Cisco Support Community
ASA5585-X Switchport Trunk ask security expert

Hi, I have an ASA5585-X running version 9.1 and ASDM version 7.1.

I have a lot of different VLANs on the ASR router. The ASR router has a subinterface for each VLAN. The ASA 5585 sits behind the ASR router. I want to set up the ASA 5585 ports in trunk mode. Is it possible?

The topology is below.

ISP -> Cisco ASR with BGP, subinterfaces and the gateway for the VLANs -> ASA5585 with all IP addresses and security configuration -> Cisco 6500 aggregation switch -> Cisco 2960 cabinet switches -> Servers

Accepted Solution

I can't speak to the ASR router configuration, but you can definitely have trunk ports on the ASA side. What has worked for me between 3750 switches and assorted generations of ASA hardware and software are configurations like the following:

On the switch you set it to mode trunk with negotiation off:

interface GigabitEthernet1/0/38
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport trunk allowed vlan 1,430-435,543-545
 switchport mode trunk
 switchport nonegotiate

On the ASA you put the parent physical interface into "no shutdown" state and then set up subinterfaces with vlan tags:

interface GigabitEthernet0/3
 description trunk port
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/3.543
 description first subinterface
 vlan 543
 nameif whatever
 security-level 80
 ip address 192.0.2.1 255.255.255.0

-- Jim Leinweber, WI State Lab of Hygiene
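The two halves of that setup have to agree: every VLAN tag on an ASA subinterface must be in the switch's allowed list, and a tag that equals the switch's native VLAN will arrive untagged and never match the subinterface. The following checker is an added example, not code from this thread or from Cisco; the two config strings are constructed from the VLAN numbers used above, and the 0/3.400 subinterface is a deliberately mismatched extra to show both findings.

```python
import re
# Constructed samples using the thread's VLAN values (not a real device dump).
SWITCH_CFG = """\
interface GigabitEthernet1/0/38
 switchport trunk native vlan 400
 switchport trunk allowed vlan 1,430-435,543-545
 switchport mode trunk
"""
ASA_CFG = """\
interface GigabitEthernet0/3.543
 vlan 543
 nameif whatever
!
interface GigabitEthernet0/3.400
 vlan 400
 nameif native-test
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,430-435,543-545' into a set of ids."""
    return {v for part in spec.split(",")
            for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_switch_trunk(cfg):
    """Return (native_vlan, allowed_vlans); IOS defaults are native 1, all VLANs allowed."""
    native = re.search(r"switchport trunk native vlan (\d+)", cfg)
    allowed = re.search(r"switchport trunk allowed vlan ([\d,-]+)", cfg)
    return (int(native.group(1)) if native else 1,
            expand_vlan_list(allowed.group(1)) if allowed else set(range(1, 4095)))

def parse_asa_subinterfaces(cfg):
    """Map each ASA subinterface name to the tag from its 'vlan N' line."""
    tags, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and (m := re.match(r"\s*vlan (\d+)", line)):
            tags[current] = int(m.group(1))
    return tags

def check_trunk_consistency(switch_cfg, asa_cfg):
    """Flag ASA subinterfaces whose tag the switch prunes or sends untagged (native)."""
    native, allowed = parse_switch_trunk(switch_cfg)
    findings = []
    for name, tag in parse_asa_subinterfaces(asa_cfg).items():
        if tag not in allowed:
            findings.append(f"{name}: VLAN {tag} pruned by switch allowed list")
        if tag == native:
            findings.append(f"{name}: VLAN {tag} is the switch native VLAN (untagged)")
    return findings
```

Running check_trunk_consistency(SWITCH_CFG, ASA_CFG) returns nothing for 0/3.543 and two findings for 0/3.400, since VLAN 400 is both absent from the allowed list and the trunk's native VLAN.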
