ASA 5545-X SVI/Vlan Interface

I am looking to deploy an ASA 5545-X with Layer 3 VLAN interfaces, but the device out of the box doesn't let you create VLAN interfaces. Is there any module available which enables creating Switch Virtual Interfaces?
I was looking at the 6-port Gigabit Ethernet I/O card, but wanted to make sure before ordering.
Many Thanks

Hi,
You are only able to configure subinterfaces for the VLAN ID on your ASA model.
You can only configure actual VLAN interfaces on the ASASM and ASA 5505 models. This relates to the fact that the ASA 5505 has a switch module while your model does not.
I have no experience with the ASASM, but I would imagine it's similar to the FWSM, which also used VLAN interfaces as it's a module in an actual larger switch/router platform.
You can also check this limitation in the Command Reference:
interface vlan
For the ASA 5505 and ASASM, to configure a VLAN interface and enter interface configuration mode, use the interface vlan command in global configuration mode. To remove a VLAN interface, use the no form of this command.
interface vlan number
no interface vlan number
Syntax Description
number: Specifies a VLAN ID.
For the ASA 5505, use an ID between 1 and 4090. The VLAN interface ID is enabled by default on VLAN 1.
For the ASASM, use an ID between 2 and 1000 and from 1025 to 4094.
- Jouni

Similar Messages

  • Force a svi vlan interface

    Hi,
    Is there a way to force an SVI VLAN interface up if no physical link is connected, on a ws-c3650 running version 03.03.02se?
    /Lasse

    You will need to have the VLAN configured and assigned to an interface before the SVI will be up/up.

  • 6500 VLAN Interface (SVI) Throughtput

    Guys,
    Very quick one: does anyone have any stats on throughput of a VLAN interface on a 6500 MSFC2?
    I just remember the old days where, if you had an RSM and it had a VLAN interface, the throughput was 400 Mbps (or something like that).
    Can a 6500 MSFC2 SVI run at a full gig?
    Sorry if this sounds a little crazy.
    Kindest regards,
    Ken

    That makes a lot of sense.
    I just did some research, and yes, it was 400M on a 5500 and now 1000 for the 6500 with an MSFC2, so yes, they have not increased it that much because, as you say, it should all be CEF-based MLS or traditional MLS based.
    Many thx all,
    Ken
    on a 6500 switch
    Switch sh port 15/1
    * = Configured MAC Address
    Port Name Status Vlan Duplex Speed Type
    15/1 MSFC connected trunk full 1000 Route Switch
    Port Trap IfIndex
    15/1 disabled 5
    Port Status ErrDisable Reason Port ErrDisableTimeout Action on Timeout
    15/1 connected - Enable No Change
    Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
    15/1 0 0 0 0 0
    Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants
    15/1 0 0 0 0 0 0 -
    Port Last-Time-Cleared
    15/1 Sat Jul 23 2005, 20:11:34
    Idle Detection
    on a 5505 switch
    Console> show port status
    A response, similar to the following, is displayed:
    Port Name Status Vlan Level Duplex Speed Type
    1/1 connected 523 normal half 100 100BaseTX
    1/2 notconnect 1 normal half 100 100BaseTX
    2/1 connected trunk normal half 400 Route Switch
    3/1 notconnect trunk normal full 155 OC3 MMF ATM
    5/1 notconnect 1 normal half 100 FDDI
    5/2 notconnect 1 normal half 100 FDDI

  • Trying to enable/configure an IPS software module on ASA 5545

    I've been trying to get our IPS module working on a pair of ASA 5545-Xs with nothing but grief. First we lost our license PAKs, then I found them and generated the license files FALCONXXXX.LIC. Cisco told me that I have to configure the CX module and use Prime Security Manager to load the *.lic files.
    Finally got that done, but the IPS module is still inactive. Okay, missing IPS image on disk0: copy that onto the ASA and try loading it using the
    sw-module commands, and the returned error is "can't load image, another service is running".
    So do I have to stop the CX after all this Prime Security Manager stuff? I can't use ASDM since it only wants an activation key (hex) which I don't have..
    Ideas? Suggestions?
    Mod  Card Type                                    Model              Serial No.
       0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH1831JCXB
     ips Unknown                                      N/A                FCH1831JCXB
    cxsc ASA CX5545 Security Appliance                ASA CX5545         FCH1831JCXB
     sfr Unknown                                      N/A                FCH1831JCXB
    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
       0 7c0e.ceee.d8eb to 7c0e.ceee.d8f4  1.0          2.1(9)8      9.2(2)8
     ips 7c0e.ceee.d8e9 to 7c0e.ceee.d8e9  N/A          N/A          
    cxsc 7c0e.ceee.d8e9 to 7c0e.ceee.d8e9  N/A          N/A          9.2.1.1
     sfr 7c0e.ceee.d8e9 to 7c0e.ceee.d8e9  N/A          N/A          
    Mod  SSM Application Name           Status           SSM Application Version
     ips Unknown                        No Image Present Not Applicable
    cxsc ASA CX                         Up               9.2.1.1
     sfr Unknown                        No Image Present Not Applicable
    Mod  Status             Data Plane Status     Compatibility
       0 Up Sys             Not Applicable        
     ips Unresponsive       Not Applicable        
    cxsc Up                 Up                    
     sfr Unresponsive       Not Applicable        
    Mod  License Name   License Status  Time Remaining
     ips IPS Module     Disabled        perpetual     

    The thing to keep in mind is what IPS you have purchased. There are three distinct types.
    The classic IPS uses the IPS software module. That uses a subscription that is bound to your ASA via your Smartnet support and does not require a license file once the software module is activated using an activation key.
    The CX module also has an IPS license option. That is configured from within the PRSM interface and will only be visible in PRSM - not in the "show module" output. Your output indicates the CX module is installed so if you have that IPS license type for CX (i.e. the FALCONXXXX.LIC) you need to follow the CX quick start guide and apply the license file via the PRSM GUI.
    There's also an IPS license type for the sfr (FirePOWER service module) which is installed via the separate FireSIGHT Management Center and applied to the module remotely.

  • High VLAN Interface utilization (6500/sup720)

    Can anyone tell me why a VLAN interface would show 100% utilization for a given VLAN? This is a sup720 we're talking about.
    I understand that the bandwidth of a virtual interface is 1 Gig, but I thought this was more related to the routing metric.
    Users were actually seeing performance issues until we changed how the servers on this particular interface were replicating. Once we did this, the VLAN interface utilization went down and performance went up.
    It doesn't make sense to me that the VLAN interface would limit the actual throughput of the various ports that are mapped to it. Throughput should be related to the switch module (61xx, 65xx, 67xx), how it interfaces to the backplane, and the backplane speed itself.
    Any insights would be helpful.

    If the layer 3 SVI was showing 100%, that means it had a lot of traffic that was being process switched at layer 3 instead of hardware switched. Normally most traffic is hardware switched within the ASICs and never even gets passed up to that layer. What would cause this I'm not sure.

  • FWSM vlan interface

    Hello, quick question I hope someone can help with.
    Is it possible for me to create 2 VLAN interfaces on the 6500 and have them both in the same subnet?
    For a specific customer requirement I would like to have a VLAN interface on the 6500 as default gateway, sitting in its own VRF, and then route all traffic inbound and outbound to this VLAN through the FWSM interface, preferably in the same subnet. I don't think this will be possible, so I'm just looking for confirmation either way.
    As I will be running EIGRP between a pair of central 6500s and 2 remote offices, it will make things much easier for me to advertise the connected FWSM interfaces into EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop, then I'll have to redistribute a list of statics, which I don't really want to do.
    The reason I am not just using the FWSM as gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.
    Hope that makes sense; let me know if you have further questions.
    Thanks

    Thanks Marvin. You do understand the question, and it occurred to me after writing the above that I could just use a single FWSM inside interface and route in and out of each VRF via that one interface (all VRFs belong to a single customer; they're just required for segregation of internal traffic).
    The third 6500 running HSRP will be located in a DC 100 km away, connected via dual 1 Gb circuits (3 ms latency), and has its own default route to a pair of ASA 5520s. If both FWSMs go down, then the gateway will go live in the second site and traffic will be switched over our SP QinQ tunnel to that gateway. Relevant BGP bits (MED), etc. will also be in place for seamless failover and traffic flow to and from the /23 PI range peered with the same ISP in each location.
    Thanks again.
    Chris

  • SNMP polling of VLAN Interfaces on Switches/Routers

    Hi,
    We were trying to poll VLAN interface traffic using IF-MIB for 6500 switches, 3560 switches and 7600 routers. We are getting correct values only for the 6500 switch, which shows exactly the traffic passed through that VLAN, whereas the 7600 shows only the SVI interface and the 3560 doesn't show the SVI or VLAN at all.
    We would like to know if there are any other MIB files we have to use to get the VLAN traffic statistics of these switches or routers.
    Thanks,
    NIEG team

    When you poll the VLAN info, what SNMP community are you using? On some devices you have to use, for example, public@20, where 20 is the VLAN in question.
    Sent from Cisco Technical Support iPad App

  • ACL's and VLan interfaces

    I am trying to understand the boundaries of a VLAN on a given switch. When a packet is passed from VLAN interface 1 to VLAN interface 2 on the same switch, and VLAN 2 has an inbound ACL denying this packet, would it get acted upon in this manner, or does the ACL only get applied if the packet enters a physical interface?

    A packet coming into a device from one interface and going out another interface does not pass two 'inbound' ACLs. It can pass two ACLs but one will be inbound and one will be outbound.
    The situation is no different when you are using logical interfaces like SVI (L3 VLAN interfaces). In your case if you have an ACL defined inbound on VLAN 1 in the distribution switch then the packets coming into VLAN1 will be subject to inspection against the rules of this ACL. However, if there is no outbound ACL for VLAN 2 then packets leaving the distribution switch and going out of VLAN 2 to switch 2 will not be subject to any ACLs.
    The concept of inbound and outbound is the same in case of both physical interfaces or logical interfaces.
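    An added example (not from the thread) that models the answer above: a switch with two SVIs where a packet from VLAN 1 to VLAN 2 is checked against VLAN 1's inbound ACL and VLAN 2's outbound ACL only, so an inbound ACL on VLAN 2 never sees it. The networks, ACL names and the SMB deny entry are constructed for the scenario.

```python
from ipaddress import ip_address, ip_network


class Acl:
    """Ordered access list with the usual implicit deny at the end.
    Each entry is (action, proto, src_net, dst_net, dst_port); None is a wildcard."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = [(a, p, ip_network(s), ip_network(d), port)
                        for a, p, s, d, port in entries]

    def check(self, pkt):
        for action, proto, src, dst, port in self.entries:
            if proto not in (None, pkt["proto"]):
                continue
            if ip_address(pkt["src"]) not in src or ip_address(pkt["dst"]) not in dst:
                continue
            if port not in (None, pkt.get("dport")):
                continue
            return action
        return "deny"


class L3Switch:
    """Routes between SVIs. A packet is checked against the ingress SVI's inbound ACL
    and the egress SVI's outbound ACL only, exactly as with two physical routed ports."""

    def __init__(self):
        self.svis = {}

    def add_svi(self, vlan, network, acl_in=None, acl_out=None):
        self.svis[vlan] = {"net": ip_network(network), "in": acl_in, "out": acl_out}

    def _svi_for(self, addr):
        for vlan, svi in self.svis.items():
            if ip_address(addr) in svi["net"]:
                return vlan
        raise LookupError(f"no SVI for {addr}")

    def forward(self, pkt):
        """Return (verdict, names of the ACLs actually consulted, in order)."""
        ingress = self.svis[self._svi_for(pkt["src"])]
        egress = self.svis[self._svi_for(pkt["dst"])]
        consulted = []
        for acl in (ingress["in"], egress["out"]):
            if acl is None:
                continue
            consulted.append(acl.name)
            if acl.check(pkt) == "deny":
                return "deny", consulted
        return "permit", consulted


def build_switch(vlan2_outbound_acl=False):
    """Constructed scenario from the question: VLAN 2 carries an inbound ACL that would
    deny SMB from VLAN 1, but that ACL only sees traffic entering the switch on VLAN 2."""
    deny_smb = ("deny", "tcp", "10.1.0.0/24", "10.2.0.0/24", 445)
    permit_any = ("permit", None, "0.0.0.0/0", "0.0.0.0/0", None)
    sw = L3Switch()
    sw.add_svi(1, "10.1.0.0/24", acl_in=Acl("VLAN1-IN", [permit_any]))
    sw.add_svi(2, "10.2.0.0/24", acl_in=Acl("VLAN2-IN", [deny_smb, permit_any]),
               acl_out=Acl("VLAN2-OUT", [deny_smb, permit_any]) if vlan2_outbound_acl else None)
    return sw
```

    Only when the same deny entry is applied outbound on VLAN 2 does the VLAN 1 to VLAN 2 packet get dropped.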

  • Mail outgoing problem in ASA 5545-X(IOS version 9.0.3)

    Hi,
    Last week we replaced our old firewall (ASA 5540, IOS ver 8.2.5) with an ASA 5545-X, IOS ver 9.0.3. Everything works fine other than outgoing mail. However, there was no such issue on the old firewall.
    OLD Configuration(ASA 5540, IOS ver:8.2.5):
    static (dmz,outside) 203.223.92.38 172.16.252.31 netmask 255.255.255.255
    access-list INBOUND extended permit tcp any host 203.223.92.38 eq smtp
    access-list DMZ extended permit ip host 172.16.252.31 any
    NEW configuration (ASA 5545-X, IOS ver 9.0.3):
    object network obj-172.16.252.31
     host 172.16.252.31
    object network obj-203.223.92.38
     host 203.223.92.38
    nat (dmz,outside) source static obj-172.16.252.31 obj-203.223.92.38
    access-list INBOUND extended permit tcp any host 172.16.252.31 eq smtp
    access-list DMZ extended permit ip host 172.16.252.31 any
    =========================================================
    At the command prompt it shows "550 5.7.1 Unable to relay". We have tried Microsoft and Linux mail servers; the issue is not in the mail server.
    In the firewall log it shows a FIN flag from outside. Please help us to solve the issue.
    Regards,
    Mirza Rakib

    Try this:
    object network obj-172.16.252.31
    host 172.16.252.31
    nat (dmz,outside) static 203.223.92.38
    access-list INBOUND extended permit tcp any host 172.16.252.31 eq smtp
    access-list DMZ extended permit ip host 172.16.252.31 any
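    An added example, not from the thread, that mechanises the rewrite the answer performs: it converts pre-8.3 one-to-one host `static` lines into 8.3+ object NAT and rewrites any ACL that still names the mapped address to the real address, since 8.3 and later evaluate ACLs against real, pre-NAT addresses. The input is the thread's old configuration, embedded as a constructed sample.

```python
import re

# Constructed sample: the pre-8.3 lines from the thread's "OLD Configuration".
OLD_CONFIG = """\
static (dmz,outside) 203.223.92.38 172.16.252.31 netmask 255.255.255.255
access-list INBOUND extended permit tcp any host 203.223.92.38 eq smtp
access-list DMZ extended permit ip host 172.16.252.31 any
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    rf"(?P<mapped>{IPV4}) (?P<real>{IPV4}) netmask 255\.255\.255\.255$"
)


def convert_static_nat(old_config):
    """Convert one-to-one host statics to 8.3+ object NAT.

    Returns (new config lines, {mapped: real}). Interface ACLs that name the
    mapped (global) address are rewritten to the real address, because from
    8.3 onward the ASA evaluates ACLs against real, pre-NAT addresses.
    Lines that are neither statics nor access-lists are passed through.
    """
    statics, others = [], []
    for line in old_config.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATIC_RE.match(line)
        (statics if m else others).append(m.groupdict() if m else line)
    out, mapped_to_real = [], {}
    for s in statics:
        mapped_to_real[s["mapped"]] = s["real"]
        out += [f"object network obj-{s['real']}",
                f" host {s['real']}",
                f" nat ({s['real_if']},{s['mapped_if']}) static {s['mapped']}"]
    for line in others:
        if line.startswith("access-list "):
            for mapped, real in mapped_to_real.items():
                line = re.sub(rf"\bhost {re.escape(mapped)}\b", f"host {real}", line)
        out.append(line)
    return out, mapped_to_real


if __name__ == "__main__":
    print("\n".join(convert_static_nat(OLD_CONFIG)[0]))
```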

  • Missing AVP 29 VSA 23 in the Radius Access-Request sent by ASA 5545-X 8.6

    Hello,
    We are migrating from an ASA 5520 running version 8.4(3) to an ASA 5545-X running version 8.6(1)2 with the same configuration;
    we are stuck with a RADIUS authentication problem related to ASA clientless access;
    when we compare the RADIUS dialog between each ASA (the old one and the new one) and the same RADIUS ACS 5.3 server, we can see that the only difference is a missing AVP 29 VSA 23 in the RADIUS Access-Request sent by the new ASA 5545-X compared to the good one sent by the old ASA 5520;
    this AVP 29 VSA 23 carries the tunnel-group name as defined in the ASA configuration;
    the 5545-X and 5520 configuration files have been double-checked and compared: no difference between both files.
    Any help would be appreciated to diagnose this problem.
    Thanks in advance

    This problem was solved by upgrading the 5545-X from version 8.6(1)2 to version 9.1.2;
    nothing else changed

  • Could I use "vlan interface" as a tunnel source of DMVPN ?

    I have a 2811 router with a 9-port FE switch module (HWIC-D-9ESW).
    Could I use a VLAN interface as the tunnel source when configuring DMVPN?
    The VLAN ports are on the 9-port FE switch module.
    Because it's in production now, I can't try it.

    Hello.
    I think there is no restriction on software routers like 2811.
    PS: using loopback could be a better idea.

  • Netflow on 6509 in Native Mode from Vlan Interface

    I'm trying to get a 6509-E, running Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(33)SXI9, RELEASE SOFTWARE (fc2), to send NetFlow traffic from a VLAN interface to a SolarWinds server.
    The server is not seeing all the VLAN traffic, but does see all the traffic on the layer 2 ports (not NetFlow).
    I've seen that a command, ip flow ingress layer2-switched vlan, needs to be enabled, but the OS I have does not support that command.
    Or could it be that MLS is not configured except for a couple of commands:
    mls netflow interface
    mls cef error action reset 
    netflow setup:
    Flow export v5 is enabled for main cache
      Export source and destination details :
      VRF ID : Default
        Source(1)       10.31.101.1 (Vlan52)
        Destination(1)  10.30.2.196 (2055)
      Version 5 flow records
      14927339 flows exported in 615072 udp datagrams
      0 flows failed due to lack of export packet
      0 export packets were sent up to process level
      0 export packets were dropped due to no fib
      0 export packets were dropped due to adjacency issues
      0 export packets were dropped due to fragmentation failures
      0 export packets were dropped due to encapsulation fixup failures
      0 export packets were dropped enqueuing for the RP
      0 export packets were dropped due to IPC rate limiting
      0 export packets were dropped due to Card not being able to export  
    interface:
    interface Vlan52
     description AN.VDI.stu
     ip address 10.31.101.1 255.255.255.0
     ip helper-address 10.31.149.200
     no ip redirects
     ip flow ingress
     ip flow egress
     ip pim neighbor-filter 98
     ip pim sparse-dense-mode
     ip cgmp

    Enabling MLS was the fix.
    mls netflow interface
    mls flow ip interface-full
    mls nde sender version 5
    mls cef error action reset   
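    An added example, not from the thread, for checking what the collector side actually receives once the export above is working: a stand-alone parser for the version 5 flow records the thread's exporter sends (24-byte header, fixed 48-byte records), plus a per-ingress-ifIndex byte count, which is the quickest way to confirm that flows are being accounted on the SVI and not only on the layer 2 ports. The datagram is constructed inline; its addresses follow the thread, the ifIndex values and counters are made up.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: a 24-byte header followed by up to 30 fixed 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "bytes",
                 "first", "last", "sport", "dport", "_pad1", "tcp_flags", "proto",
                 "tos", "src_as", "dst_as", "src_mask", "dst_mask", "_pad2")


def parse_netflow_v5(datagram):
    """Parse one v5 export datagram into (header dict, list of flow dicts).
    Raises ValueError on a wrong version or a record count the datagram cannot hold."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than v5 header")
    header = dict(zip(HEADER_FIELDS, struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5: version {header['version']}")
    needed = HEADER_LEN + header["count"] * RECORD_LEN
    if header["count"] > 30 or len(datagram) < needed:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(header["count"]):
        off = HEADER_LEN + i * RECORD_LEN
        raw = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))       # 4 raw bytes -> dotted quad
        flows.append({k: v for k, v in rec.items() if not k.startswith("_")})
    return header, flows


def bytes_by_ingress_if(flows):
    """Sum octets per input ifIndex. An SVI whose ifIndex never shows up here while
    its L2 ports do is the symptom in the thread (no ingress accounting on the SVI)."""
    totals = {}
    for f in flows:
        totals[f["in_if"]] = totals.get(f["in_if"], 0) + f["bytes"]
    return totals


def _record(src, dst, in_if, out_if, pkts, octets, sport, dport, proto, flags=0):
    """Pack one constructed 48-byte record (next hop, AS numbers and timestamps are dummies)."""
    return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                       IPv4Address("0.0.0.0").packed, in_if, out_if, pkts, octets,
                       1000, 2000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample datagram: two flows such as the Vlan52 exporter in the thread
# (10.31.101.1) might send to a collector on UDP 2055. The ifIndex values are made up.
SAMPLE_DATAGRAM = (
    struct.pack(HEADER_FMT, 5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
    + _record("10.31.101.50", "10.30.2.10", 52, 10, 120, 98304, 49211, 445, 6, 0x18)
    + _record("10.31.101.77", "10.31.149.200", 52, 10, 2, 684, 68, 67, 17)
)

if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    print(hdr["count"], "flows; bytes by ingress ifIndex:", bytes_by_ingress_if(flows))
```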

  • VLAN Interface Command

    Ok, I thought I had the reason for the VLAN interface command down. I thought it was either used for switch management or routing between VLANs. However, now I realize that some communication won't work without this command, which doesn't make sense. If I have a VLAN, then the switch will only switch packets to ports on the same VLAN. The only way communication would work between VLANs is if I either enabled routing between VLANs with the VLAN interface command, connected the switch to another multi-layer switch that did do routing between VLANs, or connected the switch to a router which routed between the VLANs.
    However, I just got this new 3550 switch in, configured the correct ports with the assigned VLANs, and the only way my Cisco IP phone would work is if the VLAN interface for my voice VLAN was configured. The 3550 is connected to a 4507. Now, can someone tell me why this is? You shouldn't have to configure the VLAN interface, right? (Unless I wanted to route between VLANs, which could be done by the 4507.)

    Sounds to me like you either don't have the dot1q trunk interface between your 4506 and 3550 working properly, or your 3550 is running the enhanced image which allows routing.
    It would be nice to see your config on both the 3550 and the 4500 to determine the reason. Just a stab at how it should be configured: on your 4506, you have it running VTP server or transparent with the defined data and voice VLANs. You have a port configured for trunking (which connects to the 3550). On your 3550, you have configured it as a VTP client or transparent and have verified that it has received (or, if transparent VTP, you have configured) the appropriate VLANs. You then specified "interface VLAN #" or whatever number for switch management and configured the port that connects to the 4500 as a trunk. Your port connected to the phone has the auxiliary or voice VLAN configured. If this is how your equipment is configured and it still does not work, then look for the line "ip routing" in your 3550 and negate it with "no ip routing".
    If still no worky worky, post your config.
    Cheers,

  • ACE - Query VLAN Interfaces Status

    Hi,
    I am wondering what the status of the query VLAN interface means in the output of the command 'show ft peer detail':
    Query Vlan IF State          : UP, Manual validation - please ping peer
    I am pretty sure that I did not see this status when I configured query vlan last time. Current version is A2(2.3).
    Unfortunately this status does not seem to be documented anywhere on CCO.
    I appreciate any help!
    Thanks,
    Daniel

    Hi Daniel,
    The FT Query VLAN interface is an optional, yet very good, feature to be used when using redundant ACE modules or appliances. Without it, if the FT VLAN were to go down, the standby ACE would no longer receive FT heartbeats from the active ACE and would therefore take the active role. However, if the active ACE is still running fine in the active role, then you don't want the standby ACE to take over as active, because that will put them into an active/active scenario, which may lead to connectivity issues.
    This is where the FT Query VLAN interface comes in. If the FT VLAN goes down, the standby ACE will notice this, but before taking the active role, it will ping its peer IP address configured on the interface that is designated as the FT Query VLAN. If the ping is successful, then it will stay in the standby role, thereby saving you some headaches.
    The status that you are seeing is the ACE's way of telling you that the interface is UP, but if you want to know whether it can successfully ping the peer IP address, then you would have to manually ping the peer IP address from the CLI. The ACE does not periodically check the ping connectivity through any automatic mechanism. The automatic mechanism is only triggered by the FT VLAN going down.
    Does this help?
    Sean

  • How to disable AES CBC encryption on ASA 5545

    Hi,
    In our environment we have an ASA 5545 (IOS ver 9.1) firewall, and on it the AES 256 CBC cipher is enabled for SSH user access.
    We need to disable the CBC cipher and enable the CTR cipher for SSH users.
    Kindly help me with the same.
    Thanks,
    Dheeraj

    AES256-ctr was just added in ASA software version 9.1(2). I don't believe the SSH encryption type is configurable in the ASA SSH server. You need to specify it in the client; I did verify it will connect when you do that (see output below).
    SSL encryption ciphers can be specified to exclude the weak ciphersuites.
    # sh ssh session det
    SSH Session ID          : 1
     Client IP              : <deleted>
     Username               : <deleted>
     SSH Version            : 2.0
     State                  : SessionStarted
     Inbound Statistics
      Encryption            : aes256-ctr
      HMAC                  : sha1
      Bytes Received        : 1824
     Outbound Statistics
      Encryption            : aes256-ctr
      HMAC                  : sha1
      Bytes Transmitted     : 5632
     Rekey Information
      Time Remaining (sec)  : 3277
      Data Remaining (bytes): 996142580
      Last Rekey            : 07:12:38.807 UTC Tue May 20 2014
      Data-Based Rekeys     : 0
      Time-Based Rekeys     : 0
