Moving "inside" interface to subinterface

Answered Question
May 24th, 2010

Hi All,


I have set up some subinterfaces (VLANs) on my firewall's LAN physical interface and now I wish to move my "inside" interface from the physical interface to its own VLAN so that my LAN physical interface is no longer accepting untagged traffic.


My firewall is connected to a 2960 switch.


I am managing these switches remotely at the moment and I do not want to lose management to the firewalls or the switch during this change.


I have opened up external ssh access to the firewall as a temporary measure from an IP.


I tried moving the inside interface configuration to a subinterface as VLAN 1, as my switch configuration has the current management IP in VLAN 1.


But then I lose connectivity to the switches (cannot ping from the firewall).


For example.


Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is XXXXXX

Internet address is 192.168.1.98/24



VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/17, Gi0/18, Gi0/19, Gi0/20, Gi0/21, Gi0/22
10   VLAN0010                         active   
11   VLAN0011                         active



Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1


Port        Vlans allowed on trunk
Gi0/1       1-4094



I probably want to change my native VLAN to something else but until I'm on site I don't want to do this and lose access.


Any advice is greatly appreciated.

Federico Coto F... Mon, 05/24/2010 - 19:17

Marcos,


Currently the inside interface of the ASA has an IP on VLAN 1 (192.168.1.x/24)?
That IP is assigned to the physical interface and you want to move that configuration to a subinterface, but keep the same IP (same VLAN)?


Federico.

marcosgeorgopoulos Wed, 05/26/2010 - 00:20

Hi,


Thank you for your reply.


Yes I want to move my "inside" 192.168.1.1 network from the physical interface to a subinterface so that I can tag it in a VLAN.


I know how to configure the subinterface etc., but when I move it to a subinterface, i.e.


from e0/2 to e0/2.1 and assigned VLAN 1,


I can no longer ping my switches, which have a management IP of 192.168.1.98 (the native VLAN on the switch is 1).

Correct Answer
Jon Marshall Wed, 05/26/2010 - 02:36

marcosgeorgopoulos wrote:


Hi,


Thank you for your reply.


Yes I want to move my "inside" 192.168.1.1 network from the physical interface to a subinterface so that I can tag it in a VLAN.


I know how to configure the subinterface etc., but when I move it to a subinterface, i.e.


from e0/2 to e0/2.1 and assigned VLAN 1,


I can no longer ping my switches, which have a management IP of 192.168.1.98 (the native VLAN on the switch is 1).


Marcos


If the native vlan of the switch is vlan 1 then the switch will not expect to see vlan 1 tagged coming from the firewall subinterface. So you need to change the native vlan on the switch.


Jon
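
Added example, not part of the thread and not Cisco tooling: a small pre-change check that parses the trunk output quoted in the question and reports whether a VLAN tagged by a firewall subinterface collides with the trunk's native VLAN, which is the condition described in the answer above. The function names are hypothetical, and VLAN 999 in the usage note is an assumed unused VLAN ID.

```python
import re

# Trunk state quoted in the question (output of the switch's trunk listing).
TRUNK_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094
"""

def parse_trunk(output):
    """Return {port: {"native": int, "allowed": [(low, high), ...]}}."""
    ports, section = {}, None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # header line starts a new table
            if "Native vlan" in line:
                section = "native"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None  # tables this check does not need
            continue
        if section is None:
            continue
        port = ports.setdefault(fields[0], {"native": None, "allowed": []})
        if section == "native":
            port["native"] = int(fields[-1])
        else:
            for part in fields[1].split(","):
                m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
                if m:  # skips non-numeric values such as "none"
                    port["allowed"].append((int(m[1]), int(m[2] or m[1])))
    return ports

def check_subinterface(trunk, vlan_id):
    """Say how the switch trunk treats the VLAN a firewall subinterface tags."""
    if not any(low <= vlan_id <= high for low, high in trunk["allowed"]):
        return "blocked: VLAN not allowed on the trunk"
    if vlan_id == trunk["native"]:
        return "mismatch: native VLAN is untagged on the switch, tagged by the subinterface"
    return "ok: tagged on both ends"

if __name__ == "__main__":
    gi01 = parse_trunk(TRUNK_OUTPUT)["Gi0/1"]
    for vlan in (1, 10):
        print(vlan, check_subinterface(gi01, vlan))
```

With the trunk as posted, VLAN 1 is reported as a mismatch and VLAN 10 as ok; rerunning the check with the native VLAN set to 999 reports VLAN 1 as ok.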
