Configuring VLAN asa 5510

javier.fernandez · ‎02-02-2011

Hi all, I can not see the vlan interfaces that I created, I hit settings

cisco asa 5510 bun -k9

Current IP Addresses:
Interface                Name                   IP address      Subnet mask
Method
Ethernet0/0              INSIDE                192.168.0.180   255.255.255.0
CONFIG
Ethernet0/0.201          201                    192.168.4.1     255.255.255.0
manual
Ethernet0/1              ON                      212.97.160.100 255.255.255.224
DHCP
Ethernet0/2              TEL                      10.10.10.1      255.255.255.0
manual
Ethernet0/2.200          200                    192.168.2.1     255.255.255.0
manual
Ethernet0/2.202          prueba5                192.168.3.1     255.255.255.0
manual
Ethernet0/3              ON2                            85.251.33.50    255.255.254.0
DHCP
Management0/0            management             192.168.1.1     255.255.255.0

ASA(config)# #int fastEthernet 0/2
ASA(config)# #interface ethernet 0/2
ASA(config)# #switchport mode trunk
ASA(config)# #switchport trunk allowed vlan 200-202
ASA(config)# #switchport trunk native vlan 5

ASA(config)# #no shutdown

The problem is that these vlan 200 - 201 - 202 does not look, swith it is connected to layer 2 does not have any ideas?

shzaman · ‎02-02-2011

Hi,

It looks like you want to configure trunk and allow three Vlans (200, 201 & 202.... and possibly vlan:5 as well). On ASA5510 correct way of configuring trunk is to create sub-interfaces and configure Vlan on that. The configuration mentioned in your question is used on ASA5505 which has built-in switch. And 'switchport' command is used normally on ASA5505. Following is an example for ASA5510

int eth0/0.1

vlan 200

nameif inside

ip address

security-level

int eth0/0.2

vlan 201

nameif dmz1

ip address

security-level

int eth0/0.3

vlan 202

nameif dmz2

ip address

security-level

Same way you can configure sub-interfaces for other vlans.

Physical interface should be enabled for sub-interfaces to pass traffic. If you don't want physical interface to pass untagged packets then don't configure 'nameif' command on that one. Here is a link for more information

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1082576

I hope this will help.

-Shahid

javier.fernandez · ‎02-03-2011

From what I've read the license does not support trunk mode, this can affect the time to create the vlans?

shzaman · ‎02-03-2011

Hi,

You can check 'show ver' for license information. On ASA5510 you can configure trunk and no. of vlans are 50 for base license and 100 for security plus license. And configuration is done in the way as mentioned in previous post. You may check license requirements on following link

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1096308

You can use 'show run int' command to check interface configuration and see the vlans that are configured on sub-interfaces.If there is something I have missed or unclear then please share 'show ver' and 'sh run int' output with specific question.

By the way on ASA5505 base license doesn't support trunk interface.

I hope this will help.

-Shahid

javier.fernandez · ‎02-03-2011

Supports 50 VLANs but not in trunk mode, this is only for Security Plus License

"This procedure tells how to create a trunk port that can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license."