https://community.cisco.com/t5/network-security/firewall-vlans-how-does-it-work/m-p/1270371#M819988 <P>Hi</P><P></P><P>I have ASA 5540 whose Gig2 interface is subinterfaced into 3-vlans 40,50,60.Do I need to trunk the port(cable is coming from ASA Gig2 interface) on the switch and create VLANS 40,50 and 60 on the switch in order to get the hosts in these vlans working ? Do I have to do anything to Gig2 interface ?Please see config below</P><P></P><P>______________________________________</P><P></P><P>interface GigabitEthernet0/2</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/2.40</P><P> vlan 40</P><P> nameif DMZ-Public</P><P> security-level 40</P><P> ip address 10.32.240.1 255.255.255.0 standby 10.32.240.2 </P><P>!</P><P>interface GigabitEthernet0/2.50</P><P> vlan 50</P><P> nameif DMZ-2</P><P> security-level 50</P><P> ip address 10.32.241.1 255.255.255.0 standby 10.32.241.2 </P><P>!</P><P>interface GigabitEthernet0/2.60</P><P> vlan 60</P><P> nameif DMZ-3</P><P> security-level 60</P><P> ip address 10.32.242.1 255.255.255.0 standby 10.32.242.2 </P><P></P><P></P> Mon, 11 Mar 2019 16:03:55 GMT CCDECCDE9 2019-03-11T16:03:55Z https://community.cisco.com/t5/network-security/firewall-vlans-how-does-it-work/m-p/1270371#M819988 <P>Hi</P><P></P><P>I have ASA 5540 whose Gig2 interface is subinterfaced into 3-vlans 40,50,60.Do I need to trunk the port(cable is coming from ASA Gig2 interface) on the switch and create VLANS 40,50 and 60 on the switch in order to get the hosts in these vlans working ? Do I have to do anything to Gig2 interface ?Please see config below</P><P></P><P>______________________________________</P><P></P><P>interface GigabitEthernet0/2</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/2.40</P><P> vlan 40</P><P> nameif DMZ-Public</P><P> security-level 40</P><P> ip address 10.32.240.1 255.255.255.0 standby 10.32.240.2 </P><P>!</P><P>interface GigabitEthernet0/2.50</P><P> vlan 50</P><P> nameif DMZ-2</P><P> security-level 50</P><P> ip address 10.32.241.1 255.255.255.0 standby 10.32.241.2 </P><P>!</P><P>interface GigabitEthernet0/2.60</P><P> vlan 60</P><P> nameif DMZ-3</P><P> security-level 60</P><P> ip address 10.32.242.1 255.255.255.0 standby 10.32.242.2 </P><P></P><P></P> Mon, 11 Mar 2019 16:03:55 GMT https://community.cisco.com/t5/network-security/firewall-vlans-how-does-it-work/m-p/1270371#M819988 CCDECCDE9 2019-03-11T16:03:55Z https://community.cisco.com/t5/network-security/firewall-vlans-how-does-it-work/m-p/1270372#M819989 <HTML><HEAD></HEAD><BODY><P>your config on the ASA looks fine..on the switch, you will need to trunk the port using dot1q, and you will need to create those vlans - 40,50,60 - and allow them on the trunk port of the switch.</P><P></P></BODY></HTML> Fri, 07 Aug 2009 14:27:00 GMT https://community.cisco.com/t5/network-security/firewall-vlans-how-does-it-work/m-p/1270372#M819989 srue 2009-08-07T14:27:00Z https://community.cisco.com/t5/network-security/firewall-vlans-how-does-it-work/m-p/1270373#M819991 <HTML><HEAD></HEAD><BODY><P>these VLANS on the swith need to have same subnet as firewall VLAN interfaces ?</P><P>in this case</P><P></P><P>on switch :</P><P></P><P>Interface VLAN 40</P><P>ip address 10.32.240.3</P><P></P><P>Interface VLAN 50</P><P>ip address 10.32.241.3</P><P></P><P>Interface VLAN 60</P><P>ip address 10.32.242.3</P><P></P></BODY></HTML> Mon, 10 Aug 2009 15:04:44 GMT https://community.cisco.com/t5/network-security/firewall-vlans-how-does-it-work/m-p/1270373#M819991 CCDECCDE9 2009-08-10T15:04:44Z https://community.cisco.com/t5/network-security/firewall-vlans-how-does-it-work/m-p/1270374#M819992 <HTML><HEAD></HEAD><BODY><P>You don't need to create L3 vlans in the switch as you already have the firewall as a layer 3 device for those network. You just simply need to do what Steven indicated in his post.</P><P></P><P>Create the vlans in the switch </P><P></P><P>exmaple:</P><P></P><P>switch</P><P></P><P>WS1(config)vlan database</P><P>WS1(vlan)#vlan 40 name 10.32.240.0/24_net</P><P>WS1(vlan)#vlan 50 name 10.32.241.0/24_net</P><P>WS1(vlan)# vlan 60 name 10.32.242.0/24_net</P><P></P><P>then create dot1q trunk on the physical port in the switch that connects to the forewall..</P><P></P><P>SW1(config)#interface fe0/xx</P><P>SW1(config)#Description Connection to ASA</P><P>SW1(config)#switchport mode trunk</P><P>SW1(config)#switchport trunk encapsulation dot1q</P><P>SW1(config)#switchport trunk allowed vlan 40,50,60 etc..</P><P></P><P>then assign ports to respective vlans for hosts in the switch..</P><P></P><P></P><P></P><P>Regards</P><P></P><P></P></BODY></HTML> Tue, 11 Aug 2009 15:38:03 GMT https://community.cisco.com/t5/network-security/firewall-vlans-how-does-it-work/m-p/1270374#M819992 JORGE RODRIGUEZ 2009-08-11T15:38:03Z