  • 1.  Procurve 2910 VLAN routing

    Posted Sep 20, 2013 05:28 AM

    Question,

    I have a ProCurve 2910al switch as a "core" switch. Attached to this switch are my servers (untagged VLAN 1) and 4 other switches, all attached to ports untagged in their own VLANs 2-5. So I have dedicated switches for workstations, printers, wifi etc., all untagged ports, each in their own private subnets.

    Also attached to the 2910 is a Cisco ASA firewall.

    I enabled ip routing on the switch and set up IP addresses for all the VLANs.

    Now to enable all the VLANs to access the internet, do I just create a default route on the 2910 to route 0.0.0.0 0.0.0.0 192.168.100.1 (the address of the Cisco on VLAN 1)? And do I need to additionally enable NAT for every subnet on the Cisco?

    And do I need to make the uplink to the Cisco tagged in all VLANs? No, right? Because I want the switch to do the inter-VLAN routing.

     

    Thanks,

    Dennes




  • 2.  RE: Procurve 2910 VLAN routing

    Posted Sep 22, 2013 06:00 PM

    You are correct that you don't want your VLANs trunked to the Cisco.

     

    Additionally, your link to the Cisco should not be in the same VLAN as all your server hosts.



  • 3.  RE: Procurve 2910 VLAN routing

    Posted Sep 23, 2013 03:39 AM

    OK, but Cisco not in same VLAN as servers, for security reasons? Because if I put them in another VLAN/subnet, I'll probably have to change all the NAT/PAT rules in the Cisco.

     

    Just one final question. In the Cisco, do I only set up NAT for the (private) subnet that it is directly attached to, or do I have to put a NAT rule for every subnet/VLAN in it? I'd think I don't have to, but just want to make sure.

     

    Thanks,

    Dennes



  • 4.  RE: Procurve 2910 VLAN routing

    Posted Sep 23, 2013 06:30 PM

    Put the link to the Cisco in another subnet: a point-to-point link is how you should join layer-3 devices.

     

    I'm not sure about your NATing question. Presumably you need a NAT rule for any subnet you want to enable for internet access.
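
An added example, not part of the thread and not any poster's configuration: the transit-link layout suggested in the replies, sketched for a ProCurve 2910al and an ASA running 8.3 or later. The transit subnet 10.255.255.0/30, VLAN 99, port 24, the /24 masks, the 192.168.2.0/24 workstation subnet, the ASA interface and the object names are all assumptions; only 192.168.100.x on VLAN 1 comes from the thread.

```text
; ---- ProCurve 2910al (does the inter-VLAN routing) ----
ip routing
vlan 1
   name "SERVERS"
   ip address 192.168.100.2 255.255.255.0      ; assumed switch address and mask
   exit
vlan 2
   name "WORKSTATIONS"
   ip address 192.168.2.1 255.255.255.0        ; assumed subnet
   exit
vlan 99
   name "TRANSIT"
   untagged 24                                 ; assumed ASA-facing port, no other VLAN tagged on it
   ip address 10.255.255.2 255.255.255.252     ; assumed /30 point-to-point link
   exit
; default route now points at the ASA's transit address, not at a host in VLAN 1
ip route 0.0.0.0 0.0.0.0 10.255.255.1

! ---- Cisco ASA 8.3+ (inside interface moved onto the transit subnet) ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.255.255.1 255.255.255.252
!
! The ASA is no longer attached to any internal subnet, so it needs a
! return route for each one via the switch.
route inside 192.168.100.0 255.255.255.0 10.255.255.2
route inside 192.168.2.0 255.255.255.0 10.255.255.2
!
! NAT rules match on source address, so each routed subnet must be covered.
object network SERVERS-NET
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network WORKSTATIONS-NET
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

Repeat the VLAN, route and object entries for each remaining VLAN, or cover several subnets with one aggregate route and object where the addressing allows it. Because all internal traffic reaches the ASA through the single transit interface, access rules on that interface are the one place where per-subnet internet access is permitted or denied.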