Trunking on ASA

EvolutionVI
Level 1

Hi all,

Have a question about trunking on an ASA5510. Here is my setup.

3Com switch VLAN300 = ports 5-8 and VLAN301 = ports 9-12. I have both VLANs trunked to port 13.

ASA5510 VLAN300 on ethernet0/3.300 and VLAN301 on ethernet0/3.301. Port 13 on the 3Com switch is attached to ethernet0/3 on the ASA. I assume the next step would be to trunk the two VLANs to ethernet0/3?

I tried to run the following commands:

    ciscoasa(config)# interface ethernet0/3
    ciscoasa(config-if)# switchport mode trunk

but I get an "Error: % Invalid input detected at '^' marker." The ^ is pointing to the switchport command. Any ideas?

Thanks for your help.

chris.lepa
Level 1

Hi,

You must do this:

    asa(config)#int eth0/3
    asa(config)#no shut
    asa(config)#int eth0/3.300
    asa(config-if)#encapsulation dot1q 300
    asa(config-if)#ip add
    asa(config-if)#no shut
    asa(config)#int eth0/3.301
    asa(config)#encapsulation dot1q 301
    asa(config-if)#ip add
    asa(config-if)#no shut

Hope that helps. Please rate if it does.

-Chris

Hi Chris,

Thanks for the info. I tried the command "encapsulation..." but it came up with the same error.

I was doing more research and apparently the ASA will automatically trunk the physical interface if more than 1 VLAN is added on that interface. Hmm...

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f42.html#wp1044006

One more question, I'm trying to get the two VLANs to communicate with each other but I'm having difficulties... here's my config:

    interface Ethernet0/1
     nameif outside
     security-level 0
     ip address x.x.x.2 y.y.y.y
     ospf cost 10
    interface Ethernet0/3
     no nameif
     no security-level
     no ip address
    interface Ethernet0/3.300
     vlan 300
     nameif vlan-inside
     security-level 90
     ip address 192.168.10.1 255.255.255.0
    interface Ethernet0/3.301
     vlan 301
     nameif vlan-public
     security-level 10
     ip address 192.168.20.1 255.255.255.0
    access-list vlan-inside_access_in extended permit ip any 192.168.20.0 255.255.255.0
    access-list vlan-public_access_in extended permit ip any 192.168.10.0 255.255.255.0
    nat-control
    global (outside) 1 interface
    global (outside) 2 x.x.x.3 netmask y.y.y.y
    global (outside) 3 x.x.x.4 netmask y.y.y.y
    global (vlan-inside) 3 interface
    global (vlan-public) 2 interface
    nat (vlan-inside) 2 192.168.10.0 255.255.255.0
    nat (vlan-public) 3 192.168.20.0 255.255.255.0
    access-group outside_access_in in interface outside
    access-group vlan-inside_access_in in interface vlan-inside
    access-group vlan-public_access_in in interface vlan-public
    route outside 0.0.0.0 0.0.0.0 x.x.x.1 1

I can get out to the internet on both VLANs and they are going out on the right IPs. I just can't ping or get traffic to flow between VLAN 300 and VLAN 301... any ideas?

Thanks for your help in advance.
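
The subinterface layout discussed in this thread can be checked offline before it is pasted into a firewall. The script below is an added example, not part of any post here and not Cisco tooling: it parses interface stanzas, maps each subinterface to its `vlan` ID, and flags the IOS-style commands the posters saw rejected on the ASA 5510, untagged subinterfaces, reused VLAN IDs, and a `nameif` on the trunk's physical parent (which would let untagged frames pass). The function names and the sample config are assumptions made for illustration.

```python
import re

# Constructed sample in "show running-config" layout: the thread's trunk port
# and subinterfaces, plus the two IOS-style commands the posters saw rejected.
SAMPLE = """\
interface Ethernet0/3
 switchport mode trunk
 no nameif
interface Ethernet0/3.300
 vlan 300
 nameif vlan-inside
interface Ethernet0/3.301
 encapsulation dot1q 301
"""

def parse_interfaces(text):
    """Map each interface name to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"interface\s+(\S+)\s*$", raw)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif raw[:1].isspace() and current is not None:
            current.append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level line ends the stanza
    return stanzas

def audit_trunk(text):
    """Return ({subinterface: vlan id}, [findings]) for an ASA-style config."""
    stanzas = parse_interfaces(text)
    parents = {n.split(".")[0] for n in stanzas if "." in n}
    vlans, findings = {}, []
    for name, cmds in stanzas.items():
        for cmd in cmds:
            if cmd.startswith(("switchport", "encapsulation")):
                findings.append(f"{name}: IOS-style '{cmd}', use 'vlan <id>' on a subinterface")
        tag = next((int(c.split()[1]) for c in cmds if re.match(r"vlan \d+$", c)), None)
        if "." not in name:
            if name in parents and any(c.startswith("nameif ") for c in cmds):
                findings.append(f"{name}: nameif on trunk parent lets untagged frames in")
        elif tag is None:
            findings.append(f"{name}: no 'vlan <id>', subinterface carries no tag")
        elif tag in vlans.values():
            findings.append(f"{name}: VLAN {tag} is already assigned")
        else:
            vlans[name] = tag
    return vlans, findings

print(audit_trunk(SAMPLE))
```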

glen.grant
VIP Alumni

Chris is correct; you would need to use subinterfaces to trunk whatever VLANs you want.