ASA 5510 VLAN Configuration

JORGE RODRIGUEZ Wed, 06/18/2008 - 16:59

What do you have for a license? The 5510 base license supports up to 50 VLANs.

There is no vlan command per se; you need to implement 802.1q trunking. In other words, configuring subinterfaces on the firewall automatically enables trunking: trunk to your switch and create L2 VLANs on the switch for each corresponding subinterface created on the firewall.

Check this link

I have (2) 5510's with base licenses, but running v7.0(7). I guess I probably should upgrade :). They are only a few months old and haven't been turned on in production yet.

In one document I read that it supports 10, but another indicated that you needed Security+ to support 10. It looks like it changed with the v8 firmware. I was in the wrong place when I attempted to use the vlan command, as I was on the interface, not a sub-interface. On a sub-interface, it worked and let me add a VLAN.

I'm working with an HP ProCurve 3400cl L3 switch, and HP recommended setting up multiple VLANs to simplify routing. But I have a site that is still using a PIX 506, and I'm not sure that those support VLANs. I need to upgrade them (since the PIX is EOL), but that isn't possible until later this year or early next. I've not used VLANs before, as the networks are fairly small (< 50 hosts) and didn't have a need. Any docs that you can point me to would be appreciated!

JORGE RODRIGUEZ Wed, 06/18/2008 - 17:46

Yes, 7.0(7) is GD, as is 7.0.8, which is said to be the most stable. However, my personal opinion: since your 5510s are not in production, you may as well upgrade them to the latest version, 8.0(3), and take advantage of many features that 7.x does not have.

I also recommend having the Security Plus license. I am soon upgrading our PIX 515Es, and that is what I will be getting: 5510s with Sec Plus licenses. The Sec Plus license activates other features the base license does not; see the first link in my 1st post for details.

As for the PIX 506: if it is a 506E, it can support up to 2 VLANs with code 6.3.5, which is the maximum code it can run on the 6.x train. It is almost the same principle with trunking.

For a PIX 506E it would be something like:

interface ethernet0 auto ( outside interface, physical )
interface ethernet1 auto ( inside interface, physical )
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical ( invokes 802.1q trunking )
nameif ethernet0 outside security0
nameif ethernet1 inside security100 ( sec level for inside )
nameif vlan3 inside2 security99 ( sec level for inside2 )
ip address inside
ip address inside2

On the switch side, if you have a Cisco switch, it would be:

vlan database
vtp transparent
vtp domain test_lab
vtp password cisco
vlan 2 name inside_2.2.2.0/24
vlan 3 name inside2_3.3.3.0/24
exit
interface fastethernet0/48
description trunk_Connection_pix ethernet1
speed auto
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 2,3

Something along those lines. Let me find some links for creating L2 VLANs on switches, but I'm not sure if the same principle applies on HP switches; they may have different command syntax, as I have never worked with HPs.



Pls rate any helpful post if it helped
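For the ASA 5510 side that the first reply describes (subinterfaces enabling 802.1q trunking), here is an added 8.0-style configuration matching the two VLANs in the PIX and switch examples above; it is not from the original thread, and the interface name Ethernet0/1, the VLAN ids 2 and 3 and the addresses 2.2.2.1 and 3.3.3.1 are assumed.

```cisco
! Assumed example, not from the thread. Physical port carries only tagged
! frames, so it gets no nameif/security-level/ip address of its own.
! Without a nameif the ASA passes no traffic on the untagged (native) VLAN
! of this port, which avoids accepting unexpected untagged frames.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Subinterface for VLAN 2 (matches "vlan 2" on the switch trunk)
interface Ethernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address 2.2.2.1 255.255.255.0
!
! Subinterface for VLAN 3 (matches "vlan 3" on the switch trunk)
interface Ethernet0/1.3
 vlan 3
 nameif inside2
 security-level 99
 ip address 3.3.3.1 255.255.255.0
!
! Traffic is allowed from the higher security level to the lower one by
! default (inside -> inside2); inside2 -> inside needs an explicit access-list
! applied to inside2. If both were given the same security level, the
! following command would be required before they could talk at all:
! same-security-traffic permit inter-interface
```

The switch port facing Ethernet0/1 must be a dot1q trunk allowing VLANs 2 and 3, as in the Cisco switch example in the reply above.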
