Solved: ASA5585-X Switchport Trunk ask security expert

Umit AYDINLI · ‎07-25-2013

Hi, I have ASA5585-X version 9.1 and asdm version 7.1

have alot of diffrent vlans on the asr router. asr router have a subif with vlans. asa 5585 are behind to asr router. want to setting up asa 5585 switch ports trunk mode. is it possible?

Topology are below.

ISP -> Cisco ASR with bgp and subif and gateway for the vlans -> ASA5585 all ip addresses security configrations -> Cisco 6500 aggregations switch -> Cisco 2960 cabinets switchs -> Servers

James Leinweber · ‎07-25-2013

I can't speak to the ASR router configuration, but you can definitely have trunk ports on the ASA side. What has worked for me between 3750 switches and assorted generations of ASA hardware and software is configurations like:

On the switch you set it to mode trunk with negotiation off:

interface GigabitEthernet1/0/38

switchport trunk encapsulation dot1q

switchport trunk native vlan 400

switchport trunk allowed vlan 1,430-435,543-545

switchport mode trunk

switchport nonegotiate

On the ASA you put the parent physical interface into "no shutdown" state and then set up subinterfaces with vlan tags:

interface GigabitEthernet0/3

description trunk port

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.543

description first subinterface

vlan 543

nameif whatever

security-level 80

ip address 192.0.2.1 255.255.255.0

-- Jim Leinweber, WI State Lab of Hygiene

View solution in original post

James Leinweber · ‎07-25-2013