Cisco Support Community

New Member

FIREWALL VLANS-HOW DOES IT WORK

Hi

I have an ASA 5540 whose Gig2 interface is subinterfaced into 3 VLANs: 40, 50 and 60. Do I need to trunk the port on the switch (the cable is coming from the ASA Gig2 interface) and create VLANs 40, 50 and 60 on the switch in order to get the hosts in these VLANs working? Do I have to do anything to the Gig2 interface? Please see the config below.

______________________________________

interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.40
 vlan 40
 nameif DMZ-Public
 security-level 40
 ip address 10.32.240.1 255.255.255.0 standby 10.32.240.2
!
interface GigabitEthernet0/2.50
 vlan 50
 nameif DMZ-2
 security-level 50
 ip address 10.32.241.1 255.255.255.0 standby 10.32.241.2
!
interface GigabitEthernet0/2.60
 vlan 60
 nameif DMZ-3
 security-level 60
 ip address 10.32.242.1 255.255.255.0 standby 10.32.242.2

3 REPLIES
Gold

Re: FIREWALL VLANS-HOW DOES IT WORK

Your config on the ASA looks fine. On the switch, you will need to trunk the port using dot1q, and you will need to create those VLANs (40, 50, 60) and allow them on the trunk port of the switch.

New Member

Re: FIREWALL VLANS-HOW DOES IT WORK

Do these VLANs on the switch need to have the same subnet as the firewall VLAN interfaces?

In this case, on the switch:

interface vlan 40
 ip address 10.32.240.3 255.255.255.0
interface vlan 50
 ip address 10.32.241.3 255.255.255.0
interface vlan 60
 ip address 10.32.242.3 255.255.255.0

Re: FIREWALL VLANS-HOW DOES IT WORK

You don't need to create L3 VLANs on the switch, as you already have the firewall as the layer 3 device for those networks. You just need to do what Steven indicated in his post.

Create the VLANs on the switch.

Example:

switch

SW1#vlan database
SW1(vlan)#vlan 40 name 10.32.240.0/24_net
SW1(vlan)#vlan 50 name 10.32.241.0/24_net
SW1(vlan)#vlan 60 name 10.32.242.0/24_net
SW1(vlan)#exit

Then create a dot1q trunk on the physical port of the switch that connects to the firewall (set the encapsulation before the mode, otherwise switches that also support ISL reject "switchport mode trunk" while the encapsulation is still auto):

SW1(config)#interface fe0/xx
SW1(config-if)#description Connection to ASA
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 40,50,60

Then assign ports to the respective VLANs for the hosts on the switch.

Regards
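To verify that the switch side actually matches the ASA subinterfaces, and that the trunk is no wider than it needs to be, here is an added example in Python; it is not part of the thread and not Cisco's code. It embeds the poster's ASA config (abridged) and a constructed IOS switch config of the kind the reply above describes. The port name FastEthernet0/1, VLAN 999 as the parked native VLAN, and the "switchport nonegotiate" line are assumptions, not from the thread. The audit flags a VLAN defined on the ASA but missing or pruned on the switch, a VLAN allowed on the trunk that the ASA has no subinterface for, a firewall VLAN used as the trunk's native VLAN, and DTP left enabled toward a device that never negotiates.

```python
# ASA side: the poster's subinterfaces, abridged. Physical Gi0/2 keeps "no nameif", so untagged frames are dropped.
ASA_CONFIG = """\
interface GigabitEthernet0/2
 no nameif
interface GigabitEthernet0/2.40
 vlan 40
 nameif DMZ-Public
 ip address 10.32.240.1 255.255.255.0 standby 10.32.240.2
interface GigabitEthernet0/2.50
 vlan 50
 nameif DMZ-2
 ip address 10.32.241.1 255.255.255.0 standby 10.32.241.2
interface GigabitEthernet0/2.60
 vlan 60
 nameif DMZ-3
 ip address 10.32.242.1 255.255.255.0 standby 10.32.242.2
"""

# Switch side (constructed; port name and VLAN 999 assumed): three VLANs, a parked native VLAN, dot1q trunk, DTP off.
SWITCH_CONFIG = """\
vlan 40
 name 10.32.240.0/24_net
vlan 50
 name 10.32.241.0/24_net
vlan 60
 name 10.32.242.0/24_net
vlan 999
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 40,50,60
 switchport mode trunk
 switchport nonegotiate
"""

# The same switch with a sloppy trunk: extra VLAN 70, firewall VLAN 40 as native, DTP left on.
LOOSE_SWITCH_CONFIG = (SWITCH_CONFIG
                       .replace("40,50,60", "40,50,60,70")
                       .replace("native vlan 999", "native vlan 40")
                       .replace(" switchport nonegotiate\n", ""))

def parse_blocks(cfg):
    """Split IOS/ASA-style text into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def asa_subinterfaces(cfg):
    """{vlan_id: nameif} for every ASA interface that carries both a VLAN tag and a name."""
    out = {}
    for header, body in parse_blocks(cfg):
        attrs = dict(line.split(" ", 1) for line in body if " " in line)
        if header.startswith("interface ") and "vlan" in attrs and "nameif" in attrs:
            out[int(attrs["vlan"])] = attrs["nameif"]
    return out

def trunk_settings(cfg, port):
    """(allowed VLANs or None for all, native VLAN, DTP disabled?) for a trunk port, else None."""
    for header, body in parse_blocks(cfg):
        if header == f"interface {port}" and "switchport mode trunk" in body:
            allowed, native = None, 1          # IOS defaults: all VLANs allowed, native VLAN 1
            for line in body:                  # comma-separated VLAN lists only; no ranges
                if line.startswith("switchport trunk allowed vlan "):
                    allowed = {int(v) for v in line.split()[-1].split(",")}
                elif line.startswith("switchport trunk native vlan "):
                    native = int(line.split()[-1])
            return allowed, native, "switchport nonegotiate" in body
    return None

def audit(asa_cfg, switch_cfg, port):
    """List the mismatches between the ASA subinterfaces and the switch port facing them."""
    fw = asa_subinterfaces(asa_cfg)
    defined = {int(h.split()[1]) for h, _ in parse_blocks(switch_cfg) if h.startswith("vlan ")}
    trunk = trunk_settings(switch_cfg, port)
    if trunk is None:
        return [f"{port} is not a dot1q trunk; tagged frames for VLANs {sorted(fw)} cannot pass"]
    allowed, native, nonegotiate = trunk
    findings = [f"VLAN {v} ({n}) is on the ASA but not created on the switch"
                for v, n in sorted(fw.items()) if v not in defined]
    if allowed is None:
        findings.append(f"{port} trunks every VLAN; restrict it to {sorted(fw)}")
    else:
        findings += [f"VLAN {v} ({fw[v]}) is pruned from trunk {port}" for v in sorted(fw) if v not in allowed]
        findings += [f"VLAN {v} is allowed on {port} but has no ASA subinterface; prune it"
                     for v in sorted(allowed - set(fw))]
    if native in fw:
        findings.append(f"native VLAN {native} is a firewall VLAN; untagged frames would be bridged into it")
    if not nonegotiate:
        findings.append(f"DTP is still on at {port}; add 'switchport nonegotiate' (the ASA never negotiates)")
    return findings
```

Calling audit(ASA_CONFIG, SWITCH_CONFIG, "FastEthernet0/1") returns an empty list for the hardened trunk; the loose variant returns three findings (the stray VLAN 70, the firewall VLAN as native, and DTP still enabled), and a port that is not a trunk returns a single finding. Parking the native VLAN on an unused VLAN and disabling DTP matter because the ASA's physical Gi0/2 has no nameif, so only tagged frames are ever accepted there; leaving the native VLAN on a firewall VLAN or DTP on would let untagged or negotiated traffic take a path the firewall config never intended.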
