Solved: Jon,Thanks , appreciate the

jsaxon747 · ‎07-14-2015

Hi,

I'm new to implementing VLANs and wondering how VLAN functionality works between our ASA 5505 VLAN capability and switches with VLAN capability. Currently we do not have VLAN capable switches so wondering if VLAN capable switches are necessary/preferred to work with the ASA 5505 to create the VLAN. Or put another way: can we create VLANs on the ASA 5505 and keep our non-VLAN switches?

As a secondary question, given our physical layout with some offices having just 4 port switches for a desktop and laptop, do we need to have VLAN capable switches for the ENTIRE network or can we use non-VLAN switches if all devices on the switch are assigned to the same VLAN? In other words, a mix of VLAN and non-VLAN switches.

Thanks,

Jon Marshall · ‎07-14-2015

You don't need vlan capable switches necessarily for this to work.

On the 5505 you assign ports into vlans. So if you assign a port into a specific vlan and then connect a non capable vlan switch to that port the ASA should juts assume all traffic is in the same vlan.

As long as you configure them as access ports ie. not trunks, then I can't see why it wouldn't work because there are no vlan tags.

What it does mean though is that you wouldn't be able to connect one switch to two ports on the ASA and these ports are in different vlans because the switch has no way of distinguishing between vlans.

So for each different vlan you would need a dedicated port on the ASA and a dedicated switch connecting to that port and only clients in that vlan could be connected to that switch.

Not sure what you are asking with your second question. If only need one vlan you don't need switches that support multiple vlans although the vast majority of switches do support multiple vlans these days

Just to add I haven't done the above ie. used non vlan switches but as long as you use access port configuration on the ASA I can't see why it wouldn't work with the above caveats.

Jon

View solution in original post

Jon Marshall · ‎07-14-2015

You don't need vlan capable switches necessarily for this to work.

On the 5505 you assign ports into vlans. So if you assign a port into a specific vlan and then connect a non capable vlan switch to that port the ASA should juts assume all traffic is in the same vlan.

As long as you configure them as access ports ie. not trunks, then I can't see why it wouldn't work because there are no vlan tags.

What it does mean though is that you wouldn't be able to connect one switch to two ports on the ASA and these ports are in different vlans because the switch has no way of distinguishing between vlans.

So for each different vlan you would need a dedicated port on the ASA and a dedicated switch connecting to that port and only clients in that vlan could be connected to that switch.

Not sure what you are asking with your second question. If only need one vlan you don't need switches that support multiple vlans although the vast majority of switches do support multiple vlans these days

Just to add I haven't done the above ie. used non vlan switches but as long as you use access port configuration on the ASA I can't see why it wouldn't work with the above caveats.

Jon

jsaxon747 · ‎07-15-2015

Jon,

Thanks , appreciate the explanation.

Vince

CIsco ASA 5505 -- VLAN Implementation