SR520/ASA 5505 in front of UC520 - multiple vlans

Jun 2nd, 2009

I have followed the document 'UC500 and SR500 Secure Router Setup' and it seems simple. I will be needing to set up a system with several VLANs (company1 data, company2 data, voice VLAN, guest wireless VLAN) and I am not sure about the VLAN setup.

I know in the past when using the wireless controller I have had to manually enter the VLANs into the controller.

So the question is: When using a firewall in front of the UC520, which device controls the VLANs?

Do I have to create them manually on both devices?

Should I delete the native VLAN on the SR520 and replace it with the corresponding VLAN from the UC520 (that would be easier, I think)?

How about when one device supports more VLANs than the other?

Thanks,

Johnny


Johnny,

I am not familiar with the SR500, but the uplink port of the UC520 will trunk your VLANs and the UC520 can act as a VTP server. If the Secure Router can do a "router on a stick" config, or supports trunking to a switch port, and supports VTP, you could use the UC520 to control the VLANs.

Just my two cents, but I'm sure Cisco will chime in with the best practice.

Bob

Correct Answer
Douglas Smith Tue, 06/02/2009 - 12:08

Johnny,

In the case where you have an SR520 in front of the UC500, the VLANs will still be set up in the UC500. From the SR520 perspective you would need routing to the subnets. In the case of using the WLC526 wireless controller the configuration would be the same.

Hope this helps,

Douglas Smith

eoncablewire Wed, 06/03/2009 - 09:07

I was trying to work within CCA, as intended, for this product family. I don't have a wireless controller in this configuration.

Routing the subnets - I am not sure what you mean by that in relation to the SR520. I know that each device must be made to recognize the VLANs independently; I just wasn't sure which device would be the VLAN master.

eoncablewire Thu, 06/11/2009 - 11:31

I have set up the devices per the document and I have the WAN interface on the UC520 as 192.168.75.2 and the internal IP as 192.168.10.1. I am able to VPN to the SR520, run CCA and see all of the 192.168.75.x subnet but unable to access the 192.168.10.x subnet.

The VLANs on the UC520 are still 1 and 100 (default), the VLANs on the SR520 are still 1 and 75 (default). I thought that CCA was supposed to blend these devices together or something.

How do I get access to the local LAN that is hidden behind the WAN interface on the UC520 in a CCA 2.0 compatible way?

Please help me out; I am way behind on deployment.

Thanks

Correct Answer
Steven Smith Thu, 06/11/2009 - 12:05

First, make sure the firewall and NAT are turned off on the UC520.

Make sure there is a route on the SR520 that points to the UC520 for the LAN information behind it.  Also, try making the seed device in CCA the UC500. 

eoncablewire Thu, 06/11/2009 - 12:19

As far as I know I followed the setup document completely, which included deleting firewall information and NAT on the UC520. What wasn't addressed in the document that I am aware of (did I miss it?) was any mention of altering the ACL for incoming traffic on the WAN being able to have access to the private network.

As far as the route to the internal subnet... what exactly do you mean? Is there a way to do it with CCA or within the CCA OOB guidelines?

Thanks

Eivind Jonassen Thu, 06/11/2009 - 12:32

Johnny,

Have you checked that the VPN server allows VLAN 1 through the VPN client??? Please check if there is an ACL on the VPN configuration.

Regards

Eivind

Correct Answer
Steven Smith Thu, 06/11/2009 - 13:36

Eivind has good advice as well.

I haven't tried to add the routes via CCA.  I would assume it was there.

In CLI, it would look like...

ip route 192.168.10.0 255.255.255.0 192.168.75.2

ip route 10.1.1.0 255.255.255.0 192.168.75.2

ip route 10.1.10.0 255.255.255.252 192.168.75.2

eoncablewire Fri, 06/12/2009 - 11:21

In the end the document did a good job of setting up the two devices to work together and allowed a PC connected directly to the SR520 to have access to the private LAN behind the UC520 (defaults: 192.168.10.0, 10.1.1.0, 10.1.10.0). I was testing on the VPN and found I needed to add the extra subnets to the split tunnel networks box in CCA. Once I did that it worked.

This doesn't solve all the problems, but it's a big piece of the pie.

Thanks
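The two fixes that resolved this thread (Steven Smith's static routes on the SR520 pointing the UC520 LAN subnets at 192.168.75.2, and Johnny's discovery that the same subnets had to be added to the CCA split tunnel networks list) can both be sanity-checked offline. The script below is an added example, not code from the thread, from CCA or from Cisco: it models a longest-prefix-match routing table with the three routes posted above and checks which of the UC520 subnets a given split-tunnel list fails to cover. The split-tunnel lists used in the test are constructed; the subnets and next hop are the ones named in the thread.

```python
"""Static-route and split-tunnel coverage checks for an SR520 in front of a UC520.

Added example (not from the thread or from Cisco). Models the SR520 routing
table Steven Smith posted and verifies (a) that each subnet behind the UC520
resolves to next hop 192.168.75.2 under longest-prefix match and (b) which of
those subnets a VPN client's split-tunnel list leaves out, the gap Johnny hit.
"""
from ipaddress import ip_address, ip_network

# Static routes from the thread: (destination prefix, next hop on the SR520).
# 255.255.255.252 is written as /30.
STATIC_ROUTES = [
    ("192.168.10.0/24", "192.168.75.2"),
    ("10.1.1.0/24", "192.168.75.2"),
    ("10.1.10.0/30", "192.168.75.2"),
]

# Subnets behind the UC520, as listed in Johnny's final post.
UC520_LANS = ["192.168.10.0/24", "10.1.1.0/24", "10.1.10.0/30"]

# The SR520/UC520 link network from the thread (UC520 WAN side is 192.168.75.2).
LINK_NET = "192.168.75.0/24"


def build_table(routes, connected=LINK_NET):
    """Return a list of (network, next_hop) entries.

    The connected link network gets next_hop None so lookups can tell
    "directly attached" apart from "forwarded to the UC520".
    """
    table = [(ip_network(connected), None)]
    for prefix, next_hop in routes:
        table.append((ip_network(prefix), ip_address(next_hop)))
    return table


def lookup(table, destination):
    """Longest-prefix match of destination against the table.

    Returns the next hop as a string, "connected" for the attached network,
    or "no route" when nothing matches (the SR520 would then use its default
    route toward the Internet, which is exactly the misrouting to catch).
    """
    dst = ip_address(destination)
    best = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return "no route"
    return "connected" if best[1] is None else str(best[1])


def split_tunnel_gaps(split_networks, lan_subnets):
    """Return the LAN subnets that no entry in the split-tunnel list contains.

    A VPN client only sends traffic for the listed networks into the tunnel;
    anything missing here goes out the client's local default route instead.
    """
    split = [ip_network(s) for s in split_networks]
    return [
        lan for lan in lan_subnets
        if not any(ip_network(lan).subnet_of(s) for s in split)
    ]


def report(split_networks):
    """Convenience wrapper: route check plus split-tunnel check in one call."""
    table = build_table(STATIC_ROUTES)
    routes_ok = all(
        lookup(table, str(ip_network(lan)[1])) == "192.168.75.2"
        for lan in UC520_LANS
    )
    return {"routes_ok": routes_ok, "split_gaps": split_tunnel_gaps(split_networks, UC520_LANS)}


if __name__ == "__main__":
    # Before Johnny's fix: only the link network is in the split-tunnel list.
    print(report([LINK_NET]))
    # After the fix: the UC520 subnets are added as well.
    print(report([LINK_NET] + UC520_LANS))
```

Running the script prints a gap list containing all three UC520 subnets for the original split-tunnel configuration and an empty list once they are added, which matches the behaviour Johnny described: the 192.168.75.x network was reachable over the VPN while 192.168.10.x was not, even though the SR520 itself had the routes.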