Buy or Renew
Buy or Renew
COMING SOON: Umbrella and Secure Access release notes are coming to Cisco Community. The community will be in read-only August 16 – 19. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2159
Views
0
Helpful
4
Replies

ASA 5505 and Cisco 2960S Routing

AMD_GAMER
Level 1
Level 1

‎05-21-2012 07:10 PM - edited ‎03-07-2019 06:49 AM

I currently have an ASA5505 with the base license (no trunk ports allowed). The ASA is currently functioning as my router, DHCP server, and VPN device to work. I would like to add a Cisco wireless AP that will serve up two SSID's (a private SSID and a "guest" SSID). I want the private SSID to be on the same vlan as my other devices (computers, servers, printers, and have access to the split tunnel VPN). I want to limit the guest SSID to simply have access to the Internet. Below would be the network configuration:

Private Network

192.168.10.x

Guest Network

192.168.20.x

Cisco ASA 5505

(192.168.1.1) - VLAN 1

Cisco 2960

(192.168.1.2) - VLAN 1 - Management

(192.168.10.1) -VLAN 10 - Private Network

(192.168.20.1) -VLAN 20 - Guest Wireless Network

The Cisco AP will have the SSID's tied to VLAN 10 and 20. The switch port will have both VLAN 10 untagged and VLAN 20 tagged.

I believe I need the Security Plus license to enable trunking on the ASA so that I can pass VLAN 10 and 20 to the ASA and then use ACL to block VLAN 20 to the private network and the VPN tunnel.

Is there a way I can use the switch's SVI to eliminate the need for the Security Plus license on the ASA? I know the new Cisco 2960S switches have the capability to do Layer3 static routing. Thanks.

Dave

Labels:
0 Helpful
4 Replies 4

flokki123
Level 3
Level 3

‎05-31-2012 11:44 PM

hi david,

as far as i know 2960S switches dont support L3 at at all, just L2.

the easiest way would be to enable trunking on the ASA create the vlans´s on all devices (switch, ap and asa), connect all of them with a trunk connection and let the ASA do the routing and also create the ACL on the ASA to regulate the inter-vlan routing and the internet access.

if you had an L3 switch you could connect the AP with a trunk and let the switch do the routing, create a routed port for the connection to the ASA, so the way to the ASA would be routed and the other connection to the AP would be switched.

0 Helpful

AMD_GAMER
Level 1
Level 1
In response to flokki123

‎06-01-2012 03:51 AM

From what I have read, the new 2960S switches have the capability to do Layer 3 static routing with upto 16 static routes. See below:

http://www.cisco.com/en/US/products/ps6406/index.html

0 Helpful

jonathan.kent
Level 1
Level 1
In response to AMD_GAMER

‎06-01-2012 06:12 AM

David,

I can confirm that the 2960s will do L3 as defined above. You need to run

sdm prefer lanbase-routing global configuration command to set the Switch Database Management (SDM) feature to the routing template.

There is a Cisco config guide "Configuring Static IP Unicast Routing" for the 2960 which has a little throw away section about needing to run this command.

Hope that helps.

0 Helpful

flokki123
Level 3
Level 3
In response to AMD_GAMER

‎06-03-2012 11:43 PM

thats interesting. didnt know that. so you just need the lan-base feature set in order to do routing?

so if the switch can do routing, you could to it as mentioned above.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card