Solved: Re: ASA/SubInterfaces/VLAN/Trunking Question

losbanosit · ‎12-13-2010

I currently have a 3750 connected to my ASA 5520 on the "inside" interface. I would like to introduce 2 subinterfaces on the ASA "inside" interface and trunk the switchport. I believe I have done this, but I am not able to ping from the ASA to a client computer on a new vlan off a downstream switch. Here is what I have. ASA interface is 192.168.52.1 --> Cisco 3750 is 192.168.52.248 --> Cisco 2960 is 192.168.52.249 --> Cisco 2950 is 192.168.52.250. I created the VLANs with 192.168.20.1(VLAN20) and 192.168.30.1(VLAN30), these are showing up on all three switches and I am able to PING between all switches. I cannot get outside to the internet, and also I cannot ping the subinterface IPs that I created on the ASA (192.168.20.1 and 192.168.30.1).

I trunked the swithport that goes up to the ASA, but the configuration is as follows:

interface GigabitEthernet1/0/2
switchport access vlan 3
switchport trunk encapsulation dot1q
switchport mode access
spanning-tree portfast

I believe my problem is with a misconfiguration on the Gig 1/0/2 interface. Please confirm what my configuration would have to be in order to maintain the

original traffic, and introduce the new networks (192.168.20.X and 192.168.30.X). What do I have wrong here?

The help from the community is appreactiated!!

JG

Reza Sharifi · ‎12-13-2010

Your switch port is not trunked

configure the 3750 as follows and try again

interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,30
switchport mode trunk
end

C3750-E(config-if)#

HTH

Reza

View solution in original post

Reza Sharifi · ‎12-13-2010

Your switch port is not trunked

configure the 3750 as follows and try again

interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,30
switchport mode trunk
end

C3750-E(config-if)#

HTH

Reza

losbanosit · ‎12-13-2010

Perfect, thanks for the reply.

Will this still allow the native (not sure how to reference it) or VLAN3 (192.168.52.X) traffic to continue to pass? The new networks are intended to be my "test" environments, while the production network is actually on that interface as 192.168.52.1 currently. I was reading about the "nameif" command and got a little confused.

I knew something looked strange about that configuration

Thanks Reza,

JG

Reza Sharifi · ‎12-13-2010

If you want to use vlan 3 as native vlan, you can add it to the config. see below:

Current configuration : 168 bytes
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 3
switchport trunk allowed vlan 20,30
switchport mode trunk
end

C3750-E(config-if)#

losbanosit · ‎12-13-2010

If I run the commands in the following manner, will I have any network downtime or outage? I'd like to do this ASAP....

conf t

int gig1/0/2

switchport trunk native vlan 3

switchport mode trunk

switchport trunk allowed vlan 20,30

wr mem

Just curious if I have all the commands in order to complete this.

The above should take my current config of:

interface GigabitEthernet1/0/2
switchport access vlan 3
switchport trunk encapsulation dot1q
switchport mode access
spanning-tree portfast

To:

interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 3
switchport trunk allowed vlan 20,30
switchport mode trunk

Correct?

JG

Reza Sharifi · ‎12-13-2010

I would do it during an outage window. That will give you also sometimes to test it to make sure every thing is working

losbanosit · ‎12-13-2010

I agree, but there is ALWAYS someone "in the office" around here!

Thanks for your time and input. I'll post my results in hopes it can help someone else with a similar configuration issue.

JG

losbanosit · ‎12-14-2010

Just to follow up, the configuration that Reza recommended worked perfectly. I now am able to see all

traffic between the firewall and the switches.

Thank you for your time Reza!

JG