Trunking on ASA

Unanswered Question
Jun 13th, 2007

Hi all,

Have a question about trunking on an ASA5510. Here is my setup.

3Com switch VLAN300 = ports 5-8 and VLAN301 = ports 9-12. I have both VLANs trunked to port 13.

ASA5510 VLAN300 on ethernet0/3.300 and VLAN301 on ethernet0/3.301. Port 13 on the 3Com switch is attached to ethernet0/3 on the ASA. I assume the next step would be to trunk the two VLANs to ethernet0/3?

I tried to run the following commands:

ciscoasa(config)# interface ethernet0/3
ciscoasa(config-if)# switchport mode trunk

but I get an "Error: % Invalid input detected at '^' marker." The ^ is pointing to the switchport command. Any ideas?

Thanks for your help.

chris.lepa Wed, 06/13/2007 - 11:28


You must do this:

asa(config)#int eth0/3
asa(config)#no shut
asa(config)#int eth0/3.300
asa(config-if)#encapsulation dot1q 300
asa(config-if)#ip add
asa(config-if)#no shut
asa(config)#int eth0/3.301
asa(config)#encapsulation dot1q 301
asa(config-if)#ip add
asa(config-if)#no shut

Hope that helps. Please rate if it does.


EvolutionVI Thu, 06/14/2007 - 06:21

Hi Chris,

Thanks for the info. I tried the command "encapsulation..." but it came up with the same error.

I was doing more research and apparently the ASA will automatically trunk the physical interface if more than 1 VLAN is added on that interface. hmm...

One more question, I'm trying to get the two VLANs to communicate with each other but I'm having difficulties... here's my config:

interface Ethernet0/1
 nameif outside
 security-level 0
 ip address x.x.x.2 y.y.y.y
 ospf cost 10

interface Ethernet0/3
 no nameif
 no security-level
 no ip address

interface Ethernet0/3.300
 vlan 300
 nameif vlan-inside
 security-level 90
 ip address

interface Ethernet0/3.301
 vlan 301
 nameif vlan-public
 security-level 10
 ip address

access-list vlan-inside_access_in extended permit ip any
access-list vlan-public_access_in extended permit ip any

global (outside) 1 interface
global (outside) 2 x.x.x.3 netmask y.y.y.y
global (outside) 3 x.x.x.4 netmask y.y.y.y
global (vlan-inside) 3 interface
global (vlan-public) 2 interface
nat (vlan-inside) 2
nat (vlan-public) 3

access-group outside_access_in in interface outside
access-group vlan-inside_access_in in interface vlan-inside
access-group vlan-public_access_in in interface vlan-public

route outside x.x.x.1 1

I can get out to the internet on both VLANs and they are going out on the right IPs. I just can't ping or get traffic to flow between VLAN 300 and VLAN301... any ideas?

Thanks for your help in advance.

glen.grant Wed, 06/13/2007 - 12:32

Chris is correct; you would need to use subinterfaces to trunk whatever VLANs you want.
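
An added example, not written by any poster in this thread: a small Python audit of an ASA-style config that flags the IOS-style commands the thread reports as rejected and shows, for each pair of named interfaces, whether an inbound ACL or the security-level default decides new connections. The sample config, its absence of IP addresses, and the function names `parse` and `flows` are constructed for illustration; NAT requirements are not modelled.

```python
import re
from itertools import permutations
# Constructed sample modelled on the config in the thread; two IOS-style lines left in on purpose.
SAMPLE = """\
interface Ethernet0/3
 switchport mode trunk
interface Ethernet0/3.300
 vlan 300
 nameif vlan-inside
 security-level 90
interface Ethernet0/3.301
 encapsulation dot1q 301
 vlan 301
 nameif vlan-public
 security-level 10
access-group vlan-public_access_in in interface vlan-public
"""
IOS_ONLY = re.compile(r"(switchport|encapsulation dot1q)\b", re.I)  # rejected on the ASA in the thread

def parse(config):
    """Return (interfaces, inbound ACL per nameif, rejected IOS-style lines)."""
    ifaces, acls, rejected, cur = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            acls[m.group(2)], cur = m.group(1), None
        elif IOS_ONLY.match(line):
            rejected.append(line)
        elif cur is not None and (m := re.match(r"(vlan|nameif|security-level) (\S+)", line)):
            cur[m.group(1)] = m.group(2)
    return ifaces, acls, rejected

def flows(ifaces, acls):
    """Map (src, dst) nameif pairs to what decides new connections src -> dst."""
    # Assumes security-level is stated for every named interface; 0 otherwise.
    level = {i["nameif"]: int(i.get("security-level", 0)) for i in ifaces.values() if "nameif" in i}
    verdict = {}
    for src, dst in permutations(level, 2):
        if src in acls:  # an inbound ACL replaces the security-level default
            verdict[src, dst] = "ACL " + acls[src]
        elif level[src] == level[dst]:
            verdict[src, dst] = "needs same-security-traffic permit inter-interface"
        else:
            higher = level[src] > level[dst]
            verdict[src, dst] = "default permit (higher to lower)" if higher else "default deny (lower to higher)"
    return verdict

if __name__ == "__main__":
    ifaces, acls, rejected = parse(SAMPLE)
    print(rejected, flows(ifaces, acls), sep="\n")
```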

