VLAN on ASA 5510 and L2 Switch

JORGE RODRIGUEZ Wed, 01/02/2008 - 22:18

Sure, it is possible. Let's see: the ASA 5510 can support up to 50 VLANs with the Base license and 100 VLANs with the Security Plus license. You will have to use trunking and allocate an FE port on the ASA for this. I am assuming your 2960 is a 48-port switch, not a 24-port one, because you will need to accommodate 25 VLANs with corresponding switchport VLAN numbers.

1- Create your 25 VLANs in the switch.

2- Allocate a port on the switch for 802.1Q trunking to an allocated FE port on the ASA.

3- Create subinterfaces on the ASA and define the IP scheme for each subinterface.

4- Define the security-level requirements for the subinterfaces. You could use the same security level on each subinterface, and if you do not want communication between them you can use the "no same-security-traffic permit inter-interface" command. If communication is needed between hosts on different VLANs, it can be accomplished through ACLs.

5- For internet access you could use your outside interface to PAT the inside nets for outbound internet connections.

Example.

Assume you have 4 networks: 2.2.2.0, 3.3.3.0, 4.4.4.0, 5.5.5.0

ASA5510:

  interface Ethernet0/2
   speed 100
   duplex full
   nameif LAN
   security-level 50
   no ip address
   ! note: with nameif on the physical interface, untagged frames arriving on
   ! the trunk's native VLAN are processed as interface "LAN"; leave the
   ! physical interface unnamed if you want untagged frames dropped
  interface Ethernet0/2.2
   vlan 2
   nameif vlan2
   security-level 50
   ip address 2.2.2.1 255.255.255.0
  interface Ethernet0/2.3
   vlan 3
   nameif vlan3
   security-level 50
   ip address 3.3.3.1 255.255.255.0
  interface Ethernet0/2.4
   vlan 4
   nameif vlan4
   security-level 50
   ip address 4.4.4.1 255.255.255.0
  interface Ethernet0/2.5
   vlan 5
   nameif vlan5
   security-level 50
   ip address 5.5.5.1 255.255.255.0
  ! pre-8.3 NAT syntax: PAT every inside VLAN to the outside interface address
  global (outside) 1 interface
  nat (vlan2) 1 2.2.2.0 255.255.255.0
  nat (vlan3) 1 3.3.3.0 255.255.255.0
  nat (vlan4) 1 4.4.4.0 255.255.255.0
  nat (vlan5) 1 5.5.5.0 255.255.255.0

Switch_2960:

  vlan database
   vtp transparent
   vtp domain test_lab
   vtp password cisco
   vlan 2 name VLAN2_2.2.2.0/24
   vlan 3 name VLAN3_3.3.3.0/24
   vlan 4 name VLAN4_4.4.4.0/24
   vlan 5 name VLAN5_5.5.5.0/24
   etc....

  interface FastEthernet0/48
   description trunk_Connection_ASA_Ethernet0/2
   speed 100
   duplex full
   switchport mode trunk
   ! the 2960 trunks 802.1Q only; it has no "switchport trunk encapsulation" command
   switchport trunk allowed vlan 2,3,4,5 etc..

I think you got the idea..

Rgds

Jorge
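The five steps and the example above are easy to get wrong once there are 25 VLANs rather than 4: a subnet typo, a VLAN present on the trunk but without an ASA subinterface, or the native VLAN leaking untagged frames to a named physical port. The following script is an added example, not code from the original thread or from Cisco. It builds the plan from (VLAN, subnet) pairs, emits the ASA subinterface/PAT lines and the 2960 VLAN/trunk lines in the same pre-8.3 syntax used above, and cross-checks the two. Interface names, the license limits (50 Base / 100 Security Plus, as stated in the post) and the SAMPLE_VLANS list are assumptions made for the example.

```python
"""Generate and cross-check the ASA subinterface / Catalyst 2960 trunk layout
from the post above. Added example, not from the original thread. Assumed:
pre-8.3 ASA NAT syntax as in the post, interface names, the license VLAN
limits quoted in the post, and the constructed SAMPLE_VLANS list."""
import ipaddress
import re

LICENSE_VLAN_LIMIT = {"base": 50, "security_plus": 100}  # per the post


def build_vlan_plan(vlans):
    """vlans: iterable of (vlan_id, 'x.x.x.0/24'). Rejects bad VLAN IDs,
    host addresses written as networks, and overlapping subnets."""
    plan = []
    for vid, cidr in vlans:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN id out of range: {vid}")
        net = ipaddress.ip_network(cidr, strict=True)
        for e in plan:
            if net.overlaps(e["network"]):
                raise ValueError(f"{cidr} overlaps VLAN {e['vlan']} ({e['network']})")
        # first usable host of each subnet becomes the ASA subinterface address
        plan.append({"vlan": vid, "network": net, "gateway": next(net.hosts())})
    return plan


def asa_config(plan, phys="Ethernet0/2", security_level=50, license="base"):
    """One 802.1Q subinterface per VLAN plus a PAT entry to the outside interface.
    The physical port gets no nameif, so untagged (native VLAN) frames are dropped."""
    if len(plan) > LICENSE_VLAN_LIMIT[license]:
        raise ValueError(f"{len(plan)} VLANs exceeds the {license} license limit")
    lines = [f"interface {phys}", " speed 100", " duplex full", " no ip address", " no shutdown"]
    for e in plan:
        lines += [f"interface {phys}.{e['vlan']}", f" vlan {e['vlan']}",
                  f" nameif vlan{e['vlan']}", f" security-level {security_level}",
                  f" ip address {e['gateway']} {e['network'].netmask}"]
    # equal security levels: inter-VLAN traffic stays blocked unless an ACL permits it
    lines += ["no same-security-traffic permit inter-interface", "global (outside) 1 interface"]
    lines += [f"nat (vlan{e['vlan']}) 1 {e['network'].network_address} {e['network'].netmask}"
              for e in plan]
    return "\n".join(lines)


def switch_config(plan, trunk_port="FastEthernet0/48", native_vlan=1):
    """2960 side: transparent VTP, L2 VLANs only, trunk pruned to the planned VLANs.
    No 'switchport trunk encapsulation' line: the 2960 only trunks 802.1Q."""
    lines = ["vtp mode transparent"]
    for e in plan:
        lines += [f"vlan {e['vlan']}", f" name VLAN{e['vlan']}_{e['network']}"]
    lines += [f"interface {trunk_port}", " description trunk_to_ASA", " switchport mode trunk",
              f" switchport trunk native vlan {native_vlan}",
              " switchport trunk allowed vlan " + ",".join(str(e["vlan"]) for e in plan)]
    return "\n".join(lines)


def _expand(vlan_list):
    """IOS allowed-vlan syntax '2,3,10-12' -> {2, 3, 10, 11, 12}."""
    out = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def cross_check(asa_cfg, sw_cfg):
    """Compare the VLANs the ASA terminates with what the switch defines and
    carries on the trunk; returns the mismatches a bring-up would hit."""
    asa_vlans = {int(v) for v in re.findall(r"^\s+vlan (\d+)\s*$", asa_cfg, re.M)}
    sw_defined = {1} | {int(v) for v in re.findall(r"^vlan (\d+)\s*$", sw_cfg, re.M)}
    m = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", sw_cfg)
    allowed = _expand(m.group(1)) if m else set(range(1, 4095))  # IOS default: all
    n = re.search(r"switchport trunk native vlan (\d+)", sw_cfg)
    native = int(n.group(1)) if n else 1
    phys_named, cur = False, None  # nameif on the physical port accepts untagged frames
    for line in asa_cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
        elif cur and "." not in cur and line.strip().startswith("nameif "):
            phys_named = True
    return {
        "asa_vlan_missing_on_trunk": sorted(asa_vlans - allowed),
        "trunk_vlan_without_asa_gateway": sorted(allowed - asa_vlans),
        "trunk_vlan_undefined_on_switch": sorted(allowed - sw_defined),
        "native_vlan_reaches_named_port": phys_named and native in allowed,
    }


def validate(vlans, license="base"):
    """None if the plan builds and fits the license, else the error text."""
    try:
        asa_config(build_vlan_plan(vlans), license=license)
    except ValueError as exc:
        return str(exc)
    return None


# constructed sample: the same four networks as the post
SAMPLE_VLANS = [(2, "2.2.2.0/24"), (3, "3.3.3.0/24"), (4, "4.4.4.0/24"), (5, "5.5.5.0/24")]

if __name__ == "__main__":
    plan = build_vlan_plan(SAMPLE_VLANS)
    asa, sw = asa_config(plan), switch_config(plan)
    print(asa, sw, cross_check(asa, sw), sep="\n\n")
```

Run it as-is to print both configs and an all-clear check; feed cross_check() a pasted "show running-config" from each box to spot a VLAN allowed on the trunk that has no ASA subinterface, or a native VLAN that would hit a named physical port. The generated ASA config deliberately leaves the physical interface unnamed, which differs from the post's "nameif LAN"; both are valid, the unnamed form just refuses untagged frames.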

dinesh_mih Thu, 01/03/2008 - 04:22

Hi Sushil,

Since the Layer 3 interfaces of the VLANs are created on the ASA, only L2 VLANs need to be created on the switches. Just create the L2 VLANs on the switches and you can extend the VLANs to more switches. Just make sure that these switches are in the same VTP domain and take care of the VTP mode (client/server or transparent, etc.). Yes, you need to create a trunk between the two switches.

Please rate the post if you find it useful.

Best Regards

Dinesh

(http://knowurtech.com)

Good cisco articles
