DMZ migration from 3512 to a 4500

Jul 26th, 2007

Doing a switch migration/consolidation into a 4500. I am trying to consolidate a 3512 DMZ switch into a 4506 with a 24-port FE card (among others).

Current DMZ 3512 switch is VLAN 1 --> Gateway is (ASA5510)

How would I go about moving this to a 4500 using FE ports 3/9 - 3/16 on a 24-port card in slot 3?

I already have a VLAN created for the internal network on the 4500 - VLAN 1 192.168.100.xx - so moving the DMZ into the 4500 is giving me trouble. Would I need to create another VLAN and set the 3/9-16 ports to trunk ports?


You would create a new VLAN and then assign those ports to the VLAN, they would not be trunk ports. Let's say you create VLAN 10, you would then assign the ports to the VLAN:

switch#conf t
switch(config)#vlan 10
switch(config-vlan)#exit
switch(config)#int range f3/9 - 16
switch(config-if-range)#switchport mode access
switch(config-if-range)#switchport access vlan 10


For security reasons many people would advise you against collapsing the DMZ onto a switch that is also host to your internal network. As long as the routed interface for this network is on the ASA and not the 4500, you can minimize your exposure somewhat. You should turn off CDP, PAgP/LACP, etc. You might also consider changing your inside VLAN from VLAN 1 to a numbered VLAN.
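The complete port and VLAN configuration that the answer above describes, written out as an added example (it is not part of the original thread and not the poster's own configuration). VLAN 10 and ports f3/9 - 16 follow the thread; the assumption that the ASA's DMZ interface is cabled to f3/9 is illustrative, and the verification commands at the end are the checks a practitioner would run before declaring the move done:

```ios
! Catalyst 4506 running 12.2(25)EWA - DMZ as a pure layer-2 VLAN.
! Added example, not the answer's own code. VLAN 10 and ports 3/9 - 16 come
! from the thread; "ASA DMZ interface on f3/9" is an assumption for illustration.
!
vlan 10
 name DMZ
!
! DMZ ports: static access ports only. "switchport nonegotiate" stops DTP so
! nothing plugged in can negotiate a trunk into the inside VLAN; "no cdp enable"
! stops the switch advertising itself into the DMZ. PAgP/LACP only run once a
! channel-group is configured, so simply never configure one on these ports.
! portfast + bpduguard err-disables a port that receives a BPDU, i.e. someone
! attaching another switch to a DMZ port.
interface range fastethernet 3/9 - 16
 description DMZ - gateway is the ASA5510, not this switch (f3/9 = ASA, assumed)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
! Deliberately NO "interface Vlan10" on the switch: the only routed interface
! for the DMZ stays on the ASA. An SVI here would let the 4500 route between
! the DMZ and the inside VLAN around the firewall.
!
! Verification (exec mode):
!   show vlan brief
!     -> Fa3/9 - Fa3/16 listed under VLAN 10 and no longer under VLAN 1
!   show interfaces fastethernet 3/9 switchport
!     -> Administrative Mode: static access, Access Mode VLAN: 10,
!        Negotiation of Trunking: Off
!   show ip interface brief | include Vlan
!     -> no Vlan10 line
!   show mac address-table vlan 10
!     -> the ASA's DMZ MAC learned on Fa3/9 once the link is up; if it is
!        absent, check speed/duplex on both ends (show interfaces fastethernet 3/9)
```

If the inside network is later moved off VLAN 1 as the answer suggests, the same pattern applies: a numbered VLAN, static access ports, and no SVI on the 4500 for any VLAN whose gateway is the ASA.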

skokieparkdistrict Thu, 07/26/2007 - 16:35

I have tried that and still cannot get connectivity. I assigned VLAN 2 to those ports exactly like your example and I cannot ping the ASA - what could I be missing?

Does the sw version matter?

Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA8, RELEASE SOFTWARE (fc1)

Jon Marshall Fri, 07/27/2007 - 00:56


No, you should be able to do this with the switch you have, as you are using it purely as a layer 2 switch in this instance.

Can you post a copy of the ASA config, minus any sensitive info, plus the output of a "sh vlan" on the 4500.


