10-28-2011 09:14 AM - edited 03-11-2019 02:43 PM
Hello,
I have a quick question regarding trunking with the ASA5510. Currently I have 3 switches (DMZ subnet / inside subnet / server subnet) connected to each GE port of the ASA. Our office/server subnets are the same but I'm looking to break that up. So on GE 1/3, I'll create that new subnet. As of now, everything is working fine. So my question is, I'm looking to stack a switch and run the new office subnet and existing server subnet on it. Of course I'll VLAN the switch and trunk each port on that switch to the ASA. NOW my question is, do I need to trunk the ASA port if they already have separate assigned ports on the ASA? I see a lot of discussions where people are creating sub-interfaces off of one port on the ASA and doing things that way. I want to keep the setup as I have now and just add that 4th interface as my office network.
Example
GE 1/0 x.x.1.5 - server - currently server/office network are the same. has dedicated switch directly connected
GE 1/1 x.x.2.5 - DMZ - already has dedicated sw directly connected
GE 1/2 x.x.3.5 - inside_DMZ - already has dedicated sw directly connected
GE 1/3 x.x.4.5 - new office subnet. want to use same switch as the server and vlan/trunk each subnet to different asa interfaces.
Do I just need to trunk the Cisco switch ports that plug directly into the assigned interfaces on the ASA and leave the ASA physical interface as is? Or do I have to trunk the ASA as well.
If this was confusing, I do apologize.
Thanks in advance,
Jeff
10-28-2011 10:32 AM
hi,
if you connect the new port from ASA to a switch for connecting a new subnet=new VLAN then you can leave the switch port as access and the port of ASA as is.
Alain.
11-01-2011 08:38 AM
Alain,
Thank you for the reply, I'll be testing it out tomorrow.
-jeff
11-10-2011 01:08 PM
Hello Alain,
Not sure if you can reply but I tried what you suggested and am running into minor issues. I think it has to do with the default route in my switch. Below is what I was originally trying to accomplish...
GE 1/0 x.x.1.5 - server - currently server/office network are the same. has dedicated switch directly connected
GE 1/3 x.x.4.5 - new office subnet. want to use same switch as the server and vlan/trunk each subnet to different asa interfaces
So on the ASA..
GE 1/0 x.x.1.5 - server subnet is good to go. can ping the outside world - directly connected to switch
GE 1/3 x.x.4.5 - Interface is up on the ASA, able to ping devices on the server subnet and of course the office; outside world, no go. These interfaces are directly connected to a 3750x.
On my switch, I created 2 VLANs....
interface Vlan 1
description Server VLAN
ip address x.x.1.1 255.255.255.0
interface Vlan 4
description Office VLAN
ip address x.x.4.1 255.255.255.0
All ports have appropriate vlan access (switchport access). "Should I be trunking my switch ports that are directly connected to the ASA or can I leave them as is?"
Now I think my issue is with my default routes...
ip route 0.0.0.0 0.0.0.0 x.x.1.5 ---- Server Subnet - When it was just the servers' default, I had full access.
When I added the next default route for the office subnet, this is where it seemed issues began:
ip route 0.0.0.0 0.0.0.0 x.x.4.5 ---- I saw both routes establish for each VLAN but it didn't seem I could get out
Are my default routes right or should they be something else? I'm assuming this is why I can't see my new office subnet from the outside. I can't even access the office switch VLAN of 4.1. I'm able to get to the server switch VLAN 1.1 just fine. For now, I only left a default route pointing to 1.5.
Again, hope I didn't lose you. If anyone else can shed some light, I would greatly appreciate it.
Thanks in advance,
-j
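The design Alain describes in his first reply (ASA ports left as routed interfaces, switch ports as access ports, no trunk) applied to Jeff's numbering, as an added example that is not from the thread: the 3750X is kept Layer 2 between the two VLANs so that every office-to-server and outbound flow crosses the ASA and its policy, and the two competing default routes on the switch are no longer needed. The VLAN numbers and subnets come from the thread; the switch port numbers and the management placement are assumptions.

```cisco
! Added example (not the thread's own config). Assumed: 3750X ports
! Gi1/0/1 and Gi1/0/2 cable to ASA GE 1/0 and GE 1/3 respectively.
!
! Keep the switch out of the forwarding path between subnets; the ASA
! routes x.x.1.0/24 <-> x.x.4.0/24 and enforces the policy between them.
no ip routing
no interface Vlan4
!
vlan 4
 name Office
!
! Single management SVI; hosts do NOT use this address as their gateway.
interface Vlan1
 description Switch management only
 ip address x.x.1.1 255.255.255.0
!
! Replaces the two "ip route 0.0.0.0 0.0.0.0 ..." lines: one gateway for
! the switch's own management traffic, via the ASA server interface.
ip default-gateway x.x.1.5
!
interface GigabitEthernet1/0/1
 description Uplink to ASA GE 1/0 (server subnet, gateway x.x.1.5)
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Uplink to ASA GE 1/3 (office subnet, gateway x.x.4.5)
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
!
interface range GigabitEthernet1/0/3 - 24
 description Server ports (hosts use x.x.1.5 as default gateway)
 switchport mode access
 switchport access vlan 1
!
interface range GigabitEthernet1/0/25 - 48
 description Office ports (hosts use x.x.4.5 as default gateway)
 switchport mode access
 switchport access vlan 4
```

With this layout the ASA's GE 1/0 and GE 1/3 stay plain routed interfaces (no trunking or sub-interfaces), and the only thing left to define is the access policy between the office and server interfaces on the ASA.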
11-10-2011 01:55 PM
Hi,
as explained in another thread on this forum, the ASA won't support 2 equal-cost default routes even though there is a Cisco article that says the contrary. You can only use the second route for backup, tracking the primary.
So maybe you should solve this with a routing protocol. I'm gonna take a deeper look at your latest post and if I find a possible solution I'll let you know.
Regards.
Alain
11-10-2011 02:08 PM
Hello Alain,
Thanks for the reply. I'm not trying to use the ASA with 2 default routes, it only has one. I'm sure once you have time to go over my original post, you'll see what I'm trying to accomplish. Again, thanks for taking the time to review it.
-jeff