ASA and 2960g, VLANs

scott.bridges
Level 1

Hello,

So I have what is probably a very dumb question.  Here is what I have:

ASA5505 e0/1 ---> switch2960G ge0/24

Laptop ---> switch 2960G ge0/1

Right now I'm able to get out to the WAN, but I want to get VLAN trunking working.  This is on the switch:

interface GigabitEthernet0/24
 switchport mode trunk
!
interface Vlan1
 description Management VLAN
 ip address 192.168.1.253 255.255.255.0
 no ip route-cache
!
interface Vlan10
 description wireless vlan
 no ip address
 no ip route-cache
!
interface Vlan50
 description telecom vlan
 no ip address
 no ip route-cache

And this is what is on the ASA:

interface Vlan1
 description LOCAL VLAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 description WIRELESS GUEST VLAN
 nameif guest
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan50
 description TELEPHONE VLAN
 nameif telecom
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/1

Now, since there is no 'switchport' command configured on Ethernet0/1 on the ASA, I assume it's defaulted to access mode.  But since the 2960 is set to TRUNK mode, shouldn't it be failing?

My biggest problem is that when I do "switchport mode trunk" on the e0/1 (ASA), my laptop completely loses connection to the outside.  The link goes down.  All I did was set both ends to trunks; I haven't done VLAN pruning yet.

My end goal is to be able to assign a few ports on the 2960 to VLAN50 and have them be able to get out to the internet through the ASA, while letting the rest of the ports stay assigned to the default VLAN1 and operate as normal.

Am I missing something obvious?

Thanks

Accepted Solution

Shahaludeen N
Level 1

Hi Scott,

I am assuming something that you didn't specify, taking into consideration that you said the configuration you mentioned lets at least your laptop reach the outside.

I am assuming your laptop is connected to vlan 1. The configuration you have looks to me like below.

ASA
-------
interface e0/1
 switchport access vlan 1 (this is the default)
!

Switch
--------
interface G0/1
 switchport access vlan 1
!
interface G0/24
 switchport mode trunk
!

ASA e0/1 is connected to Switch port G0/24.

And you mean the above configuration is working.

This probably should be working because:

Since the port G0/24 on the switch is configured as a trunk, it will try to negotiate (as you didn't disable DTP) with the other end and try to make a trunk. Even if the other end doesn't oblige, G0/24 on the switch will be made a trunk unconditionally; I mean the operational status will be trunk and the native VLAN will be 1 (default). I don't think DTP is there on the ASA, so I assume it doesn't become a trunk on the ASA. But this doesn't mean that the link will fail. As long as the speed and duplex are matched the connectivity will be there (as by default this configuration error won't err-disable the port). Now the packet sent from the laptop will be sent untagged and the ASA will receive it on a port in VLAN 1, and the ASA will send the reply packet without any tagging as well. The switch receives the untagged packets and considers them VLAN 1 packets (because of the default native VLAN 1) and finally the laptop will receive them, so here the communication can happen.

Now when you said "My biggest problem is that when I do "switchport mode trunk" on the e0/1 (ASA), my laptop completely loses connection to the outside. The link goes down.", what do you mean? Is the interface status going down, or is it just that the laptop is no longer able to communicate to the outside?

If you are finding the interface status going down, just try adding the command 'switchport nonegotiate' on the trunk interface of the switch as below. If the interface is coming up but communication is lost, then put the below configuration in as it is and check.

interface G0/24
 switchport nonegotiate
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,50
!

And on the ASA,

interface e0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,50
!

Specifically, put 'switchport trunk allowed vlan 1,50' on the ASA. As long as the interface status is not going down, even if you didn't create any VLANs on the switch, VLAN 1 should be working and so your laptop should be able to reach the outside.

Regards,

Shahal.
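To make the accepted answer's explanation concrete, here is an added Python model (not code from the thread, from Cisco or from any of the posters) of how each end of the link classifies a frame: an untagged frame lands in the receiving port's native VLAN, a tagged frame goes to the VLAN in its tag when that VLAN is allowed on the port, and an access port ignores tags altogether. It reproduces the thread's two situations (switch Gi0/24 trunking towards an ASA e0/1 that is still an access port in VLAN 1, then towards e0/1 as a matching trunk) and adds a hypothetical native-VLAN mismatch to show why the native VLANs must agree on both ends. MAC addresses and the payload are constructed.

```python
"""802.1Q handling on a trunk link, modelled in Python (added example)."""
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Port:
    name: str
    trunk: bool
    native_vlan: int     # on an access port this is simply the access VLAN
    allowed: frozenset   # VLANs the port forwards; an access port allows only its own


def build_frame(dst, src, payload, vlan=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; an 802.1Q tag (TPID 0x8100, PCP/DEI 0) is inserted when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN id out of range")
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vlan(frame):
    """VLAN id carried in the 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def classify_ingress(port, frame):
    """VLAN the receiving port assigns the frame to, or None if the frame is dropped."""
    tag = parse_vlan(frame)
    if tag is None:
        vlan = port.native_vlan      # untagged -> native VLAN (the access VLAN on an access port)
    elif port.trunk:
        vlan = tag
    else:
        return None                  # an access port does not accept tagged frames
    return vlan if vlan in port.allowed else None


def egress_frame(port, vlan, dst, src, payload):
    """Frame the sending port puts on the wire: untagged for the native VLAN, tagged otherwise."""
    if vlan not in port.allowed:
        return None                  # pruned by the allowed list
    tag = vlan if (port.trunk and vlan != port.native_vlan) else None
    return build_frame(dst, src, payload, vlan=tag)


# Constructed addresses and payload (locally administered MACs).
DST = bytes.fromhex("0200000000a1")
SRC = bytes.fromhex("0200000000b2")
PAYLOAD = b"\x45" + b"\x00" * 19

# Port settings taken from the thread.
SWITCH_GI0_24 = Port("Gi0/24", trunk=True, native_vlan=1, allowed=frozenset({1, 50}))
ASA_E0_1_ACCESS = Port("e0/1", trunk=False, native_vlan=1, allowed=frozenset({1}))
ASA_E0_1_TRUNK = Port("e0/1", trunk=True, native_vlan=1, allowed=frozenset({1, 50}))
# Hypothetical misconfiguration: trunk on both ends, but the native VLANs differ.
ASA_E0_1_NATIVE10 = Port("e0/1", trunk=True, native_vlan=10, allowed=frozenset({1, 10, 50}))


def reaches_asa(asa_port, host_vlan):
    """VLAN in which the ASA receives a frame from a host in host_vlan behind Gi0/24, or None."""
    wire = egress_frame(SWITCH_GI0_24, host_vlan, DST, SRC, PAYLOAD)
    if wire is None:
        return None
    return classify_ingress(asa_port, wire)


if __name__ == "__main__":
    for label, port in (("ASA e0/1 access", ASA_E0_1_ACCESS), ("ASA e0/1 trunk", ASA_E0_1_TRUNK),
                        ("ASA e0/1 native 10", ASA_E0_1_NATIVE10)):
        print(label, {v: reaches_asa(port, v) for v in (1, 10, 50)})
```

Running it shows VLAN 1 traffic passing in all three cases, VLAN 50 reaching the ASA only once e0/1 is a trunk, and, in the mismatch case, VLAN 1 frames silently landing in VLAN 10 on the ASA. That last line is why the native VLAN should be checked on both ends rather than trusting a link that merely shows up as connected.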


10 Replies

Reza Sharifi
Hall of Fame

Hi Scott,

If you have multiple VLANs connecting to the same physical port on the ASA, then you have to create a sub-interface for each VLAN. Once you create more than one VLAN or sub-interface, the interface is automatically configured as an 802.1Q trunk.

Have a look at this config guide on how to configure it with examples

http://www.ciscosystems.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

HTH

Reza

Hi,

As this is an ASA5505, the ports are all layer 2 and so you cannot create subinterfaces.

You can create a trunk, but for that I think you need a Security Plus license. Can you check which license you have?

If you don't have a Security Plus license, what you can do is connect a different cable for each VLAN to the switch and make them access VLANs only.

Regards,

Shahal

Hello,

Shahal, you appear to be correct in that I am unable to create sub-interfaces on the ASA (like you can on a router).

I do have the Security Plus license installed. I made sure to get this as I knew I'd be utilizing VLANs.

So I do have the license but when I try to turn port Ethernet0/1 into the trunk, the connection goes down.

Is there any other configuration needed?

I've tried just:

interface ethernet 0/1
 switchport mode trunk

And I've also tried:

interface ethernet 0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,50

Neither of those works in conjunction with the 2960's FastEthernet0/24 being "switchport mode trunk".

Thanks

glen.grant
VIP Alumni

Did you create the layer 2 VLANs on the 2960? I see that for some reason you created an unneeded layer 3 SVI (interface vlan 10 and 50) on the 2960 for VLAN 10 and VLAN 50; those aren't doing anything. Do a show vlan and see if VLANs 10 and 50 show up on the 2960. If not, create the layer 2 VLANs.

My thought was that since I did:

interface Vlan10
 description wireless vlan
 no ip address
 no ip route-cache

On the 2960, that this would enable Vlan10 on the 2960.  And since the 2960 is a Layer2 device, then that Vlan10 interface was Layer2.

What do you mean by creating the Layer2 VLAN?

Also, even if I didn't have the VLANs defined on the switch, but the giga0/24 was defined as a trunk on the switch, shouldn't it still work?

Thanks

No, that is a layer 3 SVI. On a layer 2 switch you only need one of those, which will allow you to manage the switch via telnet or ssh. That's its only function. You have an address on vlan 1, so I assume that's the address you are using to manage the switch. Do a show vlan and see if VLANs 10 and 50 show active; if not, do the following.

conf t
vlan 50
vlan 10
exit
exit
wr mem

You were correct.  I did not do the "vlan 10" and "vlan 50" commands.  I just did that and got:

2960G#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22
2    VLAN0002                         active    Gi0/23
10   VLAN0010                         active
50   VLAN0050                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
50   enet  100050     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
2960G#

So now I have Gi0/24 connected via trunk:

2960G#sh int status | inc 0/24
Gi0/24                       connected    trunk      a-full  a-100 10/100/1000BaseTX

*BUT*, this is what Gi0/24 is connected to on the ASA (e0/1):

!
interface Ethernet0/1
!

It is *not* configured as a trunk.  Yet everything is okay.  The problem occurs when I set e0/1 on the ASA to "switchport mode trunk".

Again, my goal would be to assign, for example, port Gi0/20 and Gi0/21 on the Switch to VLAN50, and still have it all work.

Thanks

When you force on the trunks like that, all it needs to see is a physical link and it is going to say trunking on the switch side even though it might not be. I can't tell you what the FW side should be, but once you get that side ironed out it should be ok. Make sure the native VLANs match on both sides; if none was set then the native VLAN defaults to VLAN 1. The FW side may need to be set up using subinterfaces for the trunking setup, but it will still work if it is set up correctly. Maybe someone with more FW experience can chime in. Here is a blurb in one of the docs about trunking on the ASA:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/intrface.html#wpxref83021
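The checks the replies ask for (the same mode and native VLAN on both ends, matching allowed lists, DTP turned off towards a device that does not negotiate, and the layer 2 VLANs actually created on the switch) can be scripted against the running configs. The following is an added Python example, not code from the thread or from Cisco; the two interface stanzas and the show vlan listing are constructed from what was posted, and the parser assumes IOS defaults (access mode, native VLAN 1, all VLANs allowed, DTP on) for anything a stanza does not state.

```python
"""Consistency check for an 802.1Q trunk between a switch and an ASA 5505 port (added example)."""
import re

# Constructed from the accepted answer's working configuration.
SWITCH_GI0_24 = """\
interface GigabitEthernet0/24
 switchport nonegotiate
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,50
"""

ASA_E0_1 = """\
interface Ethernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,50
"""

ASA_E0_1_DEFAULT = "interface Ethernet0/1\n"   # no switchport commands: access port in VLAN 1

# Constructed 'show vlan' excerpt after 'vlan 10' and 'vlan 50' were created.
SHOW_VLAN_AFTER = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
2    VLAN0002                         active    Gi0/23
10   VLAN0010                         active
50   VLAN0050                         active
1002 fddi-default                     act/unsup
"""
# The same listing before those two VLANs existed on the switch.
SHOW_VLAN_BEFORE = "\n".join(l for l in SHOW_VLAN_AFTER.splitlines()
                             if not l.startswith(("10 ", "50 "))) + "\n"


def parse_vlan_list(spec):
    """Expand an allowed-list such as '1,50' or '1,10-12' into a set of ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_switchport(stanza):
    """Trunk-relevant settings of one interface stanza, with IOS defaults for anything unset."""
    s = {"name": None, "mode": "access", "native": 1, "allowed": None, "nonegotiate": False}
    for raw in stanza.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            s["name"] = line.split(None, 1)[1]
        elif line == "switchport mode trunk":
            s["mode"] = "trunk"
        elif line == "switchport nonegotiate":
            s["nonegotiate"] = True
        elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", line)):
            s["native"] = int(m.group(1))
        elif (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\- ]+)", line)):
            s["allowed"] = parse_vlan_list(m.group(1))
    return s


def parse_show_vlan(text):
    """Ids of VLANs whose status column reads 'active' (act/unsup defaults are skipped)."""
    active = set()
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+\S+\s+(\S+)", line)
        if m and m.group(2) == "active":
            active.add(int(m.group(1)))
    return active


def check_trunk(switch_stanza, asa_stanza, show_vlan_text):
    """List of findings; an empty list means both ends agree and the allowed VLANs exist."""
    sw, asa = parse_switchport(switch_stanza), parse_switchport(asa_stanza)
    findings = []
    if sw["mode"] != asa["mode"]:
        findings.append(f"mode mismatch: {sw['name']} is {sw['mode']}, {asa['name']} is {asa['mode']}")
    if sw["native"] != asa["native"]:
        findings.append(f"native VLAN mismatch: {sw['native']} on {sw['name']}, {asa['native']} on {asa['name']}")
    if sw["mode"] == "trunk" and not sw["nonegotiate"]:
        findings.append(f"DTP still enabled on {sw['name']}; add 'switchport nonegotiate'")
    if sw["allowed"] is not None and asa["allowed"] is not None and sw["allowed"] != asa["allowed"]:
        findings.append(f"allowed VLAN mismatch: {sorted(sw['allowed'])} vs {sorted(asa['allowed'])}")
    missing = sorted((sw["allowed"] or set()) - parse_show_vlan(show_vlan_text))
    if missing:
        findings.append(f"VLANs allowed on the trunk but not created on the switch: {missing}")
    return findings


if __name__ == "__main__":
    print("working config   :", check_trunk(SWITCH_GI0_24, ASA_E0_1, SHOW_VLAN_AFTER))
    print("ASA left default :", check_trunk(SWITCH_GI0_24, ASA_E0_1_DEFAULT, SHOW_VLAN_AFTER))
    print("VLANs not created:", check_trunk(SWITCH_GI0_24, ASA_E0_1, SHOW_VLAN_BEFORE))
```

The first case returns no findings; the second reports the mode mismatch Scott started with (Gi0/24 trunking into an e0/1 that is still an access port), and the third reports VLAN 50 as allowed on the trunk but never created, which is what the show vlan output in this thread was used to confirm.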


Hello,

So your instructions were correct.

I could have sworn that I had all this correct last time, but when I issued the "switchport mode trunk" on the ASA, the ethernet0/1 went down. The only way I could get it back up was removing the trunk. Weird.

Oh well, it seems that I am routing VLANs!  Thanks both of you for all your help!

I need to create an access-list for inter-vlan communication on the ASA, but I'll move over to the other forum for that.

Thanks again!
