Cisco Support Community

New Member

Identical VLANs on two ASAs

I have two ASA 5505 (A and B) configured with IPSec site-to-site VPN, both can talk to each other.

I am planning to adding identical VLANs on both of them, is there any concern for using same VLANs?

6 REPLIES
Super Bronze

VLANs on two ASAs

Hi,

There is no problem in having the same VLAN configured on two different ASA 5505 firewalls on different networks.

- Jouni

New Member

Re: VLANs on two ASAs

Thanks. I am looking for an explanation if you don't mind. It has no issue because the tag is not carried over between the ASAs?

Super Bronze

Re: VLANs on two ASAs

Hi,

The networks are not connected by L2, and in a typical setup all the interfaces are access-mode ports, so no VLAN tagging is used. The VLAN in this case is basically nothing more than a port ID.

Even if the devices were connected to the same L2 network there should be no problem.

A more likely scenario that you might have to worry about with regard to L2L VPN is overlapping networks. Though naturally in your situation you probably manage both devices, so no such problem can arise. Naturally, keeping in mind possible future connections to 3rd party sites, it's good to avoid using any typical networks/subnets on your LAN.

- Jouni

New Member

Identical VLANs on two ASAs

The interfaces in each ASA are trunked but I do not have dot1q configured -

interface Ethernet0/3
description hsesx1-vmnic1-uplink
switchport trunk allowed vlan 50,100,500,800
switchport mode trunk
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
description poe-apce01
switchport trunk allowed vlan 50,80,100,800
switchport trunk native vlan 800

I will add the vlans tonight. Thanks!!

Super Bronze

Identical VLANs on two ASAs

Hi,

I would imagine they use Dot1Q since you have configured them as Trunk. I don't think you can even use ISL (or whatever it was named).

Still, both ends of the network will not have any knowledge of the VLAN used at the other site.

- Jouni

Identical VLANs on two ASAs

Hello,

As a recommendation:

As you are using the same VLANs you might also use the same IP subnets.

Try to use a dedicated IP address space on each site for ease of configuration and troubleshooting.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
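Added example, not from the thread: a small Python check for the point Jouni and Julio make above. Reusing VLAN IDs on both ASAs is harmless because the tag never crosses the L3 tunnel, but the subnets behind them must not overlap; it also flags subnets that commonly show up at third-party sites, generalizing Jouni's "typical subnets" advice. The VLAN-to-subnet maps and the list of common default subnets are constructed assumptions.

```python
import ipaddress

# Constructed planning data (not from the thread): VLAN id -> subnet per ASA 5505.
SITE_A = {50: "10.1.50.0/24", 100: "10.1.100.0/24",
          500: "10.1.200.0/24", 800: "10.1.80.0/24"}
SITE_B = {50: "10.2.50.0/24", 100: "10.1.100.0/24",
          500: "10.2.200.0/24", 800: "192.168.1.0/24"}

# Assumed list of subnets often found as defaults at other sites; extend to taste.
COMMON_DEFAULTS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24",
                   "10.1.1.0/24", "172.16.0.0/24"]


def shared_vlan_ids(site_a, site_b):
    """VLAN ids present on both ASAs. Informational only: the tag is local to each site."""
    return sorted(set(site_a) & set(site_b))


def overlapping_subnets(site_a, site_b):
    """Return (vlan_a, net_a, vlan_b, net_b) for every subnet pair that overlaps across
    the tunnel. Any hit would break routing over the L2L VPN and must be renumbered."""
    hits = []
    for vlan_a, cidr_a in site_a.items():
        net_a = ipaddress.ip_network(cidr_a, strict=True)
        for vlan_b, cidr_b in site_b.items():
            net_b = ipaddress.ip_network(cidr_b, strict=True)
            if net_a.overlaps(net_b):
                hits.append((vlan_a, str(net_a), vlan_b, str(net_b)))
    return hits


def risky_defaults(site):
    """VLAN ids whose subnet overlaps a common default range, i.e. likely to collide
    with a future third-party L2L peer."""
    defaults = [ipaddress.ip_network(c) for c in COMMON_DEFAULTS]
    return sorted(vlan for vlan, cidr in site.items()
                  if any(ipaddress.ip_network(cidr).overlaps(d) for d in defaults))


if __name__ == "__main__":
    print("shared VLAN ids (fine):", shared_vlan_ids(SITE_A, SITE_B))
    print("overlapping subnets (fix before adding VLANs):",
          overlapping_subnets(SITE_A, SITE_B))
    print("site B subnets likely to clash with 3rd parties:", risky_defaults(SITE_B))
```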