Cisco Support Community

New Member

Configuring VLANs

Hi,

I am very new to Cisco hardware and VLANs in general. We have a very simple network setup (an ASA5510 set up as a router/firewall and many switches, of which I am only trying to deal with a Cisco Catalyst 2960).

What I was hoping to do without any additional wiring is to add a VLAN for an AP that would be used for guest access to the internet, but not the internal network.

So on the ASA I created a subinterface off of the main inside interface, and on the 2960 I created a new VLAN. Then I tried to configure the port on the 2960 to which the ASA is connected as a trunk port, but at that moment everybody loses the connection to the outside.

Basically, where can I find any documentation on how to properly set this up with the hardware I have?

I am sure I am missing many things, but I do need some guidance.

Thank you

40 REPLIES

Re: Configuring VLANs

Here is a working example.

=======================================
ASA Config
=======================================

interface Ethernet4
 description Trunk Only! DO NOT CONFIGURE!!
 speed 100
 duplex full
 no nameif
 security-level 10
 no ip address
!
interface Ethernet4.100
 description WWW DMZ
 vlan 100
 nameif http
 security-level 10
 ip address 192.168.200.254 255.255.255.0 standby 192.168.200.253
!
interface Ethernet4.101
 description WiFi DMZ
 vlan 101
 nameif wifi
 security-level 10
 ip address 172.16.100.254 255.255.255.0 standby 172.16.100.253
!

=====================================
Switch Config
=====================================

DMZSW45#sh run int fa0/47
interface FastEthernet0/47
 description Connection to PIX-FW
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-101
 switchport mode trunk
 duplex full
 speed 100
end
DMZSW45#

HTH

New Member

Re: Configuring VLANs

Please hang in there with me as I am still getting used to the command line. I have tried to do this using the ASDM for the ASA and the Cisco Network Assistant.

The fa0/47 interface, is that the one that is connected to the ASA on port 4?

If so, I believe I have done the same thing using the GUI, but the following happens:

On the port connected to the ASA (Gi0/11) I change the administrative mode from Dynamic Auto to 802.1Q Trunk and set Trunk allowed VLANs to "all". At that point everybody on the network loses internet connectivity, but after a few minutes the settings I changed go back to Dynamic Auto and Static Access for the operational mode.

Any ideas?

Re: Configuring VLANs

Correct, fa0/47 is the connection between the switch and the firewall (port 4). It must be a trunk port or it will fail. The only vlans on the trunk should be DMZ's vlans or your inside users will lose connectivity.

New Member

Re: Configuring VLANs

So if I understand this right, I need to have two cables going from the switch to the ASA, one for the inside network and one for the ... well, the "other" inside network. I am purposely not calling it a DMZ, because I want to explain what I believe was my conceptual mistake.

I was under the impression that if I create a subinterface on the one that I call my INSIDE interface, give it a different IP network like 192.168.2.1, and configure the port on the switch that connects it to the ASA as a trunk and allow all VLANs, it would work that way.

Obviously I was wrong.

So as said before, I will have port 0/11 on the switch connect to the ASA 0/1 (inside). Then I will have port 0/12 on the switch connect to the ASA 0/2 (dmz), configure 0/12 as a trunk and only allow VLAN 200 (my dmz VLAN) and not the default VLAN 1. That way I will not have the inside traffic flow through the dmz.

Is that correct? Again, many thanks for walking me through this.

Re: Configuring VLANs

You got it.

New Member

Re: Configuring VLANs

First of all thank you for babysitting me on this one.

Second, another stupid question: if I configure the ASA and the switch as described before, can I then add another subinterface on the DMZ trunk and make it another VLAN on which I would keep the front-end stuff like the internet webserver etc., without the WIFI VLAN being able to interact with the new VLAN?

Re: Configuring VLANs

I'm not sure I understand 100%. You can create another VLAN on the switch and another sub-interface on the firewall to create a new DMZ. Restricting/allowing communications between the DMZs is handled by the security level and/or ACLs. Does that answer your question?
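To make the "security level and/or ACLs" answer concrete, here is an added example (not from the thread or from Cisco) that models how the ASA decides whether a flow between two of these interfaces is allowed: interfaces at the same security level cannot talk unless `same-security-traffic permit inter-interface` is set; without an ACL, traffic is allowed only from a higher level to a lower one; with an ACL applied to the ingress interface, the first matching line wins. The interface names and subnets are taken from the configs in this thread (WIFI 192.168.2.0/24, the inside 192.168.1.0/24 that the switch management address sits in, the http DMZ 192.168.200.0/24 from the first reply); the outside catch-all and the ACL named WIFI_IN are assumptions. The ACL is written in real ASA `access-list ... extended` syntax, but the evaluator is a simplification: it ignores NAT, protocols and ports, object groups, and to-the-box traffic such as pinging the ASA's own address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str
    level: int                      # ASA security-level
    net: ipaddress.IPv4Network      # connected subnet


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Interfaces: WIFI and inside addressing from this thread, http DMZ from the first
# reply; the outside subnet is a placeholder catch-all (assumption).
IFACES = [
    Iface("inside", 100, ipaddress.ip_network("192.168.1.0/24")),
    Iface("WIFI", 10, ipaddress.ip_network("192.168.2.0/24")),
    Iface("http", 10, ipaddress.ip_network("192.168.200.0/24")),
    Iface("outside", 0, ipaddress.ip_network("0.0.0.0/0")),
]

# Hypothetical ACL (constructed sample) in ASA syntax: block the guest VLAN from
# every RFC 1918 range first, then let it out to the Internet. Order matters:
# the ASA stops at the first matching line.
ASA_ACL = """\
access-list WIFI_IN extended deny ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list WIFI_IN extended deny ip 192.168.2.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list WIFI_IN extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list WIFI_IN extended permit ip 192.168.2.0 255.255.255.0 any
access-group WIFI_IN in interface WIFI
"""


def _take_net(fields):
    """Consume 'any' or 'ADDR MASK' from the front of the token list."""
    if fields[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), fields[1:]
    return ipaddress.ip_network(f"{fields[0]}/{fields[1]}"), fields[2:]


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION ip SRC DST' and 'access-group' lines."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["access-list"] and parts[2:3] == ["extended"]:
            name, action = parts[1], parts[3]
            src, rest = _take_net(parts[5:])          # parts[4] is the protocol ('ip')
            dst, _ = _take_net(rest)
            acls.setdefault(name, []).append(Ace(action, src, dst))
        elif parts[:1] == ["access-group"]:           # access-group NAME in interface IFACE
            bindings[parts[4]] = parts[1]
    return acls, bindings


ACLS, BINDINGS = parse_acl(ASA_ACL)


def find_iface(ip, ifaces):
    """Longest-prefix match of an address to the interface that owns it."""
    return max((i for i in ifaces if ip in i.net), key=lambda i: i.net.prefixlen)


def evaluate(src, dst, ifaces=IFACES, acls=ACLS, bindings=BINDINGS, same_security=False):
    """Decide whether a src->dst flow through the ASA is allowed; returns (allowed, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = find_iface(src, ifaces), find_iface(dst, ifaces)
    # Same security level: denied regardless of ACLs unless the global permit is set.
    if ingress.level == egress.level and not same_security:
        return False, (f"{ingress.name}->{egress.name}: both security-level {ingress.level} "
                       "and 'same-security-traffic permit inter-interface' is not set")
    # An ACL on the ingress interface replaces the level-based default; first match wins.
    acl = bindings.get(ingress.name)
    if acl:
        for n, ace in enumerate(acls[acl], 1):
            if src in ace.src and dst in ace.dst:
                return ace.action == "permit", f"{acl} line {n}: {ace.action}"
        return False, f"{acl}: no matching line, implicit deny"
    # No ACL: higher (or, with the global permit, equal) level may initiate to lower.
    if ingress.level >= egress.level:
        return True, f"no ACL on {ingress.name}: level {ingress.level} >= {egress.level}, allowed by default"
    return False, f"no ACL on {ingress.name}: level {ingress.level} < {egress.level}, denied by default"


if __name__ == "__main__":
    for flow in [("192.168.2.100", "8.8.8.8"), ("192.168.2.100", "192.168.1.8"),
                 ("192.168.2.100", "192.168.200.10"), ("192.168.1.50", "192.168.2.100")]:
        print(flow, evaluate(*flow))
```

The guest client reaches 8.8.8.8 through line 4 but is stopped by line 3 on its way to the switch management address 192.168.1.8 and to the web DMZ; swap lines 3 and 4 and the deny never fires, which is the mistake this kind of check catches. The inside network (level 100) can still reach the guest VLAN because no ACL is applied there and its level is higher.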

New Member

Re: Configuring VLANs

Yes, it does.

Thank you. Now I just have to figure out what I am doing wrong, as I can't access anything through my new VLAN :-)

I configured the trunk as you said and I configured another port on the switch to belong to the new VLAN. But when I try to ping the subinterface on the ASA I get nothing; it times out.

Re: Configuring VLANs

Make sure you have ICMP enabled.

icmp permit any your_dmz_name

Check your ARP cache on the firewall (show arp); you should see the switch's MAC address (from the connected port). If not, something is configured/cabled wrong.

New Member

Re: Configuring VLANs

Right now there are only two implicit rules on the DMZ interface and the WIFI subinterface:

any to any less secure network

Re: Configuring VLANs

What about the ARP tables?

New Member

Re: Configuring VLANs

Couldn't see anything with the 172 IP. I made some changes to the ASA and will test it again now and see what happens. brb

New Member

Re: Configuring VLANs

Yeah, I obviously have something screwed up, as I can't see anything in the ARP table.

Re: Configuring VLANs

Is it trunking? On the switch: show interface trunk

New Member

Re: Configuring VLANs

tboard#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/12      on           802.1q         trunking      200

Port        Vlans allowed on trunk
Gi0/12      200

Port        Vlans allowed and active in management domain
Gi0/12      200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/12      200

tboard#

New Member

Re: Configuring VLANs

ASA

!
interface Ethernet0/2
 description Trunk Only!!!! DO NOT CONFIGURE
 speed 100
 duplex full
 nameif dmz
 security-level 10
 no ip address
!
interface Ethernet0/2.200
 description WiFi DMZ
 vlan 200
 nameif WIFI
 security-level 10
 ip address 192.168.2.1 255.255.255.0
!

New Member

Re: Configuring VLANs

Switch

I use port 13 to connect my laptop with a hardcoded IP of 192.168.2.100.

tboard#sh running-config interface gig 0/12
Building configuration...

Current configuration : 197 bytes
!
interface GigabitEthernet0/12
 description ASA_DMZ
 switchport trunk native vlan 200
 switchport trunk allowed vlan 200
 switchport trunk pruning vlan none
 switchport mode trunk
 speed 100
end

tboard#sh running-config interface gig 0/13
Building configuration...

Current configuration : 124 bytes
!
interface GigabitEthernet0/13
 switchport access vlan 200
 switchport trunk allowed vlan 200
 switchport mode access
end

New Member

Re: Configuring VLANs

Based on what I posted, do you see anything obvious I am missing?

Re: Configuring VLANs

That looks OK, can you post the interface config on the FW?

New Member

Re: Configuring VLANs

Please look at the post titled ASA...

But I don't believe that is the problem, at least not yet.

I tried to ping my laptop when I had it plugged into the switch at port 0/13 and it timed out. I pinged it from the switch itself, so I have to have something messed up with the port config on the switch.

Re: Configuring VLANs

Oops, sorry. The IP on the laptop was in the 192.168.2.0/24 network, right? Can you give the switch an IP, or are you managing it in-band (i.e. Telnet/SSH)?

New Member

Re: Configuring VLANs

Hehe, now you are pointing out something obvious that I missed.

The switch does have an IP, 192.168.1.8.

The question is how that affects this whole scenario, if at all?

Re: Configuring VLANs

None really. I'm assuming you're using a layer 2 switch and hence can have only 1 IP address. The 192.168.1.8 is part of your management domain. If you have an L3 switch you can have multiple IP addresses on the switch, and you could configure vlan 200 with an IP and we could test directly from the switch instead of the laptop. The laptop was in 192.168.2.0/24, right?

New Member

Re: Configuring VLANs

Yes, it is an L2 switch, 2960 model.

The laptop and the VLAN were configured for .2.0/24.

Re: Configuring VLANs

Hmmm. What version of OS is on the ASA? Can you post a show interface for the ASA?

Re: Configuring VLANs

Add this to your ASA's interface.

switchport mode trunk

switchport trunk allowed vlan 200

New Member

Re: Configuring VLANs

0/2 or 0/2.200

Re: Configuring VLANs

0/2

New Member

Re: Configuring VLANs

Can't. The switchport command doesn't appear to exist. I tried it in config-if and just config.
