I currently have an ASA5505 with the base license (no trunk ports allowed). The ASA is currently functioning as my router, DHCP server, and VPN device to work. I would like to add a Cisco wireless AP that will serve up two SSIDs (a private SSID and a "guest" SSID). I want the private SSID to be on the same VLAN as my other devices (computers, servers, printers, and have access to the split tunnel VPN). I want to limit the guest SSID to simply have access to the Internet. Below would be the network configuration:
Cisco ASA 5505
(192.168.1.1) - VLAN 1
(192.168.1.2) - VLAN 1 - Management
(192.168.10.1) - VLAN 10 - Private Network
(192.168.20.1) - VLAN 20 - Guest Wireless Network
The Cisco AP will have the SSIDs tied to VLAN 10 and 20. The switch port will have VLAN 10 untagged and VLAN 20 tagged.
I believe I need the Security Plus license to enable trunking on the ASA so that I can pass VLAN 10 and 20 to the ASA and then use an ACL to block VLAN 20 from the private network and the VPN tunnel.
Is there a way I can use the switch's SVI to eliminate the need for the Security Plus license on the ASA? I know the new Cisco 2960S switches have the capability to do Layer 3 static routing. Thanks.
As far as I know, 2960S switches don't support L3 at all, just L2.
The easiest way would be to enable trunking on the ASA, create the VLANs on all devices (switch, AP and ASA), connect all of them with a trunk connection and let the ASA do the routing, and also create the ACL on the ASA to regulate the inter-VLAN routing and the Internet access.
If you had an L3 switch you could connect the AP with a trunk and let the switch do the routing, and create a routed port for the connection to the ASA, so the path to the ASA would be routed and the other connection to the AP would be switched.
From what I have read, the new 2960S switches have the capability to do Layer 3 static routing with up to 16 static routes. See below:
I can confirm that the 2960S will do L3 as defined above. You need to run the sdm prefer lanbase-routing global configuration command to set the Switch Database Management (SDM) feature to the routing template.
There is a Cisco config guide "Configuring Static IP Unicast Routing" for the 2960 which has a little throwaway section about needing to run this command.
Hope that helps.
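A worked switch-side configuration for the layout in the original post, added here as an example and not posted by anyone in the thread: the switch takes over as the default gateway for VLAN 10 and 20, the ASA keeps seeing only VLAN 1, and the guest ACL lives on the switch. Assumptions: the switch reuses 192.168.1.2 as its VLAN 1 address, the 2960S interface names and the support for an inbound router ACL on an SVI under the lanbase-routing template, and the work-side VPN subnet, which the thread never gives and is left as a placeholder.

```cisco
! --- Catalyst 2960S (LAN Base) ---
! Step 1: select the routing SDM template (the command discussed above), then reload
configure terminal
 sdm prefer lanbase-routing
end
write memory
reload
! Step 2 (after the reload): enable routing, build the SVIs, one static route, guest ACL
configure terminal
 ip routing
 vlan 10
  name Private
 vlan 20
  name Guest
 interface Vlan1
  ip address 192.168.1.2 255.255.255.0
 interface Vlan10
  ip address 192.168.10.1 255.255.255.0
 interface Vlan20
  ip address 192.168.20.1 255.255.255.0
  ip access-group GUEST-IN in
 ! Guest hosts may reach the Internet but not the private LAN, the ASA-side subnet,
 ! or the work network behind the split-tunnel VPN
 ip access-list extended GUEST-IN
  deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
  deny   ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
  deny   ip 192.168.20.0 0.0.0.255 <WORK_VPN_SUBNET> <WILDCARD_MASK>
  permit ip 192.168.20.0 0.0.0.255 any
 ! One of the 16 available static routes: everything else goes to the ASA
 ip route 0.0.0.0 0.0.0.0 192.168.1.1
 ! AP-facing port: VLAN 10 untagged (native), VLAN 20 tagged, as in the original post
 interface GigabitEthernet1/0/1
  description AP uplink
  switchport mode trunk
  switchport trunk native vlan 10
  switchport trunk allowed vlan 10,20
 ! ASA-facing port stays an access port in VLAN 1, so no trunk is needed on the base license
 interface GigabitEthernet1/0/2
  description ASA inside
  switchport mode access
  switchport access vlan 1
end
! --- ASA 5505 side: return routes, since the ASA only knows the VLAN 1 subnet ---
! route inside 192.168.10.0 255.255.255.0 192.168.1.2
! route inside 192.168.20.0 255.255.255.0 192.168.1.2
```

The ASA's NAT and split-tunnel VPN configuration also has to reference 192.168.10.0/24 rather than 192.168.1.0/24 once the private hosts move. DHCP for the routed VLANs is not covered here, because the ASA's built-in DHCP server only hands out addresses on its directly connected interface subnet.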
That's interesting, didn't know that. So you just need the LAN Base feature set in order to do routing?
So if the switch can do routing, you could do it as mentioned above.