Re: ASA with 802.1Q

netadmindetail · ‎03-31-2008

Hi all

I want to know if it's possible (see attachment for detail) to manage multiple subnet within a Layer 3 switch (3750) through a ASA5520 with 802.1Q tagging.

Refering to jpg file; the SQL and ACS subnet are only define in the layer 3 switch The DMZ port on the ASA are not in the SQL or ACS subnet.

It is possible ?

Thank you very much for your help.

srue · ‎03-31-2008

you can let the ASA do your intervlan routing (as well as security between vlans), but you might be better off using the routing capabilities of the 3750 if you don't need much security between vlans.

the ASA can do 802.1q trunking though using subinterfaces with the 'vlan' command.

netadmindetail · ‎03-31-2008

Do I need a particular Software version on my ASA ?

srue · ‎03-31-2008

nope..it's been supported on the ASA since 7.0

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intrface.html#wp1044006

netadmindetail · ‎04-03-2008

Do I need to put subinterface on my inside interface too or just on my DMZ port ?

Does the ASA subinterfaces are trunking 802.1q by defaut ?

Thank you very much

srue · ‎04-03-2008

the ASA's only do dot1q so there's no way to specify encapsulation type.

there are two steps to creating a dot1q trunk...

1. create the subinterface

2. specify the vlan number on subinterface.

- then assign normal interface commands (nameif, security-level, address, description...acls)

eg.

int eth0/2.100

vlan 100

nameif dmz1

security-level 50

ip address 10.1.1.1 255.255.255.0

specify trunking on the switch as you normally would, just make sure you use dot1q and that the vlans you use on the ASA exist on your switch(es)