Configuring the Cisco ASA with 802.1Q VLAN trunk to Extreme Summit 400-48t Network Switches
Quick and dirty notes for configuring an 802.1Q VLAN trunk between an Extreme Summit 400-48t network switch and a Cisco ASA 5510. Some other tips as well.
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.1
 description Subnet1
 shutdown
 vlan 50
 nameif V_Sub1
 security-level 100
 ip address 192.168.55.1 255.255.255.0
!
interface Ethernet0/1.2
 description Subnet2
 shutdown
 vlan 100
 nameif V_Sub2
 security-level 100
 ip address 10.150.150.1 255.255.255.0
!
interface Ethernet0/1.3
 description Subnet3
 shutdown
 vlan 150
 nameif V_Sub3
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/1.4
 description Subnet4
 vlan 200
 nameif V_Sub4
 security-level 100
 ip address 192.168.29.1 255.255.255.128
!
interface Ethernet0/1.5
 description Subnet5
 shutdown
 vlan 250
 nameif V_Sub5
 security-level 100
 ip address 192.168.29.129 255.255.255.128
On the Extreme Summit 400-48t side of things the configuration is pretty simple. For each VLAN defined on both the 400-48t and the ASA, add the VLAN to the trunk port (the switch port connected to the ASA) with the “tagged” option. The command for this on the Extreme looks like so:
configure vlan V_Sub1 add ports 1:2 tagged
Where port 1:2 is the trunk port connected to the ASA’s Ethernet0/1 port. Simply repeat this for each VLAN. Also ensure that you configure the corresponding VLAN 802.1Q tag on the Extreme 400-48t:
configure vlan V_Sub1 tag 100
For each port you wish to place in one of the VLANs on the Extreme 400-48t, add it with the same command, but make it “untagged”:
configure vlan V_Sub1 add ports 1:2 untagged
If you need a particular port to be in more than one VLAN at the same time, however, you must use the “tagged” option. In that case you must also configure the VLAN 802.1Q tag on the server NIC itself, normally in the NIC management software or advanced properties.
The same configuration for a Cisco switch looks something like this on the trunk port:
interface FastEthernet1/0/1
 description ASA 5510 Ethernet0/1 Trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50,100,150,200,250
 switchport mode trunk
 no ip address
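The trunk only works when every ASA subinterface's vlan ID has a matching tag on the switch and the trunk port is added to that VLAN as tagged. The Python script below is an added example, not part of the original post, that checks this from the two configurations as text; the sample inputs are constructed, and it assumes trunk ports are listed individually (no port ranges).

```python
import re
# Constructed sample: two ASA subinterfaces in the style of the config above.
ASA_CFG = """interface Ethernet0/1.1
 vlan 50
 nameif V_Sub1
interface Ethernet0/1.4
 vlan 200
 nameif V_Sub4
"""
# Constructed sample: V_Sub1 has the wrong tag; V_Sub4 is untagged on the trunk.
EXTREME_CFG = """configure vlan V_Sub1 tag 100
configure vlan V_Sub1 add ports 1:2 tagged
configure vlan V_Sub4 tag 200
configure vlan V_Sub4 add ports 1:2 untagged
"""

def asa_vlans(cfg):
    """Map 802.1Q VLAN ID -> nameif for every ASA subinterface."""
    out = {}
    for block in re.split(r"(?m)^interface\s+", cfg)[1:]:
        vlan = re.search(r"(?m)^\s*vlan\s+(\d+)", block)
        name = re.search(r"(?m)^\s*nameif\s+(\S+)", block)
        if vlan:  # the physical interface has no vlan line and is skipped
            out[int(vlan.group(1))] = name.group(1) if name else "?"
    return out

def extreme_vlans(cfg, trunk_port):
    """Map tag -> (VLAN name, 'tagged'/'untagged'/None for trunk_port)."""
    tags = {n: int(t) for n, t in re.findall(r"(?m)^configure vlan (\S+) tag (\d+)", cfg)}
    adds = re.findall(r"(?m)^configure vlan (\S+) add ports (\S+) (tagged|untagged)", cfg)
    modes = {n: m for n, ports, m in adds if trunk_port in ports.split(",")}
    return {tag: (name, modes.get(name)) for name, tag in tags.items()}

def audit(asa_cfg, extreme_cfg, trunk_port):
    """Return a list of findings; an empty list means both sides agree."""
    asa, sw = asa_vlans(asa_cfg), extreme_vlans(extreme_cfg, trunk_port)
    findings = []
    for vid, nameif in sorted(asa.items()):
        if vid not in sw:
            findings.append(f"ASA {nameif}: no switch VLAN has tag {vid}")
        elif sw[vid][1] != "tagged":
            findings.append(f"ASA {nameif}: port {trunk_port} not tagged in {sw[vid][0]}")
    for tag, (name, mode) in sorted(sw.items()):
        if mode == "tagged" and tag not in asa:  # VLAN trunked to the firewall for no reason
            findings.append(f"switch {name}: tag {tag} trunked but unused on the ASA")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ASA_CFG, EXTREME_CFG, "1:2")))
```

The last finding type is worth pruning as well as fixing: a VLAN tagged onto the firewall trunk with no matching subinterface carries traffic to a port that has no use for it.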
Mirroring ports on the Extreme switch
The following example selects port 3 as the mirror port and sends all traffic coming into or out of the switch on port 1 to the mirror port:
enable mirroring to port 3
configure mirroring add port 1
configure mirroring delete ports 1
disable mirroring
If you receive "ERROR: Delete mirrored port(s) before disabling mirroring", you need to run configure mirroring delete ports x first and then disable mirroring.