Moving "inside" interface to subinterface

May 24th, 2010

Hi All,

I have set up some subinterfaces (VLANs) on my firewall's LAN physical interface and now I wish to move my "inside" interface from the physical interface to its own VLAN so that my LAN physical interface is no longer accepting untagged traffic.

My firewall is connected to a 2960 switch.

I am managing these switches remotely at the moment and I do not want to lose management to the firewalls or the switch during this change.

I have opened up external ssh access to the firewall as a temporary measure from an IP.

I tried moving the inside interface configuration to a subinterface as VLAN 1, as my switch configuration has the current management IP in VLAN 1.

But then I lose connectivity to the switches (cannot ping from the firewall).

For example.

Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is XXXXXX

Internet address is 192.168.1.98/24

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/17, Gi0/18, Gi0/19, Gi0/20, Gi0/21, Gi0/22
10   VLAN0010                         active   
11   VLAN0011                         active


Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

I probably want to change my native VLAN to something else but until I'm on site I don't want to do this and lose access.

Any advice is greatly appreciated.

Federico Coto F... Mon, 05/24/2010 - 19:17

Marcos,

Currently the inside interface of the ASA has an IP on VLAN 1 (192.168.1.x/24)?
That IP is assigned to the physical interface and you want to move that configuration to a subinterface, but keep the same IP (same VLAN)?

Federico.

marcosgeorgopoulos Wed, 05/26/2010 - 00:20

Hi,

Thank you for your reply.

Yes I want to move my "inside" 192.168.1.1 network from the physical interface to a subinterface so that I can tag it in a VLAN.

I know how to configure the subinterface etc., but when I move it to a subinterface, i.e.

from e0/2 to e0/2.1 and assign VLAN 1,

I can no longer ping my switches, which have a management IP of 192.168.1.98 (the native VLAN on the switch is 1).

Correct Answer
Jon Marshall Wed, 05/26/2010 - 02:36

marcosgeorgopoulos wrote:

Hi,

Thank you for your reply.

Yes I want to move my "inside" 192.168.1.1 network from the physical interface to a subinterface so that I can tag it in a VLAN.

I know how to configure the subinterface etc., but when I move it to a subinterface, i.e.

from e0/2 to e0/2.1 and assign VLAN 1,

I can no longer ping my switches, which have a management IP of 192.168.1.98 (the native VLAN on the switch is 1).

Marcos

If the native vlan of the switch is vlan 1 then the switch will not expect to see vlan 1 tagged coming from the firewall subinterface. So you need to change the native vlan on the switch.

Jon
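To show the frame-level reason behind the native VLAN advice above, here is an added Python model (not code from this thread, nor from Cisco): it builds real 802.1Q frames and assumes that the 2960 sends native-VLAN traffic untagged on the trunk, that an ASA subinterface only accepts frames tagged with its own VLAN, and that the physical interface accepts untagged frames only while it still carries a nameif/IP. The MAC addresses and the replacement native VLAN 999 are constructed values.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q tagged frame
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MACs (not from the thread).
FW_MAC = bytes.fromhex("001122334455")  # ASA e0/2
SW_MAC = bytes.fromhex("66778899aabb")  # 2960 SVI Vlan1 (192.168.1.98)


def build_frame(dst, src, vlan, payload=b"\x45" + b"\x00" * 19):
    """Ethernet II frame; vlan=None builds an untagged frame, otherwise an 802.1Q tag is inserted."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)  # PCP/DEI bits left at 0
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vlan(frame):
    """VLAN ID carried in the 802.1Q tag, or None if the frame is untagged."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def switch_trunk_egress(vlan, native_vlan, dst, src):
    """Frame as it leaves the switch trunk: native-VLAN traffic goes untagged, other VLANs tagged (assumption)."""
    return build_frame(dst, src, None if vlan == native_vlan else vlan)


def asa_ingress(frame, subinterface_vlans, physical_has_ip):
    """Name of the ASA interface that accepts the frame, or None if it is dropped.
    Tagged frames go to the subinterface configured for that VLAN; untagged frames go
    only to the physical interface, and only while it still has a nameif/IP (assumption)."""
    vid = parse_vlan(frame)
    if vid is None:
        return "e0/2" if physical_has_ip else None
    return subinterface_vlans.get(vid)


def mgmt_reply_reaches(native_vlan, subinterface_vlans, physical_has_ip, mgmt_vlan=1):
    """Which firewall interface (if any) receives a reply from the switch's VLAN 1 management SVI."""
    frame = switch_trunk_egress(mgmt_vlan, native_vlan, FW_MAC, SW_MAC)
    return asa_ingress(frame, subinterface_vlans, physical_has_ip)


if __name__ == "__main__":
    print("inside on physical e0/2, native 1:", mgmt_reply_reaches(1, {}, True))
    print("inside on e0/2.1 vlan 1, native 1:", mgmt_reply_reaches(1, {1: "e0/2.1"}, False))
    print("inside on e0/2.1 vlan 1, native 999:", mgmt_reply_reaches(999, {1: "e0/2.1"}, False))
```

The third case also shows the end state the question is after: once no firewall interface owns untagged frames, anything arriving untagged on e0/2 is dropped rather than landing in the inside network.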
