topic Thanks Akshay. I should've in Network Security

Figure out connected VLAN

noisey_uk — Tue, 12 Mar 2019 06:57:46 GMT

An ASA5515-X is sucessfully connected to a 2960X via an LACP port-channel. Someone has changed the config on the 2960X end of the port-channel so we've no idea which VLANs are being trunked or the IP addresses of the management SVI on said switch. The switch is half way across the world and local resources are not great technically so, clutching at straws, can anyone think of a way of finding out the VLANs/IP involved? I've put this in Firewalling as I'd have thought a debug command on the ASA is the biggest hope...

Hi,

Akshay Rastogi — Sun, 29 Nov 2015 05:13:08 GMT

Hi,

You can try your luck with sub-interfaces created on ASA from that port channel. Check the subnet configured on those interfaces. Also check the routes on ASA with 'show route' this would show you connected routes. With this you could get the idea of the subnet connected to it. Also it would show you the next hop for those subnets. As you have mentioned that SVI is configured on switch so i believe that next hop would be the SVI on switch.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

You might be able to

Marvin Rhoads — Sun, 29 Nov 2015 14:22:20 GMT

You might be able to ascertain the information by doi ng a packet capture on the ASA inside interface and examining the LACP bits.

You might also get the switch address from the CDP neighbor advertisements. Even though the ASA doesn't participate in CDP per se, it will still see the Layer 2 CDP broadcasts at the packet level.

Thanks for your input Marvin.

noisey_uk — Mon, 30 Nov 2015 09:31:10 GMT

Thanks for your input Marvin. Packet capture is half the answer I think as it would rely on configuring the ASA subinterface with the VLAN ID that matches the corresponding switch VLAN... which I don't know. I guess I'm after a more thorough capture capability, like Wireshark, built into the ASA. Might still be a bit of trial and error involved I think. Relieved this is T&M...!

Thanks Akshay. I should've

noisey_uk — Mon, 30 Nov 2015 09:35:06 GMT

Thanks Akshay. I should've clarified in my post - the ASA does not have config on relating to the 2960X - it's a new ASA, connecting to a 2960X which has been taken from another site and someone has changed some of the configuration on it... nightmare!

Noisey,

Marvin Rhoads — Mon, 30 Nov 2015 13:31:20 GMT

Noisey,

You only need the subinterface ID in order to complete LACP negotiation. Without it, you will still se the switch's offered VLAN tags on the trunking establishment messages (even though the trunk won't establoish until the ASA matches).