Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
841
Views
0
Helpful
6
Replies

ASA with VLANs ...... does dot1q actually work ?

Go to solution
mcroft
Level 1
Level 1

‎01-08-2009 07:40 AM - edited ‎03-11-2019 07:34 AM

Hi,

I have a very simple config :

1x ASA5510 firewall and 1x 2950 ethernet switch.

I am trying to get dot1q trunking working between the two, and utlize VLANs through one single physical connection.

This is easy right ?

<--------------ASA------------------->

interface Ethernet3

speed 100

duplex full

nameif DMZ1-TEST

security-level 6

no ip address

!

interface Ethernet3.1

vlan 700

nameif DMZ1-TEST-VLAN700

security-level 6

ip address 172.18.10.1 255.255.0.0

!

interface Ethernet3.2

vlan 701

nameif DMZ1-TEST-VLAN701

security-level 6

ip address 172.19.10.1 255.255.0.0

<------------2950 SWITCH---------------->

interface FastEthernet0/23

description *** UPLINK to ASA TEST ***

duplex full

speed 100

switchport trunk encapsulation dot1q

switchport mode trunk

!

------------------------------------------

However, I cannot see any traffic between the two devices, infact, I am unable to ping the switch from the firewall and visa-versa.

if I do a show int on the firewall, I see ..... "390349 L2 decode drops" THIS IS NOT GOOD I ASSUME !

So, I think there is a problem with the trunk.

Any Ideas or debug I could apply ?

Any help would really be appreciated.

Thank you.

Matt C

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎01-08-2009 08:31 AM

Hi Matt,

have you created the l2 vlans in the switch for the respective FW subinterfaces?

switch

vlan database

vlan 700 name DMZ1-TEST-VLAN700

vlan 701 name DMZ1-TEST-VLAN701

when u place host on a specific switchport conectivity should work .

switch

interface fe0/x

Description PC1_address_172.18.10.30/16

switchport access vlan 700

u should be able from PC ping its default gateway 172.18.10.1

same principle for the other subnet vlan 701

communication between the two subnets can be accomplished with inter-interface command in asa and a nonat excempt acl.

Regards

Jorge Rodriguez

View solution in original post

0 Helpful
6 Replies 6

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎01-08-2009 08:31 AM

Hi Matt,

have you created the l2 vlans in the switch for the respective FW subinterfaces?

switch

vlan database

vlan 700 name DMZ1-TEST-VLAN700

vlan 701 name DMZ1-TEST-VLAN701

when u place host on a specific switchport conectivity should work .

switch

interface fe0/x

Description PC1_address_172.18.10.30/16

switchport access vlan 700

u should be able from PC ping its default gateway 172.18.10.1

same principle for the other subnet vlan 701

communication between the two subnets can be accomplished with inter-interface command in asa and a nonat excempt acl.

Regards

Jorge Rodriguez
0 Helpful

Go to solution
mcroft
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎01-08-2009 03:24 PM

THANK YOU for your help.

I was being an wally, and only created the vlan interface on the switch and not the VLANs itself.

As soon as I read the first two lines of your email ... I knew immediately what I had done.

Silly me.

Thank you for you help. Appreciated !

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to mcroft

‎01-08-2009 03:45 PM

Matt, you are welcome and glad I could help and all is fine I assume, don't forget to rate helpful posts.

Bst Rgds

Jorge

Jorge Rodriguez
0 Helpful

Go to solution
fareed_farooqui
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎04-14-2009 02:23 AM

Hi Jorge

Can PC1 communicate with PC2 which has ip address 172.19.10.34 ....

Will intervlan commnication work with ASA as a L3 device .

Please can you elaborate " communication between the two subnets can be accomplished with inter-interface command in asa and a nonat excem"

I have re4ad somewhere that intervlan communication via the same physical trunk cannot work???

Is that true?

Many Thanks

Fareed

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to fareed_farooqui

‎04-14-2009 03:37 AM

I have re4ad somewhere that intervlan communication via the same physical trunk cannot work???

Hi Fareed, This is not true! , you may have subinterfaces with same sec level same physical trunk, or simply physical interfaces again with same sec level and have communication between the two networks as long you have configured same-security-traffic permit inter-interface statement along with a nonat exempt rule.

Regards

Jorge

Jorge Rodriguez
0 Helpful

Go to solution
fareed_farooqui
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎04-14-2009 03:51 AM

Thanks alot Jorge..

FYI here is the link which was the cause of my confusion.. if you scroll right at the bottom you will see a conclusion with a reference to a TAC case..

I typed these words in google "same-security-traffic permit inter-interface trunk asa"

and 7th result from the top from experts-exchange.com is the link iam referring to..

Regards

Fareed

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card