2042 Views, 0 Helpful, 11 Replies

Vlan subinterface on ASA and connection to internet

mahesh18
Level 6

Hi Everyone,

Need to understand the network here.

Say we have an ASA which has a gi0/0 interface, and we make subinterfaces of this, and it has a trunk connection to a switch.

gi0/0.1 outside  vlan 10

gi0/0.2 visitor   vlan 20

gi0/0.3 wi fi    vlan 30

say we have 2 dhcp pools for interface visitor and wi fi.

Say users on visitor dhcp pool has gateway of 192.168

say users on wi fi dhcp pool has gateway of 172.x.x.x

gi 0/0.1 has public ip  address and it has default route to edge router.

ASA--------Switch 1------------switch2-------------edge router ---------ISP

Switch2 is learning about vlans 10,20,30.

But connection between switch2 and edge router carries only vlan40.

Need to understand how users on vlan 20 and 30 reach the edge router and access the internet, as the switch2 port connected to the edge router carries only vlan10 as allowed traffic on the trunk link?

Thanks

Mahesh

2 Accepted Solutions


11 Replies

Julio Carvajal
VIP Alumni

Hello Mahesh,

Are you telling us that the trunk port between switch 2 and 1 only allows packets tagged with an 802.1Q header making reference to vlan 40?

My question actually would be, is that link a trunk or is it an access port?

Cause if it's a trunk it would not be allowed.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Let me check on this

Mahesh

Sure,

keep me posted

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

The trunk between switch 1 and 2 carries all the vlans 10, 20 and 30.

Thanks

Mahesh

Hi Julio,

ASA----------------Trunk vlan 10,20,30 allowed----sw1-------- trunk vlan 10,20,30-------------sw2---------------Trunk only vlan10--edge router

Thanks

Mahesh

Hello Mahesh,

Are you sure it's a trunk you are using between switch 2 and the edge router? Is it not an access port?

Is the ASA the only device performing 802.1Q routing?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Yes, there is a trunk connection to the edge router.

The ASA has only static routes, no routing.

When you say the ASA is the only device performing 802.1Q routing,

what do you mean?

Thanks

Mahesh

Hello Mahesh,

From what I can understand here,

When a host on vlan 20 sends a packet, SW1 or SW2 will receive the traffic with no tags on their access ports.

Depending on the host's destination IP address, the packet will be sent to the ASA, as this is the 802.1Q routing guy in the picture and the default gateway for them.

The ASA has an ARP entry for the IP and MAC address of the ISP router (the default gateway, which is in vlan 10).

When the ASA receives a packet from VLAN 20 that needs to go to an IP address that is unknown to it, it will send it to its default gateway: it checks the IP address and sees that it must go out the vlan 10 interface, so it will tag it with a TAG value of 10. It will then reach SW1 with a TAG of 10, and it will move like this up to the ISP router.

Let me know if I was clear,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Below is my understanding.

Let me know if I am wrong anywhere.

Switch 1 and switch 2 have vlan 20, 30 where users connect their PC and access the internet.

Remember switch 1 and 2 do not have SVI vlan 20 and 30. So when a user connects to an access port in vlan 20 or 30 on switch 1 or 2, the PC gets an IP address from the DHCP pool defined on the ASA, and it has a default gateway of the ASA interface gi0/0.2 or 0.3.

When the user needs to access the internet, traffic goes to ASA interface gi0/0.2 as that's the default gateway for the user PC.

Then the ASA has a default static route that points to the ASA Edge Router.

So traffic from, say, PC to switch 2 is untagged, then from switch 2 to the ASA it goes tagged due to trunking.

Then return traffic from the ASA to the edge router is

ASA to SW1 -----------trunk tagged.

Sw1 to sw2 ----trunk tagged

Sw2 to edge router tagged with vlan 10.

Edge router has 802.1q trunking for vlan 10.

sw2 to edge router comes as tagged, then the edge router removes the vlan 10 tag.

Regards

Mahesh

Hi,

Sounds about right to me Mahesh

Traffic on access ports is not tagged with any Vlan ID

Traffic on Trunk links is tagged with Vlan ID

Finally the traffic arriving to the Edge Router removes the tag.

Naturally the way towards the Internet from there depends on how it's implemented. Usually there are no subinterfaces involved on the customer side equipment.

- Jouni
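As an added illustration of the path Julio described and Mahesh summarised above (not code from the thread or from Cisco), the following model walks one frame from a visitor PC to the edge router: untagged on the access port, 802.1Q-tagged with VLAN 20 on the trunk to the ASA, routed by the ASA's default route out the VLAN 10 subinterface, and untagged again at the edge router. The subnets, the edge-router address and the subinterface names are assumptions, since the thread only gives "192.168..." and "172.x.x.x"; the model covers tagging and the route lookup only, not ACLs, NAT or ASA security levels.

```python
import struct
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

TPID = 0x8100  # 802.1Q tag protocol identifier

# Constructed model of the thread's ASA: gi0/0 subinterfaces keyed by VLAN.
# Addresses are placeholders; the thread only says "192.168..." and "172.x.x.x".
SUBINTERFACES = {10: "outside", 20: "visitor", 30: "wifi"}
ROUTES = [  # (prefix, egress VLAN, next hop or None when directly connected)
    (ip_network("192.168.20.0/24"), 20, None),
    (ip_network("172.16.30.0/24"), 30, None),
    (ip_network("0.0.0.0/0"), 10, ip_address("203.0.113.1")),  # default route to edge router
]

def build_frame(src_ip: str, dst_ip: str) -> bytes:
    """Constructed untagged Ethernet II frame with a minimal IPv4 header, as a PC on an access port sends it."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip_hdr

def tag(frame: bytes, vlan: int) -> bytes:
    """What a trunk port does on egress: insert the 4-byte 802.1Q header after the two MACs."""
    return frame[:12] + struct.pack("!HH", TPID, vlan & 0x0FFF) + frame[12:]

def untag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """What an access port or the edge router does: strip the 802.1Q header if one is present."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vlan, frame[:12] + frame[16:]
    return None, frame

def asa_forward(tagged_frame: bytes) -> Tuple[str, int, bytes]:
    """Router-on-a-stick decision: ingress tag -> subinterface, longest-prefix route on dst IP, re-tag on egress."""
    vlan, frame = untag(tagged_frame)
    if vlan not in SUBINTERFACES:
        raise ValueError(f"VLAN {vlan} has no subinterface on gi0/0; frame dropped")
    dst = ip_address(frame[30:34])  # IPv4 destination: 14-byte Ethernet header + offset 16
    _, egress_vlan, _ = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return SUBINTERFACES[egress_vlan], egress_vlan, tag(frame, egress_vlan)

def visitor_to_internet() -> Tuple[str, int, Optional[int], bytes]:
    """PC (untagged) -> switch trunk (tag 20) -> ASA -> trunk (tag 10) -> edge router strips the tag."""
    pc_frame = build_frame("192.168.20.10", "8.8.8.8")
    ifname, egress_vlan, on_trunk = asa_forward(tag(pc_frame, 20))
    at_edge_vlan, at_edge = untag(on_trunk)
    return ifname, egress_vlan, at_edge_vlan, at_edge
```

The frame that reaches the edge router is byte-identical to what the PC sent, which is why the tag value on the last trunk (10) is all the edge router needs to agree on.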

Hi Jouni,

Thanks again for confirming I am correct.

Regards

Mahesh
