Solved: ASA move from physical to VLAN interfaces

daniel.sandstrom · ‎02-27-2009

I am looking at moving two physical interfaces ( inside,dmz ) to a dot1q trunk on the same firewall.

How would you go ahead to minimize impact on the running configuration?

To my understanding you have to remove "nameif inside" from the physical interface and move this command to the subinterface instead ( eg int Ethernet0/2.10 ).

When removing the inside command I suppose I will lose all my statics and accesslists refering to "inside".

Is this the only way to do it ?

andrew.prince · ‎02-27-2009

Mmmmmm if I were you - I would just move the DMZ. keep the inside interface on the physical port is it now, then just create a sub interface for the DMZ.

Then change the switch port the inside interfaces connects to from an access port to a trunk....that way if you can't get it working right away - you just need to change the switch port back to an access port with minumal disruption.

Or configure the native vlan command to the VLAN the inside interface is associated to, on the switch port - that way in access layer or trunk layer you will always get connectivity to the inside interface.

HTH>

View solution in original post

andrew.prince · ‎02-27-2009

Mmmmmm if I were you - I would just move the DMZ. keep the inside interface on the physical port is it now, then just create a sub interface for the DMZ.

Then change the switch port the inside interfaces connects to from an access port to a trunk....that way if you can't get it working right away - you just need to change the switch port back to an access port with minumal disruption.

Or configure the native vlan command to the VLAN the inside interface is associated to, on the switch port - that way in access layer or trunk layer you will always get connectivity to the inside interface.

HTH>

daniel.sandstrom · ‎02-28-2009

Yup...that worked out fine - good point !

andrew.prince · ‎02-28-2009

np - glad to help.

Thanks for the rating.