I'm setting up a small network for the office. This is my 2nd 5506-X. The first one was set up without much of a problem since I had an L3 switch handling all the traffic. This time I have a different setup with unmanaged switches for each VLAN.
The connectivity goes:
ISP gateway--> GE1/1 of 5506
GE1/2 of 5506--> Unmanaged switch for inside Data traffic
GE1/3 of 5506--> Unmanaged switch for inside Voice traffic
GE1/8 of 5506--> to Managed Access Point which supports VLANs
Management VLAN 5 (Subnet: 192.168.5.254/24)
Data VLAN 10: (Subnet: 10.10.10.254/24)
Voice VLAN 20: (Subnet: 10.10.20.254/24)
Guest VLAN 30: (Subnet: 10.10.30.254/24) for guest Wi-Fi (only access points; no physical connectivity required for this VLAN).
DHCP and DNS will be handled by ASA for each VLAN.
I want to configure GE1/2 as the Data VLAN, GE1/3 as the Voice VLAN and GE1/8 as a trunk.
I tried many things and read many things without any luck. I also found out that the ASA 5506-X doesn't have switchport capabilities. How can I make this work with the hardware I have?
Any help will be greatly appreciated.
As you already know, the new 5506-X series firewalls don't support switching/trunking capabilities.
Since you are using a physical interface per VLAN/subnet, your design should work. If you need to have multiple VLANs on one of the physical interfaces, you may want to try using sub-interfaces.
Thanks for the quick response.
If I use a physical interface per VLAN, yes, it will work. So I configured the physical interfaces as follows (GE1/1 = outside, GE1/2 = Data, GE1/3 = voice):

 interface GigabitEthernet1/1
  description ISP (ComCast) connection
  nameif outside
  ip address dhcp setroute
 interface GigabitEthernet1/2
  nameif Data
  ip address 10.10.10.254 255.255.255.0
 interface GigabitEthernet1/3
  nameif voice
  ip address 10.10.20.254 255.255.255.0
 !
 ! DHCP server on the ASA for each inside interface; DNS/domain copied from the outside DHCP lease
 dhcpd auto_config outside
 dhcpd address 10.10.10.26-10.10.10.200 Data
 dhcpd dns 18.104.22.168 22.214.171.124 interface Data
 dhcpd enable Data
 dhcpd address 10.10.20.26-10.10.20.200 voice
 dhcpd dns 126.96.36.199 188.8.131.52 interface voice
 dhcpd enable voice
 !
 ! PAT everything leaving on outside to the outside interface address
 object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
 ! may not be needed
 nat (Data,outside) after-auto source dynamic any interface
 ! may not be needed
 nat (voice,outside) after-auto source dynamic any interface
 !
 dns domain-lookup outside
 dns server-group DefaultDNS
  name-server 184.108.40.206 outside
  name-server 220.127.116.11 outside
 same-security-traffic permit inter-interface
 same-security-traffic permit intra-interface
Now, how can I configure the access point connected to physical interface G1/8 so that I can have access to all networks/VLANs (Data, Voice, Guest Wi-Fi) over Wi-Fi? It doesn't let me configure the sub-interfaces with the same names, as the names are already defined under the physical interfaces (GE1/2 & GE1/3), and where can I add a sub-interface for the Guest VLAN?
I'm very confused about the multiple vlans and sub-interfaces. Please advise.
I am not sure what type of APs and wireless controller you have, but I was thinking that you connect the APs and the controller to a switch and then connect the switch to the firewall. Now, since you can't do VLANs on the firewall, I was thinking you can maybe create 2 sub-interfaces. Say G1/8 is where the switch is connected and you need 2 subnets (say 10.10.50.0/24 for internal Wi-Fi and 10.10.60.0/24 for guest Wi-Fi). So, something like:
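An added example of the sub-interface approach described in the reply above (not the reply's own config, nor the original poster's): G1/8 carries an 802.1Q trunk to the VLAN-capable AP, with one routed sub-interface per SSID. The VLAN IDs 50 and 60, the nameifs wifi and guest, the DHCP ranges and the DNS placeholders are assumptions; the subnets are the ones the reply suggests.

```cisco
! Added example, not from the thread. VLAN IDs, nameifs and DHCP ranges are assumed.
! The physical port carries the trunk only: no nameif/IP of its own.
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Internal Wi-Fi SSID: tagged VLAN 50 on the AP, 10.10.50.0/24 (assumed VLAN ID)
interface GigabitEthernet1/8.50
 vlan 50
 nameif wifi
 security-level 100
 ip address 10.10.50.254 255.255.255.0
!
! Guest Wi-Fi SSID: tagged VLAN 60, 10.10.60.0/24, lower security level (assumed VLAN ID)
interface GigabitEthernet1/8.60
 vlan 60
 nameif guest
 security-level 10
 ip address 10.10.60.254 255.255.255.0
!
! Guest clients get Internet only. Deny the internal subnets explicitly
! before the permit, so isolation does not depend on security levels alone.
object-group network INTERNAL_NETS
 network-object 192.168.5.0 255.255.255.0
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.50.0 255.255.255.0
access-list GUEST_IN extended deny ip any object-group INTERNAL_NETS
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
!
! DHCP per sub-interface. DNS1_PLACEHOLDER / DNS2_PLACEHOLDER stand for the
! resolver addresses handed to clients (placeholders, replace before use).
dhcpd address 10.10.50.26-10.10.50.200 wifi
dhcpd dns DNS1_PLACEHOLDER DNS2_PLACEHOLDER interface wifi
dhcpd enable wifi
dhcpd address 10.10.60.26-10.10.60.200 guest
dhcpd dns DNS1_PLACEHOLDER DNS2_PLACEHOLDER interface guest
dhcpd enable guest
```

The existing nat (any,outside) dynamic interface rule already covers both new subnets, and the same-security-traffic permit inter-interface line lets wifi (level 100) reach Data and voice only if those interfaces are also at level 100. The AP side must tag each SSID with the matching VLAN ID, since an untagged frame on G1/8 matches no sub-interface and is dropped.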
Only one AP, so no controller is needed in this application. Also, the switches I have are unmanaged and can't do VLAN tagging, so the sub-interfaces won't work here. I will play with this and if it still doesn't work, I will connect the AP directly to the Data switch and have only the Data and guest networks configured, with L2 isolation on the AP.
Thank you very much.
Still open for help from anyone on this.