Cisco ASA 5510 VLAN, VLAN Trunking or 802.1Q Trunking Expanded
Expanding from the Common Cisco ASA Firewall Configuration Commands article, we'll take an expanded look at VLAN trunking or 802.1Q trunking on the Cisco ASA 5510 firewall.
The ASA 5510 with a basic license will support up to 50 VLANs, and up to 100 VLANs with a Security Plus license. To check which license you have, use the command show version. The following assumes a Security Plus license.
Physical interfaces cannot be configured with a VLAN; instead you must create a subinterface for each VLAN you wish to use. To do this you use the global configuration command:
ASAFW(config)#interface physical_interface number.subinterface
Where the subinterface ID is an integer between 1 and 4294967293. Example:
ASAFW(config)#interface ethernet 0/0.1
A subinterface can only be attached to one VLAN, and you cannot assign the same VLAN to multiple interfaces. To add a subinterface to a VLAN you use the interface subcommand:
ASAFW(config-if)#vlan vlan_id
Where vlan_id is a number between 1 and 4096; be sure to verify that the vlan_id isn't a reserved one on the switch you are connecting to. Once you've configured the VLAN ID, you need to name the interface to allow traffic to pass through it. You use the nameif subinterface command to do this:
ASAFW(config-if)#nameif name
Following that you should set the interface security level, which is a number between 0 and 100 (highest). To help clarify the security level numbering, you would typically use level 100 on your internal trusted network interface (the most trusted interface), 50 for a DMZ and 0 for the internet, where 0 is the least trusted interface. By default, higher security level interfaces can access lower security level interfaces, but lower security level interfaces cannot access higher security level interfaces. You configure the security level using the subinterface command security-level:
ASAFW(config-if)#security-level number
Typically you will now set the IP address for the interface (Routed mode only):
ASAFW(config-if)#ip address ip_address mask
Finally you bring the interface up using the no shutdown command:
ASAFW(config-if)#no shutdown
A complete configuration using the above steps:
ASAFW(config)#interface ethernet 0/0.1
ASAFW(config-if)#vlan 50
ASAFW(config-if)#nameif DMZ
ASAFW(config-if)#security-level 50
ASAFW(config-if)#ip address 192.168.50.1 255.255.255.0
ASAFW(config-if)#no shutdown
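As an added example (not part of the original article, and not a Cisco tool), the following Python checks a saved ASA configuration against the rules described above: one VLAN per subinterface and no VLAN on two subinterfaces, a nameif on every subinterface, a security-level within 0-100, and a subinterface count within the license limit. The sample configuration is constructed here and includes two deliberate mistakes.

```python
from collections import defaultdict

# Constructed sample config (not from a real device): 0/0.2 reuses VLAN 50, 0/0.3 lacks nameif.
SAMPLE_CONFIG = """\
interface Ethernet0/0.1
 vlan 50
 nameif DMZ
 security-level 50
 ip address 192.168.50.1 255.255.255.0
interface Ethernet0/0.2
 vlan 50
 nameif GUEST
 security-level 10
interface Ethernet0/0.3
 vlan 0
 security-level 0
"""
LICENSE_VLAN_LIMIT = {"base": 50, "security plus": 100}  # VLAN counts given in the article

def parse_subinterfaces(config):
    """Map each subinterface name (e.g. Ethernet0/0.1) to its keyword -> value settings."""
    subifs, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface ") and "." in line:
            current = line.split()[1]
            subifs[current] = {}
        elif current and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            subifs[current][key] = value
        else:
            current = None  # any other top-level line (e.g. "!") ends the block
    return subifs

def audit(config, license_tier="security plus"):
    """Return findings for the rules the article states about VLAN subinterfaces."""
    subifs, findings, owners = parse_subinterfaces(config), [], defaultdict(list)
    for name, attrs in subifs.items():
        vlan = attrs.get("vlan")
        if vlan is None or not 1 <= int(vlan) <= 4096:  # range as the article gives it
            findings.append(f"{name}: vlan missing or out of range")
        else:
            owners[vlan].append(name)  # used below to catch one VLAN on two subinterfaces
        if "nameif" not in attrs:
            findings.append(f"{name}: no nameif, so it will not pass traffic")
        if not 0 <= int(attrs.get("security-level", -1)) <= 100:
            findings.append(f"{name}: security-level missing or out of range")
    findings += [f"vlan {v} assigned to {', '.join(n)}" for v, n in owners.items() if len(n) > 1]
    if len(subifs) > LICENSE_VLAN_LIMIT[license_tier]:
        findings.append(f"{len(subifs)} subinterfaces exceed the {license_tier} license limit")
    return findings
```

Run audit() over the output of show running-config to list the violations; an empty list means every subinterface passed.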