03-06-2014 08:11 AM
Hi all -
I'm trying to find out whether an ASA 5505 can do the following things, and what type of license might be required in order to do that:
- Provide multiple subnets/Vlans, with a port on the 5505 in 802.1q trunk mode so that a wireless AP can see all Vlans.
- Provide an L2L VPN tunnel to an ASA5520, such that _all traffic_ from two or more Vlans/subnets would be transported across the VPN, while another Vlan (Guest Internet) would not be passed through the VPN and would go directly to the ISP.
- what licensing is required to provide trunking on a port of the ASA, and provide multiple Vlans?
The idea is that the ASA 5505 would be at a remote site.
One Vlan at that site would be the "corporate" network, and one Vlan would be the Guest Internet.
The corporate Vlan would need to have all packets to and from that Vlan sent across the VPN, including public Internet access from the corporate PC.
The Guest Internet Vlan would not transit the VPN at all, and would be sent directly to the ISP (cable Internet access)
A Meraki AP would be connected to a trunk port on the ASA, providing public WiFi, and also corporate WiFi.
The subnets used by those SSIDs would be the Vlans defined on the ASA for corporate and public traffic.
Note that this is NOT "split tunnel" in the traditional sense, where the remote corporate PC would only send corporate-interesting-traffic
over the VPN and the corporate PC would access the Internet directly.
The intent is that the Internet-bound traffic from the corporate PC would be sent over the VPN to go through a web-content filter in the corporate datacenter,
and guest Internet traffic would not be sent back to the corporate datacenter.
Solved! Go to Solution.
03-06-2014 10:54 AM
The ASA 5505 should be able to do what you describe as your requirements. It would require the Security Plus license to support trunking and full functionality for multiple VLANs.
This link may provide additional details that would be helpful to you.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/specs.html
HTH
Rick
03-06-2014 10:54 AM
The ASA 5505 should be able to do what you describe as your requirements. It would require the Security Plus license to support trunking and full functionality for multiple VLANs.
This link may provide additional details that would be helpful to you.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/specs.html
HTH
Rick
03-06-2014 11:36 AM
Thanks Richard!
It looks like that Business Vlan/Home Vlan is exactly the topology I'm looking for too -
One question -
Can I do what I'm wanting to do with the Base license, aside from the idea of a trunk port?
I can test my design that way, without being able to have a wireless AP with full dual Vlan support.
From what I read, I should be able to meet the following goals with a Base license:
- Business Vlan
- Home (Guest Internet) Vlan
- L2L VPN carrying all traffic from the Business VLAN back and forth between the Corporate network on the 5520 end
- Guest wireless on the Home (Guest internet ) Vlan using a Meraki AP (for example)
The only limitation in the Base license would be that I could not combine those two Vlans as a trunk on the switchport where the AP is, in order to provide for corporate AND guest wireless using the same AP and the matching Vlans for each type of traffic, correct?
Everything else should work - as I read it.
thanks, Tim
03-06-2014 02:39 PM
Tim
On the ASA5505 with the base license 2 of the vlans are full function and one of the vlans is limited. I think it should work for you, but want to make sure that the limitation has been considered.
HTH
Rick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide