mikey250


asa5505 can i change default vlan 1 to vlan 800

Hi, I am running a Windows 2008 DC/AD/DNS/DHCP server plugged into my Cisco 2950 switch, int fa0/3. I have disabled VLAN 1 by setting up the native VLAN 800 in place of VLAN 1 on my switch also. (My server is already running a DHCP server!)


qns1.  I have now connected my Cisco 2950 to my asa5505 for internet access but need to know if I can change the asa5505 default VLAN 1 to 800?
Daniel Sheppard

The VLAN will only apply if you are tagging traffic.  I can't remember if you can actually tag traffic on the ASA 5505 in such a manner so the VLAN probably will not matter.  Your port from the switch to the ASA will need to be untagged on vlan 800.

I am not sure what DHCP has to do with this question.  DHCP is irrelevant to the VLANs other than to provide IP addresses to clients.  Not applicable with changing the VLAN from VID1 to VID800.
mikey250

ASKER

hi Daniel,

I set up native VLAN 800 to change the well-known VLAN 1, which was all it was, i.e. another layer of security.

"the vlan will only apply if you are tagging traffic" - the below command is what tags all traffic I believe from my reading:

- switch(config)#vlan dot1q tag native - my switch does not have this capability

qns1.  "I can't remember if you can actually tag traffic on the asa 5505 in such a manner so the vlan probably will not matter" - what do you mean  ?

qns2.  how do I untag int fa0/1-  vlan 800  ?

qns3.  DHCP - when looking for example setups of asa5505 it always shows how to set up the DHCP, which I do not need.  So I assume all I need to do is specifically go and set up 'inside nameif & outside nameif'?

oh well thanks for some direction.
Switch 2950 supports change of native VLAN
You need to choose your trunk interface (0/x) to change native VLAN

(config)# interface fa0/x
(config-if)# switchport trunk native vlan 800
(config-if)# end

You can verify native VLAN
#show interfaces fa0/x switchport
hi predrag,

qns1.  I already have that set on trunks, so not sure what you mean, as the asa5505 is default set VLAN 1?
ASKER CERTIFIED SOLUTION
Predrag Jovic
This solution is only available to members.
I have already done the below:

I am currently in the process of getting back to configuring my asa5505, ((but not plugged anything back in yet)).

I have already done the following yesterday:

config t
int fa0/1
description connected to asa5505
switchport mode trunk
switchport trunk native vlan 800
no shut


I am not sure what you mean but I have read url:

qns2.  what does the below mean  ?

step 2 (optional) for the base license, allow this interface to be the third vlan by limiting it from initiating contact to one other vlan using the following command:

"hostname(config-if)# no forward interface vlan number"
That is an optional step you don't need to configure. That refers to an ASA with the Base license, not the Security Plus license.
You have an explanation with an example on the page

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network.

If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.

Note: If you upgrade to the Security Plus license, you can remove this command and achieve full functionality for this interface. If you leave this command in place, this interface continues to be limited even after upgrading.
hi predrag,

I already have the 'security plus license'. - thanks for that advice.

qns1.  ok then going back to original question below:

I am currently in the process of getting back to configuring my asa5505, ((but not plugged anything back in yet)).

 I have already done the following yesterday:

 config t
 int fa0/1
 description connected to asa5505
 switchport mode trunk
 switchport trunk native vlan 800
 no shut
I already gave you the configuration of the ASA native VLAN, and the rest of the configuration is on the link above.

Quote from link above:
To configure a trunk port, perform the following steps:

Step 1 To specify the switch port you want to configure, enter the following command:
hostname(config)# interface ethernet0/port
Where port is 0 through 7. For example, enter the following command:
hostname(config)# interface ethernet0/1

Step 2 To assign VLANs to this trunk, enter one or more of the following commands.
• To assign native VLANs, enter the following command:
hostname(config-if)# switchport trunk native vlan vlan_id
• To assign VLANs, enter the following command:
hostname(config-if)# switchport trunk allowed vlan vlan_range

Step 3 To make this switch port a trunk port, enter the following command:
hostname(config-if)# switchport mode trunk


Read that configuration part again, there are optional steps if you need it.
Yes, the above has been accepted on my asa5505.   How do I do a: sh ip int brief - on an asa5505?
Please do not delete, I will return to this thread.
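
The native VLAN change discussed in this thread only helps if both ends of the 2950-to-ASA link agree on it. The following Python script is an added example, not part of the original thread or of Cisco's documentation: it parses constructed running-config excerpts for the two trunk ports and reports native VLAN or allowed VLAN disagreements. The interface names, VLAN 10 and the function names are assumptions made for the example.

```python
import re
# Constructed excerpts; the switch side mirrors the commands posted in the thread.
SWITCH_2950 = """\
interface FastEthernet0/1
 description connected to asa5505
 switchport mode trunk
 switchport trunk native vlan 800
"""
ASA_NATIVE_SET = """\
interface Ethernet0/1
 switchport trunk allowed vlan 10,800
 switchport trunk native vlan 800
 switchport mode trunk
"""
ASA_NATIVE_MISSING = ASA_NATIVE_SET.replace(" switchport trunk native vlan 800\n", "")

def expand_vlans(spec):
    """Expand a list such as '10,20-22,800' into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk(config, ifname, default_native=None):
    """Trunk settings of one interface; default_native applies when no native line exists
    (pass 1 for a Catalyst switch, whose trunks default to native VLAN 1)."""
    port, inside = {"mode": None, "native": default_native, "allowed": None}, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # an unindented line opens or closes a block
            inside = line.lower() == f"interface {ifname}".lower()
        elif inside and (m := re.match(r"switchport mode (\S+)", line)):
            port["mode"] = m.group(1)
        elif inside and (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
            port["native"] = int(m.group(1))
        elif inside and (m := re.match(r"switchport trunk allowed vlan ([\d,\- ]+)$", line)):
            port["allowed"] = expand_vlans(m.group(1))
    return port

def check_link(a, b):
    """Compare both ends of one 802.1Q link and return a list of findings."""
    findings = [f"end {n}: not in trunk mode" for n, p in (("A", a), ("B", b)) if p["mode"] != "trunk"]
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    elif a["native"] == 1:
        findings.append("native VLAN is still 1 on both ends")
    if a["allowed"] is not None and b["allowed"] is not None and a["allowed"] != b["allowed"]:
        findings.append(f"allowed VLAN lists differ: {sorted(a['allowed'] ^ b['allowed'])}")
    return findings
```

Calling `check_link(parse_trunk(SWITCH_2950, "FastEthernet0/1", default_native=1), parse_trunk(ASA_NATIVE_SET, "Ethernet0/1"))` returns an empty list; swapping in `ASA_NATIVE_MISSING` reports the mismatch.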