Hi,

Owen Mould · ‎08-31-2016

I have a new c3850-24P-S and a new 5506 firewall. I have created three VLANs on the switch, each with its own /24 IP network:

vlan 123: 172.16.10.0/24

vlan 234: 172.16.20.0/24

vlan 345: 172.16.30.0/24

Port 24 is a trunk connected to the 5506's Inside interface.

I put 172.16.10.1 on the 5506's Inside interface, but a host on the switch's vlan 123 couldn't reach it.

I tried making a subinterface (Inside.123) and putting 172.16.10.1 on that instead. Still no joy.

I can plug a properly-addressed host directly into the Inside interface when it's configured without a VLAN and get out to the internet.

The piece I can't figure out is how to get from the VLAN environment on the switch to the non-VLAN environment on the firewall.

Should I create a fourth VLAN to run a transit net between the switch and the firewall? That seems like madness....

Thanks,

sarathpa · ‎08-31-2016

Hi,

I believe you have not mapped the dot 1q vlan mapping with the sub-interface.

Eg:

interface gigabitethernet 0/1
  no nameif
  no security-level
  no ip address
  no shutdown
interface gigabitethernet 0/1.1
  vlan 101
  nameif inside
  security-level 100
  ip address 192.168.6.6 255.255.255.0
  no shutdown

Steven Williams · ‎09-01-2016

is the 5506 licensed to do sub interfaces? I know back in the day with 5505's without security plus you could only have 3 vlans. And you would need to use VRF's downstream to accomplish more than that.

sarathpa · ‎09-01-2016

Hi,

I believe license is not required to create sub-interface on the ASA.

How to connect 3850 with VLANs to 5506?