Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1090
Views
1
Helpful
10
Replies

Multiple VLAN access problems between switch and firewall

Go to solution
cemrecanaltinel
Level 1
Level 1

‎11-30-2023 07:31 AM - edited ‎11-30-2023 07:33 AM

One of my customers has the following situation: In the connections between the Switch and the ASA firewall, all VLANs are not connected to the firewall with a single trunk port, separate access VLAN ports are configured for each VLAN and each port is connected to the firewall with a physical cable. In the current situation. There are no free ports left on the firewall, and a separate interface is used for each VLAN. They want me to add a new VLAN from the switch to the firewall without interrupting the existing traffic. I need to add another VLAN to one of the existing access ports. For example, my interface configuration for VLAN 20 on the switch is;
interface GigabitEthernet1/0/2
description "Uplink to ASA 5508-X Firewall Port Mgmt"
switchport access vlan 20 
 the configuration of the firewall port opposite it;                                                                                                                            interface GigabitEthernet1/2
description tyu Interface
nameif tyu
security-level 100
ip address 172.26.20.250 255.255.255.0
They want the existing connections not to be interrupted. Now my question is; If I add the switchport trunk native vlan 30 command to add gig1/0/2 vlan 30 on the switch;
interface GigabitEthernet1/0/2
description "Uplink to ASA 5508-X Firewall Port Mgmt"
 switchport access vlan 20,                                                                                                                                                        switchport trunk native 30                                                                                                                                                              and vlan 30 in the firewall with subinterface
interface GigabitEthernet1/2.30
vlan 30
nameif art
security-level 0
ip address 172.26.30.250 255.255.255.0.                                                                                                                                           In this way, will the clients and servers using both vlan 20 and vlan 30 continue to work without interrupting the traffic? Or should I trunk the switchingig1/0/2 port and configure vlan 20 and vlan 30 as allowed vlan? Could you help me ?Can I use both access vlan and native trunk vlan on one port?

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to cemrecanaltinel

‎12-01-2023 04:41 AM

When you move from access port to Trunk port the configuration chagnes.

you will have only switchport trunk and allowed VLAN 20,30 and you can have native vlan command 30

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful

Go to solution
Turn2
Level 1
Level 1
In response to cemrecanaltinel

‎12-01-2023 05:15 AM

The native VLAN thing tells the switch what to do with any frames that arrive on the port without a tag. For example when you define a native VLAN on a trunk, you tell the port that any untagged frames arriving on that port should be switched to that specific VLAN, without really caring about what VLAN it may have actually come from.

So if you were to also define a access VLAN on the port, you would have a conflict. When an untagged frame arrives, should the port move the frame to the trunk native VLAN, or the access native VLAN? It would have no way to tell. Therefore, you can't do it.

View solution in original post

0 Helpful

Go to solution
Richard Pidcock
Level 1
Level 1

‎12-01-2023 06:00 AM

You won't get through these changes without at least a minor disruption when you reconfigure one of the interfaces from an access port to a trunk port.  I think your best option is to get your changes prepared and then get an agreed upon maintenance window where you can make the changes and tolerate the brief disruption.  I agree with @balaji.bandi , establish your trunk between the FW and switch and you will future proof yourself for future requirements.

Richard W. Pidcock

View solution in original post

0 Helpful
10 Replies 10

Go to solution
MHM Cisco World
VIP
VIP

‎11-30-2023 07:35 AM

You use two link between sw and asa

One is access for mgmt 

Other is trunk that allows some vlan But must not be allow mgmt vlan(vlan20) in trunk

That config is work 

But you should care about the routing in SW.

0 Helpful

Go to solution
cemrecanaltinel
Level 1
Level 1
In response to MHM Cisco World

‎12-01-2023 01:22 AM

Thanks for it,it make sense but I am curious about that question; Is there an explanation of how I can config both access and trunk native vlan  at the same time on a switch interface?                                                                                                                  switchport access vlan 20,                                                                                                                                                        switchport trunk native 30, like this is possible?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to cemrecanaltinel

‎12-01-2023 01:32 AM

 

Just to clarify the issue 

You have two interface in FW and two interface in sw' 

One interface connect like trunk 

Other interface connect like access port (from sw side)

If that correct 

If above correct I think I get why you are confused.

In this case fw can not send two untag frame through two link

You need to make in FW interface connect to access port of sw router port not vlan port.

Router port dont care about the tag.

MHM

0 Helpful

Go to solution
cemrecanaltinel
Level 1
Level 1
In response to MHM Cisco World

‎12-01-2023 06:51 AM

I have 2 connections between fw and switch and both have access connections. I do not have a trunk connection and I need to trunk one of my access connections. My problem is, can I do this without any interruption, but I understand that this is not possible

Go to solution
MHM Cisco World
VIP
VIP
In response to cemrecanaltinel

‎12-01-2023 07:45 AM

@cemrecanaltinel wrote:

I have 2 connections between fw and switch and both have access connections. I do not have a trunk connection and I need to trunk one of my access connections. My problem is, can I do this without any interruption, but I understand that this is not possible

It possible' why not?

How you config your FW?

Share config 

MHM

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎11-30-2023 09:02 AM

You sure going to have small network intruption, when you making this changes.

If the downtime agreed for 1 or 2 VLAN, suggest to bring port-channel between Firewall and Switch, so you can use sub-interface and also furture expansion, also you can consolidate exiting VLAN in to new port-channel free other ports.

if that is not the case you want to use single port for now.

then you need to convert Switch port in to Trunk and use SVI on the Switch side.

on the firewall, configure sub-interface for different VLAN with dot1q trunking.

example :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/general/asdm-76-general-config/interface-vlan.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
cemrecanaltinel
Level 1
Level 1
In response to balaji.bandi

‎12-01-2023 01:20 AM

thanks for your suggestion.I will take your advice  but what I'm really curious about is this;Is it possible , Is there an explanation of how I can config both access and trunk native vlan  at the same time on a switch interface?                                                                switchport access vlan 20,                                                                                                                                                        switchport trunk native 30, like this is possible?

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to cemrecanaltinel

‎12-01-2023 04:41 AM

When you move from access port to Trunk port the configuration chagnes.

you will have only switchport trunk and allowed VLAN 20,30 and you can have native vlan command 30

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Turn2
Level 1
Level 1
In response to cemrecanaltinel

‎12-01-2023 05:15 AM

The native VLAN thing tells the switch what to do with any frames that arrive on the port without a tag. For example when you define a native VLAN on a trunk, you tell the port that any untagged frames arriving on that port should be switched to that specific VLAN, without really caring about what VLAN it may have actually come from.

So if you were to also define a access VLAN on the port, you would have a conflict. When an untagged frame arrives, should the port move the frame to the trunk native VLAN, or the access native VLAN? It would have no way to tell. Therefore, you can't do it.

0 Helpful

Go to solution
Richard Pidcock
Level 1
Level 1

‎12-01-2023 06:00 AM

You won't get through these changes without at least a minor disruption when you reconfigure one of the interfaces from an access port to a trunk port.  I think your best option is to get your changes prepared and then get an agreed upon maintenance window where you can make the changes and tolerate the brief disruption.  I agree with @balaji.bandi , establish your trunk between the FW and switch and you will future proof yourself for future requirements.

Richard W. Pidcock
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card