleasure having you all address my concerns with so much expertise and in such a timely manner.


Assisted Solution

Sniper98G earned 1200 total points
ID: 24175825
Well, your problem is that although you have the VLAN piped to the ASA as you should, you seem to have router interfaces into the VLANs as well. In order to force them to go through the firewall you must not have a path that goes around it. For VLANs 25, 30 and 55 the ASA (the interface in their subnet) should be the default gateway, and no other interfaces should exist into them.

Author Comment

ID: 24176154
Thanks again.
I will implement it next week, test and post my results here.

Author Comment

ID: 24183326
Here is the relevant output for my vlan 25.
What is the easiest way to stop the 6509 from doing routing for this interface?

6509# show ip route  
   A.B.0.0/8 is variably subnetted, 59 subnets, 6 masks
--------output suppressed------
C       A.B.25.0/24 is directly connected, Vlan25
------output suppressed------------
6509#sh run int vlan 25
Building configuration...
Current configuration: 201 bytes
interface Vlan 25
 ip address A.B.25.3
 ip helper-address A.B.23.16
 no ip redirects
 ip pim sparse-mode
 ip route-cache flow
 standby 25 ip A.B.25.1
 standby 25 preempt

Assisted Solution

Sniper98G earned 1200 total points
ID: 24185557
The easiest way to stop routing is to delete the router interface.
"no interface vlan 25"
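The two answers above (the ASA security-level layout in the accepted solution and the "delete the SVI so no path goes around the ASA" step here) can be turned into a check. The script below is an added example for this thread, not code from any of the posters: it reads a 6509 running-config, flags every firewall-gated VLAN that still has an SVI (a layer-3 path around the ASA) together with the services that SVI carries (the HSRP VIP hosts use as their gateway, the DHCP `ip helper-address`, `ip pim sparse-mode`), and emits the 6509 and ASA commands for moving the gateway over. The gated VLAN list (25, 30, 55) and the shape of the SVI config are taken from the thread; the sample config, the ASA port name `GigabitEthernet0/2`, the `inside` nameif, security level 60, the ASA inside address and the 10.1.x.y addresses (standing in for the thread's A.B.x.y) are assumptions.

```python
"""Audit a 6509 running-config for VLANs the ASA is meant to gate and emit the 6509
and ASA commands that close the layer-3 path around the firewall. Added example for
the thread, not any poster's code; port names, level 60, "inside", the ASA inside
address and the 10.1.x.y addresses (for the thread's A.B.x.y) are assumptions."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

FIREWALL_GATED = {25, 30, 55}

# Constructed excerpt modelled on the `sh run int vlan 25` output in the thread;
# VLAN 85 is not gated and must stay routed by the 6509, VLAN 55 has no SVI at all.
SAMPLE_RUN = """\
interface Vlan25
 ip address 10.1.25.3 255.255.255.0
 ip helper-address 10.1.23.16
 ip pim sparse-mode
 standby 25 ip 10.1.25.1
!
interface Vlan85
 ip address 10.1.85.3 255.255.255.0
 standby 85 ip 10.1.85.1
!
"""


@dataclass
class Svi:
    vlan: int
    ip_address: str | None = None   # "addr mask" as written in the config
    helpers: list[str] = field(default_factory=list)
    hsrp_vip: str | None = None
    pim: bool = False

    def routes(self) -> bool:
        """An addressed SVI is a layer-3 path into the VLAN that bypasses the ASA."""
        return self.ip_address is not None


def parse_svis(run: str) -> dict[int, Svi]:
    """Collect `interface VlanN` blocks; an unindented line ("!" etc.) ends a block."""
    svis: dict[int, Svi] = {}
    cur = None
    for line in run.splitlines():
        cmd = line.strip()
        if m := re.fullmatch(r"interface Vlan\s*(\d+)", cmd):
            cur = svis.setdefault(int(m[1]), Svi(int(m[1])))
        elif cur is None or not line.startswith(" "):
            cur = None
        elif m := re.match(r"ip address (\S+ \S+)", cmd):
            cur.ip_address = m[1]
        elif m := re.match(r"ip helper-address (\S+)", cmd):
            cur.helpers.append(m[1])
        elif m := re.match(r"standby \d+ ip (\S+)", cmd):
            cur.hsrp_vip = m[1]
        elif cmd == "ip pim sparse-mode":
            cur.pim = True
    return svis


def audit(run: str, gated: set[int] = FIREWALL_GATED) -> dict[int, list[str]]:
    """Per gated VLAN still routed by the 6509: the bypass, plus the services the
    SVI carries that the ASA has to take over once the SVI is deleted."""
    findings: dict[int, list[str]] = {}
    for vlan, svi in parse_svis(run).items():
        if vlan not in gated or not svi.routes():
            continue
        notes = [f"SVI {svi.ip_address} lets the 6509 route around the ASA"]
        if svi.hsrp_vip:
            notes.append(f"HSRP VIP {svi.hsrp_vip} is the hosts' gateway; the ASA must own it")
        notes += [f"DHCP relay to {h} has to move to the ASA" for h in svi.helpers]
        if svi.pim:
            notes.append("ip pim sparse-mode: the 6509 will stop routing multicast here")
        findings[vlan] = notes
    return findings


def remediation(run: str, gated: set[int] = FIREWALL_GATED,
                asa_trunk: str = "GigabitEthernet0/2",   # assumed ASA port trunked to the 6509
                asa_inside: str = "10.1.23.2") -> tuple[str, str]:  # assumed ASA inside address
    """Return (ios_cmds, asa_cmds): the 6509 drops the SVI, keeps the VLAN at layer 2 and
    gets a static route so the other VLANs reach the gated subnet through the ASA; the
    ASA gets a subinterface that owns the old gateway address and the DHCP relay."""
    ios, asa = [], [f"interface {asa_trunk}", " no shutdown"]
    for vlan, svi in sorted(parse_svis(run).items()):
        if vlan not in gated or not svi.routes():
            continue
        addr, mask = svi.ip_address.split()
        net = ipaddress.ip_interface(f"{addr}/{mask}").network
        gw = svi.hsrp_vip or addr   # keep the address hosts already point at
        ios += [f"! VLAN {vlan} stays a layer-2 VLAN; only the SVI goes away",
                f"no interface Vlan{vlan}",
                f"ip route {net.network_address} {mask} {asa_inside}"]
        asa += [f"interface {asa_trunk}.{vlan}", f" vlan {vlan}", f" nameif vlan{vlan}",
                " security-level 60", f" ip address {gw} {mask}", " no shutdown"]
        asa += [f"dhcprelay server {h} inside" for h in svi.helpers]
        if svi.helpers:
            asa.append(f"dhcprelay enable vlan{vlan}")
    return "\n".join(ios), "\n".join(asa)
```

Run it against `show running-config` from both 6509s, since the HSRP pair each carry an SVI for the VLAN and a leftover on the standby is just as much a bypass. Two things the generated commands deliberately leave to the ASA team: the ASA still needs a route toward the 6509 for the remaining subnets, and with the levels above (vlan25 at 60, inside at 100, outside at 0) the ASA will by default let VLAN 25 reach outside but deny it toward inside, so the DHCP, DNS and NTP servers the author mentioned are unreachable until an access-list on the vlan25 interface permits them.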

Author Comment

ID: 24186834
Great and Thanks....will be working with the ASA admin on next business day and post results  here.

Author Closing Comment

ID: 31571680
You guys are great. This worked with no problem. I am closing this and will be opening another case later today on 4506 fiber connections. I am replacing three 2948s with a single 4506 and want to make sure I get it right on the first try!

Author Comment

ID: 24195286
It worked!
