Unanswered Question
Aug 7th, 2009


I have an ASA 5540 whose Gig2 interface is subinterfaced into 3 VLANs: 40, 50, 60. Do I need to trunk the port (cable is coming from the ASA Gig2 interface) on the switch and create VLANs 40, 50 and 60 on the switch in order to get the hosts in these VLANs working? Do I have to do anything to the Gig2 interface? Please see the config below.


interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/2.40
 vlan 40
 nameif DMZ-Public
 security-level 40
 ip address standby

interface GigabitEthernet0/2.50
 vlan 50
 nameif DMZ-2
 security-level 50
 ip address standby

interface GigabitEthernet0/2.60
 vlan 60
 nameif DMZ-3
 security-level 60
 ip address standby

srue Fri, 08/07/2009 - 07:27

Your config on the ASA looks fine. On the switch, you will need to trunk the port using dot1q, and you will need to create those VLANs - 40, 50, 60 - and allow them on the trunk port of the switch.

CCDECCDE9 Mon, 08/10/2009 - 08:04

Do these VLANs on the switch need to have the same subnet as the firewall VLAN interfaces?

In this case, on the switch:

Interface VLAN 40
 ip address

Interface VLAN 50
 ip address

Interface VLAN 60
 ip address

JORGE RODRIGUEZ Tue, 08/11/2009 - 08:38

You don't need to create L3 VLANs in the switch, as you already have the firewall as a layer 3 device for those networks. You simply need to do what Steven indicated in his post.

Create the VLANs in the switch:

SW1#vlan database
SW1(vlan)#vlan 40 name
SW1(vlan)#vlan 50 name
SW1(vlan)#vlan 60 name

Then create a dot1q trunk on the physical port in the switch that connects to the firewall:

SW1(config)#interface fe0/xx
SW1(config-if)#description Connection to ASA
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 40,50,60

Then assign ports to the respective VLANs for hosts in the switch.
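An added example, not part of the thread and not Cisco tooling: a Python check that the switch trunk's allowed-VLAN list matches the VLANs tagged on the ASA subinterfaces, so a DMZ VLAN is neither dropped at the trunk nor joined by VLANs the firewall never uses. Both configs are constructed samples; the interface name `FastEthernet0/1` and the deliberately mismatched allowed list are assumptions.

```python
import re

# Constructed sample configs modelled on the thread (IP addresses omitted).
ASA_CONFIG = """\
interface GigabitEthernet0/2
 no nameif
interface GigabitEthernet0/2.40
 vlan 40
 nameif DMZ-Public
interface GigabitEthernet0/2.50
 vlan 50
 nameif DMZ-2
interface GigabitEthernet0/2.60
 vlan 60
 nameif DMZ-3
"""
# The trunk below is deliberately wrong: VLAN 60 is missing, 51-55 are extra.
SWITCH_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 40,50-55
 switchport mode trunk
"""

def asa_subinterface_vlans(config):
    """VLAN IDs tagged by ASA subinterfaces ('vlan N' lines inside stanzas)."""
    return {int(v) for v in re.findall(r"^\s+vlan (\d+)\s*$", config, re.M)}

def trunk_allowed_vlans(config):
    """Expand 'switchport trunk allowed vlan 40,50-55' into a set of IDs."""
    m = re.search(r"switchport trunk allowed vlan ([\d,-]+)", config)
    if m is None:          # no allowed list configured: IOS permits all VLANs
        return set(range(1, 4095))
    allowed = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def audit(asa_config, switch_config):
    """Return (VLANs the ASA tags but the trunk drops, allowed VLANs the ASA never uses)."""
    needed = asa_subinterface_vlans(asa_config)
    allowed = trunk_allowed_vlans(switch_config)
    return sorted(needed - allowed), sorted(allowed - needed)

if __name__ == "__main__":
    missing, unused = audit(ASA_CONFIG, SWITCH_CONFIG)
    print("missing from trunk:", missing)
    print("allowed but unused:", unused)
```
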


