ASA with VLANs ...... does dot1q actually work?

Answered Question
Jan 8th, 2009

Hi,


I have a very simple config:

1x ASA5510 firewall and 1x 2950 Ethernet switch.

I am trying to get dot1q trunking working between the two, and utilize VLANs through one single physical connection.

This is easy, right?


<--------------ASA------------------->
interface Ethernet3
 speed 100
 duplex full
 nameif DMZ1-TEST
 security-level 6
 no ip address
!
interface Ethernet3.1
 vlan 700
 nameif DMZ1-TEST-VLAN700
 security-level 6
 ip address 172.18.10.1 255.255.0.0
!
interface Ethernet3.2
 vlan 701
 nameif DMZ1-TEST-VLAN701
 security-level 6
 ip address 172.19.10.1 255.255.0.0

<------------2950 SWITCH---------------->
interface FastEthernet0/23
 description *** UPLINK to ASA TEST ***
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
------------------------------------------



However, I cannot see any traffic between the two devices; in fact, I am unable to ping the switch from the firewall and vice versa.

If I do a show int on the firewall, I see ..... "390349 L2 decode drops". THIS IS NOT GOOD, I ASSUME!

So, I think there is a problem with the trunk.

Any ideas or debug I could apply?


Any help would really be appreciated.


Thank you.

Matt C


Correct Answer by JORGE RODRIGUEZ, Thu, 01/08/2009 - 08:31

Hi Matt,

Have you created the L2 VLANs in the switch for the respective FW subinterfaces?

switch
vlan database
 vlan 700 name DMZ1-TEST-VLAN700
 vlan 701 name DMZ1-TEST-VLAN701

When you place a host on a specific switchport, connectivity should work.

switch
interface fe0/x
 description PC1_address_172.18.10.30/16
 switchport access vlan 700

You should be able to ping its default gateway 172.18.10.1 from the PC.

Same principle for the other subnet, VLAN 701.

Communication between the two subnets can be accomplished with the inter-interface command in the ASA and a NONAT exempt ACL.

Regards


mcroft Thu, 01/08/2009 - 15:24
THANK YOU for your help.

I was being a wally, and only created the VLAN interface on the switch and not the VLANs themselves.

As soon as I read the first two lines of your email ... I knew immediately what I had done.

Silly me.

Thank you for your help. Appreciated!

JORGE RODRIGUEZ Thu, 01/08/2009 - 15:45

Matt, you are welcome and glad I could help and all is fine I assume, don't forget to rate helpful posts.


Bst Rgds

Jorge

fareed_farooqui Tue, 04/14/2009 - 02:23

Hi Jorge,

Can PC1 communicate with PC2, which has IP address 172.19.10.34 ....

Will inter-VLAN communication work with the ASA as an L3 device?

Please can you elaborate: "communication between the two subnets can be accomplished with inter-interface command in asa and a nonat excem"

I have read somewhere that inter-VLAN communication via the same physical trunk cannot work???

Is that true?

Many thanks,

Fareed

JORGE RODRIGUEZ Tue, 04/14/2009 - 03:37

"I have read somewhere that inter-VLAN communication via the same physical trunk cannot work???"

Hi Fareed, this is not true! You may have subinterfaces with the same sec level on the same physical trunk, or simply physical interfaces, again with the same sec level, and have communication between the two networks as long as you have configured the same-security-traffic permit inter-interface statement along with a NONAT exempt rule.


Regards

Jorge
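As an added example, not from the thread itself, this puts the two pieces of advice above together: the switch side creates the VLANs and carries them on the trunk (the missing step in the original question), and the ASA side, with both subinterfaces at security-level 6, needs same-security-traffic permit inter-interface plus a NAT exemption so the two subnets can reach each other. The access port numbers, the ACL name NONAT and the PC addresses are assumed; the NAT syntax is the pre-8.3 ASA form that matches the 2009 thread.

```cisco
! --- 2950 switch (port numbers assumed) ---
! Create the L2 VLANs; the trunk only carries VLANs that exist on the switch.
vlan 700
 name DMZ1-TEST-VLAN700
vlan 701
 name DMZ1-TEST-VLAN701
!
interface FastEthernet0/23
 description *** UPLINK to ASA TEST ***
 switchport mode trunk
 switchport trunk allowed vlan 700,701
 switchport nonegotiate          ! optional: no DTP towards the firewall
!
interface FastEthernet0/1
 description PC1 172.18.10.30/16 (assumed port)
 switchport mode access
 switchport access vlan 700
!
interface FastEthernet0/2
 description PC2 172.19.10.34/16 (assumed port)
 switchport mode access
 switchport access vlan 701
!
! Verify on the switch:
!   show vlan brief
!   show interfaces FastEthernet0/23 trunk
!
! --- ASA (pre-8.3 NAT syntax) ---
! Both subinterfaces are security-level 6, so traffic between them is
! blocked by default; this statement permits same-security traffic.
same-security-traffic permit inter-interface
!
! NAT exemption (identity NAT) so the two DMZ subnets talk untranslated.
! Needed when nat-control is on or other nat statements cover these subnets.
access-list NONAT extended permit ip 172.18.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list NONAT extended permit ip 172.19.0.0 255.255.0.0 172.18.0.0 255.255.0.0
nat (DMZ1-TEST-VLAN700) 0 access-list NONAT
nat (DMZ1-TEST-VLAN701) 0 access-list NONAT
!
! Verify on the ASA:
!   show interface Ethernet3.1
!   show nat
```

With this in place PC1 can ping its gateway 172.18.10.1 and PC2 at 172.19.10.34 across the single trunk, as described in the reply above.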


fareed_farooqui Tue, 04/14/2009 - 03:51

Thanks a lot, Jorge.

FYI, here is the link which was the cause of my confusion.. if you scroll right to the bottom you will see a conclusion with a reference to a TAC case..

I typed these words in Google: "same-security-traffic permit inter-interface trunk asa"

and the 7th result from the top, from experts-exchange.com, is the link I am referring to..

Regards

Fareed
