vburshteyn asked:
data routing / layer 3 switch to asa
Hi,
I have two networks in my office which do not touch. I need to connect them now.
One is a simple mpls -> asa (with no outside line)
The other one has a layer 3 switch -> asa --> router
Can anybody explain, or point me in the right direction on what to do if I connect my layer 3 switch to the asa via cable?
This is too vague, can you be more specific in describing your network topology and your problem?
ASKER
sorry about that
Network A
ds3 router - ASA 5505 -- Catalyst 4507
Network B
MPLS router - ASA 5500 --- Cisco Catalyst WS-C2950T-48 (this network does not have a data line yet)
At the moment the two networks don't talk. If I had a data line on the MPLS network I would just set up a vpn-vpn line between the two asa, but since I don't have that option I was thinking of running a network cable from the catalyst 4507, since it is a level 3 switch, to the ASA on the mpls network and route data from network A to network B that way.
Just don't know how to set it up.
You can run a cable between the 2 switches.
The port on the 4507 will have to be configured for the 2950's subnet.
ASKER
any chance you can provide more info?
How do I route the data for that subnet from the 4507?
On the 4507 create a VLAN that is the same as the one on the 2950.
On the ports you will be using to connect the 4507 to the 2950, you need to configure them in trunking mode.
Then you can use the 4507 to do the routing of information between the vlans on the 4507 and the 2950.
If you provide the configurations of the 4507 and the 2950, I am sure I or any of the other contributors can script it out for you.
ASKER
So if the one on the 2950 is set for general vlan 1, just turn all the ports to, say, vlan 2, turn one port on the 4507 into vlan 2 and trunk them together,
then route data between the 2 vlans?
No. You don't necessarily have to change vlans. The subnets of the vlans matter, so just moving the ports on the 2950 to vlan 2 and connecting the switches may not do any good. If you provide the existing configurations it will be much easier to tell exactly what you need to do.
ASKER
OK, so the 2950 has the generic config, there is nothing on it so it's the default config other than
Switch IP 10.59.1.4 ---> connected to ASA 10.59.1.1
the 4507 is
For this purpose I created VLAN 10 and assigned FA 3/35 to it
I gave vlan 10 ip of 10.59.1.2
So what I need to figure out is how do I get the 4507 to see a device 205.132.168.191 255.255.255.255 that I can get from the 2950.
Hope this makes sense!
I pulled out some of the redundant stuff from the config:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service compress-config
service sequence-numbers
!
hostname BW4507
!
boot-start-marker
boot-end-marker
!
no aaa new-model
qos
qos dbl
qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4
qos map cos 3 to dscp 26
qos map cos 5 to dscp 46
ip subnet-zero
!
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
redundancy
mode sso
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name VoiceVLAN
!
policy-map autoqos-voip-policy
class class-default
dbl
!
!
interface FastEthernet6/48
switchport mode access
switchport voice vlan 2
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
qos trust cos
qos trust device cisco-phone
macro description cisco-phone
auto qos voip cisco-phone
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree portfast
spanning-tree bpduguard enable
service-policy output autoqos-voip-policy
!
interface GigabitEthernet7/1
!
interface GigabitEthernet7/2
!
interface GigabitEthernet7/3
!
interface GigabitEthernet7/4
!
interface GigabitEthernet7/5
!
interface GigabitEthernet7/6
!
interface GigabitEthernet7/7
!
interface GigabitEthernet7/8
!
interface GigabitEthernet7/9
!
interface GigabitEthernet7/10
!
interface GigabitEthernet7/11
!
interface GigabitEthernet7/12
!
!
interface GigabitEthernet7/36
!
interface GigabitEthernet7/37
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
switchport nonegotiate
qos trust dscp
macro description cisco-router
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree portfast
spanning-tree bpduguard enable
service-policy output autoqos-voip-policy
!
interface GigabitEthernet7/38
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet7/39
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet7/40
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet7/41
!
interface GigabitEthernet7/42
!
interface GigabitEthernet7/43
!
interface GigabitEthernet7/44
!
interface GigabitEthernet7/45
!
interface GigabitEthernet7/46
!
interface GigabitEthernet7/47
!
interface GigabitEthernet7/48
!
interface Vlan1
ip address 172.17.20.2 255.255.255.0
!
interface Vlan2
ip address 172.17.30.2 255.255.255.0
!
ip route profile
ip route 0.0.0.0 0.0.0.0 172.17.20.1 permanent
ip http server
!
!
!
snmp-server community Br0adway1 RO
!
control-plane
!
!
line con 0
stopbits 1
length 0
!
end
BW4507#
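Putting the earlier advice (a VLAN for the link, routing done on the 4507) together with the addresses the asker gave, here is an added example configuration that is not from the thread, the asker or any responder. It assumes Fa3/35 is the link to the 2950, that 205.132.168.191 is reached through the MPLS-side ASA at 10.59.1.1, and that the ASA's 10.59.1.0/24 interface is named "inside"; the ASA return routes and hairpin setting are part of that assumption.

```cisco
! ===== Catalyst 4507 (BW4507) -- added example, not the thread's config =====
! Layer 2: one VLAN for the link to the 2950. The 2950 stays in its default
! VLAN 1; VLAN IDs only have to match across a trunk, so an access port is
! enough here and keeps network A's VLAN 1/2 from being trunked onto the 2950.
vlan 10
 name LinkTo2950
!
interface FastEthernet3/35
 description Link to 2950 (MPLS side)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Layer 3: SVI on the 4507 in the 2950/ASA subnet (10.59.1.2 per the asker).
interface Vlan10
 ip address 10.59.1.2 255.255.255.0
!
! The /32 the asker needs is reached through the MPLS-side ASA. The existing
! 0.0.0.0/0 default stays pointed at 172.17.20.1 (network A), so only this
! destination is sent over the new link.
ip route 205.132.168.191 255.255.255.255 10.59.1.1
!
! Checks from the 4507 once applied (read-only show/ping commands):
!   show ip route 205.132.168.191     -> should list next hop 10.59.1.1
!   ping 10.59.1.1 source Vlan10      -> ASA must answer from the SVI subnet
!
! ===== ASA 5500 on the MPLS side (assumed interface name "inside") =====
! Return path: the ASA must know network A's subnets sit behind 10.59.1.2,
! otherwise replies to 172.17.20.x / 172.17.30.x follow its default route.
route inside 172.17.20.0 255.255.255.0 10.59.1.2
route inside 172.17.30.0 255.255.255.0 10.59.1.2
! Traffic from 10.59.1.x hosts whose gateway is the ASA and that is bound
! for 172.17.x enters and leaves the same ASA interface; the ASA drops such
! hairpinned flows unless intra-interface traffic is permitted. Depending on
! ASA version, NAT exemption and access rules may also be required.
same-security-traffic permit intra-interface
```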
Hi vburshteyn,
Could you make it more clear?
Do you have two Internet lines and you want to activate them both over the network with the 4507?
ASKER
none of the provided solutions worked.
At the moment do you have one or two ASAs?
Are the two networks in one office or is the second network at a remote location (through the mpls)?
Just trying to get the whole picture here.