Really dumb ASA5506 multiple trunk question

Started by KDog, June 06, 2018, 09:11:01 PM


KDog

I've only played with 5505s, so the interface setup on the ASA5506 is confusing me and the more I think about it the stupider I become. :(
I'm sure this is simple and I'm missing something.

I want to have trunks containing the same IP subnets/VLANs on more than one physical interface:
VLAN100 - subnet 10.10.100.254/24
VLAN200 - subnet 10.10.200.254/24
VLAN300 - subnet 10.10.300.254/24

gigabit ethernet 1/1 - outside
gigabit ethernet 1/2 - Trunk  VLAN/subnet .100 .200 .300
gigabit ethernet 1/3 - Trunk VLAN/Subnet .100 .200

I can get it functioning fine for just one physical interface, but not for more than one.
I've tried doing it using a BVI and by just using subinterfaces for subnets. If I try to put a VLAN on more than one physical interface it errors, stating the VLAN is already in use. With a BVI I can't assign VLANs, but interestingly if I create a VLAN for any interface the BVI becomes listed as having the native VLAN.
Can I add the subnets as sub interfaces and ignore the VLANs?

The trunk ports will connect to a Cisco router already configured as trunk with VLAN / subnets.

Any help greatly appreciated!
Never argue with an idiot.
They will bring you down to their level and beat you with experience.

Dieselboy

#1
Hi KDog, not a dumb question at all. You're just missing some info I believe.

To do what you are trying to do, you do need to use a bridge group. I don't have access to a 5506 for this, so I cannot test it, but I think this config might help get you going at least.


interface GigabitEthernet1/3.100
 description vlan100 sub-int (tag 100 matches the real VLAN)
 vlan 100
 bridge-group 100
 nameif vl100-inside-a
 security-level 100
!
interface GigabitEthernet1/4.101
 description vlan100 sub-int (placeholder tag 101, bridged into VLAN 100)
 vlan 101
 bridge-group 100
 nameif vl100-inside-b
 security-level 100
!
interface BVI100
 description VLAN100 BVI
 nameif vl100-inside
 security-level 100
 ip address 10.10.100.254 255.255.255.0


So the caveat is that you can't add the same VLAN to multiple interfaces, which is what you want (like a switch). However, the firewall doesn't switch, so you can use a virtual bridge instead to link a fake VLAN to VLAN 100. I don't really like it ... I bought a 5506 for one of our sites with a 5-VLAN limit, not knowing about this caveat at the time. I have 3 VLANs and this makes the number of VLANs required in the ASA 6. It's a bit annoying.

Let us know how you go? Hopefully not many mistakes with the above config.

KDog

Ah, thanks for that, I didn't think of creating a fake VLAN for the subinterface to add to the BVI.

Will give it a try and see how it goes. Will have to get the sec-plus license added though for the final config as I also only have the base license.

Dieselboy

Had another thought: this might not work with subinterfaces if you want more than one VLAN on the physical interface, because the VLAN IDs won't match your real network. You could use the whole interface and set the VLAN as native to work around it.
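
As an added example (not from anyone in this thread), here is what the "whole interface as native VLAN" variant looks like for VLAN 100 spanning two physical ports, with no subinterfaces and therefore no mismatched VLAN IDs. It assumes an ASA running 9.7 or later in routed mode (bridge groups in routed mode need Integrated Routing and Bridging), and that the router ports at the far end send VLAN 100 untagged (native) on both links. The interface names, descriptions and the bridge-group number are made up for the example.

```cisco
! Added example, not the original poster's config.
! Assumes ASA 9.7+ routed mode (IRB); the far end must carry VLAN 100 untagged on both links.
interface GigabitEthernet1/2
 description to router trunk, native VLAN 100
 no shutdown
 nameif vl100-a
 security-level 100
 bridge-group 1
!
interface GigabitEthernet1/3
 description to router trunk, native VLAN 100
 no shutdown
 nameif vl100-b
 security-level 100
 bridge-group 1
!
interface BVI1
 description VLAN100 gateway (the only interface in the group with an IP)
 nameif vl100
 security-level 100
 ip address 10.10.100.254 255.255.255.0
!
! Traffic between the two member ports is still policed like any other
! inter-interface traffic; with equal security levels it is dropped until this is set:
same-security-traffic permit inter-interface
```

This covers one VLAN per pair of physical ports: each further VLAN that has to appear on two ports needs its own bridge group and BVI, which is where the per-licence VLAN count in the earlier post gets eaten up. After pasting it in, `show bridge-group 1` should list both member interfaces, and hosts on either link should ARP for 10.10.100.254 successfully; if the second link carries VLAN 100 tagged rather than native, the frames never reach the BVI and the ASA silently drops them, so check the trunk's native VLAN on the router side first.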

KDog

I solved the issue by getting the creds for the router and changing its crazy setup so that I only need a single subnet per interface on the ASA. lol

Dieselboy