04-14-2010 06:30 PM - edited 03-06-2019 10:37 AM
Hello's,
So I have what is probably a very dumb question. Here is what I have:
ASA5505 e0/1 ---> switch2960G ge0/24
Laptop ---> switch 2960G ge0/1
Right now I'm able to get out to the WAN, but I want to get VLAN trunking working. This is on the switch:
interface GigabitEthernet0/24
switchport mode trunk
!
interface Vlan1
description Management VLAN
ip address 192.168.1.253 255.255.255.0
no ip route-cache
!
interface Vlan10
description wireless vlan
no ip address
no ip route-cache
!
interface Vlan50
description telecom vlan
no ip address
no ip route-cache
And this is what is on the ASA:
interface Vlan1
description LOCAL VLAN
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
description WIRELESS GUEST VLAN
nameif guest
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan50
description TELEPHONE VLAN
nameif telecom
security-level 50
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/1
Now, since there is no 'switchport' command configured on Ethernet0/1 on the ASA, I assume it's defaulted to access mode. But since the 2960 is set to TRUNK mode, shouldn't it be failing?
My biggest problem is that when I do "switchport mode trunk" on the e0/1 (ASA), my laptop completely loses connection to the outside. The link goes down. All I did was set both ends to trunks; I haven't done VLAN pruning yet.
My end goal is to be able to assign a few ports on the 2960 to VLAN50 and have them be able to get out to the internet through the ASA.
While letting the rest of the ports be assigned to default VLAN1 and operate as normal.
Am I missing something obvious?
Thanks
04-15-2010 11:28 AM
Hi Scott,
I am assuming something that you didn't specify, taking into consideration that you said the configuration you mentioned is letting at least your laptop reach outside.
I am assuming your laptop is connected to vlan 1. The configuration you have looks to me like below.
ASA
-------
interface e0/1
switchport access vlan 1 (this is the default)
!
Switch
--------
interface G0/1
switchport access vlan 1
!
interface G0/24
switchport mode trunk
!
!
ASA e0/1 is connected to Switch port G0/24.
And you mean the above configuration is working.
This probably should be working because:
Since the port G0/24 on the switch is configured as a trunk, it will try to negotiate (as you didn't disable DTP) with the other end and try to make a trunk. Even if the other end doesn't oblige, G0/24 on the switch will be made a trunk unconditionally, I mean the operational status will be trunk and the native vlan will be 1 (default). I don't think DTP is there on the ASA, so I assume it doesn't become a trunk on the ASA. But this doesn't mean that the link will fail. As long as the speed and duplex are matched the connectivity will be there (as by default this configuration error won't err-disable the port). Now the packet sent from the laptop will be sent untagged and the ASA will receive it on a port in vlan 1, and the ASA will send the reply packet without any tagging as well. The switch receives the untagged packets and considers them vlan 1 packets (because of default native vlan 1) and finally the laptop will receive it, so here the communication can happen.
Now when you said "My biggest problem is that when I do "switchport mode trunk" on the e0/1 (ASA), my laptop completely loses connection to the outside. The link goes down.", what do you mean? Is that the interface status going down, or just that the laptop is no longer able to communicate to the outside?
If you are finding the interface status going down, just try adding the command 'switchport nonegotiate' on the trunk interface of the switch as below. If the interface is coming up but communication is lost then put the below configuration as it is and check.
Interface G0/24
switchport nonegotiate
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 1, 50
!
And on the ASA,
interface e0/1
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 1, 50
!
Specifically put 'switchport trunk allowed vlan 1, 50' on the ASA. As long as the interface status is not going down, even if you didn't create any vlans on the switch, vlan 1 should be working and so your laptop should be able to reach the outside.
Regards,
Shahal.
04-14-2010 07:23 PM
Hi Scott,
If you have multiple vlans connecting to the same physical port on the ASA then you have to create a sub-interface for each vlan. Once you create more than one vlan or sub-interface, the interface is automatically configured as an 802.1Q trunk.
Have a look at this config guide on how to configure it with examples
HTH
Reza
04-14-2010 08:00 PM
Hi,
As this is ASA5505, the ports are all layer2 and so you cannot create subinterfaces.
You can create a trunk, but for that I think you need a Security Plus license. Can you check what license you have?
If you don't have the Security Plus license, what you can do is connect different cables for each vlan to the switch and make them access vlan only.
Regards,
Shahal
04-15-2010 04:26 AM
Hello,
Shahal, you appear to be correct in that I am unable to create sub-interfaces on the ASA (like you can on a router).
I do have Security Plus license installed. I made sure to get this as I knew I'd be utilizing VLANs.
So I do have the license but when I try to turn port Ethernet0/1 into the trunk, the connection goes down.
Is there any other configuration needed?
I've tried just:
"interface ethernet 0/1
switchport mode trunk"
And I've also tried:
"interface ethernet 0/1
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 1,10,50"
Neither of those work in conjunction with the 2960's FastEthernet0/24 being "switchport mode trunk".
Thanks
04-15-2010 04:55 AM
Did you create the layer 2 vlans on the 2960? I see for some reason you created an unneeded layer 3 SVI (interface vlan 10 and 50) on the 2960 for vlan 10 and vlan 50; those aren't doing anything. Do a show vlan and see if those vlans 10 and 50 show up on the 2960. If not, create the layer 2 vlans.
04-15-2010 05:02 AM
My thought was that since I did:
interface Vlan10
description wireless vlan
no ip address
no ip route-cache
On the 2960, that this would enable Vlan10 on the 2960. And since the 2960 is a Layer2 device, then that Vlan10 interface was Layer2.
What do you mean by creating the Layer2 VLAN?
Also, even if I didn't have the VLANs defined on the switch, but the giga0/24 was defined as a trunk on the switch, shouldn't it still work?
Thanks
04-15-2010 05:39 AM
No, that is a layer 3 SVI. On a layer 2 switch you only need one of those, which will allow you to manage the switch via telnet or ssh. That's its only function. You have an address on vlan 1, so I assume that's the address you are using to manage the switch. Do a show vlan and see if vlan 10 and 50 show active; if not, do the following.
conf t
vlan 50
vlan 10
exit
exit
wr mem
04-15-2010 09:39 AM
You were correct. I did not do the "vlan 10" and "vlan 50" commands. I just did that and got:
2960G#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1, Gi0/2, Gi0/3, Gi0/4
Gi0/5, Gi0/6, Gi0/7, Gi0/8
Gi0/9, Gi0/10, Gi0/11, Gi0/12
Gi0/13, Gi0/14, Gi0/15, Gi0/16
Gi0/17, Gi0/18, Gi0/19, Gi0/20
Gi0/21, Gi0/22
2 VLAN0002 active Gi0/23
10 VLAN0010 active
50 VLAN0050 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
50 enet 100050 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
2960G#
So now I have Gi0/24 connected via trunk:
2960G#sh int status | inc 0/24
Gi0/24 connected trunk a-full a-100 10/100/1000BaseTX
*BUT*, this is what Gi0/24 is connected to on the ASA (e0/1):
!
interface Ethernet0/1
!
It is *not* configured as a trunk. Yet everything is okay. The problem occurs when I set e0/1 on the ASA to "switchport mode trunk".
Again, my goal would be to assign, for example, port Gi0/20 and Gi0/21 on the Switch to VLAN50, and still have it all work.
Thanks
04-15-2010 11:19 AM
When you force on the trunks like that, all it needs to see is a physical link and it is going to say trunking on the switch side even though it might not be. I can't tell you what the FW side should be, but once you get that side ironed out it should be ok. Make sure the native vlans match on both sides; if none was set then the native vlan defaults to vlan 1. The FW side may need to be set using subinterfaces for the trunking setup, but it will still work if it is set up correctly. Maybe someone with more FW experience can chime in. Here is a blurb in one of the docs about trunking on the ASA
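A small config checker, added here as an illustration (not code from this thread or from Cisco), that parses the switch and ASA interface blocks and reports the three things this thread turned on: both ends in trunk mode, matching native VLAN with DTP disabled on the switch side, and every VLAN allowed on the trunk actually created on the 2960. The embedded configs are constructed to resemble Shahal's suggested configuration, and the block-parsing regex assumes running-config style text where each interface block ends at the next `interface`, `vlan`, `!` or `end` line.

```python
import re

# Constructed configs modelled on the thread (not captures from the poster's devices).
SWITCH_CFG = ("vlan 10\nvlan 50\ninterface GigabitEthernet0/24\n switchport nonegotiate\n"
              " switchport mode trunk\n switchport trunk native vlan 1\n"
              " switchport trunk allowed vlan 1,50\n!\n")
ASA_CFG = ("interface Ethernet0/1\n switchport mode trunk\n switchport trunk native vlan 1\n"
           " switchport trunk allowed vlan 1,10,50\n!\n")

def expand_vlans(spec):
    """Expand an allowed-vlan spec such as '1,10-12, 50' into a set of ints."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_interface(cfg, name):
    """Trunk settings of one interface block; unset values get the IOS/ASA defaults."""
    m = re.search(rf"^interface {re.escape(name)}\s*\n(.*?)(?=^(?:interface |vlan |!|end\b)|\Z)",
                  cfg, re.M | re.S)
    port = {"mode": "access", "native": 1, "allowed": None, "nonegotiate": False}
    for line in (l.strip() for l in (m.group(1) if m else "").splitlines()):
        if line.startswith("switchport mode "):
            port["mode"] = line.split()[-1]
        elif line.startswith("switchport trunk native vlan "):
            port["native"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            port["allowed"] = expand_vlans(line.split("vlan", 1)[1])
        elif line == "switchport nonegotiate":
            port["nonegotiate"] = True
    return port

def check_trunk(switch_cfg, switch_if, asa_cfg, asa_if):
    """Findings about the switch<->ASA link; an empty list means both ends agree."""
    sw, asa = parse_interface(switch_cfg, switch_if), parse_interface(asa_cfg, asa_if)
    created = {int(v) for v in re.findall(r"^vlan (\d+)", switch_cfg, re.M)} | {1}
    findings = []
    if sw["mode"] != asa["mode"]:
        findings.append(f"mode mismatch: switch={sw['mode']} asa={asa['mode']}")
    if sw["native"] != asa["native"]:
        findings.append(f"native vlan mismatch: switch={sw['native']} asa={asa['native']}")
    if sw["mode"] == "trunk" and not sw["nonegotiate"]:
        findings.append("switch trunk still runs DTP; add 'switchport nonegotiate'")
    if sw["allowed"] is not None and asa["allowed"] is not None:
        for v in sorted(asa["allowed"] - sw["allowed"]):
            findings.append(f"vlan {v} allowed on ASA but pruned on switch trunk")
    for v in sorted((sw["allowed"] or set()) - created):
        findings.append(f"vlan {v} allowed on switch trunk but never created on the switch")
    return findings
```

Running `check_trunk(SWITCH_CFG, "GigabitEthernet0/24", ASA_CFG, "Ethernet0/1")` on the embedded configs reports only that vlan 10 is allowed on the ASA side but pruned on the switch trunk; feeding it the thread's original state (switch trunk with no `vlan 10`/`vlan 50` lines, ASA port left at defaults) reports the mode mismatch and the missing `switchport nonegotiate`.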
04-15-2010 12:25 PM
Hello,
So your instructions were correct.
I could have sworn that I had all this correct last time, but when I issued the "switchport mode trunk" on the ASA, the ethernet0/1 went down. The only way I could get it back up was removing the trunk. Weird.
Oh well, it seems that I am routing VLANs! Thanks both of you for all your help!
I need to create an access-list for inter-vlan communication on the ASA, but I'll move over to the other forum for that.
Thanks again!