Configuring VLANs

ronin2307
Level 1

Hi,

I am very new to Cisco hardware and VLANs in general. We have a very simple network setup (an ASA5510 set up as a router/firewall and many switches, of which I am only trying to deal with a Cisco Catalyst 2960).

What I was hoping to do, without any additional wiring, is to add a VLAN for an AP that would be used for guest access to the internet, but not the internal network.

So on the ASA I created a subinterface off of the main inside interface, and on the 2960 I created a new VLAN. Then I tried to configure the port on the 2960 to which the ASA is connected as a trunk port, but at that moment everybody loses the connection to the outside.

Basically, where can I find any documentation on how to properly set this up with the hardware I have?

I am sure I am missing many things, but I do need some guidance.

Thank you

Collin Clark
VIP Alumni

Here is a working example.

=======================================
ASA Config
=======================================

interface Ethernet4
 description Trunk Only! DO NOT CONFIGURE!!
 speed 100
 duplex full
 no nameif
 security-level 10
 no ip address
!
interface Ethernet4.100
 description WWW DMZ
 vlan 100
 nameif http
 security-level 10
 ip address 192.168.200.254 255.255.255.0 standby 192.168.200.253
!
interface Ethernet4.101
 description WiFi DMZ
 vlan 101
 nameif wifi
 security-level 10
 ip address 172.16.100.254 255.255.255.0 standby 172.16.100.253
!

=====================================
Switch Config
=====================================

DMZSW45#sh run int fa0/47
interface FastEthernet0/47
 description Connection to PIX-FW
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-101
 switchport mode trunk
 duplex full
 speed 100
end
DMZSW45#

HTH
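The working example above pairs an ASA parent interface (no nameif, no IP) carrying two tagged subinterfaces with a switch port in unconditional trunk mode that allows only those two VLANs. The following checker, an added example and not code from this thread or from Cisco, parses both snippets and reports the mismatches the thread warns about: a switch port left in a dynamic mode, a subinterface VLAN the trunk does not allow, and the inside VLAN riding on the firewall trunk. The sample configs are constructed copies of the snippets above; the `inside_vlan` parameter is an assumption (VLAN 1, the Catalyst default).

```python
import re

# Constructed sample, modelled on the ASA snippet posted above (standby lines dropped).
ASA_CONFIG = """\
interface Ethernet4
 description Trunk Only! DO NOT CONFIGURE!!
 no nameif
 no ip address
!
interface Ethernet4.100
 description WWW DMZ
 vlan 100
 nameif http
 security-level 10
 ip address 192.168.200.254 255.255.255.0
!
interface Ethernet4.101
 description WiFi DMZ
 vlan 101
 nameif wifi
 security-level 10
 ip address 172.16.100.254 255.255.255.0
!
"""

# Constructed sample, modelled on the switch snippet posted above.
SWITCH_CONFIG = """\
interface FastEthernet0/47
 description Connection to PIX-FW
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-101
 switchport mode trunk
end
"""


def parse_asa_subinterfaces(config):
    """Return {interface: (vlan_id, nameif)} for every ASA interface stanza with a 'vlan' line."""
    subifs = {}
    name = vlan = nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name and vlan is not None:
                subifs[name] = (vlan, nameif)
            name, vlan, nameif = line.split(None, 1)[1], None, None
        elif line.startswith("vlan "):
            vlan = int(line.split()[1])
        elif line.startswith("nameif "):
            nameif = line.split()[1]
    if name and vlan is not None:
        subifs[name] = (vlan, nameif)
    return subifs


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '100-101,200' into a set of ints.
    'all' (the default when no allowed-vlan line exists) means 1-4094.
    The 'add'/'remove'/'except' forms of the command are not handled here."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switch_trunk(config):
    """Return (mode, allowed_vlans, native_vlan) for a single-interface stanza."""
    mode, allowed, native = None, "all", 1
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("switchport mode "):
            mode = " ".join(line.split()[2:])          # 'trunk', 'access', 'dynamic auto', ...
        elif re.match(r"switchport trunk allowed vlan \S+$", line):
            allowed = line.split()[4]
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.split()[4])
    return mode, expand_vlan_list(allowed), native


def check_trunk(asa_config, switch_config, inside_vlan=1):
    """Return a list of problem strings; an empty list means the pair is consistent."""
    problems = []
    subifs = parse_asa_subinterfaces(asa_config)
    mode, allowed, _native = parse_switch_trunk(switch_config)
    # The ASA does not negotiate DTP, so only an explicit 'switchport mode trunk' will trunk.
    if mode != "trunk":
        problems.append(f"switch port mode is {mode!r}; it must be 'trunk' (the ASA does not speak DTP)")
    for name, (vlan, nameif) in subifs.items():
        if vlan not in allowed:
            problems.append(f"{name} ({nameif}) is VLAN {vlan}, which the trunk does not allow")
    if inside_vlan in allowed:
        problems.append(f"inside VLAN {inside_vlan} is allowed on the firewall trunk; "
                        "the trunk should carry only the DMZ VLANs")
    return problems


if __name__ == "__main__":
    for p in check_trunk(ASA_CONFIG, SWITCH_CONFIG) or ["trunk and subinterfaces are consistent"]:
        print(p)
```

Run the checker against your own `show run int <port>` and ASA interface output by pasting them into the two strings; the "allowed vlan all" variant the original poster tried produces the inside-VLAN warning, and a port left in `dynamic auto` produces the mode warning.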

Please hang in there with me, as I am still getting used to the command line. I have tried to do this using the ASDM for the ASA and the Cisco Network Assistant.

The 47 interface, is that the one that is connected to the ASA on port 4?

If so, I believe I have done the same thing using the GUI, but the following happens:

On the port connected to the ASA (Gi0/11) I change the administrative mode from Dynamic Auto to 802.1Q Trunk and set Trunk allowed VLANs to "all". At that point everybody on the network loses internet connectivity, but after a few minutes the settings I changed go back to Dynamic Auto and Static Access for the operational mode.

Any ideas?

Correct, fa0/47 is the connection between the switch and the firewall (port 4). It must be a trunk port or it will fail. The only vlans on the trunk should be DMZ's vlans or your inside users will lose connectivity.

So if I understand this right, I need to have two cables going from the switch to the ASA, one for the inside network and one for the ... well, the "other" inside network. I am purposely not calling it a DMZ, because I want to explain what I believe was my conceptual mistake.

I was under the impression that if I create a subinterface on the one that I call my INSIDE interface, give it a different IP network like 192.168.2.1, and configure the port on the switch that connects it to the ASA as a trunk and allow all VLANs, it would work that way.

Obviously I was wrong.

So, as said before, I will have port 0/11 on the switch connect to the ASA 0/1 (inside). Then I will have port 0/12 on the switch connect to the ASA 0/2 (dmz), configure 0/12 as a trunk and only allow VLAN 200 (my dmz VLAN) and not the default VLAN 1. That way I will not have the inside traffic flow through the dmz.

Is that correct? Again, many thanks for walking me through this.

You got it.

First of all thank you for babysitting me on this one.

Second, another stupid question: if I configure the ASA and the switch as described before, can I then add another subinterface on the DMZ trunk and make it another VLAN on which I would keep the front-end stuff like the internet webserver etc., without the WIFI VLAN being able to interact with the new VLAN?

I'm not sure I understand 100%. You can create another VLAN on the switch and another sub-interface on the firewall to create a new DMZ. Restricting/allowing communications between the DMZs is handled by the security level and/or ACLs. Does that answer your question?

Yes, it does.

Thank you. Now I just have to figure out what I am doing wrong, as I can't access anything through my new VLAN :-)

I configured the trunk as you said and I configured another port on the switch to belong to the new VLAN. But when I try to ping the subinterface on the ASA I get nothing. Times out.

Make sure you have ICMP enabled.

icmp permit any your_dmz_name

Check your ARP cache on the firewall (show arp); you should see the switch's MAC address (from the connected port). If not, something is configured/cabled wrong.

Right now there are only two implicit rules on the DMZ interface and the WIFI subinterface:

any to any less secure network

What about the ARP tables?

Couldn't see anything with the 172 IP. I made some changes to the ASA and will test it again now and see what happens. brb

Yeah, I have obviously got something screwed up, as I can't see anything in the ARP table.

Is it trunking? On the switch: show interface trunk
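The "is it trunking?" question is answered by the first table of `show interfaces trunk` (Status column) and the second table (VLANs allowed). The snippet below, an added example and not code from this thread or from Cisco, parses a constructed copy of that output and confirms that the firewall-facing port is trunking and carries exactly the VLAN set the poster intends (VLAN 200 on Gi0/12, per the plan agreed earlier in the thread). The sample output is constructed, not captured from the poster's switch; the real command prints two further tables (active VLANs, forwarding VLANs) which the parser skips.

```python
# Constructed sample of 'show interfaces trunk' output (not from the thread).
# Gi0/12 is the port the original poster configured as the DMZ trunk.
SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/12      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/12      200

Port        Vlans allowed and active in management domain
Gi0/12      200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/12      200
"""


def _expand(spec):
    """Expand '1-4094' or '100,200-201' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(output):
    """Return {port: {mode, encapsulation, status, native, allowed}} from the
    first two tables of 'show interfaces trunk'; later tables are ignored."""
    ports = {}
    section = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            # Each table starts with a 'Port ...' header; pick the two we need.
            if "Vlans allowed on trunk" in line:
                section = "allowed"
            elif "Mode" in line and "Status" in line:
                section = "status"
            else:
                section = None
            continue
        fields = line.split()
        if section == "status" and len(fields) == 5:
            port, mode, encap, status, native = fields
            ports[port] = {"mode": mode, "encapsulation": encap, "status": status,
                           "native": int(native), "allowed": set()}
        elif section == "allowed" and len(fields) == 2 and fields[0] in ports:
            ports[fields[0]]["allowed"] = _expand(fields[1])
    return ports


def trunk_ok(output, port, expected_vlans):
    """True only when the port appears, reports Status 'trunking', and its
    allowed list is exactly the expected VLAN set (no inside VLAN leaking in)."""
    info = parse_show_trunk(output).get(port)
    return bool(info) and info["status"] == "trunking" and info["allowed"] == set(expected_vlans)


if __name__ == "__main__":
    print("Gi0/12 trunking VLAN 200 only:", trunk_ok(SHOW_TRUNK, "Gi0/12", [200]))
```

A port that is absent from the output, or that shows `not-trunking`, fails the check; so does a port whose allowed list still includes VLAN 1, which is the state the poster's earlier "all" setting would have produced.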
