Hey Jon,

Thanks for your reply.  Your answer seems simple enough and in theory correct to me.  I have been now trying to get it to work.  So far my DATA VLAN can connect to the next hop gateway but my VOICE VLAN cannot.  At this point I am still trying to troubleshoot.  I believe it should work, perhaps you have some feedback?

ip dhcp excluded-address 192.168.4.1 192.168.4.63
ip dhcp excluded-address 192.168.1.1 192.168.1.63
ip dhcp pool vlan20
   network 192.168.1.0 255.255.255.0
   dns-server .... ....
   default-router 192.168.1.1
!
ip dhcp pool vlan30
   network 192.168.4.0 255.255.255.0
   dns-server .... ....
   default-router 192.168.4.1
! 
interface GigabitEthernet1/0/6
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 20
 spanning-tree portfast
!

.....

interface GigabitEthernet1/0/21
 switchport mode trunk
!

....

interface GigabitEthernet1/0/47
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/48
 switchport mode access
 switchport voice vlan 20
 spanning-tree portfast
!
interface Vlan20
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan30
 ip address 192.168.4.2 255.255.255.0
!

Thanks,

Joe

Joe

It's not clear what the above configuration is from ?

Can you explain exactly what the next hop gateway is, how you have connected the switch to it ie. what ports on the switch and the gateway, what testing you are doing and what is and isn't working.

Jon

Jon,

The above configuration is from my 2960S switch.  On my switch I have 2 VLANS.  VLAN 20 is a VOICE VLAN and VLAN 30 is a regular DATA VLAN.  I have several switch ports configured to use both VLANS.  Based on your idea on port 47 I made it a switch port access port for VLAN 30 and on port 48 I made it a switch port access voice VLAN 20 port.  These ports have an ethernet cable plugged into them which go directly to the corresponding ASA port which is the next hop gateway.

I also have DHCP enabled on my switch which provides the default-router information.  So any device plugging into the configured VLAN 20 and VLAN 30 ports should retrieve an IP that relates to the correct network and it should have connectivity.  My previous configuration I had a router between the ASA and the router port was a router on a stick configuration with virtual interfaces and I used a switch trunk port to connect to the router and with that I had everything working.  However, new requirements came out and now I am removing the router and going directly to the ASA from the switch which I assume should be no problem but currently only DATA works and anything going to the phones are not working.  

Does that provide better information?

Thanks,

Joe

Joe

Thanks, that helps.

It sounds like an issue with the ASA then.

From your configuration it looks like the default gateway for each vlan is the ASA interface IP which makes sense.

Can you confirm that ?

If so what exactly isn't working ie. is it internet access or is it communication between the vlans.

Note for communication between the vlans using an ASA with separate interfaces you need extra configuration ie. it will not just automatically route between those two vlans.

Jon

So I am not actually using the ASA now.  I have a linux IPfire firewall running which is simulating the ASA for test purposes.  The reason why I am not actually using the ASA is because it is locked down with unknown credentials for the time being.  However, as I said before when I placed my cisco 2921 in the middle of my switch and the firewall the connection worked.  Matter of fact I even gave an interface on the router its own IP address of 192.168.1.1 and tried to connect from the switch to the router "ping" and that did not even work.

On the firewall I am running tcpdump and I try to ping from the switch I do not see the pings.  However, I do see ARP requests from a test phone with IP of 192.168.1.64 "so I know DHCP for VOICE is working" and I see ARP requests from the switch but there is no actual connection.  So at this point I am just trying to understand VOICE VLAN better.

Joe

Hey Jon,

Just to let you know that might of been the answer I was looking for.  I think I was just overly frustrated and missed it but currently I am at home VPNd to my test environment and making that change I know now I can ping both VLAN gateways, I can call my test phone and it sounds like it is ringing and I can see some VOIP traffic going through the firewall so that seems to be working.  However, I believe I connected a workstation behind the phone which was working in my previous router on a stick configuration and that machine has not yet obtained an IP so I might have to further test it once I get back to the office.  Either way it looks like you caught a pretty major problem I had.  I'll get back to you once I know for sure.

Thanks for your help,

Joe

Joe

No problem and please feel free to come back if it still isn't working properly.

Jon

Everything is working the way I hoped.  Thanks again Jon!