Friday, July 5, 2024

Changing a Cisco Switchport Mode From Access to Trunk

I had to reconfigure a Cisco switchport mode from access to a trunk in order to run multiple VLANs in a Cisco ASA firewall interface. I configured a new sub-interface on the ASA using VLAN 10.

ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         46.4.4.66    YES CONFIG up                    up  
GigabitEthernet0/1         172.30.3.4    YES CONFIG up                    up  
GigabitEthernet0/1.10     172.20.1.7     YES manual up                    up  
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
GigabitEthernet0/6         unassigned      YES unset  administratively down down
GigabitEthernet0/7         172.30.3.254  YES unset  up                    up  
Internal-Control0/0        127.0.1.1       YES unset  up                    up  
Internal-Data0/0           unassigned      YES unset  up                    up  
Internal-Data0/1           unassigned      YES unset  down                  down
Internal-Data0/2           unassigned      YES unset  up                    up  
Internal-Data0/3           169.254.1.1     YES unset  up                    up  
Management0/0              10.10.6.9   YES CONFIG up                    up  

 

ciscoasa# show run interface GigabitEthernet0/1
!
interface GigabitEthernet0/1    <<< VLAN 30 ON SWITCH
 description | SW G1/0/3 : INSIDE |
 nameif inside
 security-level 100
 ip address 172.30.3.4 255.255.255.0

 

ciscoasa# show run interface GigabitEthernet0/1.10
!
interface GigabitEthernet0/1.10
 description | DMZ |
 vlan 10
 nameif dmz
 security-level 100
 ip address 172.20.1.7 255.255.255.248


Since it's a remote site with an IPSec VPN over the Internet via the native "inside" interface, I had to use the reload command to avoid being locked out. I reconfigured the switch port from an access port (single VLAN 30) to a trunk. I also used the switchport trunk native vlan command in order for the original "inside" interface to work (untagged). Once everything resumed and working, I canceled the reload command.


Switch#reload in 10
Reload scheduled for 10:24:35 UTC Thu Feb 8 2024 (in 10 minutes) by john on vty0 (172.30.3.1)Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface GigabitEthernet1/0/3
Switch(config-if)#switchport trunk native vlan 30
Switch(config-if)#switchport mode trunk

There was about a 5 second outage, then my SSH session resumed.


Switch(config-if)#no switchport access vlan 30
Switch(config-if)#no spanning-tree portfast
Switch(config-if)#end

Switch#show run interface g1/0/3
Building configuration...

Current configuration : 140 bytes
!
interface GigabitEthernet1/0/3
 description | FW G0/1 : INSIDE |
 switchport trunk native vlan 30
 switchport mode trunk
end

Switch#reload cancel


***
*** --- SHUTDOWN ABORTED ---
***
 

The proper design in the ASA should a sub-interface and VLAN configured away from the G0/1 main interface. Then the switchport is plainly configured as a trunk (no native vlan).

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/1.30
 vlan 30
 nameif inside
 security-level 100
 ip address 172.30.3.4 255.255.255.0 

 

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)