ASA 5505 and Cisco 2960S Routing

AMD_GAMER
Level 1

I currently have an ASA5505 with the base license (no trunk ports allowed). The ASA is currently functioning as my router, DHCP server, and VPN device to work. I would like to add a Cisco wireless AP that will serve up two SSIDs (a private SSID and a "guest" SSID). I want the private SSID to be on the same VLAN as my other devices (computers, servers, printers, and have access to the split tunnel VPN). I want to limit the guest SSID to simply have access to the Internet. Below would be the network configuration:

Private Network: 192.168.10.x

Guest Network: 192.168.20.x

Cisco ASA 5505: (192.168.1.1) - VLAN 1

Cisco 2960:

(192.168.1.2) - VLAN 1 - Management

(192.168.10.1) - VLAN 10 - Private Network

(192.168.20.1) - VLAN 20 - Guest Wireless Network

The Cisco AP will have the SSIDs tied to VLAN 10 and 20. The switch port will have VLAN 10 untagged and VLAN 20 tagged.

I believe I need the Security Plus license to enable trunking on the ASA so that I can pass VLAN 10 and 20 to the ASA and then use an ACL to block VLAN 20 from the private network and the VPN tunnel.

Is there a way I can use the switch's SVI to eliminate the need for the Security Plus license on the ASA? I know the new Cisco 2960S switches have the capability to do Layer 3 static routing. Thanks.

Dave

4 Replies

flokki123
Level 3

Hi David,

As far as I know, 2960S switches don't support L3 at all, just L2.

The easiest way would be to enable trunking on the ASA, create the VLANs on all devices (switch, AP and ASA), connect all of them with a trunk connection and let the ASA do the routing, and also create the ACL on the ASA to regulate the inter-VLAN routing and the Internet access.

If you had an L3 switch you could connect the AP with a trunk and let the switch do the routing, and create a routed port for the connection to the ASA, so the way to the ASA would be routed and the other connection to the AP would be switched.

From what I have read, the new 2960S switches have the capability to do Layer 3 static routing with up to 16 static routes. See below:

http://www.cisco.com/en/US/products/ps6406/index.html

David,

I can confirm that the 2960S will do L3 as defined above. You need to run the sdm prefer lanbase-routing global configuration command to set the Switch Database Management (SDM) feature to the routing template.

There is a Cisco config guide "Configuring Static IP Unicast Routing" for the 2960 which has a little throw away section about needing to run this command.

Hope that helps.

That's interesting. Didn't know that. So you just need the LAN Base feature set in order to do routing?

So if the switch can do routing, you could do it as mentioned above.
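As an added worked example (not configuration from anyone in this thread or from Cisco), below is one way to lay out the design David describes once the 2960S runs the lanbase-routing template: the switch owns the VLAN 10 and VLAN 20 SVIs and a default route to the ASA, the ASA gets static routes back to the two new subnets, and an ACL on the guest SVI enforces the guest isolation. The interface numbers (Gi1/0/1 to the ASA, Gi1/0/2 to the AP), the VLAN and ACL names, and the choice to carry VLAN 10 untagged to the AP are my assumptions; the work-side subnet reached through the VPN is not given in the thread and is left as a placeholder.

```cisco
! --- Catalyst 2960S, LAN Base image (example, assumptions noted inline) ---
! Step 1: select the routing SDM template. The new template only takes
! effect after "write memory" and a reload.
sdm prefer lanbase-routing
!
! Step 2 (after the reload): turn on IP routing and build the VLANs
ip routing
!
vlan 10
 name Private
vlan 20
 name Guest-Wireless
!
! Management SVI, addressed as in the thread
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
! Gateway for the private network
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
! Gateway for the guest network; the isolation ACL is applied inbound here,
! because guest-to-private traffic is routed by the switch and never
! reaches the ASA, so an ACL on the ASA could not see it
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Evaluated top-down, first match wins
ip access-list extended GUEST-IN
 remark DHCP to the switch itself, needed only if the switch relays DHCP
 permit udp any eq bootpc any eq bootps
 remark block the private LAN
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark block the management VLAN, which includes the ASA inside address
 deny   ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark add a deny for the work subnet behind the VPN here (placeholder):
 remark deny ip 192.168.20.0 0.0.0.255 WORK-VPN-SUBNET WILDCARD-MASK
 remark everything else (the Internet, via the ASA) is allowed
 permit ip 192.168.20.0 0.0.0.255 any
!
! Uplink to the ASA inside interface: a plain VLAN 1 access port, so no
! trunk is needed on the ASA and the base license is enough (assumed port)
interface GigabitEthernet1/0/1
 description Uplink to ASA5505 inside
 switchport mode access
 switchport access vlan 1
!
! AP port: VLAN 10 untagged (native), VLAN 20 tagged (assumed port)
interface GigabitEthernet1/0/2
 description Cisco AP (private SSID = VLAN 10, guest SSID = VLAN 20)
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
!
! One of the 16 static routes: everything the switch does not own goes to the ASA
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! --- ASA 5505 (inside = 192.168.1.1) ---
! Return routes so the ASA sends replies for the new subnets back via the switch
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.20.0 255.255.255.0 192.168.1.2 1
```

Two things follow from this design that a trunked-ASA design would handle differently. First, the ACL is stateless: the deny lines block guest-initiated connections to the private LAN and also the return half of any connection a private host opens toward a guest, which is usually what you want for an isolated guest segment. Second, the ASA still has to NAT the two new subnets for Internet access and should list only 192.168.10.0/24 (not 192.168.20.0/24) in its split-tunnel and NAT-exemption rules, so guest traffic can never be steered into the work tunnel even if the switch ACL is misconfigured. DHCP also changes: clients on VLAN 10 and 20 can no longer reach the ASA's DHCP server by broadcast, so you either relay it from the switch (ip helper-address on the SVIs) or serve it elsewhere. Whether ip helper-address and router ACLs on SVIs are available on a given 2960S image with the lanbase-routing template is worth confirming in that release's configuration guide before relying on them.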
