PMGIT asked:
Need help creating vlan(s) with Cisco ASA 5510 and a Dell 6248

Hello Experts!
I'm working on an interesting project, and am looking for some guidance/feedback.  I have an ASA 5510 currently in use with 14 existing site to site (L2L) ipsec vpn connections. The network is flat (1 subnet), and the ASA has the security plus license, and being used in routed and single context mode. ASA version 8.0(2) | ASDM version 6.0(2).  
Int E0/0 - outside interface - ISP router address
Int E0/1 - inside interface - 192.168.100.1
Int E0/2 - disabled
Int E0/3 - disabled
Int Mgt0/0 - mgmt port - 192.168.1.1
----------------------------------------------------------
I have a spare Dell PE 6248 layer 3 switch we could use as a vlan router and/or the ASA 5510 with config mentioned above. The network hosts approximately 1-500 simultaneous internal/external connections 24x7 365, across approximately 50 servers and approximately 100 internal workstations (the rest of the connections come from external users via terminal services).
The thought is that we can speed things up a bit and reduce some un-necessary network chatter and latency by creating 3 vlans - (workstations, servers, and printers).
So far this creates 2 big questions for me -
1. Do I need both devices (asa & dell 6248) to do this, or can/should I use only the ASA or only the Dell PowerEdge switch?
2. Will I have to re-create all of my L2L ipsec vpn tunnels if the servers (which are being accessed from the outside) are now on their own/different vlan? or can I just modify the ACL's after, or will this even be necessary?


djcapone:
1. Whether you need both devices to accomplish this depends on the capabilities of the switches you currently have in place.  If your question is, do I need a layer 3 switch/devices other than the ASA, the answer is no.  If your question is do I need the PE 6248 to create and setup the VLANs, then the answer would be yes.  Basically, you would need switches in place (they can be layer 2) that support VLANing and a 802.1q trunks.  You would configure the switches for whatever VLANs you choose and setup a trunk port to connect back to the ASA.  On the ASA, you would configure VLANs and trunk by using subinterfaces:

int e0/1.1
int e0/1.2

On each subinterface, you would configure it similar to the way you would configure your inside interface with the exception that you would need to specify which vlan the subinterface is responsible for:

vlan 10
nameif inside_servers
security-level 100
ip address 192.168.200.1 255.255.255.0
...

2.  To prevent the need to change any ACLs and reduce your workload, I would simply use the 192.168.100.1/24 subnet for the devices that will need to be accessed via the VPN.  If these devices cross the logical boundaries you have set (workstations, servers, printers), then you would either need to reconsider your logical boundaries, and/or update the ACLs that describe the "interesting" traffic to include all the subnets that would need to be accessed via the VPN.

Hope this helps.
PMGIT (asker):
Ah okay, so far so good and that's kind of what I was thinking.  The part that I left out, is that we are currently using 2 PowerConnect 2748's and 2 PowerConnect 3448's - both claim to support 802.1q, and all are connected via fiber gbics (default vlan 1 & not stacked).  So based on your experience, would you say better to install the 6448 (layer 3 vlan switch/router), and use that to route and control the vlans, or is the ASA the best way to go?  Also (and maybe just more of a sanity check)... above, you wrote "I would simply use the 192.168.100.1/24 subnet for the devices...", and I think referring to the server subnet (vlan 10) in your example, but the ip address in the example is 192.168.200.1/24 - Again, just making sure I'm following along :).
Thank you!!!
ASKER CERTIFIED SOLUTION
djcapone:
oh and yes, both of the switch types you have do support vlans and trunks.
PMGIT (asker):
Thanks so much for the detailed info, it is a HUGE help.  I think I will keep it simple and stay with the ASA only (no big file transfer concern), and it will be much easier to implement and maintain and will still serve the same purpose.  We're only using about 25% of the hardware resources on the ASA, so I don't think adding this will be enough of a hardware drain to be a concern.
For some reason, both port e0/0 and e0/1 are reporting 100Mb (as opposed to 1Gb) despite having the security plus license - always something...
Oh by the way -  thanks for the additional info on the switches!
PMGIT (asker):
EXCELLENT!
E0/0 being 100Mbps makes a bit of sense as it is most likely your uplink to your ISP.  They probably are only giving you a 100Mbps port (typical unless you're committing to a lot of bandwidth).

E0/1 is probably being reported as 100 Mbps because you are probably connecting this port to one of your PC 3448 instead of the 2748.  The 3448 are FastE switches while the 2748 are GigE switches.  You would be better served connecting the ASA to one of the GigE ports of the 2748 to connect the ASA to your network.  Assuming your switch ports on the 2748 and E0/1 on the ASA are set to autonegotiate this should bump the port speed to 1 Gbps for you.
PMGIT (asker):
Brilliant! I just read the same exact thing about the auto neg - that's exactly what it is!!!
Thanks again :)
PMGIT (asker):
One more quick thought -
"use the 192.168.100.1/24 subnet for the devices that will need to be accessed via the VPN"
Do you mean create a sub int on the existing port 0/1, or do you mean create a new vlan (e0/2.1) and use 192.168.100.1 as the ip subnet (which I THINK will maintain the ACLs)...?
Sorry, still trying to put small details together.
You would use the existing subnet on whatever VLAN you put your servers in, but it can remain on the same interface...

int e0/1.10
vlan 10
ip address 192.168.100.1 255.255.255.0
nameif inside_servers
....

or if you're recreating everything on a new port (not necessary), it would work the same way on e0/2

int e0/2.10
....
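The two replies above sketch the subinterface idea; the following is an added example (not djcapone's config and not from the thread) showing the complete ASA 8.0(2) layout for the three VLANs PMGIT described, with the existing 192.168.100.0/24 kept on the server VLAN so the VPN crypto ACLs still match. VLAN IDs 10/20/30, the interface names, the 192.168.200.0/24 and 192.168.210.0/24 subnets and the NAT-exemption ACL name NONAT_VPN are assumptions for illustration.

```cisco
! Added example for the thread above; VLAN IDs, nameifs, the two new subnets
! and the ACL name NONAT_VPN are assumptions, not values from the original config.

! The physical interface carries only the 802.1q trunk. Once it has no nameif
! it drops untagged frames, so every VLAN must be tagged on the switch side.
interface Ethernet0/1
 no nameif
 no ip address
 no shutdown
!
! Servers keep the original subnet, so the crypto ACLs that define
! "interesting" VPN traffic for 192.168.100.0/24 continue to match unchanged.
interface Ethernet0/1.10
 vlan 10
 nameif inside_servers
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! Workstations at the same level as servers so both directions work without
! per-interface ACLs (see same-security-traffic below).
interface Ethernet0/1.20
 vlan 20
 nameif inside_workstations
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
! Printers at a lower level: servers and workstations can reach them, but a
! printer cannot open connections toward the other VLANs unless an ACL is
! applied inbound on inside_printers (scan-to-email/SMB would need one).
interface Ethernet0/1.30
 vlan 30
 nameif inside_printers
 security-level 80
 ip address 192.168.210.1 255.255.255.0
!
! Without this line the ASA silently drops traffic between two interfaces
! that share a security level, which is the first thing people hit after
! splitting a flat network onto subinterfaces.
same-security-traffic permit inter-interface
!
! Pre-8.3 NAT exemption is keyed on the interface name, so the existing
! "nat (inside) 0 access-list NONAT_VPN" has to be re-applied under the
! nameif that now owns the VPN-reachable subnet. The ACL content itself
! (local 192.168.100.0/24 to each remote site) stays as it is.
nat (inside_servers) 0 access-list NONAT_VPN
```

On the switch side, the port facing Ethernet0/1 must be an 802.1q trunk that tags VLANs 10, 20 and 30; leaving one of them as the untagged/native VLAN means that VLAN never reaches the ASA. The crypto map itself stays bound to the outside interface, so the L2L tunnels are not rebuilt; the only interface-specific piece that moves is the NAT exemption statement.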
PMGIT (asker):
so... if I create a new int (e0/2.10) and assign this server subnet to this vlan will I have to recreate my VPN ACLs?  Currently, the VPN ACLs are all assigned to e0/0 (outside), and e0/1 (inside), so I suspect I'll have to re-setup all of my VPNs (or at least modify the ACLs) if I choose this option. Should I open a new question...?
no need to open a new question...having the points already assigned will prevent others from chiming in, but I have no problem continuing to follow up.

I do not think you will actually need to modify the ACLs.  You may need to assign them to a different interface but that should be the extent of it, since you are going to reuse the same IP subnet for the devices that need connectivity via the VPN.
PMGIT (asker):
Okay, great - and thank you again.  I think I understand now.  I did post another question relative to the e0/0 & e0/1 ints not appearing as 1000 though, because I connected e0/1 into a gig switch (and made sure the switch port was forced to gig), then tried to force the ASA to gig thru cli, but am only allowed the 10/100/auto option
(ASA5510_e0/0_e0/1 - feel free to chime in :).
Thanks!