Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
433
Views
8
Helpful
5
Replies

Figure out connected VLAN

noisey_uk
Level 1
Level 1

‎11-28-2015 03:57 PM - edited ‎03-11-2019 11:57 PM

An ASA5515-X is sucessfully connected to a 2960X via an LACP port-channel. Someone has changed the config on the 2960X end of the port-channel so we've no idea which VLANs are being trunked or the IP addresses of the management SVI on said switch. The switch is half way across the world and local resources are not great technically so, clutching at straws, can anyone think of a way of finding out the VLANs/IP involved? I've put this in Firewalling as I'd have thought a debug command on the ASA is the biggest hope...

Labels:
0 Helpful
5 Replies 5

Akshay Rastogi
Cisco Employee
Cisco Employee

‎11-28-2015 09:13 PM

Hi,

You can try your luck with sub-interfaces created on ASA from that port channel. Check the subnet configured on those interfaces. Also check the routes on ASA with 'show route' this would show you connected routes. With this you could get the idea of the subnet connected to it. Also it would show you the next hop for those subnets. As you have mentioned that SVI is configured on switch so i believe that next hop would be the SVI on switch.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

0 Helpful

noisey_uk
Level 1
Level 1
In response to Akshay Rastogi

‎11-30-2015 01:35 AM

Thanks Akshay. I should've clarified in my post - the ASA does not have config on relating to the 2960X - it's a new ASA, connecting to a 2960X which has been taken from another site and someone has changed some of the configuration on it... nightmare!

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-29-2015 06:22 AM

You might be able to ascertain the information by doi ng a packet capture on the ASA inside interface and examining the LACP bits.

You might also get the switch address from the CDP neighbor advertisements. Even though the ASA doesn't participate in CDP per se, it will still see the Layer 2 CDP broadcasts at the packet level.

noisey_uk
Level 1
Level 1
In response to Marvin Rhoads

‎11-30-2015 01:31 AM

Thanks for your input Marvin. Packet capture is half the answer I think as it would rely on configuring the ASA subinterface with the VLAN ID that matches the corresponding switch VLAN... which I don't know. I guess I'm after a more thorough capture capability, like Wireshark, built into the ASA. Might still be a bit of trial and error involved I think. Relieved this is T&M...!

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to noisey_uk

‎11-30-2015 05:31 AM

Noisey,

You only need the subinterface ID in order to complete LACP negotiation. Without it, you will still se the switch's offered VLAN tags on the trunking establishment messages (even though the trunk won't establoish until the ASA matches).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card