ASA VLANs connected to Switch Trunk

Cody Ridge
Level 1

Hello,

I am using an ASA5510 configured with redundant interface pairs and multiple VLAN sub-interfaces, having different security levels. 

The VLANs and sub-interfaces will need to pass traffic between subnets.

I have added the same-security-traffic permit intra-interface command as well as the necessary static NATs / ACLs.

From the ASA I will connect to core switches configured as trunk ports. 
The primary ASA redundant interface will connect to Switch A and the secondary will connect to Switch B.

Below is a brief outline of some of the subnets configured and interfaces.

ASA

interface GigabitEthernet0/2
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
speed 1000
duplex full
no nameif
no security-level
no ip address

interface Redundant1
description redundant interface group 1 members
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Redundant1.5
vlan 5
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Redundant1.10
vlan 10
nameif lan1
security-level 99
ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
!

interface Redundant1.15
vlan 15
nameif lan2
security-level 50
ip address 192.168.12.1 255.255.255.0 standby 192.168.12.2

My question involves properly configuring the VLANs on the switch trunk ports for tagged traffic.

For example, on Switch A gig0/5 will connect to gig0/2 on the ASA. 
Switch A will need to accept and pass traffic from and bound for VLANs 5, 10, 15.

An inside client on the network behind the core switch with an IP of 192.168.10.50 will need to
pass traffic to a LAN2 client with an IP of 192.168.12.50.

Would the gig0/5 port on Switch A simply need to be configured as a trunk port allowing VLANs 5, 10, 15?

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 5,10,15

Are there any additional native VLAN, trunking, or tagging requirements on either the ASA or the switch?

Thank you.

2 Replies

Reza Sharifi
Hall of Fame

Hi,

On the switch side your configuration is correct. As for the native VLAN, in your case you are using the default VLAN (1) for untagged traffic.

HTH

Reza

Hi,

Q: Would the gig0/5 port on Switch A simply need to be configured as a trunk port allowing VLANs 5, 10, 15?

A: Yes, it has to be configured this way.

Q: Are there any additional native VLAN, trunking, or tagging requirements on either the ASA or the switch?

A: Tagged packets: the ASA and the switch can handle tagged packets on VLAN 5, VLAN 10 and VLAN 15.

    Untagged packets: the switch still sends untagged packets (VLAN 1) out to the ASA because of the native VLAN (802.1Q). You have not assigned a "nameif" on the physical interface or the redundant interface on the ASA, so the ASA won't pass untagged packets. This is a good thing to do though.

HTH,

Toshi
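The two answers above boil down to three checks a practitioner would want to run before cabling the trunk: every VLAN the ASA tags on a sub-interface must be in the trunk's allowed list, none of those VLANs may be the trunk's native VLAN (it would leave the switch untagged, and the ASA has no nameif on the physical or redundant interface to receive untagged frames), and the sample flow from the inside client to the LAN2 client must be permitted by the ASA's security-level policy. The script below is an added example, not code from the thread or from Cisco; it parses the sub-interface and trunk text quoted in the thread (embedded here as constructed sample input) and applies the ASA default inter-interface rules (higher to lower security level permitted, lower to higher needs an ACL, equal levels need same-security-traffic permit inter-interface, hairpin on one interface needs permit intra-interface). The function names and the `allowed`/`native` defaults (all VLANs, native VLAN 1, the IOS defaults) are the example's own assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the ASA sub-interfaces and switch trunk stanza from the thread.
ASA_CONFIG = """
interface Redundant1.5
vlan 5
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Redundant1.10
vlan 10
nameif lan1
security-level 99
ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
!
interface Redundant1.15
vlan 15
nameif lan2
security-level 50
ip address 192.168.12.1 255.255.255.0 standby 192.168.12.2
"""

SWITCH_TRUNK = """
interface GigabitEthernet0/5
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 5,10,15
"""


def parse_asa_subinterfaces(text):
    """Return {vlan_id: {"vlan", "nameif", "level", "network"}} for each tagged sub-interface."""
    subifs, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface ") and "." in line:   # sub-interface stanza begins
            current = {}
        elif current is None:
            continue
        elif line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            parts = line.split()
            current["network"] = ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        if current and {"vlan", "nameif", "level", "network"} <= current.keys():
            subifs[current["vlan"]] = current   # stanza complete; store under its VLAN tag
            current = None
    return subifs


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '5,10,15' or '5-7,10' into a set of ints."""
    vlans = set()
    for item in spec.replace(" ", "").split(","):
        if "-" in item:
            lo, hi = item.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif item:
            vlans.add(int(item))
    return vlans


def parse_trunk(text):
    """Return (allowed_vlans, native_vlan); defaults assume IOS (all VLANs allowed, native 1)."""
    allowed, native = set(range(1, 4095)), 1
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"switchport trunk allowed vlan\s+(add\s+)?(.+)$", line)
        if m:
            vlans = expand_vlan_list(m.group(2))
            allowed = (allowed | vlans) if m.group(1) else vlans
            continue
        m = re.match(r"switchport trunk native vlan\s+(\d+)$", line)
        if m:
            native = int(m.group(1))
    return allowed, native


def check_trunk(subifs, allowed, native):
    """Findings that would break tagged traffic between the ASA and the trunk; [] means consistent."""
    findings = []
    for vlan in sorted(subifs):
        name = subifs[vlan]["nameif"]
        if vlan not in allowed:
            findings.append(f"VLAN {vlan} ({name}) is tagged on the ASA but not allowed on the trunk")
        if vlan == native:
            findings.append(f"VLAN {vlan} ({name}) is the trunk native VLAN: it arrives untagged, "
                            "which the ASA drops because no physical/redundant interface has a nameif")
    return findings


def flow_policy(subifs, src_ip, dst_ip, permit_inter=False, permit_intra=False):
    """Classify a flow by the ASA default security-level policy (NAT/ACL contents not modelled)."""
    def locate(ip):
        return next((s for s in subifs.values() if ip_address(ip) in s["network"]), None)
    src, dst = locate(src_ip), locate(dst_ip)
    if src is None or dst is None:
        return {"verdict": "unknown-host"}
    result = {"src": src["nameif"], "dst": dst["nameif"]}
    if src is dst:
        result["verdict"] = "hairpin-permit" if permit_intra else "hairpin-denied"
    elif src["level"] > dst["level"]:
        result["verdict"] = "permit-by-default"
    elif src["level"] < dst["level"]:
        result["verdict"] = "acl-required"
    else:
        result["verdict"] = "same-level-permit" if permit_inter else "same-level-denied"
    return result


if __name__ == "__main__":
    subifs = parse_asa_subinterfaces(ASA_CONFIG)
    allowed, native = parse_trunk(SWITCH_TRUNK)
    print("trunk findings:", check_trunk(subifs, allowed, native) or "none")
    print("inside -> lan2:", flow_policy(subifs, "192.168.10.50", "192.168.12.50"))
    print("lan2 -> inside:", flow_policy(subifs, "192.168.12.50", "192.168.10.50"))
```

Run as-is it reports no trunk findings, the inside-to-LAN2 flow as permitted by default, and the reverse direction as needing an ACL on lan2. Changing the constructed trunk text to `switchport trunk native vlan 5` or dropping 15 from the allowed list produces a finding, which is the misconfiguration the second reply warns about.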