05-21-2012 07:10 PM - edited 03-07-2019 06:49 AM
I currently have an ASA5505 with the base license (no trunk ports allowed). The ASA is currently functioning as my router, DHCP server, and VPN device to work. I would like to add a Cisco wireless AP that will serve up two SSIDs (a private SSID and a "guest" SSID). I want the private SSID to be on the same VLAN as my other devices (computers, servers, printers, and have access to the split tunnel VPN). I want to limit the guest SSID to simply have access to the Internet. Below would be the network configuration:
Private Network
192.168.10.x
Guest Network
192.168.20.x
Cisco ASA 5505
(192.168.1.1) - VLAN 1
Cisco 2960
(192.168.1.2) - VLAN 1 - Management
(192.168.10.1) - VLAN 10 - Private Network
(192.168.20.1) - VLAN 20 - Guest Wireless Network
The Cisco AP will have the SSIDs tied to VLAN 10 and 20. The switch port will have both VLAN 10 untagged and VLAN 20 tagged.
I believe I need the Security Plus license to enable trunking on the ASA so that I can pass VLAN 10 and 20 to the ASA and then use ACLs to block VLAN 20 from the private network and the VPN tunnel.
Is there a way I can use the switch's SVI to eliminate the need for the Security Plus license on the ASA? I know the new Cisco 2960S switches have the capability to do Layer 3 static routing. Thanks.
Dave
05-31-2012 11:44 PM
Hi David,
As far as I know 2960S switches don't support L3 at all, just L2.
The easiest way would be to enable trunking on the ASA, create the VLANs on all devices (switch, AP and ASA), connect all of them with a trunk connection and let the ASA do the routing, and also create the ACL on the ASA to regulate the inter-VLAN routing and the Internet access.
If you had an L3 switch you could connect the AP with a trunk and let the switch do the routing, and create a routed port for the connection to the ASA, so the way to the ASA would be routed and the other connection to the AP would be switched.
06-01-2012 03:51 AM
From what I have read, the new 2960S switches have the capability to do Layer 3 static routing with up to 16 static routes. See below:
06-01-2012 06:12 AM
David,
I can confirm that the 2960S will do L3 as defined above. You need to run the sdm prefer lanbase-routing global configuration command to set the Switch Database Management (SDM) feature to the routing template.
There is a Cisco config guide "Configuring Static IP Unicast Routing" for the 2960 which has a little throw away section about needing to run this command.
Hope that helps.
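The approach in this answer, written out as a complete 2960S configuration. This is an added example, not configuration posted by anyone in the thread: it uses the addressing from the original question (ASA at 192.168.1.1, SVIs 192.168.1.2 / 192.168.10.1 / 192.168.20.1, AP port with VLAN 10 untagged and VLAN 20 tagged) and assumes interface names GigabitEthernet1/0/1 and 1/0/2, the ACL name GUEST-IN, and a placeholder for the work network reached over the ASA's VPN, none of which appear in the thread. The guest isolation the question asks for is enforced on the switch at the first routed hop, so the ASA never has to see VLAN 20 as a separate interface and the base license is enough.

```cisco
! Catalyst 2960-S, LAN Base image (added example; interface names and ACL name are assumptions)
!
! Step 1: select the routing SDM template. This takes effect only after
! "write memory" and "reload"; confirm afterwards with "show sdm prefer".
sdm prefer lanbase-routing
!
! Step 2: enable IP routing and create the SVIs from the thread.
ip routing
!
vlan 10
 name Private
vlan 20
 name Guest-Wireless
!
interface Vlan1
 description Management and link to ASA inside (192.168.1.1)
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 description Private network (wired hosts and private SSID)
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 description Guest wireless, Internet only
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Step 3: one static route (of the 16 available) sends everything to the ASA.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Step 4: guest policy, evaluated before the packet is routed.
! Deny the private VLAN, the management/ASA VLAN and the work network
! behind the VPN; permit anything else (i.e. the Internet via the ASA).
ip access-list extended GUEST-IN
 remark guests may talk to their own gateway (DHCP, ping)
 permit ip 192.168.20.0 0.0.0.255 host 192.168.20.1
 remark block private and management subnets
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark block the remote work network reached over the ASA VPN (PLACEHOLDER - fill in)
 deny   ip 192.168.20.0 0.0.0.255 WORK_VPN_NETWORK WORK_VPN_WILDCARD
 remark everything else is Internet-bound
 permit ip 192.168.20.0 0.0.0.255 any
!
! Step 5: AP port - VLAN 10 untagged (native), VLAN 20 tagged.
interface GigabitEthernet1/0/1
 description Cisco AP (private SSID = VLAN 10, guest SSID = VLAN 20)
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
!
! Step 6: uplink to the ASA stays a plain access port in VLAN 1,
! so no trunk (and no Security Plus license) is needed on the ASA.
interface GigabitEthernet1/0/2
 description ASA5505 inside
 switchport mode access
 switchport access vlan 1
```

Two things the switch side cannot do on its own. First, the ASA needs return routes for the new subnets, for example `route inside 192.168.10.0 255.255.255.0 192.168.1.2` and the same for 192.168.20.0/24, and its NAT and inside access rules have to cover those subnets (the exact NAT syntax depends on the ASA software version, so it is not shown). Second, keep the VPN's interesting-traffic (crypto) ACL and split-tunnel list limited to 192.168.10.0/24 and 192.168.1.0/24: the switch ACL is the primary control, and the ASA not carrying guest addresses over the tunnel is the second layer if that ACL is ever misconfigured. Also note that the ASA's DHCP pool serves its directly connected 192.168.1.0/24 interface, so hosts in VLAN 10 and 20 need a DHCP source that can serve those subnets (the switch's own `ip dhcp pool` or a server reached via `ip helper-address`). Whether `ip access-group` is accepted on an SVI in your LAN Base image should be checked against the 2960-S ACL configuration guide; if it is not, a VLAN access-map on VLAN 20 can express the same deny/permit policy.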
06-03-2012 11:43 PM
That's interesting. Didn't know that. So you just need the LAN Base feature set in order to do routing?
So if the switch can do routing, you could do it as mentioned above.