09-20-2013 02:28 AM - edited 09-20-2013 02:29 AM
I have a ProCurve 2910al switch as a "core" switch. Attached to this switch are my servers (untagged VLAN 1) and 4 other switches, all attached to ports untagged in their own VLANs 2-5. So I have dedicated switches for workstations, printers, wifi etc., all untagged ports, each in their own private subnets.
Also attached to the 2910 is a Cisco ASA firewall.
I enabled ip routing on the switch and set up IP addresses for all the VLANs.
Now, to enable all the VLANs to access the internet, do I just create a default route on the 2910 to route 0.0.0.0 0.0.0.0 192.168.100.1 (the address of the Cisco on VLAN 1)? And do I need to additionally enable NAT for every subnet on the Cisco?
And do I need to make the uplink to the Cisco tagged in all VLANs? No, right? Because I want the switch to do the inter-VLAN routing.
09-23-2013 12:39 AM
OK, but the Cisco is not in the same VLAN as the servers, for security reasons? Because if I put them in another VLAN/subnet, I'll probably have to change all the NAT/PAT rules in the Cisco.
Just one final question. In the Cisco, do I only set up NAT for the (private) subnet that it is directly attached to, or do I have to put a NAT rule for every subnet/VLAN in it? I'd think I don't have to, but just want to make sure.
09-23-2013 03:30 PM
Put the link to the Cisco in another subnet: a point-to-point link is how you should join layer-3 devices.
I'm not sure about your NATing question. Presumably you need a NAT rule for any subnet you want to enable for internet access.
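Worked configuration for the layout the thread arrives at: a dedicated point-to-point transit VLAN between the 2910 and the ASA, the default route on the switch pointing at the ASA's transit address, return routes on the ASA for the internal subnets, and one NAT object per internal subnet. This is an added example, not config from either poster; VLAN 99 with 10.0.0.0/30, the server subnet 192.168.100.0/24 (inferred from the Cisco's 192.168.100.1 address above), the VLAN 2-5 subnets 192.168.2.0/24 to 192.168.5.0/24, port 48 and the ASA interface names are all assumptions, and the ASA lines use the 8.3+ object NAT syntax.

```text
! === HP ProCurve 2910al (assumed: transit VLAN 99 on port 48) ===
ip routing
vlan 99
   name "FW-Transit"
   untagged 48                          ! uplink to the ASA, in VLAN 99 only
   ip address 10.0.0.2 255.255.255.252  ! switch side of the /30
   exit
! Default route: everything without a more specific route goes to the ASA
ip route 0.0.0.0 0.0.0.0 10.0.0.1

! === Cisco ASA (assumed interface names and 8.3+ NAT syntax) ===
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252   ! ASA side of the /30
!
! Return routes: the ASA only knows the /30 directly, so every internal
! subnet must be routed back to the switch's transit address
route inside 192.168.100.0 255.255.255.0 10.0.0.2
route inside 192.168.2.0 255.255.255.0 10.0.0.2
route inside 192.168.3.0 255.255.255.0 10.0.0.2
route inside 192.168.4.0 255.255.255.0 10.0.0.2
route inside 192.168.5.0 255.255.255.0 10.0.0.2
!
! One NAT (PAT to the outside address) object per subnet that needs internet
object network LAN-SERVERS-VLAN1
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN-WORKSTATIONS-VLAN2
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
! repeat the object/subnet/nat triplet for VLANs 3, 4 and 5
```

Because the 2910 routes between VLANs 1-5 itself, traffic between servers and workstations never crosses the ASA; only flows that follow the default route are inspected there, so any segmentation between those VLANs has to be enforced on the switch (for example with its own IP ACLs).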