Cisco ASA 5505 and Cisco SG300 Switch VLAN Setup

Posted on 2013-12-05
Last Modified: 2013-12-05
I'm trying to set up a new vlan and I'm having some issues.

Here's the setup...

- We have a Cisco ASA 5505 with three interfaces - outside, inside and proxy.
- The default inside interface (ID 1) with the IP (subnet
- The 'proxy' vlan (ID 12) is the new vlan we just added to the ASA (and, yes, we do have the license for the additional vlans) with the IP (subnet
- We do NOT want/need hosts on these two different subnets to talk to each other.
- Both interfaces (vlan 1 and 12) are connected via one cable for each interface to the same Cisco SG300-28 switch.
- The switch is currently in L2 mode.
- I created a new vlan on the switch with ID 12 and name 'proxy'.
- I then assigned vlan membership to every port on the switch. The mode of every port is "Trunk" and the Operational VLANs for every port is "1UP,12T".

As far as I know, this is all I need to do. But here's the problem...

- In this setup, with a client computer attached to the SG300 with an IP of, I cannot get on the web. I can't even ping the ASA proxy interface ( NOTE: When running a ping, it is successful about 1 or 2 times out of every 15.
- If I connect the client computer directly to the proxy interface on the ASA, it works perfectly - web and pings.
- If I disconnect the cable for the INSIDE interface from the ASA to the switch, then the proxy vlan works fine.

So apparently when both cables from the two ASA interfaces to the switch are plugged in, it appears (based on the ping working every once in a while) as though only a tiny fraction of the traffic is going to the correct interface on the ASA.

I've been on the phone with Cisco for both the ASA and switch and they aren't sure why it wouldn't be working as everything appears to be configured correctly.

Please help!!!
Question by:graphicodyssey

Expert Comment

by:Henk van Achterberg
ID: 39699067
A computer, by default, does not use VLANs and thus is always sending traffic untagged and dropping tagged traffic.

If you want to have a PC in the proxy VLAN you should configure that port on the SG300 untagged in VLAN 12!

On the ASA you should connect one cable to the SG300 and configure it as trunk.

Author Comment

ID: 39699191
sorry, but if it's not obvious - vlans are still very new to me.

So, let me see if I have this right... the port with the cable that connects the switch to the ASA for vlan 12 should be in tagged operational mode with the vlan of 12. And the port for the client computer should be in untagged access mode? Then the switch knows to tag traffic coming from that client computer (which by default is untagged) as vlan 12, and then the switch knows that the port configured as a vlan 12 trunk is a bridge to get to the rest of the vlan 12 network (which in my case is the ASA).

Is this correct?

Accepted Solution

Henk van Achterberg earned 500 total points
ID: 39699218
Let me explain this a little bit more in detail.

By default the native vlan is 1. Native means untagged. When you configure a port on the ASA 5505 as trunk, packets in vlan 1 will be sent untagged. Packets in other vlans will be tagged with the vlan number.

The SG300 also has vlan 1 configured untagged and vlan 12 tagged on the port to the ASA.

If you need your computer to be in vlan 1 then configure the port with vlan 1 untagged. When you need it to be in vlan 12 configure it as vlan 12 untagged.

The switch will combine all tagged and untagged ports for the vlans so it will appear as one network per vlan.

In short, you are correct.

Author Comment

ID: 39699493
Ok, I think we're on the same page, but I have a couple questions...

Aren't untagged packets automatically tagged by the switch as the default vlan of 1 when they hit a managed switch? Thus, aren't untagged packets coming from the ASA automatically tagged as 1 or 12 (based on the interface they're coming from) when they leave the device?

Here's what I've done... left the switch in system mode L2. Reverted all ports to just vlan 1UP. Then I configured the port leading to the ASA as 12UP (so vlan 12, untagged, primary) and the port to the client computer also as 12UP. Doing this, everything started working perfectly. However, this is slightly different than what you recommended - which was that the port leading to the ASA should be configured as TAGGED vlan 12. But the SG300 won't allow me to do that - I must define some vlan as the untagged default. What do you think? Is this configuration good???

Author Comment

ID: 39699498
By the way, I've also left all ports in "TRUNK" mode instead of "ACCESS". From what I can tell, ACCESS mode may only be available in L3 mode???

Expert Comment

by:Henk van Achterberg
ID: 39699517
If you use two cables from the ASA to the switch you can use 12 untagged. If you want to use one cable you should use vlan 1 untagged and vlan 12 tagged.

access mode is allowing only the untagged vlan over the port.

Author Comment

ID: 39700232
I have a second SG300 that connects to the main SG300 over a single wire. There will be vlan 1 and 12 traffic coming from this second switch. So, based on your last comment, I need to configure the connecting ports on both of these two switches as 1UP and 12T, correct?

[HOST] --> 12UP [SWITCH] 1UP/12T --> 1UP/12T [SWITCH] 12UP --> vlan12 interface [ASA]

So basically anytime I want to traverse from one switch to another, I need untagged vlan 1 and tagged vlan 12 set up on the ports connecting the switches together. Is this correct?

Expert Comment

by:Henk van Achterberg
ID: 39700245
Yes it is!
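The accepted answer (vlan 1 untagged, vlan 12 tagged on the trunk; the client on a port that is untagged in vlan 12) and the switch-to-switch question above both come down to the same port configuration, so here it is written out once. This is an added example, not configuration posted in the thread or supplied by Cisco. It assumes a single cable between the ASA and the main SG300, the Security Plus license the poster says they have for additional VLANs (the 5505 does not allow trunk ports without it), port numbers Ethernet0/1 and gi1/gi2/gi3, security levels of 100 and 50, and placeholder RFC 5737 addresses in place of the real subnets the post omits. The lines beginning with `!` are annotations, not commands.

```text
! ===== Cisco ASA 5505 (added example; addresses, ports and security
! ===== levels are assumptions) =====
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan12
 nameif proxy
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! One cable to the SG300: Ethernet0/1 carries vlan 1 untagged (native)
! and vlan 12 tagged, exactly what the accepted answer describes.
interface Ethernet0/1
 switchport trunk allowed vlan 1,12
 switchport trunk native vlan 1
 switchport mode trunk
 no shutdown
!
! The poster does not want the two subnets to talk to each other.
! Trunking alone does not guarantee that: with security levels 100 and 50,
! inside -> proxy is permitted by default, so deny it explicitly. Applying
! an ACL replaces the default behaviour, so the permit line keeps Internet
! access working. proxy -> inside is already denied as lower -> higher.
access-list inside_in extended deny ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list inside_in extended permit ip 192.0.2.0 255.255.255.0 any
access-group inside_in in interface inside

! ===== Cisco SG300-28 in L2 mode (added example; gi1/gi2/gi3 are
! ===== assumed port numbers) =====
configure
vlan database
 vlan 12
 exit
interface vlan 12
 name proxy
 exit
!
! gi1: uplink to the ASA trunk port. vlan 1 untagged (native) plus vlan 12
! tagged is what the switch displays as "1UP,12T".
interface gi1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 12
 exit
!
! gi2: a client that must live in the proxy subnet. An access port sends the
! PC untagged frames and places the PC's untagged frames into vlan 12 (12UP);
! leaving the PC on a "1UP,12T" trunk port puts its traffic in vlan 1 instead.
interface gi2
 switchport mode access
 switchport access vlan 12
 exit
!
! gi3: link to the second SG300. The same 1UP,12T trunk goes on both ends,
! and any further client on the second switch gets the gi2 style access port.
interface gi3
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 12
 exit
end
copy running-config startup-config
```

If the two-cable layout is kept instead (one ASA port per vlan), the SG300 port facing the ASA's vlan 12 port becomes an access port in vlan 12 like gi2, and the ASA side is an access port rather than a trunk; the inside ACL on the ASA is needed either way, because it is the firewall, not the switch, that keeps the two subnets apart.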

Author Comment

ID: 39700249
Ok, thx so much for your help!


Question has a verified solution.
