31967 Views | 10 Helpful | 4 Replies

how to create trunk port with ASA 5520

bma (Level 1)

Hi

We need to create multiple VLANs in the ASA 5520 DMZ; the DMZ switch is a Cisco 2960. How do I configure the ASA DMZ sub-interface to the 2960 trunk port? Could you send an example?

Thanks

ben

4 Replies

vitripat (Level 7)

Hi,

You may create subinterfaces using the gi0/2 interface and connect this interface to a trunk port of the 2960. The physical port by itself will act as a trunk port, and you don't need to configure this separately.

We need to keep in mind that if you have created subinterfaces and have not given any nameif command on the main physical interface, then this interface will only accept tagged packets. Thus packets from the native VLAN on the switch trunk will be dropped. If you need to pass these native VLAN packets also, you can give the nameif command on the main physical interface. So let's say you have the following:

gi0/2
 nameif dmz

gi0/2.1
 nameif dmz1
 vlan 10

gi0/2.2
 nameif dmz2
 vlan 20

So you need to connect the gi0/2 port to the trunk port of the 2960. The ASA would accept tagged packets for VLAN 10 and 20, and these will be sent to gi0/2.1 and gi0/2.2 respectively. Untagged packets will be sent directly to the physical interface, which would be part of the native VLAN.

Following link may be helpful:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/intrface.htm

Hope this helps.

Regards,

Vibhor.
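As an added example, not part of the original reply or of any Cisco documentation, here is the complete configuration on both sides for the two-subinterface layout described above. The ASA interface names follow the reply; the security levels, the IP addresses, and the 2960 port number Gi0/1 are assumptions chosen for illustration.

```cisco
! ---- ASA side (added example; addresses and security levels are assumptions) ----
! The physical port carries the trunk. With no nameif here, only tagged frames
! are accepted and untagged (native VLAN) frames from the switch are dropped.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
! One subinterface per VLAN; the "vlan" line is the 802.1Q tag the ASA matches.
interface GigabitEthernet0/2.1
 vlan 10
 nameif dmz1
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.2
 vlan 20
 nameif dmz2
 security-level 40
 ip address 198.51.100.1 255.255.255.0
!
! If untagged frames from the switch's native VLAN must also be handled, replace
! the three "no" lines on GigabitEthernet0/2 with a nameif, security-level and
! ip address of its own, as the reply describes.

! ---- Catalyst 2960 side (port Gi0/1 is a placeholder) ----
! The 2960 only speaks 802.1Q, so no "switchport trunk encapsulation" line is needed.
interface GigabitEthernet0/1
 description uplink to ASA Gi0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

The "switchport trunk allowed vlan 10,20" line prunes the trunk to the VLANs the ASA actually terminates, so frames from other VLANs never reach the firewall port; "switchport nonegotiate" stops the switch from running DTP toward the ASA, which does not participate in trunk negotiation. On the ASA, "show interface GigabitEthernet0/2.1" confirms the subinterface is up and shows its VLAN tag and counters.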

Thanks Vibhor.

Do I still need to set up "encapsulation dot1Q vlan name" on the sub-interface, or only set up dot1q on the switch side?

Ben

ASA/PIX by default only supports 802.1Q encapsulation. However, on the switch side you need to configure the trunk for 802.1Q encapsulation.

Regards,

Vibhor.

I know this is an old thread, but this came up when I was searching for an answer to my question.

I have an ASA 5510.

Below is Ethernet0/0 and its subinterfaces. The physical Ethernet0/0 is connected to a Gig port on a 2950T that is set to trunk.

I'm not using the native VLAN, so is the ASA dropping the native VLAN? And can I change the 2950T from trunk to allowing VLANs?

My reason for wanting to do this is because I have a Barracuda WebFilter that is designed to be inline, in my case between the ASA and the switch. The web filter can handle VLAN traffic but not trunked.

Thanks for any input.

interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.50
vlan 50
nameif Engineering
security-level 80
ip address 192.168.220.1 255.255.255.0
!
interface Ethernet0/0.100
vlan 100
nameif OfficeNet
security-level 90
ip address 192.168.92.1 255.255.255.0
!
interface Ethernet0/0.200
vlan 200
nameif Automation
security-level 100
ip address 192.168.200.5 255.255.255.0
!
interface Ethernet0/0.201
vlan 201
nameif Enco
security-level 100
ip address 10.107.61.1 255.255.255.0
!
interface Ethernet0/0.202
vlan 202
nameif Traffic
security-level 95
ip address 192.168.202.5 255.255.255.0
