Configuring VLANs

Unanswered Question
Feb 8th, 2008

Hi,

I am very new to Cisco hardware and VLANs in general. We have a very simple network setup (ASA5510 set up as a router/firewall and many switches, of which I am only trying to deal with a Cisco Catalyst 2960).

What I was hoping to do without any additional wiring is to add a VLAN for an AP that would be used for guest access to the internet, but not the internal network.

So on the ASA I created a subinterface off of the main inside interface, and on the 2960 I created a new VLAN. Then I tried to configure the port on the 2960 to which the ASA is connected as a trunk port, but at that moment everybody loses the connection to the outside.

Basically, where can I find any documentation on how to properly set this up with the hardware I have?

I am sure I am missing many things, but I do need some guidance.

Thank you

Collin Clark Fri, 02/08/2008 - 13:50

Here is a working example.

=======================================
ASA Config
=======================================

interface Ethernet4
 description Trunk Only! DO NOT CONFIGURE!!
 speed 100
 duplex full
 no nameif
 security-level 10
 no ip address
!
interface Ethernet4.100
 description WWW DMZ
 vlan 100
 nameif http
 security-level 10
 ip address 192.168.200.254 255.255.255.0 standby 192.168.200.253
!
interface Ethernet4.101
 description WiFi DMZ
 vlan 101
 nameif wifi
 security-level 10
 ip address 172.16.100.254 255.255.255.0 standby 172.16.100.253
!

=====================================
Switch Config
=====================================

DMZSW45#sh run int fa0/47
interface FastEthernet0/47
 description Connection to PIX-FW
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-101
 switchport mode trunk
 duplex full
 speed 100
end
DMZSW45#

HTH

ronin2307 Mon, 02/11/2008 - 08:01

Please hang in there with me, as I am still getting used to the cmd line. I have tried to do this using the ASDM for the ASA and the Cisco Network Assistant.

The 47 interface, is that the one that is connected to the ASA on port 4?

If so, I believe I have done the same thing using the GUI, but the following happens:

On the port connected to the ASA (Gi0/11) I change the administrative mode from Dynamic Auto to 802.1Q Trunk and set Trunk allowed VLANs to "all". At that point everybody on the network loses internet connectivity, but after a few minutes the settings I changed go back to Dynamic Auto and Static Access for the operational mode.

Any ideas?

Collin Clark Mon, 02/11/2008 - 08:25

Correct, fa0/47 is the connection between the switch and the firewall (port 4). It must be a trunk port or it will fail. The only VLANs on the trunk should be the DMZ VLANs, or your inside users will lose connectivity.

ronin2307 Mon, 02/11/2008 - 08:36

So if I understand this right, I need to have two cables going from the switch to the ASA, one for the inside network and one for the ... well, the "other" inside network. I am purposely not calling it a DMZ, because I want to explain what I believe was my conceptual mistake.

I was under the impression that if I created a subinterface on the one that I call my INSIDE interface, gave it a different IP network like 192.168.2.1, and configured the port on the switch that connects it to the ASA as a trunk and allowed all VLANs, it would work that way.

Obviously I was wrong.

So, as said before, I will have port 0/11 on the switch connect to the ASA 0/1 (inside). Then I will have port 0/12 on the switch connect to the ASA 0/2 (dmz), configure 0/12 as a trunk and only allow VLAN 200 (my dmz VLAN) and not the default VLAN 1. That way I will not have the inside traffic flow through the dmz.

Is that correct? Again, many thanks for walking me through this.

ronin2307 Mon, 02/11/2008 - 10:42

First of all thank you for babysitting me on this one.

Second, another stupid question: if I configure the ASA and the switch as described before, can I then add another subinterface on the DMZ trunk and make it another VLAN on which I would keep the front-end stuff like the internet web server etc., without the WIFI VLAN being able to interact with the new VLAN?

Collin Clark Mon, 02/11/2008 - 11:53

I'm not sure I understand 100%. You can create another VLAN on the switch and another sub-interface on the firewall to create a new DMZ. Restricting/allowing communications between the DMZs is handled by the security level and/or ACLs. Does that answer your question?

ronin2307 Mon, 02/11/2008 - 12:01

Yes, it does.

Thank you. Now I just have to figure out what I am doing wrong, as I can't access anything through my new VLAN :-)

I configured the trunk as you said and I configured another port on the switch to belong to the new VLAN. But when I try to ping the subinterface on the ASA I get nothing; it times out.

Collin Clark Mon, 02/11/2008 - 12:11

Make sure you have ICMP enabled.

icmp permit any your_dmz_name

Check your ARP cache on the firewall (show arp); you should see the switch's MAC address (from the connected port). If not, something is configured/cabled wrong.

ronin2307 Mon, 02/11/2008 - 12:18

Right now there are only two implicit rules on the DMZ interface and the WIFI subinterface:

any to any less secure network

ronin2307 Mon, 02/11/2008 - 12:23

Couldn't see anything with the 172 IP. I made some changes to the ASA and will test it again now and see what happens. brb

ronin2307 Mon, 02/11/2008 - 12:39

Yeah, I obviously have something screwed up, as I can't see anything in the ARP table.

ronin2307 Mon, 02/11/2008 - 12:43

tboard#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/12      on           802.1q         trunking      200

Port        Vlans allowed on trunk
Gi0/12      200

Port        Vlans allowed and active in management domain
Gi0/12      200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/12      200
tboard#

ronin2307 Mon, 02/11/2008 - 12:45

ASA

!
interface Ethernet0/2
 description Trunk Only!!!! DO NOT CONFIGURE
 speed 100
 duplex full
 nameif dmz
 security-level 10
 no ip address
!
interface Ethernet0/2.200
 description WiFi DMZ
 vlan 200
 nameif WIFI
 security-level 10
 ip address 192.168.2.1 255.255.255.0
!

ronin2307 Mon, 02/11/2008 - 12:49

Switch

I use port 13 to connect my laptop with a hardcoded IP of 192.168.2.100.

tboard#sh running-config interface gig 0/12
Building configuration...

Current configuration : 197 bytes
!
interface GigabitEthernet0/12
 description ASA_DMZ
 switchport trunk native vlan 200
 switchport trunk allowed vlan 200
 switchport trunk pruning vlan none
 switchport mode trunk
 speed 100
end

tboard#sh running-config interface gig 0/13
Building configuration...

Current configuration : 124 bytes
!
interface GigabitEthernet0/13
 switchport access vlan 200
 switchport trunk allowed vlan 200
 switchport mode access
end

ronin2307 Mon, 02/11/2008 - 13:47

Based on what I posted, do you see anything obvious I am missing?

ronin2307 Tue, 02/12/2008 - 12:11

Please look at the post titled ASA...

But I don't believe that is the problem, at least not yet.

I tried to ping my laptop when I had it plugged into the switch at port 0/13 and it timed out. I pinged it from the switch itself, so I have to have something messed up with the port config on the switch.

Collin Clark Tue, 02/12/2008 - 12:19

Oops, sorry. The IP on the laptop was in the 192.168.2.0/24 network, right? Can you give the switch an IP, or are you managing it in-band (i.e. Telnet/SSH)?

ronin2307 Tue, 02/12/2008 - 12:23

Hehe, now you are pointing out something obvious that I missed.

The switch does have an IP, 192.168.1.8.

The question is how that affects this whole scenario, if at all?

Collin Clark Tue, 02/12/2008 - 12:25

None really. I'm assuming you're using a layer 2 switch and hence can have only 1 IP address. The 192.168.1.8 is part of your management domain. If you have an L3 switch you can have multiple IP addresses on the switch, and you could configure VLAN 200 with an IP so we could test directly from the switch instead of the laptop. The laptop was in 192.168.2.0/24, right?

ronin2307 Tue, 02/12/2008 - 12:28

Yes, it is an L2 switch, 2960 model.

The laptop and the VLAN were configured for .2.0/24.

Collin Clark Tue, 02/12/2008 - 12:40

Hmmm. What version of OS is on the ASA? Can you post a show interface for the ASA?

Collin Clark Tue, 02/12/2008 - 12:44

Add this to your ASA's interface.

switchport mode trunk
switchport trunk allowed vlan 200

ronin2307 Tue, 02/12/2008 - 12:58

Can't. The switchport command doesn't appear to exist. I tried it in config-if and just config.

Collin Clark Tue, 02/12/2008 - 13:19

Weird.

CISCO-COLO# config t
CISCO-COLO(config)# int Ethernet 0/3
CISCO-COLO(config-if)# switchport ?

interface mode commands/options:
  access     Set access mode characteristics of the interface
  mode       Set trunking mode of the interface
  monitor    Monitor another interface
  protected  Configure an interface to be a protected port
  trunk      Set trunking characteristics of the interface
CISCO-COLO(config-if)# switchport

Also remove the nameif from E0/2

Collin Clark Tue, 02/12/2008 - 13:25

interface Ethernet0/2
 description Trunk Only!!!! DO NOT CONFIGURE
 speed 100
 duplex full
 no ip address
 switchport mode trunk
 switchport trunk allowed vlan 200

ronin2307 Tue, 02/12/2008 - 13:29

Hawkeye-ASA5510# config t
Hawkeye-ASA5510(config)# int eth 0/2
Hawkeye-ASA5510(config-if)# switchport
                            ^
ERROR: % Invalid input detected at '^' marker.
Hawkeye-ASA5510(config-if)# switchport ?
ERROR: % Unrecognized command
Hawkeye-ASA5510(config-if)# switchport

Collin Clark Tue, 02/12/2008 - 13:39

Was this port configured with nameif before you upgraded to 8.x? Normally you can only assign nameif to VLANs.

ronin2307 Tue, 02/12/2008 - 13:46

The port was disabled since the beginning. I only enabled it as recently as last week and started playing with the VLANs.

ronin2307 Tue, 02/12/2008 - 13:51

Already did, but I don't see why that would make any difference.

Collin Clark Tue, 02/12/2008 - 13:55

nameif implies a security zone, we want a switch/trunk port. Still no switchport under the physical interface?
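The points raised above (only the DMZ VLANs on the trunk, no nameif on the physical trunk parent) plus one standard 802.1Q detail (the switch sends its native VLAN untagged, so those frames land on the ASA physical interface rather than on a sub-interface expecting that tag) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it parses the gig 0/12 and Ethernet0/2 snippets posted earlier (embedded here, trimmed to the relevant lines) and reports mismatches between the two sides. The function and variable names are my own.

```python
"""Cross-check a Catalyst trunk port against the ASA physical interface and
sub-interfaces it is cabled to. Added example, not code from the thread."""
import re

# Constructed from the gig 0/12 and Ethernet0/2 snippets posted in the thread.
SWITCH_TRUNK = """\
interface GigabitEthernet0/12
 switchport trunk native vlan 200
 switchport trunk allowed vlan 200
 switchport mode trunk
"""
ASA_CONFIG = """\
interface Ethernet0/2
 nameif dmz
 security-level 10
 no ip address
!
interface Ethernet0/2.200
 vlan 200
 nameif WIFI
 security-level 10
 ip address 192.168.2.1 255.255.255.0
!
"""

def expand_vlan_list(spec):
    """'100-101,200' -> {100, 101, 200}; 'all' -> None (every VLAN)."""
    spec = spec.strip().lower()
    if spec == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans

def parse_switch_trunk(text):
    """Pull mode, allowed VLAN set and native VLAN out of one switchport stanza.
    Defaults follow IOS: all VLANs allowed, native VLAN 1."""
    info = {"mode": None, "allowed": None, "native": 1}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("switchport mode "):
            info["mode"] = line.split()[2]
        elif line.startswith("switchport trunk allowed vlan "):
            info["allowed"] = expand_vlan_list(line.split(None, 4)[4])
        elif line.startswith("switchport trunk native vlan "):
            info["native"] = int(line.split()[-1])
    return info

def parse_asa_interfaces(text):
    """Map each ASA interface stanza to its 802.1Q tag and nameif (None if absent)."""
    interfaces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"vlan": None, "nameif": None}
        elif current is None or line == "!":
            current = None
        elif line.startswith("vlan "):
            interfaces[current]["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            interfaces[current]["nameif"] = line.split()[1]
    return interfaces

def check_trunk(switch_text, asa_text, physical):
    """Return a list of findings; an empty list means the two sides agree."""
    trunk = parse_switch_trunk(switch_text)
    asa = parse_asa_interfaces(asa_text)
    findings = []
    if trunk["mode"] != "trunk":
        findings.append("switch port is not in 'switchport mode trunk'")
    parent_nameif = asa.get(physical, {}).get("nameif")
    if parent_nameif:
        # A named physical interface is its own security zone for untagged
        # traffic; a trunk parent should carry no nameif.
        findings.append(f"{physical} has nameif '{parent_nameif}'; remove it on a trunk parent")
    subifs = {n: d for n, d in asa.items() if n.startswith(physical + ".")}
    tagged = {d["vlan"] for d in subifs.values() if d["vlan"] is not None}
    # 802.1Q: the native VLAN leaves the switch untagged, so an ASA
    # sub-interface expecting that tag never sees those frames.
    if trunk["native"] in tagged:
        findings.append(f"native vlan {trunk['native']} is also a tagged sub-interface VLAN; "
                        "its frames leave the switch untagged")
    if trunk["allowed"] is None:
        findings.append("trunk allows all VLANs; limit it to the DMZ VLANs so the "
                        "inside VLAN is not carried to the firewall")
    else:
        for v in sorted(tagged - trunk["allowed"]):
            findings.append(f"ASA sub-interface VLAN {v} is not allowed on the trunk")
        for v in sorted(trunk["allowed"] - tagged):
            findings.append(f"trunk carries VLAN {v} that no ASA sub-interface terminates")
    return findings

if __name__ == "__main__":
    for f in check_trunk(SWITCH_TRUNK, ASA_CONFIG, "Ethernet0/2") or ["no mismatches"]:
        print("-", f)
```

Run against the thread's configs it reports two findings: the nameif on Ethernet0/2 and native VLAN 200 coinciding with the tagged sub-interface VLAN. Run against Collin's fa0/47 / Ethernet4 example from the first reply it reports nothing, which is the shape a working trunk pair should have.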

ronin2307 Tue, 02/12/2008 - 12:45

Latest and greatest, 8.0.3.

Result of the command: "show interface"

Interface Ethernet0/1 "inside", is up, line protocol is up
        Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 0012.d948.f617, MTU 1500
        IP address 192.168.1.XXX, subnet mask 255.255.255.0
        3377797 packets input, 1409435170 bytes, 0 no buffer
        Received 165455 broadcasts, 0 runts, 0 giants
        0 input errors, 13719 CRC, 0 frame, 0 overrun, 13719 ignored, 0 abort
        0 L2 decode drops
        4746865 packets output, 2385992427 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/30) software (0/0)
        output queue (curr/max packets): hardware (0/53) software (0/0)
  Traffic Statistics for "inside":
        3377584 packets input, 1341678780 bytes
        4746865 packets output, 2296225116 bytes
        73578 packets dropped
      1 minute input rate 74 pkts/sec, 5958 bytes/sec
      1 minute output rate 135 pkts/sec, 56821 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 67 pkts/sec, 40605 bytes/sec
      5 minute output rate 83 pkts/sec, 31588 bytes/sec
      5 minute drop rate, 1 pkts/sec
Interface Ethernet0/2 "dmz", is up, line protocol is up
        Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Description: Trunk Only!!!! DO NOT CONFIGURE
        MAC address 0012.d948.f618, MTU 1500
        IP address unassigned
        59 packets input, 5374 bytes, 0 no buffer
        Received 59 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1 packets output, 64 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (5/9) software (0/0)
        output queue (curr/max packets): hardware (0/1) software (0/0)
  Traffic Statistics for "dmz":
        59 packets input, 4312 bytes
        0 packets output, 0 bytes
        22 packets dropped
      1 minute input rate 0 pkts/sec, 0 bytes/sec
      1 minute output rate 0 pkts/sec, 0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec, 0 bytes/sec
      5 minute output rate 0 pkts/sec, 0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/2.200 "WIFI", is up, line protocol is up
        Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        VLAN identifier 200
        Description: WiFi DMZ
        MAC address 0012.d948.f618, MTU 1500
        IP address 192.168.2.1, subnet mask 255.255.255.0
  Traffic Statistics for "WIFI":
        0 packets input, 0 bytes
        1 packets output, 28 bytes
        0 packets dropped
Interface Ethernet0/3 "", is administratively down, line protocol is down
        Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Auto-Duplex, Auto-Speed
        Available but not configured via nameif
        MAC address 0012.d948.f619, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)

Collin Clark Tue, 02/12/2008 - 14:50

We found out (config guide) that the ASA only supports trunking with the Security Plus license.
