Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
820
Views
0
Helpful
2
Replies

ASA5510/2960 vlan subinterfaces

Go to solution
churchillma
Level 1
Level 1

‎11-28-2012 08:06 AM - edited ‎03-11-2019 05:29 PM

Hello, I'd like to know if the setup below is a viable configuration for what I'm trying to do.  All of the users are on vlan 1 for data and I created some subinterfaces for other networks to work off of.  Subinterfaces were created for vlans 20,60,200

Here is the switch config

vlan 20

name F5

!

vlan 60

name Guest-Wireless

!

vlan 200

name Lab

!

vlan 999

name BlackHole

interface GigabitEthernet1/0/1

description ASA-Main-Inside

switchport trunk native vlan 999

switchport trunk allowed vlan 1,20,60,200

switchport mode trunk

spanning-tree portfast trunk

The ASA config

interface Ethernet0/1

no nameif

security-level 100

no ip address

!

interface Ethernet0/1.1

vlan 1

nameif Inside

security-level 100

ip address 10.1.1.253 255.255.255.0 standby 10.1.1.252

!

interface Ethernet0/1.20

vlan 20

nameif F5

security-level 0

ip address 10.1.20.1 255.255.255.0 standby 10.1.20.2

!

interface Ethernet0/1.60

vlan 60

nameif Guest

security-level 0

ip address 10.1.60.1 255.255.255.0 standby 10.1.60.2

!

interface Ethernet0/1.200

vlan 200

nameif Lab

security-level 0

ip address 10.1.200.1 255.255.255.0 standby 10.1.200.2

I read one article that mentioned leaving the vlan 1 IP information on the physical interface and leaving the native vlan on the switch as 1 (untagged) but I think from what I'm doing, I'm accomplishing the same thing.

Thoughts?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎11-28-2012 08:12 AM

You configured it the way it should be done. The only thing that is not best practice is the usage of VLAN 1 for users. But the native VLAN should not be used on a security-device. So it's correct to also have a subinterface for that VLAN and not to use a nameif/ip-config under the major interface of the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Karsten Iwen
VIP
VIP

‎11-28-2012 08:12 AM

You configured it the way it should be done. The only thing that is not best practice is the usage of VLAN 1 for users. But the native VLAN should not be used on a security-device. So it's correct to also have a subinterface for that VLAN and not to use a nameif/ip-config under the major interface of the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
churchillma
Level 1
Level 1
In response to Karsten Iwen

‎11-28-2012 08:15 AM

Yeah, I understand about not using vlan 1, just the way it is for now.  Thanks for the reply.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card