VLAN Routing between Sub-int and physical port

petercrowe
Level 1

All,

I've been tasked with breaking up a network that has run out of IP's, and have decided to use VLANs to accomplish this. I have to use an ASA5510 to accomplish all the routing between hosts in different VLANs.

Firewall: ASA5510

Switch: Linksys SRW2048

Physical topology: PC -> VLAN 99 -> SRW2048 - trunk -> ASA5510

Switch Setup:

Port 48 is trunked to the ASA eth0/0 interface, with VLAN 99 and VLAN 20 tagging packets, VLAN 1 Untagged. Hosts hooked up to appropriate ports on Switch.

ASA5510 Setup:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
interface Ethernet0/0.99
 nameif IT
 security-level 100
 ip address 192.168.99.1 255.255.255.0
interface Ethernet0/0.20
 nameif Accounting
 security-level 100
 ip address 192.168.20.1 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

static (inside,IT) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (IT,inside) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
static (IT,Accounting) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
static (inside,Accounting) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Accounting,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Accounting,IT) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

As you can see, they've already assigned an IP and name to the physical port. I've configured subinterfaces on it, but am having trouble getting them to see each other, or more importantly the 192.168.1.x subnet. The important part is to get VLANs 20 & 99 to talk to the servers in the default (1) VLAN, since the DHCP server is there, and I need to DHCP-relay client requests from the 20 & 99 VLANs to this "main" subnet.

Is it possible to run this sort of VLAN setup, or will I have to move the current eth0/0 name, security and IP to a sub-int (eth0/0.1)? Would I then name this VLAN 1 to reduce configuration on the switches? Is that allowed?

Essentially, if it's necessary, how easy is it going to be to turn off the nameif and IP address on the physical interface and move them down into one of the sub-ints? There are a TON of other configuration entries (NATs, ACLs etc.) on the switch, all including the "inside" interface name. If I keep that name and move it to a sub-int, will everything still work and just now point to a sub-int instead of the eth0/0 port?

I hope I have explained everything clearly. I'm a quickly advancing newbie to VLANs and ASAs.

Thanks much!

Accepted Solution

Collin Clark
VIP Alumni

The interface 'root' should not have any configuration. You should move that info down to the VLAN 1 subinterface:

interface Ethernet0/0
 no nameif
 no ip address
interface Ethernet0/0.1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0


2 Replies

Thanks for your answer Collin. I sort of knew that, but I thought I could get it to work the way it is now.

My question remains. What effect will this have on the rest of the devices configuration? This firewall is now functioning and in production.

Do the interface name "inside" and all the configuration entries *move* with it? It may seem like a silly question, but I come from a Microsoft background, and something as simple as changing the name of something can have dramatic consequences.

When I create this sub-int and I name it "inside", will all the other settings (NATs, access lists etc.) get repointed from the root to the sub-int? In other words, are they simply looking for the interface name "inside", no matter where it is on the interface (logical or physical)?

A follow-up question: to maintain the VLAN 1 default settings on the switches, can I apply VLAN 1 to the eth0/0.1 interface, or does that break some kind of "rule"?

My nerves very much appreciate your answers.
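The migration that the accepted answer and the follow-up questions are about, written out as an added example; this is not configuration from the original thread or from Collin Clark's reply, and it fills in the pieces the posted config leaves out. Two caveats first. An ASA subinterface forwards nothing until it has a `vlan <id>` command, and the posted config shows none on either subinterface; the subinterface number (`.1`, `.99`, `.20`) is only a label, so `Ethernet0/0.1` carries VLAN 1 because of `vlan 1`, not because of its name. Second, the ASA delivers untagged frames to the physical interface, never to a subinterface, so once `Ethernet0/0` loses its `nameif`, VLAN 1 has to arrive tagged on the trunk from the SRW2048. That means changing the trunk's native (untagged) VLAN to an otherwise unused one, which also removes the usual double-tagging VLAN-hopping path. The DHCP server address 192.168.1.10 and the native VLAN 999 are assumptions, not values from the thread. Do the change from the console rather than over `inside`, and capture `show running-config` beforehand: the NAT and ACL statements reference the nameif string, so compare every `inside` reference afterwards instead of assuming it survived. Note also that the posted identity statics for `inside` use 192.168.2.0 while the interface sits on 192.168.1.0/24; check which is intended before reusing them.

```text
! Switch side (Linksys SRW2048, port 48): trunk to the ASA with VLANs 1, 20 and 99
! all TAGGED. Native/untagged VLAN set to 999 (assumed, unused). VLAN 1 must no
! longer be the untagged VLAN on this trunk, or the ASA will never see it on .1.
!
! ASA 5510 side. Physical interface: up, but with no name and no address.
interface Ethernet0/0
 no nameif
 no ip address
 no shutdown
!
! VLAN 1 (the existing "inside" network) now lives on a subinterface.
! The vlan command, not the ".1" suffix, binds the subinterface to VLAN 1.
interface Ethernet0/0.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.99
 vlan 99
 nameif IT
 security-level 100
 ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/0.20
 vlan 20
 nameif Accounting
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! Equal security levels need this to route between the three networks.
same-security-traffic permit inter-interface
!
! DHCP relay: client broadcasts from IT and Accounting are forwarded to the
! DHCP server on the inside subnet (192.168.1.10 is an assumed address).
dhcprelay server 192.168.1.10 inside
dhcprelay enable IT
dhcprelay enable Accounting
!
! Verification after the change (run from the console session).
show interface ip brief
show running-config interface
show running-config | include inside
show dhcprelay statistics
```

Order matters because two interfaces cannot carry the same nameif at once: save the running config to a file, retag VLAN 1 on the switch trunk (VLAN 1 hosts lose the ASA until the next step), then on the ASA console remove the nameif and address from `Ethernet0/0`, create `Ethernet0/0.1` with `vlan 1` and `nameif inside`, diff the `inside` references against the saved copy, and only then `write memory`.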