ASA 5505 trunk port

Mohammed Yusuf
Level 1

Is it possible to configure two ports on the ASA 5505 to allow two access points? I have 3 VLANs: VLAN 1 inside, VLAN 2 outside and VLAN 3 DMZ, which is used for separate guest Wi-Fi access. I am looking to roll out a Cisco access point, replacing two wireless routers with one access point, and allow VLAN 1 and VLAN 3 and keep them separate.
How can I configure it? Is it possible?


walter baziuk
Level 5

Any solution yet?

I would like to see a solution for this too.

Jouni Forss
VIP Alumni

Hi,

To be honest this seems more like a question for the Wireless section. Also, WLAN is one of the areas of networking in which I have absolutely no experience.

But just regarding the ASA5505, if you want to configure a Trunk port on the ASA5505 then you will have to have the Security Plus license on it. If you have the Base License you won't be able to use Trunk interfaces, only Access ports.

You can check this with the command

show version

At the end of the licensed features you should see mention of Base License or Security Plus depending which one you have.

If I am not totally mistaken you would be separating 2 different WLAN networks to their own VLAN IDs. In that case if you need a trunk from the AP to the rest of the network and you don't have the Security Plus license on the ASA then you would have to configure the Trunk to a switch for those 2 VLAN IDs that belong to either INSIDE or DMZ.

- Jouni

Mohammed Yusuf
Level 1

I am not sure why we need security plus license for a port to convert into a trunk port on ASA 5505.
I am sure there is a better explanation or solution. Just no one has tried it yet.

Sent from Cisco Technical Support iPhone App

Hi,

The Trunking limitation on the ASA5505 is a known limitation without the correct license on the unit.

With the Base License the unit also only supports 3 VLAN IDs/interfaces, of which 1 VLAN ID is restricted. When you create the third VLAN ID/interface you will have to limit its (or one of the existing VLAN IDs') connectivity towards another VLAN ID (while the opposite direction in connection initiation is still allowed).

Just to give you an example of the Trunk limitation here is the message when I enter the command on my own ASA5505 with Base License

ASA(config-if)# switchport mode trunk

ERROR: Trunk port is not supported with this license

For official information/confirmation you can refer to these documents also

ASA at Glance (not sure why the link has mention of routers/800 series):

http://www.cisco.com/c/dam/en/us/products/collateral/routers/800-series-routers/prod_brochure0900aecd80285492.pdf

Supported Feature Licenses per Model:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/license/license_management/license.html#wp2124788

The licensing on the ASA5505 units doesn't really make sense other than it's just probably a way to get some extra money. I mean even having a limitation on the actual amount of hosts supported behind the ASA is pretty unbelievable.

With regards to the AP configuration I can't really help you but I imagine that you got that sorted yourself? If you are attempting to Trunk to the ASA then you need the Security Plus license. On the other hand if you have a separate switch then you can configure a Trunk between the switch and the AP and have 2 ports configured both on the ASA and the switch as Access Mode ports belonging to the 2 mentioned VLAN IDs and then connect those ports.

If you have problems regarding the AP configuration I would suggest posting a discussion on the Wireless section.

If I have misunderstood what you are attempting to accomplish then you will have to clarify. It's my understanding that you want to have 2 separate wireless networks and have their traffic come through their own VLAN ID to the ASA.

- Jouni
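The two layouts described in the reply above, written out as an added configuration sketch (not part of the original thread and not taken from Cisco documentation). The port numbers, the VLAN name, and the use of a Catalyst-style IOS switch are assumptions; VLAN 1 (inside) and VLAN 3 (DMZ/guest) come from the question.

```cisco
! --- Option A: Base license, external switch carries the trunk ---
! ASA 5505: one access port per VLAN (Ethernet0/1 and 0/2 assumed free)
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Switch (Catalyst IOS syntax assumed; port numbers are placeholders)
vlan 3
 name GUEST-DMZ
! Uplink to ASA Ethernet0/1 (inside)
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
! Uplink to ASA Ethernet0/2 (DMZ / guest)
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 3
! Trunk to the access point. Only the two required VLANs are allowed,
! so no other VLAN on the switch can leak onto the AP link.
! On platforms that also support ISL, "switchport trunk encapsulation dot1q"
! must be entered before "switchport mode trunk".
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 1,3
!
! --- Option B: Security Plus license, trunk directly on the ASA ---
! Rejected on a Base license with:
!   ERROR: Trunk port is not supported with this license
interface Ethernet0/3
 switchport trunk allowed vlan 1,3
 switchport mode trunk
 no shutdown
! In both options the AP must tag each SSID with the matching VLAN ID,
! and both ends of the trunk must agree on which VLAN (if any) is untagged.
```

In either layout the guest and inside networks stay separated only by the ASA's own policy between the VLAN 1 and VLAN 3 interfaces; the switch and AP just carry the tags.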

Mohammed

I am not sure why we need security plus license for a port to convert into a trunk port on ASA 5505.

Because that's what Cisco have decided for their licensing. There is nothing we can do about it other than to tell you trunks are only supported with that license. We don't work for Cisco.

I am sure there is a better explanation or solution. Just no one has tried it yet.

I don't think there is a better explanation than the one Jouni gave ie. trunks are not supported unless you have the security plus license. That is the explanation. 

In terms of a better solution if the ASA does not support trunks with the license you have and you need to have multiple vlans on your AP then you need a trunk link somewhere. So the answer Jouni gave is the solution ie you need a switch (L2 or L3) so you can connect your AP via a trunk link. If there was a way to do what you want on the ASA without trunks then Jouni would very probably know how to do it considering his expertise.

The only solution that is better than that is to use a trunk from the ASA but we have already covered that one.

Please don't take this the wrong way but if you are so sure there is a better solution than the one suggested then by all means try to find it and let us know what it is because we would be very interested to hear it.

Jon

Mohammed Yusuf
Level 1

None taken, Jon.

This is what I got when I ran show version:

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
Sent from Cisco Technical Support iPhone App

Mohammed

Thanks for that. It does look like the Base license ie. DMZ restricted etc.

So I think you will have to look into a switch as Jouni suggested if you need to have two vlans on the same AP.

Can't think of any other solution except obviously to upgrade your license.

Jon

Mohammed Yusuf
Level 1

My apologies, I got the link and on page 5-11 I found my answer, and yes, I do need the Security Plus license to trunk a port on the ASA 5505.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/int5505.pdf

Do you know how many I need?

Sent from Cisco Technical Support iPhone App

Do you mean how many trunks you need?

If so then just the one for a single AP with two separate vlans/subnets.

Jon

Mohammed Yusuf
Level 1

Sorry, I mean Security Plus licences.

Sent from Cisco Technical Support iPhone App

Hi,

You just need to get 1 Security Plus License for the ASA5505 unit you are using. (And you can't get any more than that)

Check the documents that I linked to see what other features they enable on your ASA.

- Jouni

Mohammed Yusuf
Level 1

One silly question: I do not see anyone selling one Security Plus licence.

Sent from Cisco Technical Support iPhone App

Hi,

I don't personally handle ordering devices that we use, and it is even less likely in the future as we merge into a larger ISP (that is in progress).

But so far we have ordered all the licenses and devices we need from a Cisco reseller. To be honest I am not sure if you can get them any other way than through the official channels. I am not sure where you are looking.

- Jouni
