Cisco Support Community
Community Member

Trunking on ASA

Hi all,

Have a question about trunking on an ASA5510. Here is my setup.

3Com switch VLAN300 = ports 5-8 and VLAN301 = ports 9-12. I have both VLANs trunked to port 13.

ASA5510 VLAN300 on ethernet0/3.300 and VLAN301 on ethernet0/3.301. Port 13 on the 3Com switch is attached to ethernet0/3 on the ASA. I assume the next step would be to trunk the two VLANs to ethernet0/3?

I tried to run the following commands:

ciscoasa(config)# interface ethernet0/3

ciscoasa(config-if)# switchport mode trunk

But I get an "Error: % Invalid input detected at '^' marker." The ^ is pointing to the switchport command. Any ideas?

Thanks for your help.

3 REPLIES
Community Member

Re: Trunking on ASA

Hi,

You must do this:

asa(config)#int eth0/3

asa(config)#no shut

asa(config)#int eth0/3.300

asa(config-if)#encapsulation dot1q 300

asa(config-if)#ip add

asa(config-if)#no shut

asa(config)#int eth0/3.301

asa(config)#encapsulation dot1q 301

asa(config-if)#ip add

asa(config-if)#no shut

Hope that helps. Please rate if it does.

-Chris

Community Member

Re: Trunking on ASA

Hi Chris,

Thanks for the info. I tried the command "encapsulation..." but it came up with the same error.

I was doing more research and apparently the ASA will automatically trunk the physical interface if more than 1 VLAN is added on that interface. Hmm...

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f42.html#wp1044006

One more question: I'm trying to get the two VLANs to communicate with each other but I'm having difficulties... Here's my config:

    interface Ethernet0/1
     nameif outside
     security-level 0
     ip address x.x.x.2 y.y.y.y
     ospf cost 10

    interface Ethernet0/3
     no nameif
     no security-level
     no ip address

    interface Ethernet0/3.300
     vlan 300
     nameif vlan-inside
     security-level 90
     ip address 192.168.10.1 255.255.255.0

    interface Ethernet0/3.301
     vlan 301
     nameif vlan-public
     security-level 10
     ip address 192.168.20.1 255.255.255.0

    access-list vlan-inside_access_in extended permit ip any 192.168.20.0 255.255.255.0
    access-list vlan-public_access_in extended permit ip any 192.168.10.0 255.255.255.0

    nat-control
    global (outside) 1 interface
    global (outside) 2 x.x.x.3 netmask y.y.y.y
    global (outside) 3 x.x.x.4 netmask y.y.y.y
    global (vlan-inside) 3 interface
    global (vlan-public) 2 interface
    nat (vlan-inside) 2 192.168.10.0 255.255.255.0
    nat (vlan-public) 3 192.168.20.0 255.255.255.0

    access-group outside_access_in in interface outside
    access-group vlan-inside_access_in in interface vlan-inside
    access-group vlan-public_access_in in interface vlan-public

    route outside 0.0.0.0 0.0.0.0 x.x.x.1 1

I can get out to the internet on both VLANs and they are going out on the right IPs. I just can't ping or get traffic to flow between VLAN 300 and VLAN 301... any ideas?

Thanks for your help in advance.
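An added example, not part of any post in this thread: a Python check that reads the subinterface, ACL and access-group lines of the config posted above and reports inbound `permit ip any` entries that open a higher security-level VLAN to a lower one (on an ASA, lower-to-higher traffic passes only where an ACL permits it). It assumes the indented `show running-config` layout and real addresses in place of the x.x.x.x placeholders; the function names are made up for this example.

```python
import ipaddress
import re

# Constructed sample: the trunk, ACL and access-group lines of the config posted above.
CONFIG = """\
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Ethernet0/3.300
 vlan 300
 nameif vlan-inside
 security-level 90
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/3.301
 vlan 301
 nameif vlan-public
 security-level 10
 ip address 192.168.20.1 255.255.255.0
access-list vlan-inside_access_in extended permit ip any 192.168.20.0 255.255.255.0
access-list vlan-public_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-group vlan-inside_access_in in interface vlan-inside
access-group vlan-public_access_in in interface vlan-public
"""

def parse_zones(text):
    """Map nameif -> port, VLAN tag (0 = untagged), security level and connected network."""
    zones = {}
    for port, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", text, re.M):
        f = dict(re.findall(r"^ (vlan|nameif|security-level|ip address) (.+)$", body, re.M))
        if "nameif" in f:  # the parent port ("no nameif") carries no zone of its own
            net = ipaddress.ip_network(f["ip address"].replace(" ", "/"), strict=False)
            zones[f["nameif"]] = {"port": port, "vlan": int(f.get("vlan", 0)),
                                  "level": int(f["security-level"]), "net": net}
    return zones

def lower_to_higher_permits(text):
    """Inbound 'permit ip any' entries that open a higher-level zone to a lower one."""
    zones = parse_zones(text)
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)$", text, re.M))
    by_net = {z["net"]: name for name, z in zones.items()}
    findings = []
    for acl, entry, net, mask in re.findall(
            r"^access-list (\S+) extended (permit ip any ([\d.]+) ([\d.]+))$", text, re.M):
        src, dst = bound.get(acl), by_net.get(ipaddress.ip_network(f"{net}/{mask}", strict=False))
        if src in zones and dst and zones[dst]["level"] > zones[src]["level"]:
            findings.append((src, dst, entry))  # (source zone, destination zone, ACL entry)
    return findings

print(lower_to_higher_permits(CONFIG))
```

On the sample it reports the `vlan-public_access_in` entry, which admits all IP from the security-level 10 VLAN into 192.168.10.0/24 behind the security-level 90 interface; the `vlan-inside_access_in` entry runs higher-to-lower and is not reported.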

Purple

Re: Trunking on ASA

Chris is correct; you would need to use subinterfaces to trunk whatever VLANs you want.
