cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
494
Views
0
Helpful
3
Replies

ASA 5512 configuration question?

unrealone1
Level 1
Level 1

Hi all,

I need to setup a network enviroment, I have the following equipment: ASA 5512-X & 2960-S Series 48-Port

Couple of questions.

See the 4 networks below I want to setup as an example.

Can I set these 4 networks as seperate VLANs from a single Interface on the ASA5512 ?

Can each of these have it's own DHCP for each VLAN?

E.g

Network 1     VLAN100        DHCP     192.168.100.x

Network 2     VLAN200        DHCP     192.168.200.x 

Network 3     VLAN300        DHCP     192.168.300.x

Network 4     VLAN400        DHCP     192.168.400.x

3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Yes, you can configure a Trunk interface on the 2960 switch and ASA5512-X and configure subinterfaces on the ASA for each of the Vlans configured on the 2960.

You can also configure DHCP on the ASA for each of these interfaces. You can have a single DHCP Pool per interface and the DHCP pool maximum size is a /24 subnet.

If we were to presume that you have a blank ASA configuration you could do the following

  • Leave the actual physical interface without configurations unless you want to set the Duplex and Speed settings manually/staticly and perhaps set a description
  • Configure Subinterfaces for each of the Vlans you need

Configurations might for example look like this

interface GigabitEthernet0/1

  description LAN Trunk

interface GigabitEthernet0/1.100

  vlan 100

  description Network 1

  nameif LAN-1

  security-level 100

  ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/1.200

  vlan 200

  description Network 2

  nameif LAN-2

  security-level 100

  ip address 192.168.20.1 255.255.255.0

interface GigabitEthernet0/1.300

  vlan 300

  description Network 3

  nameif LAN-3

  security-level 100

  ip address 192.168.30.1 255.255.255.0

interface GigabitEthernet0/1.400

  vlan 400

  description Network 4

  nameif LAN-4

  security-level 100

  ip address 192.168.40.1 255.255.255.0

Hope this helps

- Jouni

That's excellent many thanks Jouni. One other question.....

I have an Outside interface WAN on the ASA which I would like to plug my 25mb up and down link into.

Is it possible to say throttle bandwidth, e.g. 15mb for vlan100 and then 5mb for vlan 200,300 & 400 ?

Hi,

To be honest I have not configured these on the ASA

But seems to me that the general format of the configuration might be something like this

access-list LAN-1-BANDWITH remark NO RESTRICTION FOR INTERNAL TRAFFIC

access-list LAN-1-BANDWITH deny ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list LAN-1-BANDWITH deny ip 192.168.0.0 255.255.0.0 192.168.10.0 255.255.255.0

access-list LAN-1-BANDWITH remark RESTRICTION FOR EXTERNAL TRAFFIC

access-list LAN-1-BANDWITH permit ip 192.168.10.0 255.255.255.0 any

access-list LAN-1-BANDWITH permit ip any 192.168.10.0 255.255.255.0

class-map LAN-1-BANDWITH

match access-list LAN-1-BANDWITH

policy-map global_policy

class LAN-BANDWITH

  police input 15000000

  police output 15000000

The above presumes that you have the default "policy-map global_policy" existing in the configuration and attached globally with the command

service-policy global_policy global

Maybe you can test it out. I am not sure if the "deny" statements would help you avoid having this limiation between your different LAN networks. My initial test seemed to indicate it worked.

I am not sure how you should do the limiting for the other Vlans. Maybe a combined limit for them or one of the above for each of the Vlans.

Hope this helps

Let me know if it works and remember to mark a reply as the correct answer if it answered your question.

- Jouni

Review Cisco Networking for a $25 gift card