Inter-VLAN on ASA5505

Hi,

I'd like to confirm if inter-vlan on ASA5505 can be done. The following will be my setup.

Setup: ISP <> ASA5505 <> Cisco 2960

1) ASA5505 can't configure sub-interfaces, thus if I have 3 VLANs on 2960, then I'll need to have 3 separate trunks to the firewall?

2) If using ASA5510 which can configure sub-interfaces, a single trunk from 2960 will suffice?

3) Inter-VLAN routing can be done via ASA5505, where VLAN1 host can communicate with VLAN2 host (and vice versa)?

Thank you.

Julio Carvajal
VIP Alumni

Hello Danny,

1) You cannot configure subinterfaces due to the fact that the ASA 5505 behaves more like a layer 3 switch... So you can have SVIs and switchports set as access or trunks, but in the end they will behave the same if using a trunk, of course, as the 802.1Q encapsulation will be used.

2) You could configure sub-interfaces and one trunk on the 2960 will do it. You are right.

3) Yes, it can be done. Just create the right SVIs and then create the trunk as required

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi jcarvaja,

Thanks for your reply. Thus, to confirm: if my 2960 will have 3 separate VLANs, I need to have 3 separate physical connections between the 2960 and the ASA5505, one for each VLAN. Is that right?

Regards,

Danny.

Hi,

What is your ASA5505 license?

If you are running the Base License you can't configure Trunks.

Check the "show version" output for information related to the amount of Vlans that can be configured and whether you can configure Trunks.

The Base License would also limit your Vlan amount to 3, of which one of the Vlans would be restricted from forming connections to one of the other Vlans. This however would not stop the other Vlans from connecting to this restricted Vlan.

- Jouni

Also

If you have a license on the ASA that supports Trunking then you could configure a single Trunk between the ASA and the Switch. Though if you want to divide the Vlans to different physical interfaces then you can naturally do that if you want. Though in that case don't configure a single Vlan to multiple Trunks.

If you have the Base License and therefore can't create Trunk interfaces on the ASA then I would suggest configuring an Access Mode port for each Vlan on the Switch and you can then connect those Access Mode ports to the corresponding Vlan Access Mode port on the ASA's side.

- Jouni
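The single-trunk layout described in the replies above, as an added example that is not part of the original thread or any poster's configuration. It assumes an ASA5505 license that permits trunk ports and four VLAN interfaces; the VLAN IDs, interface names (`lan10`, `lan20`, `lan30`), port numbers and addresses are all made up for illustration.

```cisco
! --- ASA 5505 (assumes the license allows trunks and 4 VLAN interfaces) ---
! One SVI per VLAN; the ASA routes and filters between them.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 nameif lan10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 nameif lan20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 nameif lan30
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
! Port facing the ISP (assumed Ethernet0/0) is a plain access port.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! Port facing the 2960 (assumed Ethernet0/1) carries the three LAN VLANs.
interface Ethernet0/1
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 no shutdown
!
! Interfaces with the same security level do not pass traffic to each
! other unless this is enabled.
same-security-traffic permit inter-interface
!
! --- Catalyst 2960 (uplink port assumed GigabitEthernet0/1) ---
vlan 10,20,30
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
```

Hosts in each VLAN use the matching ASA VLAN interface address as their default gateway. Giving the LAN interfaces different security levels instead would require an access list for traffic initiated from the lower level toward the higher one.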

Jouni,

This is just for planning purposes, because the 2960 will have 3 VLANs. If that's the case, the ASA5505 will be able to cater for inter-VLAN routing, but subject to licenses, correct?

Because there is 1 VLAN for the WAN connection and another 3 VLANs for the LAN connections, I will need a total of 4 VLANs running on the ASA5505, right?

Please advise if this can be done.

Thank you.

Hi,

I managed to completely miss the fact that there would naturally be 4 Vlan interfaces on the ASA.

For this you would need the Security Plus license on the ASA5505.

If you have a Base License ASA5505 your "show version" might look something like this:

Partial output

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

As you can see, if you have the Base License then the ASA5505 can't handle the setup of 4 Vlan interfaces.

- Jouni

Hi Jouni,

Thanks for the kind explanation on this.

Regards,

Danny.
