Solved: VLANs with a Cisco ASA 5505 and non-Cisco switch

Arvo Bowen · ‎08-11-2011

I have an ASA5505 and a Netgear GSM7224 L2 switch that I'm trying to use together. I can not grasp how VLANs work (or at least how they should be set up). When setting up my VLANs on the ASA5505 it seems simple enough, but then on my switch I figured I would just create the same VLAN numbers as I used on the ASA then add the ports I wanted to use for each VLAN.

Currently on my ASA I have the following VLANs configured...

outside - vlan11 - Port 0/0

inside - vlan1 - Port 0/1

dmz_ftp - vlan21 - Port 0/2

corp - vlan31 - Port 0/3

I need to do the same thing on my switch as well... On my switch I'm a little confused as to how I need to set the vlans up. The web GUI screen shot is below...

Note: Now normally you can change VLAN ID (red), but in this case the default vlan (vlan id 1) can not be deleted or changed, you can only changes it's settings.

With Tagged (green), Untagged (purple), and Autodetect (yellow) you have to choose at least 1. I'm just not sure how to set up one for say my inside vlan (vlan1).

On VLAN1 I want ports 1-8 on my Netgear switch used any only talking to interface/port 0/1 on the ASA5505. I do NOT want port 9-24 able to talk to ports 1-8 on the Netgear switch OR ports 0/0, 0/2 - 0/7 on the Cisco ASA 5505.

So how do I set up my inside Vlan1 on ports 1-8 on the switch? Do I tag, untag, autodetect them? What about trunking? I was kinda under the impression that I would set up my vlans on both devices then trunk 1 port and dedicate that port on both devices to nothing but trunking then the vlan security would take then packets where they need to go. Is that the wrong logic?

mirober2 · ‎08-20-2011

Hi Arvo,

If the ASA's port is only a member of a single VLAN (i.e. e0/0 only carries VLAN 11), this is called an Access port. If the ASA's port were to carry multiple VLANs, it would be considered a Trunk port.

For access ports (single VLAN), you should set the corresponding switch port to be Untagged for that particular VLAN. If you decide to configure a trunk port, then the switch port needs to be set for Tagging for each of the VLANs that the trunk will carry.

For example, on the ASA I have:

interface Ethernet0/1

switchport access vlan 20

!

interface Vlan20

nameif inside

security-level 100

ip address 192.168.100.254 255.255.255.0

With the above configuration, the switch config would look like this (assume the ASA's e0/1 port is connected to 0/1 on the switch):

VLAN 20 - 0/1 = untagged

If instead you used a trunk port, the config would look like this:

interface Ethernet0/0

switchport trunk allowed vlan 10,20

switchport mode trunk

!

interface Vlan10

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan20

nameif inside

security-level 100

ip address 192.168.100.254 255.255.255.0

Assuming the ASA's e0/0 port is connected to 0/1 on the switch):

VLAN 10 - 0/1 = tagged
VLAN 20 - 0/1 = tagged

Hope that helps.

-Mike

View solution in original post

mirober2 · ‎08-20-2011

Hi Arvo,

If the ASA's port is only a member of a single VLAN (i.e. e0/0 only carries VLAN 11), this is called an Access port. If the ASA's port were to carry multiple VLANs, it would be considered a Trunk port.

For access ports (single VLAN), you should set the corresponding switch port to be Untagged for that particular VLAN. If you decide to configure a trunk port, then the switch port needs to be set for Tagging for each of the VLANs that the trunk will carry.

For example, on the ASA I have:

interface Ethernet0/1

switchport access vlan 20

!

interface Vlan20

nameif inside

security-level 100

ip address 192.168.100.254 255.255.255.0

With the above configuration, the switch config would look like this (assume the ASA's e0/1 port is connected to 0/1 on the switch):

VLAN 20 - 0/1 = untagged

If instead you used a trunk port, the config would look like this:

interface Ethernet0/0

switchport trunk allowed vlan 10,20

switchport mode trunk

!

interface Vlan10

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan20

nameif inside

security-level 100

ip address 192.168.100.254 255.255.255.0

Assuming the ASA's e0/0 port is connected to 0/1 on the switch):

VLAN 10 - 0/1 = tagged
VLAN 20 - 0/1 = tagged

Hope that helps.

-Mike

Arvo Bowen · ‎08-22-2011

Thanks Mike!

That's exactly the kind of response that will get me moving in the right direction. It seems to me that I will need to use trunking and let a single port on my ASA carry all the traffic to the switch. Here is an example of my setup...

So I wanna make sure I get this strait... On the ASA I have port 0/7 dedicated to trunking. Then I have my VLANs set up like in the picture. With this set up can something pugged up to INT 0/1 on the ASA ONLY talk to PCs plugged into Ports 5-9 (EX: PC1 and PC3)?

mirober2 · ‎08-22-2011

Hi Arvo,

Yes, that's correct. If you were to connect something to 0/1 on the ASA, it would be able to automatically talk to PC1 and PC3. The ASA just acts as a switch at that point, since 0/1 and 0/7 both exist in VLAN 1.

If you needed that device to talk to something in a different VLAN, the ASA will act as a layer 3 device at that point, and your security policy on the ASA will need to allow that communication.

Hope that helps.

-Mike

Arvo Bowen · ‎08-22-2011

It helps a bunch! OK now that I got the basics out of the way and I know that what I'm talking about is not wrong, back to my original question...

On the Netgear switch what should I set port 1 up as? What is all that tagging junk?

mirober2 · ‎08-22-2011

Hi Arvo,

The switch's port 1 should be configured as "tagged" for VLAN 1, VLAN 11, and VLAN 31.

Tagging refers to 802.1q VLAN tagging for packets. If a switch port is untagged, the ASA doesn't expect any 802.1q headers to be included in the packet, it just assumes that it is part of the only VLAN the port is configured for. This is sometimes called an "access" port.

If a switch port is tagged, the ASA expects that each packet will arrive with an 802.1q header that indicates which VLAN the packet is part of. This is used for trunk ports, since they will carry packets from multiple VLANs. The only way the ASA will know which VLAN a packet is part of when it receives it on a trunk port is if it has a 802.1q tag.

-Mike

Arvo Bowen · ‎08-22-2011

OK well it's 1/2 working...

I switch ed up a few things... Currently I'm using the Netgear's port 0.24 solely for trunking. And int 0/7 on the ASA solely for trunking. The Netgear's ports 1-16 are UNtagged for VLAN1, then ports 17-22 are UNtagged for VLAN 31. Also ports 23 and 24 are TAGGED for VLAN1, and VLAN31.

Here is the status on the Netgear...

VLAN ID VLAN Name VLAN Type Slot/Port Member Ports

1 inside Default 0/1 0/2 0/3 0/4 0/5 0/6 0/7 0/8 0/9 0/10 0/11 0/12 0/13 0/14 0/15 0/16 0/23 0/24

31 corp Static 0/17 0/18 0/19 0/20 0/21 0/22 0/23 0/24

I have PCs in VLAN1 talking to each other... but no dice on VLAN31

Netgear's Config File...

(GSM7224) >show run

!Current Configuration:

!

!System Description "GSM7224 L2 Managed Gigabit Switch"

!System Description 6.2.0.14

!

set prompt "GSM7224"

network protocol none

network parameters 10.71.1.253 255.255.255.0 10.71.1.1

vlan database

vlan name 1 inside

vlan 31

vlan name 31 corp

exit

configure

logging buffered

authentication login Admin local

lineconfig

exit

spanning-tree configuration name 00-0F-B5-43-A8-90

snmp-server sysname "GSM7224-1"

snmp-server location "Core Switch"

snmp-server contact "Arvo Bowen"

snmp-server community public@31

interface 0/1

vlan participation exclude 31

exit

interface 0/2

vlan participation exclude 31

exit

interface 0/3

vlan participation exclude 31

exit

interface 0/4

vlan participation exclude 31

exit

interface 0/5

vlan participation exclude 31

exit

interface 0/6

vlan participation exclude 31

exit

interface 0/7

vlan participation exclude 31

exit

interface 0/8

vlan participation exclude 31

exit

interface 0/9

vlan participation exclude 31

exit

interface 0/10

vlan participation exclude 31

exit

interface 0/11

vlan participation exclude 31

exit

interface 0/12

vlan participation exclude 31

exit

interface 0/13

vlan participation exclude 31

exit

interface 0/14

vlan participation exclude 31

exit

interface 0/15

vlan participation exclude 31

exit

interface 0/16

vlan participation exclude 31

exit

interface 0/17

vlan participation exclude 1

vlan participation include 31

exit

interface 0/18

vlan participation exclude 1

vlan participation include 31

exit

interface 0/19

vlan participation exclude 1

vlan participation include 31

exit

interface 0/20

vlan participation exclude 1

vlan participation include 31

exit

interface 0/21

vlan participation exclude 1

vlan participation include 31

exit

interface 0/22

vlan participation exclude 1

vlan participation include 31

exit

interface 0/23

vlan tagging 1

vlan participation include 31

vlan tagging 31

exit

interface 0/24

vlan tagging 1

vlan participation include 31

vlan tagging 31

exit

mirober2 · ‎08-22-2011

Hi Arvo,

What do you mean by "no dice on VLAN31"? Are you saying PC2 and PC4 are unable to talk to each other? What ports are those PCs connected to?

-Mike

Arvo Bowen · ‎08-22-2011

PC 2 and 4 work great together. It's going from PC 2 over the trunk to the ASA and trying to hit the IP of the ASA on VLAN31.

PC 2's IP on Netgear Switch Port 15: 10.71.3.50

ASA's IP on VLAN31: 10.71.3.1

I should be able to hit 10.71.3.1 from PC 2...

PC 1's IP on Netgear Switch Port 5: 10.71.1.50

ASA's IP on VLAN1: 10.71.1.1

Currently I can ping 10.71.1.1 from PC 1 and get great responces...

So what am I doing wrong?

Arvo Bowen · ‎08-22-2011

I figured it out!

On the Netgear switch I had to configure the VLANs in two places... I have no clue why but that's what it took to get it working...

Step 1: System->Switch->VLAN->Config

Here you want to set up all your VLANs.. In my case I had 2 VLANs including the default. I had the following VLANs.

1 - Default

31 - Corp

So in my case I used the default and changed the VLAN name to "inside" then the ONLY thing selected under TAGGED was ports 23 and 24. Then under UNTAGGED the ONLY thing that was selected was ports 1-16. And NOTHING under autodetect. Submit the changes... Then I choose the drop down at the top and created a new VLAN. I set the ID to 31 and called it "corp". Then the ONLY thing selected under TAGGED was ports 23 and 24. Then under UNTAGGED the ONLY thing that was selected was ports 17-22. And NOTHING under autodetect. Submit the changes.

Step 2: System->Switch->VLAN->Port Config

Here you want to define your VLANs per port. It seems your doing it all over again but it makes a difference!! So here I just selected ports 1-16 set the Port VLAN ID to 1 then left the defaults, then hit submit. Next selected ports 17-22 and used VLAN ID 31, then hit submit.

That did it for me! Thanks for the help mirober2!