11-28-2012 08:06 AM - edited 03-11-2019 05:29 PM
Hello, I'd like to know if the setup below is a viable configuration for what I'm trying to do. All of the users are on VLAN 1 for data, and I created some subinterfaces for other networks to work off of. Subinterfaces were created for VLANs 20, 60 and 200.
Here is the switch config
vlan 20
name F5
!
vlan 60
name Guest-Wireless
!
vlan 200
name Lab
!
vlan 999
name BlackHole
interface GigabitEthernet1/0/1
description ASA-Main-Inside
switchport trunk native vlan 999
switchport trunk allowed vlan 1,20,60,200
switchport mode trunk
spanning-tree portfast trunk
The ASA config
interface Ethernet0/1
no nameif
security-level 100
no ip address
!
interface Ethernet0/1.1
vlan 1
nameif Inside
security-level 100
ip address 10.1.1.253 255.255.255.0 standby 10.1.1.252
!
interface Ethernet0/1.20
vlan 20
nameif F5
security-level 0
ip address 10.1.20.1 255.255.255.0 standby 10.1.20.2
!
interface Ethernet0/1.60
vlan 60
nameif Guest
security-level 0
ip address 10.1.60.1 255.255.255.0 standby 10.1.60.2
!
interface Ethernet0/1.200
vlan 200
nameif Lab
security-level 0
ip address 10.1.200.1 255.255.255.0 standby 10.1.200.2
I read one article that mentioned leaving the vlan 1 IP information on the physical interface and leaving the native vlan on the switch as 1 (untagged) but I think from what I'm doing, I'm accomplishing the same thing.
Thoughts?
11-28-2012 08:12 AM
You configured it the way it should be done. The only thing that is not best practice is the usage of VLAN 1 for users. But the native VLAN should not be used on a security device. So it's correct to also have a subinterface for that VLAN and not to use a nameif/ip-config under the major interface of the ASA.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
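One way to verify the point made in this answer against the two configs in the question (the native VLAN kept off the firewall, no nameif on the physical ASA interface, and every trunked VLAN matched by a tagged subinterface), as an added Python example that is not from the thread. The configs are constructed excerpts of the ones posted above, and the parser is deliberately minimal (it does not expand VLAN ranges in the allowed list).

```python
import re
# Constructed excerpts of the switch trunk and ASA configs posted in the thread.
SWITCH_CFG = """
interface GigabitEthernet1/0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,20,60,200
"""
ASA_CFG = """
interface Ethernet0/1
 no nameif
interface Ethernet0/1.1
 vlan 1
 nameif Inside
interface Ethernet0/1.20
 vlan 20
 nameif F5
interface Ethernet0/1.60
 vlan 60
 nameif Guest
interface Ethernet0/1.200
 vlan 200
 nameif Lab
"""

def parse_asa(cfg):
    # Returns {vlan tag: nameif} for subinterfaces, plus whether the untagged physical interface has a nameif.
    tags, physical_named = {}, False
    for block in re.split(r"(?m)^interface ", cfg)[1:]:
        ifc = block.split("\n", 1)[0]
        name = re.search(r"^ nameif (\S+)", block, re.M)  # " no nameif" does not match
        if "." in ifc:
            tags[int(re.search(r"^ vlan (\d+)", block, re.M).group(1))] = name.group(1)
        elif name:
            physical_named = True
    return tags, physical_named

def check(switch_cfg, asa_cfg):
    # Trunk and ASA must agree on VLANs, and the native (untagged) VLAN must reach neither.
    native = int(re.search(r"native vlan (\d+)", switch_cfg).group(1))
    allowed = {int(v) for v in re.search(r"allowed vlan (\S+)", switch_cfg).group(1).split(",")}
    tags, physical_named = parse_asa(asa_cfg)
    findings = []
    if native in allowed or native in tags:
        findings.append(f"native vlan {native} carries traffic to the ASA")
    if physical_named:
        findings.append("physical ASA interface has a nameif: untagged frames terminate there")
    findings += [f"vlan {v} allowed on trunk but has no ASA subinterface" for v in sorted(allowed - set(tags))]
    findings += [f"ASA vlan {v} ({tags[v]}) is not allowed on the trunk" for v in sorted(set(tags) - allowed)]
    return findings
```

An empty list from check() means the posted configuration is consistent; each finding names one untagged path or VLAN mismatch to fix.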
11-28-2012 08:15 AM
Yeah, I understand about not using vlan 1, just the way it is for now. Thanks for the reply.