how to create trunk port with ASA 5520

Unanswered Question
vitripat Fri, 06/29/2007 - 13:41

Hi ,

You may create subinterfaces using the gi0/2 interface and connect this interface to the trunk port of the 2960. The physical port by itself will act as a trunk port and you don't need to configure this separately.

We need to keep in mind that if you have created subinterfaces and have not given any nameif command on the main physical interface, then this interface will only accept tagged packets. Thus packets from the native VLAN on the switch trunk will be dropped. If you need to pass these native VLAN packets as well, you can give the nameif command on the main physical interface. So let's say you have the following:

gi0/2
 nameif dmz

gi0/2.1
 nameif dmz1
 vlan 10

gi0/2.2
 nameif dmz2
 vlan 20

So you need to connect the gi0/2 port to the trunk port of the 2960. The ASA would accept tagged packets for VLANs 10 and 20, and these will be sent to gi0/2.1 and gi0/2.2 respectively. Untagged packets will be sent directly on the physical interface, which would be part of the native VLAN.

The following link may be helpful:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/intrface.htm

Hope this helps.

Regards,

Vibhor.
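An added example, not part of the original posts: a small Python check that reads an ASA-style interface configuration and reports, for each physical port with subinterfaces, which VLAN tags map to which nameif and whether untagged (native VLAN) frames have a named interface to land on. The sample configuration, the function names and the report layout are constructed for illustration; an `untagged` value of `None` corresponds to the case described above where native VLAN packets are dropped.

```python
import re

# Constructed sample in ASA running-config style (not taken from a real device).
SAMPLE = """\
interface GigabitEthernet0/2
 nameif dmz
!
interface GigabitEthernet0/2.1
 vlan 10
 nameif dmz1
!
interface GigabitEthernet0/2.2
 vlan 20
 nameif dmz2
!
interface Ethernet0/0
 no nameif
!
interface Ethernet0/0.50
 vlan 50
 nameif Engineering
"""

def parse_interfaces(config):
    """Map each interface name to its nameif and vlan (None when not set)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(m.group(1), {"nameif": None, "vlan": None})
        elif current is None:
            continue  # ignore lines outside any interface block
        elif m := re.match(r"nameif (\S+)$", line):  # "no nameif" does not match
            current["nameif"] = m.group(1)
        elif m := re.match(r"vlan (\d+)$", line):
            current["vlan"] = int(m.group(1))
    return interfaces

def trunk_report(config):
    """Per physical port with subinterfaces: tagged VLANs and the untagged nameif."""
    report = {}
    for name, attrs in parse_interfaces(config).items():
        parent, _, sub = name.partition(".")
        entry = report.setdefault(parent, {"tagged": {}, "untagged": None})
        if sub and attrs["vlan"] is not None:
            entry["tagged"][attrs["vlan"]] = attrs["nameif"]
        elif not sub:
            entry["untagged"] = attrs["nameif"]
    return {port: e for port, e in report.items() if e["tagged"]}
```

Comparing the `tagged` keys with the VLANs allowed on the switch trunk shows which VLANs the firewall will not terminate.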

vitripat Fri, 06/29/2007 - 14:22

ASA/PIX by default only support 802.1q encapsulation. However, on the switch side you need to configure the trunk for 802.1q encapsulation.

Regards,

Vibhor.

tony.broom Mon, 11/22/2010 - 16:06

I know this is an old thread but this came up when I was searching for an answer to my question.

I have an ASA5510.

Below is Ethernet0/0 and its subinterfaces. The physical Ethernet 0/0 is connected to a Gig port on a 2950T that is set to trunk.

I'm not using the native VLAN, so is the ASA dropping the native VLAN? And can I change the 2950T from trunk to allowing vlans?

My reason for wanting to do this is because I have a Barracuda WebFilter that is designed to be inline, in my case between the ASA and switch. The webfilter can handle VLAN traffic but not trunked.

Thanks for any input.

interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.50
 vlan 50
 nameif Engineering
 security-level 80
 ip address 192.168.220.1 255.255.255.0
!
interface Ethernet0/0.100
 vlan 100
 nameif OfficeNet
 security-level 90
 ip address 192.168.92.1 255.255.255.0
!
interface Ethernet0/0.200
 vlan 200
 nameif Automation
 security-level 100
 ip address 192.168.200.5 255.255.255.0
!
interface Ethernet0/0.201
 vlan 201
 nameif Enco
 security-level 100
 ip address 10.107.61.1 255.255.255.0
!
interface Ethernet0/0.202
 vlan 202
 nameif Traffic
 security-level 95
 ip address 192.168.202.5 255.255.255.0
