Solved: 5506-X Vlanning when there is no vlan 1

Dean Romanelli · ‎07-16-2018

Hi All,

I have an ASA 5506-X. I know this isn't the firewalling forum but this is more of an IP set up question:

I need to configure the LAN facing port of the 5506 with an IP address that is on vlan 50, not vlan 1. There is no vlan 1. This means that the physical interface itself will not have a zone assignment or IP address, but rather the only zone assignment and IP address will live on the sub-interface alone, like below:

interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.50
desc To_LAN
vlan 50
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0

Is this possible, or does the physical interface that would presumably belong to the vlan 1 subnet if it existed need to have a zone and IP address assigned to it in order to sub-interface off of it?

Richard Burts · ‎07-16-2018

What you have posted should work just fine. There is no requirement to have an IP address, or zone assignment, or security level on the physical interface if you do not intend to use the native vlan on the trunk connecting the ASA to the switch.

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎07-16-2018

What you have posted should work just fine. There is no requirement to have an IP address, or zone assignment, or security level on the physical interface if you do not intend to use the native vlan on the trunk connecting the ASA to the switch.

HTH

Rick

HTH

Rick

Dean Romanelli · ‎07-16-2018

Thank you Richard.

I've implemented it as such but it looks like I cannot ping across the directly connected interface. The provider is delivering the service via Q-in-Q, so the directly connected interface is currently set up in trunk mode. I've examined my config and I do not see any discrepancy, so I am wondering if they need to set their port to access mode and tag it to match my vlan instead of trunk mode.

Richard Burts · ‎07-16-2018

The original question was whether the physical interface needed any configuration to be able to configure and use vlan sub interfaces. I am confident that the answer is that the physical interface does not require any configuration to be able to use vlan sub interfaces. If you are not able to ping over the interface then we need to look for some problem other than configuring something on the physical interface. I do not see any reason why the ASA would have a problem with the provider using Q-in-Q. Am I correct in assuming that your ASA connects directly to the provider device? What is on the other end of the provider Q-in-Q? Can you verify with that device that vlan 50 is carried on their trunk and that vlan 50 is not the native vlan?

I do not understand your comment about setting their interface to access mode and tagging it. In access mode would it not just send untagged frames? Can they do Q-in-Q with an access port?

Perhaps the output of show interface and of show arp might help us understand what is going on.

HTH

Rick

HTH

Rick

Dean Romanelli · ‎07-16-2018

Hi Rick,

Yes, the provider has gone back to check their configurations. The far end is a Cisco 6509 I believe. My thought was perhaps if they changed their connecting port to access mode and and tagged it with vlan 50 (i.e. make it not a trunk any longer), we'd be able to communicate, but to be honest I don't know much about Q-in-Q, so I don't even know if that is possible.

In any case, the ISP has just come back and said they had a config error on their end. It appears to be working now on the configuration you approved above.

Thanks very much for your help as always.

Richard Burts · ‎07-16-2018

Thanks for the update. I am glad to know that it appears to be working now and that the issue was configuration error in the provider network. That makes sense and I am glad that the configuration you suggested and that I agreed with does work.

HTH

Rick

HTH

Rick