Identical VLANs on two ASAs

hstf_techy
Level 1

I have two ASA 5505 (A and B) configured with IPSec site-to-site VPN, both can talk to each other.

I am planning to adding identical VLANs on both of them, is there any concern for using same VLANs?


Jouni Forss
VIP Alumni

Hi,

There is no problem in having the same Vlan configured on 2 different networks ASA5505 firewalls.

- Jouni

Thanks. I am looking for an explanation if you don't mind. It has no issue because the tag is not carried over between the ASAs?

Hi,

The networks are not connected at L2, and in a typical setup all the interfaces are also Access mode ports, so no Vlan tagging is used. The Vlan in this case is basically nothing more than a port ID.

Even if the devices were connected to the same L2 network there should be no problem.

A more likely scenario that you might have to worry about with regards to L2L VPN is overlapping networks. Though naturally in your situation you probably manage both devices, so no such problem can arise. Naturally, keeping in mind possible future connections to 3rd party sites, it's good to avoid using any typical networks/subnets on your LAN.

- Jouni

The interfaces in each ASA are trunked but I do not have dot1q configured -

interface Ethernet0/3
description hsesx1-vmnic1-uplink
switchport trunk allowed vlan 50,100,500,800
switchport mode trunk
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
description poe-apce01
switchport trunk allowed vlan 50,80,100,800
switchport trunk native vlan 800

I will add the vlans tonight. Thanks!!

Hi,

I would imagine they use Dot1Q since you have configured them as Trunk. I don't think you can even use ISL (or whatever it was named).

Still, both ends of the network will not have any knowledge of the Vlan used at the other site.

- Jouni

Hello,

As a recommendation:

As you are using the same VLANs you might also use the same IP subnets.

Try to use a dedicated IP address space on each site for ease of configuration and troubleshooting.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
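The point made in both replies above (identical VLAN IDs on the two ASAs are harmless, overlapping IP subnets across the L2L VPN are the real problem) as an added, runnable check. This is example code written for this page, not from the thread or from Cisco; the ASA-style config fragments for site A and site B are constructed, and the helper names are hypothetical.

```python
import ipaddress
import re

# Constructed ASA-style config fragments for the two sites (not from the thread).
# Both sites use Vlan50 and Vlan100; only Vlan100 has overlapping subnets.
SITE_A_CONFIG = """
interface Vlan50
 nameif inside
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan100
 nameif servers
 ip address 10.10.100.1 255.255.255.0
!
"""

SITE_B_CONFIG = """
interface Vlan50
 nameif inside
 ip address 192.168.60.1 255.255.255.0
!
interface Vlan100
 nameif servers
 ip address 10.10.100.129 255.255.255.128
!
"""


def parse_vlan_subnets(config):
    """Return {vlan_id: IPv4Network} from 'interface VlanN' blocks that carry an ip address."""
    subnets = {}
    current_vlan = None
    for line in config.splitlines():
        if line.strip() == "!":          # end of an interface block
            current_vlan = None
            continue
        m = re.match(r"^interface Vlan(\d+)\s*$", line)
        if m:
            current_vlan = int(m.group(1))
            continue
        m = re.match(r"^\s*ip address (\S+) (\S+)\s*$", line)
        if m and current_vlan is not None:
            # ipaddress accepts a dotted netmask after the slash
            subnets[current_vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return subnets


def find_conflicts(site_a_config, site_b_config):
    """Shared VLAN IDs are reported for information only; overlapping subnets are conflicts."""
    a, b = parse_vlan_subnets(site_a_config), parse_vlan_subnets(site_b_config)
    shared_vlans = sorted(set(a) & set(b))
    overlaps = [(va, na, vb, nb) for va, na in a.items() for vb, nb in b.items() if na.overlaps(nb)]
    return shared_vlans, overlaps


if __name__ == "__main__":
    shared, conflicts = find_conflicts(SITE_A_CONFIG, SITE_B_CONFIG)
    print("VLAN IDs used on both ASAs (not a problem):", shared)
    for va, na, vb, nb in conflicts:
        print(f"CONFLICT: site A Vlan{va} {na} overlaps site B Vlan{vb} {nb}")
```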