VLAN on ASA 5510 and L2 Switch

itindia
Level 1

Hi,

Looking to implement VLANs as per the diagram.

ISP->Router-->ASA5510--->Switch(L2 2960).

Want to create some 25 VLANs and don't want to allow communication among the VLANs. Just want to allow internet access to all of the VLANs.

How should I achieve this?

Reg,

Sushil


JORGE RODRIGUEZ
Level 10

Sure, it is possible. Let's see: the ASA 5510 can support up to 50 VLANs with the Base license and 100 VLANs with the Security Plus license. You will have to use trunking and allocate a FE port on the ASA for this. I'm assuming your 2960 is a 48-port switch, not a 24-port one, because you will need to accommodate 25 VLANs with corresponding switchport VLAN numbers.

1- Create your 25 VLANs on the switch.

2- Allocate a port on the switch for 802.1Q trunking to the allocated FE port on the ASA.

3- Create subinterfaces on the ASA and define the IP scheme for each subinterface.

4- Define the security level requirements for the subinterfaces. You could use the same security level on each subinterface, and if you do not want communication between them you can use the "no same-security-traffic permit inter-interface" command. If communication is needed between hosts on different VLANs it can be accomplished through ACLs.

5- For internet access you could use your outside interface to PAT the inside nets for outbound internet connections.

Example:

Assume you have four networks: 2.2.2.0, 3.3.3.0, 4.4.4.0 and 5.5.5.0.

ASA5510:

interface Ethernet0/2
 speed 100
 duplex full
 nameif LAN
 security-level 50
 no ip address
!
interface Ethernet0/2.2
 vlan 2
 nameif vlan2
 security-level 50
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/2.3
 vlan 3
 nameif vlan3
 security-level 50
 ip address 3.3.3.1 255.255.255.0
!
interface Ethernet0/2.4
 vlan 4
 nameif vlan4
 security-level 50
 ip address 4.4.4.1 255.255.255.0
!
interface Ethernet0/2.5
 vlan 5
 nameif vlan5
 security-level 50
 ip address 5.5.5.1 255.255.255.0
!
global (outside) 1 interface
nat (vlan2) 1 2.2.2.0 255.255.255.0
nat (vlan3) 1 3.3.3.0 255.255.255.0
nat (vlan4) 1 4.4.4.0 255.255.255.0
nat (vlan5) 1 5.5.5.0 255.255.255.0

Switch_2960:

vlan database
vtp transparent
vtp domain test_lab
vtp password cisco
vlan 2 name VLAN2_2.2.2.0/24
vlan 3 name VLAN3_3.3.3.0/24
vlan 4 name VLAN4_4.4.4.0/24
vlan 5 name VLAN5_5.5.5.0/24
etc....

interface FastEthernet0/48
 description trunk_Connection_ASA_Ethernet0/2
 speed 100
 duplex full
 ! the encapsulation command is only accepted on switches that also support ISL;
 ! a 2960 trunks 802.1Q only, so skip this line there
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3,4,5 etc..

I think you get the idea.

Rgds

Jorge

Jorge Rodriguez
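As an added example (not configuration from the thread), the script below writes out the same ASA sub-interface and PAT layout for any number of VLANs, keeping the thread's pre-8.3 `nat`/`global` syntax, and then audits the result for the two settings that would undo the isolation: `same-security-traffic permit inter-interface` being turned on, and sub-interfaces left at different security levels (the ASA lets traffic flow from a higher level to a lower one by default). The parent interface Ethernet0/2 named LAN and the 10.0.n.0/24-per-VLAN scheme are assumptions made for the example.

```python
"""Generate the ASA 5510 sub-interface and (pre-8.3 style) PAT configuration
for any number of isolated VLANs, then audit the result for the two settings
that would let VLANs reach each other.

Added example, not configuration from the thread. Assumed for the example:
the parent interface is Ethernet0/2 named LAN, and VLAN n gets 10.0.n.0/24
with the ASA sub-interface at .1."""
import ipaddress
import re


def vlan_subnet(vlan_id):
    # Assumed addressing scheme: VLAN n -> 10.0.n.0/24 (n must be <= 255).
    return ipaddress.ip_network(f"10.0.{vlan_id}.0/24")


def asa_config(vlan_ids, parent="Ethernet0/2", nameif="LAN", security=50):
    """Return the ASA configuration text for the given VLAN IDs."""
    lines = [f"interface {parent}", " speed 100", " duplex full",
             f" nameif {nameif}", f" security-level {security}", " no ip address", "!"]
    nat_lines = []
    for v in vlan_ids:
        net = vlan_subnet(v)
        gateway = net.network_address + 1
        lines += [f"interface {parent}.{v}", f" vlan {v}", f" nameif vlan{v}",
                  f" security-level {security}",
                  f" ip address {gateway} {net.netmask}", "!"]
        # One nat statement per sub-interface, all sharing global pool 1.
        nat_lines.append(f"nat (vlan{v}) 1 {net.network_address} {net.netmask}")
    # Same security level everywhere plus this line = no traffic between VLANs.
    lines.append("no same-security-traffic permit inter-interface")
    # PAT every VLAN behind the outside interface address for internet access.
    lines.append("global (outside) 1 interface")
    lines += nat_lines
    return "\n".join(lines) + "\n"


def audit_isolation(config_text):
    """Return findings that would allow inter-VLAN traffic (empty list = isolated)."""
    findings = []
    if re.search(r"^same-security-traffic permit inter-interface$", config_text, re.M):
        findings.append("same-security-traffic permit inter-interface is enabled")
    levels = {}
    current = None
    for line in config_text.splitlines():
        m = re.match(r"interface (\S+\.\d+)$", line)     # sub-interfaces only
        if m:
            current = m.group(1)
            continue
        m = re.match(r" security-level (\d+)$", line)
        if m and current:
            levels[current] = int(m.group(1))
    # A lower-level VLAN is reachable from any higher-level VLAN by default.
    if len(set(levels.values())) > 1:
        findings.append(f"sub-interfaces have mixed security levels: {levels}")
    return findings


if __name__ == "__main__":
    print(asa_config(range(2, 27)))     # VLANs 2-26, as in the 25-VLAN question
    print(audit_isolation(asa_config(range(2, 27))))
```

Run it as-is to print the config for VLANs 2 to 26. `audit_isolation` is also useful against `show running-config` output after later changes, since a single sub-interface left at a different security level silently reopens a path between VLANs.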

Thanks Jorge, that's really helpful.

Would like to know, can I run IPsec site-to-site VPN for some of the VLANs? Maybe some 15 tunnels.

Hi,

Yes, you can run IPsec for some of the VLANs. That should not be an issue.

Best Regards

Dinesh

(http://knowurtech.com)

Good cisco articles

Thanks guys,

One more question: how should I propagate the VLANs to the rest of the switches?

Say adding a total of 120 users to 25 VLANs.

That means 4 or 5 users in a single VLAN, as my switch will have 48 ports only.

Do I need to enable trunking between the L2 switches?

How to achieve this?

Reg,

Sushil

Hi Sushil,

Since the Layer 3 interfaces of the VLANs are created on the ASA, only L2 VLANs need to be created on the switches. Just create the L2 VLANs on the switches and you can extend the VLANs to more switches. Just make sure that these switches are in the same VTP domain and take care of the VTP mode (client/server or transparent, etc.). Yes, you need to create a trunk between the two switches.

Please rate the post if you find it useful.

Best Regards

Dinesh

(http://knowurtech.com)

Good cisco articles
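The switch side of the same question, as an added example that is not configuration from the thread: lay the 120 users in 25 VLANs out across daisy-chained 2960s, write each switch's Layer 2 config (VLANs and VTP transparent as in the earlier reply, access ports, trunks with an explicit allowed-VLAN list), and check that every trunk on the way to the ASA carries the VLANs that have ports behind it. The port roles (Fa0/1-46 users, Fa0/47 trunk to the next switch, Fa0/48 trunk toward the ASA), the VTP domain name and the user counts are assumptions made for the example.

```python
"""Lay 120 users in 25 VLANs out across daisy-chained 2960 switches, emit each
switch's Layer 2 configuration, and check that every inter-switch trunk carries
the VLANs that have access ports behind it.

Added example, not configuration from the thread. Assumptions: each switch
uses Fa0/1-46 for users, Fa0/47 as the trunk to the next switch down the
chain, Fa0/48 as the trunk up toward the ASA; VTP transparent, as in the
earlier reply; the Layer 3 gateways live on the ASA, so switches carry L2 only."""

ACCESS_PORTS = range(1, 47)   # Fa0/1 .. Fa0/46 (assumption)
DOWNLINK, UPLINK = 47, 48     # Fa0/47 toward next switch, Fa0/48 toward ASA (assumption)


def assign_ports(users_per_vlan):
    """users_per_vlan: {vlan_id: user_count}. Returns one {port: vlan} dict per switch,
    filling access ports in VLAN order and rolling to a new switch when full."""
    switches = [{}]
    free = list(ACCESS_PORTS)
    for vlan, count in sorted(users_per_vlan.items()):
        for _ in range(count):
            if not free:
                switches.append({})
                free = list(ACCESS_PORTS)
            switches[-1][free.pop(0)] = vlan
    return switches


def trunk_allowed(switches):
    """Allowed VLAN set for each switch's uplink: its own VLANs plus every VLAN on
    the switches chained below it (a transit switch must also define those VLANs)."""
    allowed, downstream = [], set()
    for port_map in reversed(switches):
        downstream |= set(port_map.values())
        allowed.append(set(downstream))
    return allowed[::-1]


def vlan_list(vlans):
    return ",".join(str(v) for v in sorted(vlans))


def switch_config(index, port_map, uplink_vlans, downlink_vlans, vtp_domain="test_lab"):
    lines = [f"hostname SW{index}", "vtp mode transparent", f"vtp domain {vtp_domain}", "!"]
    for v in sorted(uplink_vlans):            # define every VLAN this switch must forward
        lines += [f"vlan {v}", f" name VLAN{v}", "!"]
    for p in ACCESS_PORTS:
        lines.append(f"interface FastEthernet0/{p}")
        if p in port_map:
            lines += [" switchport mode access", f" switchport access vlan {port_map[p]}",
                      " spanning-tree portfast"]
        else:
            lines.append(" shutdown")         # unused ports stay down until assigned
        lines.append("!")
    lines += [f"interface FastEthernet0/{UPLINK}", " description trunk toward ASA",
              " switchport mode trunk",
              f" switchport trunk allowed vlan {vlan_list(uplink_vlans)}", "!"]
    lines.append(f"interface FastEthernet0/{DOWNLINK}")
    if downlink_vlans:
        lines += [" description trunk to next switch", " switchport mode trunk",
                  f" switchport trunk allowed vlan {vlan_list(downlink_vlans)}"]
    else:
        lines.append(" shutdown")
    lines.append("!")
    return "\n".join(lines) + "\n"


def check_trunks(switches, uplink_allowed):
    """A VLAN with ports on switch k must be allowed on the uplink of switches 1..k,
    otherwise those users are cut off from the ASA. Returns (vlan, switch, trunk_switch)."""
    problems = []
    for k, port_map in enumerate(switches):
        for vlan in sorted(set(port_map.values())):
            for j in range(k + 1):
                if vlan not in uplink_allowed[j]:
                    problems.append((vlan, k + 1, j + 1))
    return problems


if __name__ == "__main__":
    users = {v: (5 if v <= 21 else 4) for v in range(2, 27)}   # 25 VLANs, 120 users (constructed)
    layout = assign_ports(users)
    allowed = trunk_allowed(layout)
    for i, port_map in enumerate(layout):
        down = allowed[i + 1] if i + 1 < len(layout) else set()
        print(switch_config(i + 1, port_map, allowed[i], down))
    print("trunk problems:", check_trunks(layout, allowed))
```

With 46 access ports per switch the 120 users land on three switches. The explicit allowed-VLAN list is the point of `check_trunks`: left at the default of "all", every VLAN reaches every switch whether or not it has users there; trimmed by hand, a VLAN that spills onto a later switch is easy to forget on the trunks above it.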

Thanks a lot Dinesh,

This is really helpful. I was looking for an opinion, which I got right from you guys.

Regards,

Sushil
