topic Re: Vlan subinterface on ASA and connection to internet in Network Security

Vlan subinterface on ASA and connection to internet

mahesh18 — Tue, 12 Mar 2019 01:41:00 GMT

Hi Everyone,

Need to understand the network here

Say we have ASA which has gi0/0 interface and we do subinterfaces of this and it has trunk connection to switch.

gi0/0.1 outside vlan 10

gi0/0.2 visitor vlan 20

gi0/0.3 wi fi vlan 30

say we have 2 dhcp pools for interface visitor and wi fi.

Say users on visitor dhcp pool has gateway of 192.168

say users on wi fi dhcp pool has gateway of 172.x.x.x

gi 0/0.1 has public ip address and it has default route to edge router.

ASA--------Switch 1------------switch2-------------edge eouter ---------ISP

Switch2 is learning about vlans 10,20,30.

But connection between switch2 and edge router carries only vlan40.

Need to understand how users on vlan 20 and 30 reach the edge router and access the internet as switch2 port connected to edge router carries only

vlan10 as allowed traffic on trunk link?

Thanks

Mahesh

Vlan subinterface on ASA and connection to internet

Julio Carvajal — Thu, 09 May 2013 04:18:40 GMT

Hello Mahesh,

Are you telling us that the trunk port between switch 2 and 1 only allows packets tagged with an 802.1Q header making reference to vlan 40?

My question actually would be , is that link a trunk or it's an access port ?

Cause if it's a trunk it would not be allowed.

Regards

Vlan subinterface on ASA and connection to internet

mahesh18 — Thu, 09 May 2013 04:22:29 GMT

Hi julio,

Let me check on this

Mahesh

Vlan subinterface on ASA and connection to internet

Julio Carvajal — Thu, 09 May 2013 04:27:15 GMT

Sure,

keep me posted

Vlan subinterface on ASA and connection to internet

mahesh18 — Thu, 09 May 2013 04:33:07 GMT

Hi julio,

Trunk between switch 1 and 2 carries all the vlan 10,20 and 30

thanks

mahesh

Vlan subinterface on ASA and connection to internet

mahesh18 — Thu, 09 May 2013 04:35:14 GMT

Hi julio

ASA----------------Trunk vlan 10,20,30 allowed----sw1-------- trunk vlan 10,20,30-------------sw2---------------Trunk only vlan10--edge router

Thanks

MAhesh

Re: Vlan subinterface on ASA and connection to internet

Julio Carvajal — Thu, 09 May 2013 04:46:57 GMT

Hello Mahesh,

You sure it's a trunk what you are using between switch 2 and Edge router? Is not an access-port?

Is the ASA the only device performing 802.1Q routing?

Vlan subinterface on ASA and connection to internet

mahesh18 — Thu, 09 May 2013 04:53:30 GMT

Hi julio,

yes there is trunk connection to edge router.

ASA has only static routes no routing.

when you say ASA the only device performing 802.1Q routing?

what do you mean?

thanks

mahesh

Re: Vlan subinterface on ASA and connection to internet

Julio Carvajal — Thu, 09 May 2013 05:05:42 GMT

Hello Mahesh,

For what I can understand from here,

When a host on vlan 20 sends a packet, SW1 or SW2 will receive the traffic with no tags on their access-ports ..

Depending on the host destination IP address the packet will be send to the ASA as this is the 802.1Q routing guy in the picture and the default gateway for them ...

The ASA has an ARP entry for the IP and MAC address of the ISP router ( The default gateway which is in vlan 10 )

When the ASA receives a packet from VLAN 20 that needs to go to an IP address that is unknown to it, it will send it to it's default gateway, checks the IP address and sees that it must go out vlan 10 interface, so it will tag it with a TAG value of 10, it will then reach SW1 with a TAG of 10, it will move like this up to the ISP router,

Let me know if I was clear,

Vlan subinterface on ASA and connection to internet

mahesh18 — Sat, 11 May 2013 05:00:54 GMT

Hi julio,

Below is my understanding ---

Let me know if i am wrong anywhere---

The switch 1 and switch 2 have vlan 20,30 where user connect ther PC and access the internet.

Remember switch 1 and 2 does not have SVI vlan 20 and 30.So when user connect to access port vlan 20 or 30 on switch 1 or 2 PC gets IP address from DHCP pool defined on ASA.

and it has default gateway of ASA interface of gi0/0.2 or 0.3

When user need to access the internet traffic goes to ASA interface gi0/0.2 as thats default gateway for user PC.

Then ASA has default static route that points to the ASA Edge Router.

So traffic from say PC to switch 2 is untagged then from switch 2 to ASA it goes tagged due to trunking.

Then return traffic from ASA to edge router is

ASA to SW1 -----------trunk tagged.

Sw1 to sw2 ----trunk tagged

Sw2 to edge router tagged with vlan 10.

Edge router has 802.1q trunking for vlan 10

sw2 to edge router comes as tagged then edge router removes the vlan 10 tag.

Regards

MAhesh

Vlan subinterface on ASA and connection to internet

Jouni Forss — Sat, 11 May 2013 11:26:48 GMT

Hi,

Sounds about right to me Mahesh

Traffic on access ports is not tagged with any Vlan ID

Traffic on Trunk links is tagged with Vlan ID

Finally the traffic arriving to the Edge Router removes the tag.

Naturally the way towards the Internet from there depends on how its implemented. Usually there is no subinterfaces involved on the customer side equipment.

- Jouni

Vlan subinterface on ASA and connection to internet

mahesh18 — Sat, 11 May 2013 13:47:21 GMT

Hi Jouni,

Thanks again for confirming me i am correct.

Regards

MAhesh