
ASA5510 - Barracuda Webfilter VLAN/Trunk?

tony.broom
Level 1

Below is Ethernet0/0 and its subinterfaces. The physical Ethernet 0/0 is connected to a Gig port on a 2950T that is set to trunk.

I'm not using the native VLAN, but is the ASA dropping the native VLAN data from the switch since the physical interface wasn't issued a nameif? And can I change the 2950T from trunk to allowing select VLANs (switchport access 50,100, etc.)?

My reason for wanting to do this is because I have a Barracuda WebFilter that is designed to be inline. In my case between the ASA and switch. The webfilter can handle vlan traffic but not trunked.

Thanks for any input.

interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.50
vlan 50
nameif Engineering
security-level 80
ip address 192.168.220.1 255.255.255.0
!
interface Ethernet0/0.100
vlan 100
nameif OfficeNet
security-level 90
ip address 192.168.92.1 255.255.255.0
!
interface Ethernet0/0.200
vlan 200
nameif Automation
security-level 100
ip address 192.168.200.5 255.255.255.0
!
interface Ethernet0/0.201
vlan 201
nameif Enco
security-level 100
ip address 10.107.61.1 255.255.255.0
!
interface Ethernet0/0.202
vlan 202
nameif Traffic
security-level 95
ip address 192.168.202.5 255.255.255.0

3 Replies

Maykol Rojas
Cisco Employee

Hello,

Well, very much expected... Since you have done subinterfaces, it means that all packets will now be 802.1Q tagged. Now, on which interface exactly is the Barracuda going to be?

Cheers.

Mike

Mike

The Barracuda is supposed to be a network bridge. So Ethernet0/0 would be connected to the Barracuda WAN port, and then the LAN port of the Barracuda would be connected to the switch. Currently Ethernet0/0 is connected directly to the switch.

So can I change the port on the switch so it's not a trunk anymore, and set switchport access vlan 50,100, etc., so that the Barracuda can pass the VLAN tagged packets?

Thanks

Hello,

No, if you do that, no tagged packets are going to get to the firewall. Remember that it has subinterfaces, which means that tagged packets are expected. If the Barracuda cannot handle tagged packets, we are going to have a problem.

Cheers

Mike

Mike
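
The point made in the replies, shown as an added example that is not part of the original thread and is not Cisco code: a simplified model of how frames arriving on Ethernet0/0 are matched to the subinterfaces in the posted configuration by their 802.1Q tag. The MAC addresses and payload are constructed, and the model assumes that an interface without a nameif passes no traffic.

```python
import struct

# Subinterface table copied from the ASA configuration in the question.
SUBINTERFACES = {50: "Engineering", 100: "OfficeNet", 200: "Automation",
                 201: "Enco", 202: "Traffic"}
TPID_8021Q = 0x8100


def build_frame(payload, vlan=None, ethertype=0x0800):
    """Build a constructed Ethernet II frame; vlan=None means untagged (access port)."""
    dst = bytes.fromhex("001122334455")  # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    header = dst + src
    if vlan is not None:
        # 802.1Q tag: TPID 0x8100, then PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def vlan_id(frame):
    """Return the 802.1Q VLAN ID, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def classify(frame):
    """Model which interface on Ethernet0/0 would accept the frame."""
    vid = vlan_id(frame)
    if vid is None:
        # Assumption of this model: untagged frames belong to the physical
        # interface, which has no nameif and therefore passes no traffic.
        return "dropped: untagged, Ethernet0/0 has no nameif"
    name = SUBINTERFACES.get(vid)
    if name is None:
        return f"dropped: no subinterface for vlan {vid}"
    return f"Ethernet0/0.{vid} ({name})"


if __name__ == "__main__":
    for vlan in (50, 100, None, 999):
        print(vlan, "->", classify(build_frame(b"constructed payload", vlan)))
```

A switch port in access mode sends frames without the tag, which is the `vlan=None` case here.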