
ASA 5512X and Aruba Switch 1930 L2

Manojy
Level 1

Dear Team,

We recently introduced the Grandstream IP phone to our organization. I created a physical interface on the ASA5512x with an IP address for the phones. The data and voice are on different physical interfaces on the ASA, with data on interface ge0/1 and voice on ge0/2. There are no subinterfaces or VLANs inside the ASA. The data is on 192.168.0.0 and the IP phone is on 192.168.70.0. Both data and voice are accessible both ways. The data and voice are connected on the same Aruba Instant 1930. I created VLAN ID 2 for voice on the Aruba 1930 switch. I would like to know: if I create a trunk port on Aruba switch port 46, which is directly connected to the physical interface of the ASA, Ge0/2, is it workable? Will the Aruba consider it a trunk? Can you please help and assist me with this?

Thank you

Accepted Solutions

Hello


@Manojy wrote:

Yes, you are right. However, I have different switches and need to apply a trunk between Aruba switch and five Linksys switches. All switches are L2.


So the ASA has two interfaces directly connected to the Aruba switch, which has two access ports upstream to the ASA in VLAN 1 and VLAN 2.

Then downstream from the Aruba, you need to have trunk interconnects to the various other L2 switches, allowing VLAN 1/2 to traverse these trunks, and have VLAN 2 created on these other switches. That's it, to be honest. You should have reachability to either host in either subnet via the ASA, as long as the ASA, as already stated by @MHM Cisco World, has "same-security-traffic permit inter-interface" applied to allow traffic to traverse between the same-level interfaces.



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

15 Replies

balaji.bandi
Hall of Fame

If they are separate VLANs, I would expect it to be an access port.

If you are looking to configure it as a trunk, then allow the required VLANs on the Aruba switch.

 

BB


I don't have any VLANs on my ASA; there's only one interface (ge0/2) that connects to an Aruba switch on port 46. I created VLAN ID 2 on the Aruba switch. If I trunk port 46 on the Aruba switch, will it be considered as a trunk? And if I tag my VLAN 2, will it work? My data has a separate physical interface which is ge0/1 to the same switch as Native Vlan by default.

interface GigabitEthernet0/1
nameif insidePlease
security-level 100
ip address 192.168.0.1 255.255.255.0

!
interface GigabitEthernet0/2
nameif ipphone
security-level 100
ip address 192.168.70.1 255.255.255.0

Please see above my config.

 

 

Same security level.

So you need:

same-security-traffic permit intra-interface
same-security-traffic permit inter-interface

You need both commands.

MHM
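
An added example (not part of any poster's reply, and not Cisco's code): a small Python check that reads an ASA running-config, finds named interfaces sharing a security level, and reports whether "same-security-traffic permit inter-interface" is present to let traffic pass between them. The sample config is constructed from the stanzas posted above, the function names are illustrative, and it assumes no interface ACLs are applied.

```python
import re
# Constructed sample modelled on the two interface stanzas posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif ipphone
 security-level 100
 ip address 192.168.70.1 255.255.255.0
!
same-security-traffic permit inter-interface
"""

def parse_interfaces(config):
    """Return {nameif: security_level} for every named interface stanza."""
    levels, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            nameif = None                      # new stanza, forget the old name
        elif m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m.group(1))
    return levels

def audit_same_security(config):
    """List interface pairs at equal security level and whether the ASA forwards between them."""
    permitted = any(
        line.strip() == "same-security-traffic permit inter-interface"
        for line in config.splitlines()
    )
    levels = parse_interfaces(config)
    names = sorted(levels)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if levels[a] == levels[b]:         # same level: needs the global permit
                findings.append((a, b, levels[a], "forwarded" if permitted else "blocked"))
    return findings

if __name__ == "__main__":
    for a, b, lvl, state in audit_same_security(SAMPLE_CONFIG):
        print(f"{a} <-> {b} (level {lvl}): {state}")
```

A "forwarded" result between a voice and a data interface means the two segments are separated only at Layer 2 on the switches, so any filtering between them has to come from ACLs on the ASA.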

 

Yes, it's already there and working.

My only question is: without having VLANs on the ASA, will the Aruba switch ports be trunked and applied?

I have already assigned VLAN 2 for voice on the Aruba switch, which is my L2 switch. The ASA interface is directly connected to port 46 of the Aruba, and if I trunk that port, will it be considered trunked?

 

 

A trunk is used in two cases:

1- The FW uses VLANs

2- The FW uses subinterfaces

Both cases above make the FW aware of the tagged frames.

If not, then you need two links and to configure access ports (not trunk).

MHM

Hi,

Both data and voice have a separate link to the Aruba switch. On the Aruba, port number 46 is dedicated to ASA Ge0/2, which is my voice IP. When I edit port 46 on the Aruba switch to allow trunk, I get two options, trunk as Static or LACP. What do you recommend, as I don't see any access port in the Aruba?

Please advise.

 

If you use two links, why do you need a trunk?

Sorry, I ask a lot, but I don't get the idea here.

MHM

Two links, one for data and one for voice. ASA interface Ge0/1, which is my data network, is connected to one port on the Aruba switch. The second interface, Ge0/2 of the ASA, which is my voice network, is connected to port 46 of the same Aruba switch. Aruba switch port 46 should be untagged as an access port, and the IP PBX also needs to be untagged to allow the link between them, and tag all the rest of the ports of VLAN 2 in the Aruba, which is my voice, to the default native VLAN (data).

In this way VLAN 2 will be voice, with data on the native VLAN, and trunk ports between switch and switch to pass traffic. I believe this method should work. Please suggest and advise.

Manojy
Level 1

Dear All,

The ASA interface going to the Aruba switch has been untagged and all the rest of the ports on the switch are tagged, and the IP phones are up and running.

The only issue is I am not able to ping the 192.168.70.1 ASA interface from my host PC 192.168.0.65.

What can be the issue?

 

 

Can you draw the topology?

Thanks a lot

MHM

Hello


@Manojy wrote:

I don't have any VLANs on my ASA; there's only one interface (ge0/2) that connects to an Aruba switch on port 46. I created VLAN ID 2 on the Aruba switch. If I trunk port 46 on the Aruba switch, will it be considered as a trunk? And if I tag my VLAN 2, will it work? My data has a separate physical interface which is ge0/1 to the same switch as Native Vlan by default.

interface GigabitEthernet0/1
nameif insidePlease
security-level 100
ip address 192.168.0.1 255.255.255.0

!
interface GigabitEthernet0/2
nameif ipphone
security-level 100
ip address 192.168.70.1 255.255.255.0

Please see above my config.

Yes, it will work just as an access port; no need for a trunk.



Aruba
vlan 2 name ASA
int 1/46
untagged vlan 2
no shut



 



Kind Regards
Paul

Dear Paul,
Thanks for the solution. I did the same setup on the Aruba switch, untagged VLAN 2 and tagged all ports, and it's up and running. Now the network is separated, and the only concern is that I want to allow ICMP traffic to 192.168.70.1 from host PC 192.168.0.65, which is currently not working. How can I allow ICMP traffic through commands? Please assist.

Regards

Manoj

Hello
Why do you have all other ports "tagged"? Unless you are trunking, you do not require any Aruba ports to be tagged. ONLY untagged ports are required in their respective VLAN, be it VLAN 1, 2 or whatever VLAN you have running.

Please remember a (trk x) in Aruba is a static aggregated link (EtherChannel) or dynamic (trk x lacp); for a normal di hole trunk you just need to tag and untag a port.



Kind Regards
Paul

Hi,

Yes, you are right. However, I have different switches and need to apply a trunk between Aruba switch and five Linksys switches. All switches are L2.

 
