• Status: Solved

Need help creating vlan(s) with Cisco ASA 5510 and a Dell 6248

Hello Experts!
I'm working on an interesting project, and am looking for some guidance/feedback.  I have an ASA 5510 currently in use with 14 existing site-to-site (L2L) IPsec VPN connections. The network is flat (1 subnet), and the ASA has the Security Plus license, and is being used in routed, single-context mode. ASA version 8.0(2) | ASDM version 6.0(2).
Int E0/0 - outside interface - ISP router address
Int E0/1 - inside interface - 192.168.100.1
Int E0/2 - disabled
Int E0/3 - disabled
Int Mgt0/0 - mgmt port - 192.168.1.1
----------------------------------------------------------
I have a spare Dell PE 6248 layer 3 switch we could use as a vlan router and/or the ASA 5510 with config mentioned above. The network hosts approximately 1-500 simultaneous internal/external connections 24x7 365, across approximately 50 servers and approximately 100 internal workstations (the rest of the connections come from external users via terminal services).
The thought is that we can speed things up a bit and reduce some unnecessary network chatter and latency by creating 3 VLANs (workstations, servers, and printers).
So far this creates 2 big questions for me -
1. Do I need both devices (asa & dell 6248) to do this, or can/should I use only the ASA or only the Dell PowerEdge switch?
2. Will I have to re-create all of my L2L IPsec VPN tunnels if the servers (which are being accessed from the outside) are now on their own/different VLAN? Or can I just modify the ACLs afterwards, or will this even be necessary?


Asked: PMGIT
1 Solution
 
djcaponeCommented:
1. Whether you need both devices to accomplish this depends on the capabilities of the switches you currently have in place.  If your question is, do I need a layer 3 switch/device other than the ASA, the answer is no.  If your question is, do I need the PE 6248 to create and set up the VLANs, then the answer would be yes.  Basically, you would need switches in place (they can be layer 2) that support VLANing and 802.1q trunks.  You would configure the switches for whatever VLANs you choose and set up a trunk port to connect back to the ASA.  On the ASA, you would configure VLANs and the trunk by using subinterfaces:

int e0/1.1
int e0/1.2

On each subinterface, you would configure it similar to the way you would configure your inside interface, with the exception that you would need to specify which VLAN the subinterface is responsible for:

vlan 10
nameif inside_servers
security-level 100
ip address 192.168.200.1 255.255.255.0
...

2.  To prevent the need to change any ACLs and reduce your workload, I would simply use the 192.168.100.1/24 subnet for the devices that will need to be accessed via the VPN.  If these devices cross the logical boundaries you have set (workstations, servers, printers), then you would either need to reconsider your logical boundaries, and/or update the ACLs that describe the "interesting" traffic to include all the subnets that would need to be accessed via the VPN.

Hope this helps.
 
PMGITAuthor Commented:
Ah okay, so far so good and that's kind of what I was thinking.  The part that I left out is that we are currently using 2 PowerConnect 2748's and 2 PowerConnect 3448's - both claim to support 802.1q, and all are connected via fiber GBICs (default VLAN 1 & not stacked).  So based on your experience, would you say it is better to install the 6248 (layer 3 VLAN switch/router) and use that to route and control the VLANs, or is the ASA the best way to go?  Also (and maybe just more of a sanity check)... above, you wrote "I would simply use the 192.168.100.1/24 subnet for the devices...", and I think you are referring to the server subnet (VLAN 10) in your example, but the IP address in the example is 192.168.200.1/24 - again, just making sure I'm following along :).
Thank you!!!
 
djcaponeCommented:
The 6248 would not act as a firewall, so you would still need the ASA to be in the picture somewhere.

The advantage of using the 6248 would be the potential for better inter-VLAN bandwidth when transferring data between the VLANs.  This would occur because you could in theory provide a direct connection to the 6248 from each of your layer 2 switches, and even have the potential to create EtherChannels to each switch for even more bandwidth.  If inter-VLAN bandwidth is not a concern (it might not be, considering you have some FastE switches in the mix) because there are not many file transfer operations between VLANs, then the network design would be a bit simpler without the 6248.

Essentially, when VLANing, traffic between VLANs needs to hit a layer 3 device to be transmitted from one VLAN to the other.  As such, if you just use the ASA, all traffic between VLANs would be carried over the link that is connected to E0/1 on the ASA.  In turn, the total bandwidth available for inter-VLAN routing would be 1 Gbps (or 2 Gbps if you set up an EtherChannel).

With the 6248, this can be significantly more, as each switch could have a dedicated 1 Gbps to it for inter-VLAN routing (or more with an EtherChannel going to each switch).

Because of this, the best choice comes down to your ability to manage the solution coupled with your need for bandwidth between VLANs.

As for the subnets and VPN issue, the example was made completely independent from the thought process on the VPN and was strictly to demonstrate configuring a trunk port on the ASA.  I didn't intend for there to be a connection between the 2 thoughts.  I apologize for the confusion it may have created.
 
djcaponeCommented:
Oh, and yes, both of the switch types you have do support VLANs and trunks.
 
PMGITAuthor Commented:
Thanks so much for the detailed info, it is a HUGE help.  I think I will keep it simple and stay with the ASA only (no big file transfer concern); it will be much easier to implement and maintain and will still serve the same purpose.  We're only using about 25% of the hardware resources on the ASA, so I don't think adding this will be enough of a hardware drain to be a concern.
For some reason, both ports E0/0 and E0/1 are reporting 100Mb (as opposed to 1Gb) despite having the Security Plus license - always something...
Oh by the way -  thanks for the additional info on the switches!
 
PMGITAuthor Commented:
EXCELLENT!
 
djcaponeCommented:
E0/0 being 100Mbps makes a bit of sense, as it is most likely your uplink to your ISP.  They are probably only giving you a 100Mbps port (typical unless you're committing to a lot of bandwidth).

E0/1 is probably being reported as 100 Mbps because you are probably connecting this port to one of your PC 3448s instead of the 2748s.  The 3448s are FastE switches, while the 2748s are GigE switches.  You would be better served connecting the ASA to one of the GigE ports of the 2748 to connect the ASA to your network.  Assuming your switch port on the 2748 and E0/1 on the ASA are set to autonegotiate, this should bump the port speed to 1 Gbps for you.
 
PMGITAuthor Commented:
Brilliant! I just read the exact same thing about the auto-neg - that's exactly what it is!!!
Thanks again :)
 
PMGITAuthor Commented:
One more quick thought -
"use the 192.168.100.1/24 subnet for the devices that will need to be accessed via the VPN"
Do you mean create a subinterface on the existing port 0/1, or do you mean create a new VLAN (e0/2.1) and use 192.168.100.1 as the IP subnet (which I THINK will maintain the ACLs)...?
Sorry, still trying to put small details together.
 
djcaponeCommented:
You would use the existing subnet on whatever VLAN you put your servers in, but it can remain on the same interface...

int e0/1.10
vlan 10
ip address 192.168.100.1 255.255.255.0
nameif inside_servers
....

or if you're recreating everything on a new port (not necessary), it would work the same way on e0/2:

int e0/2.10
....
 
PMGITAuthor Commented:
So... if I create a new interface (e0/2.10) and assign this server subnet to this VLAN, will I have to recreate my VPN ACLs?  Currently, the VPN ACLs are all assigned to e0/0 (outside) and e0/1 (inside), so I suspect I'll have to re-set up all of my VPNs (or at least modify the ACLs) if I choose this option. Should I open a new question...?
 
djcaponeCommented:
No need to open a new question... having the points already assigned will prevent others from chiming in, but I have no problem continuing to follow up.

I do not think you will actually need to modify the ACLs.  You may need to assign them to a different interface but that should be the extent of it, since you are going to reuse the same IP subnet for the devices that need connectivity via the VPN.
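To put the whole thread's advice into one place, here is an added example of what the ASA side looks like when the server VLAN keeps 192.168.100.0/24 and the ASA does the inter-VLAN routing. This is not configuration from the thread or from either participant; it is an editor's illustration in ASA 8.0-era syntax (pre-8.3 NAT). Everything beyond what the thread states is assumed and hypothetical: the VLAN IDs 10/20/30, the workstation subnet 192.168.200.0/24, the printer subnet 192.168.210.0/24, the remote site subnet 10.10.10.0/24, and the object names outside_map, outside_cryptomap_10, nonat and inside_access_in.

```cisco
! Added example, not from the thread. Assumed/hypothetical: VLAN IDs 10/20/30,
! workstation subnet 192.168.200.0/24, printer subnet 192.168.210.0/24, one
! remote L2L site 10.10.10.0/24, crypto map "outside_map" entry 10, and the
! ACL names below. Syntax is ASA 8.0 (pre-8.3 NAT). Save the running config
! first: removing the nameif from Ethernet0/1 clears config that references
! the name "inside" (access-group, nat, etc.), which steps 5 and 6 re-enter.
!
! 1. Turn the physical port into an 802.1q trunk parent (no name, no IP).
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! 2. One subinterface per VLAN. The server VLAN keeps 192.168.100.0/24 so
!    the existing VPN "interesting traffic" ACLs still match unchanged.
interface Ethernet0/1.10
 vlan 10
 nameif inside_servers
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif inside_workstations
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/1.30
 vlan 30
 nameif inside_printers
 security-level 100
 ip address 192.168.210.1 255.255.255.0
!
! 3. Interfaces at the same security level do not pass traffic to each
!    other by default; without this line the ASA drops inter-VLAN traffic.
same-security-traffic permit inter-interface
!
! 4. The interesting-traffic ACL and the crypto map are keyed on the subnet
!    and the outside interface, not on "inside", so they stay as they are.
access-list outside_cryptomap_10 extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map interface outside
!
! 5. Pre-8.3 NAT is bound to an interface name, so the NAT exemption for the
!    tunnel and the PAT statements that pointed at "inside" are re-entered
!    for each new VLAN interface.
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside_servers) 0 access-list nonat
nat (inside_servers) 1 192.168.100.0 255.255.255.0
nat (inside_workstations) 1 192.168.200.0 255.255.255.0
nat (inside_printers) 1 192.168.210.0 255.255.255.0
global (outside) 1 interface
!
! 6. Likewise, any inbound ACL that was applied to "inside" is re-bound to
!    the VLAN interface(s) it should now govern.
access-group inside_access_in in interface inside_servers
```

On the switch side, the port facing Ethernet0/1 must be an 802.1q trunk carrying VLANs 10, 20 and 30; with the physical interface left unnamed, untagged frames arriving on the trunk have no interface to land on, so anything still sitting on VLAN 1 should be moved before the cutover. To check the result, `show interface Ethernet0/1.10` should report the subinterface up with its address, and after a test ping across the tunnel `show crypto isakmp sa` and `show crypto ipsec sa` should show the existing peers and security associations unchanged. If workstations cannot reach the servers afterwards, the usual culprit is a missing `same-security-traffic permit inter-interface` line or a NAT statement still referencing the old interface name.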
 
PMGITAuthor Commented:
Okay, great - and thank you again.  I think I understand now.  I did post another question relative to the E0/0 & E0/1 interfaces not appearing as 1000 though, because I connected E0/1 into a gig switch (and made sure the switch port was forced to gig), then tried to force the ASA to gig through the CLI, but am only allowed the 10/100/auto option
(ASA5510_e0/0_e0/1 - feel free to chime in :).
Thanks!