Configuring VLANs on my Cisco 5515-X, is it possible ?

clille.cisco · ‎03-29-2013

I am trying to connect 2 VMWARE servers directly to my 5515-X firewall.

And this is the configuration I am looking for:

Gi0/0 - outside (already configured and working)

Gi0/1 - inside (already configured and working)

Gi0/2 - trunk with VLAN 1 + 2 + 3 + 4 + 5 for VMWARE server1

Gi0/3 - trunk with VLAN 1 + 2 + 3 + 4 + 5 for VMWARE server2

Gi0/4 not used

Gi0/5 not used

ASDM will not let me assign the same VLAN to both Gi0/2 and Gi0/3. I dont want to connect my VMWARE servers to a switch first (that just adds one more component that can fail)

I really hope this simple configuration is possible

Thanks in advance

Carsten

James Leinweber · ‎03-29-2013

I think you are stuck introducing a switch, sorry.

-- Jim Leinweber, WI State Lab of Hygiene

Jouni Forss · ‎03-29-2013

Hi,

I think this was only possible in the ASA5505 model which has the built in switch module.

I wonder if configuring a Gigabit Etherchannel using the Gi0/2 and Gi0/3 would be possible? I am not that familiar with the server side.

I think the basic configuration format on the ASA side would be

interface GigabitEthernet0/2

channel-group 1 mode active

interface GigabitEthernet0/3

channel-group 1 mode active

interface Port-Channel1

interface Port-Channel1.10

description Vlan 10

vlan 10

nameif vlan10

security-level 100

ip add 10.10.10.1 255.255.255.0

interface Port-Channel1.20

description Vlan 20

vlan 20

nameif vlan20

security-level 100

ip add 10.10.20.1 255.255.255.0

- Jouni

James Leinweber · ‎03-29-2013

Doesn't an etherchannel require a single device on the other side, e.g. that pesky switch again?

I don't think you can make an ethernet channel with two participants going to two separate unrelated devices. Even with LACP for the bundle negotiations (e.g. "channel-group N mode active") the most separation you can get is two different member switches in a single unified stackwise group.

Also, you'd need recent ASA firmware, like 9.0(2), as 8.6 on the ASA didn't have etherchannel.

I've been keeping the ASA etherchannel ploy in mind for my pending 5525-X upgrade, as depending on traffic levels, I might want it on what is currently an ordinary singleton trunk port interface (replacing an 5520 running 8.2 firmware). I'll have to add this item to my test lab R&D queue.

-- Jim Leinweber, WI State Lab of Hygiene

clille.cisco · ‎03-29-2013

I have updated to latest ASDM and firmware, so I do have etherchannel, but I unsure if that will work ... and I might add one more VMWARE server later

Yura Kazakevich · ‎09-24-2017

Hi everyone!

I'm going to purchase Cisco ASA 5506-X-K9 Sec Plus device. I have plans to build the following schema:

As you can see here are two VMWare ESXi servers connected to ASA5506-X firewall. vSwitch of each server has two vlans (vlan3 - inside area, vlan4 - DMZ). So I want to configure vlan trunks between ASA and VMWare. I need vlan trunks to save more ports of my VMWare server for another needs (SAN, redundacy links, additional servers interlinks and etc.).

Can anybody tell me is it possible on Cisco ASA5506-X?

Marvin Rhoads · ‎09-24-2017

The ASA supports 802.1q trunks and can be configured with the subinterfaces necessary to act as a gateway for the resepctive subnets.

That's slightly different than the VLAN (layer 2) support you asked about but I believe it satisfies the requirement as I understand it.