08-24-2015 01:58 PM - edited 03-11-2019 11:29 PM
Hello,
I need to separate some wireless traffic on an ASA 5520 which is currently hitting our inside network; I would like to move this specific traffic to the DMZ.
Currently I have an interface named DMZ, and I am looking to create a sub-interface so I can protect the inside network from this wireless traffic.
My queries are:
Many Thanks
Tahir
08-24-2015 02:09 PM
If I create a sub-interface under the DMZ interface, will I need to remove the existing DMZ interface to create a sub-interface? (what are the best practices on creating a sub-interface)
If you intend to have several VLANs terminating on the ASA interface then best practice is to move the DMZ to a subinterface with a specified VLAN.
The DMZ interface is an access port on a 3750 switch, which currently allows one VLAN; shall I change this to a trunk port?
Yes, this should be configured as a trunk port, and specify which VLANs are permitted to cross the link by using the switchport access vlan allowed command.
If you have 2 VLANs on one physical port, how will the VLAN traffic be identified?
Not sure what you are trying to get at here. But VLAN traffic is tagged with the VLAN ID when it is sent over the trunk link. Another reason why you should have the DMZ on a subinterface on the ASA.
--
Please remember to select a correct answer and rate helpful posts
08-25-2015 06:28 AM
(shall I change this to a trunk port and allow VLAN315?
If both VLANs are to terminate on the ASA then yes this port should be a trunk.
if I do this how pain-free is it to move the existing rules over to the newly created DMZ sub-interface.
What you should do is take a backup of all configuration that references that interface, since all of this will be removed once you delete the interface. That would include, but might not be limited to, NAT, static routing, ssh / http management, dhcp, access-group, etc.
I suggest you first make a configuration template for this interface and all subsequent commands that reference it, so that once you remove the interface it is a quick job of just pasting the config back in (I am assuming you will not be changing the interface name). This should of course be done in a planned service window and outside of regular working hours.
--
Please remember to select a correct answer and rate helpful posts
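As an added example, not code from this thread or from Cisco: a Python helper that builds the configuration template Marius describes, pulling the interface stanza and every other line that references a given nameif out of a running-config, then rewriting the stanza as the VLAN-tagged subinterface his first answer recommends. The sample config, addresses, object name and VLAN number are placeholders I constructed.

```python
import re

# Constructed sample ASA running-config (placeholder names and addresses, not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.100.0.1 255.255.255.0
object network dmz-web
 host 10.100.0.10
 nat (DMZ,outside) static 203.0.113.10
access-list DMZ_IN extended permit tcp any any eq 443
access-group DMZ_IN in interface DMZ
route DMZ 10.200.0.0 255.255.255.0 10.100.0.254 1
ssh 10.100.0.0 255.255.255.0 DMZ
http 10.100.0.0 255.255.255.0 DMZ
dhcpd address 10.100.0.50-10.100.0.100 DMZ
"""

def interface_block(config, nameif):
    """Return the 'interface' stanza whose nameif matches, or None."""
    for block in re.findall(r"^interface .*?(?=^\S|\Z)", config, re.M | re.S):
        if re.search(rf"^\s*nameif {re.escape(nameif)}\s*$", block, re.M):
            return block.rstrip("\n")
    return None

def referencing_lines(config, nameif):
    """Lines outside the interface stanza that name the nameif as a whole token (nat, route,
    access-group, ssh/http, dhcpd ...): the ASA drops these when the interface is deleted."""
    token = re.compile(rf"(?<![\w-]){re.escape(nameif)}(?![\w-])")
    hits, parent, in_iface = [], None, False
    for line in config.splitlines():
        if not line.startswith(" "):  # new top-level command
            parent, in_iface = line, line.startswith("interface ")
        if in_iface or not token.search(line):
            continue
        # Keep an indented child's parent ('object network' before its 'nat') so the template re-enters that sub-mode.
        if line.startswith(" ") and parent not in hits:
            hits.append(parent)
        hits.append(line)
    return hits

def migration_template(config, nameif, vlan):
    """Rewrite the stanza as a tagged ASA subinterface ('interface <phys>.<vlan>' + 'vlan <vlan>') and append the dependent lines."""
    block = interface_block(config, nameif)
    if block is None:
        raise ValueError(f"no interface with nameif {nameif}")
    head, *body = block.splitlines()
    sub = [f"interface {head.split()[1]}.{vlan}", f" vlan {vlan}", *body]
    return "\n".join(sub + referencing_lines(config, nameif))
```

migration_template(SAMPLE_CONFIG, "DMZ", 100) returns the paste-back text; the VLAN number has to match the one allowed across the 3750 trunk.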
08-25-2015 06:15 AM
Hi Marius,
Appreciate the response.
What I am trying to achieve is to send certain wireless traffic which is picked up by a specific (SSID) into the dmz rather than to the internal network.
At the moment this is working and going to the internal network, and I have been tasked to get this sent to dmz.
On the core switch I have an interface VLAN315 created with no IP address for this specific SSID traffic; there is also a VLAN created for the DMZ, VLAN100, which is sending traffic through on int gig/4/0/19, which is an access port (shall I change this to a trunk port and allow VLAN315?).
You mentioned in your first comment to move the physical DMZ interface to a subinterface; if I do this, how pain-free is it to move the existing rules over to the newly created DMZ subinterface?
Thanks
08-27-2015 02:22 AM
Hi Marius,
Can I send you a private P2P?
Thanks
08-27-2015 03:26 AM
sure