ciscoasa# show interface ip brief
Interface              IP-Address    OK? Method Status                Protocol
GigabitEthernet0/0     46.4.4.66     YES CONFIG up                    up
GigabitEthernet0/1     172.30.3.4    YES CONFIG up                    up
GigabitEthernet0/1.10  172.20.1.7    YES manual up                    up
GigabitEthernet0/2     unassigned    YES unset  administratively down down
GigabitEthernet0/3     unassigned    YES unset  administratively down down
GigabitEthernet0/4     unassigned    YES unset  administratively down down
GigabitEthernet0/5     unassigned    YES unset  administratively down down
GigabitEthernet0/6     unassigned    YES unset  administratively down down
GigabitEthernet0/7     172.30.3.254  YES unset  up                    up
Internal-Control0/0    127.0.1.1     YES unset  up                    up
Internal-Data0/0       unassigned    YES unset  up                    up
Internal-Data0/1       unassigned    YES unset  down                  down
Internal-Data0/2       unassigned    YES unset  up                    up
Internal-Data0/3       169.254.1.1   YES unset  up                    up
Management0/0          10.10.6.9     YES CONFIG up                    up
ciscoasa# show run interface GigabitEthernet0/1
!
interface GigabitEthernet0/1 <<< VLAN 30 ON SWITCH
description | SW G1/0/3 : INSIDE |
nameif inside
security-level 100
ip address 172.30.3.4 255.255.255.0
ciscoasa# show run interface GigabitEthernet0/1.10
!
interface GigabitEthernet0/1.10
description | DMZ |
vlan 10
nameif dmz
security-level 100
ip address 172.20.1.7 255.255.255.248
Since it's a remote site with an IPsec VPN over the Internet via the native "inside" interface, I had to use the reload command to avoid being locked out. I reconfigured the switch port from an access port (single VLAN 30) to a trunk. I also used the switchport trunk native vlan command in order for the original "inside" interface to work (untagged). Once everything had resumed and was working, I canceled the reload command.
Switch#reload in 10
Reload scheduled for 10:24:35 UTC Thu Feb 8 2024 (in 10 minutes) by john on vty0 (172.30.3.1)
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface GigabitEthernet1/0/3
Switch(config-if)#switchport trunk native vlan 30
Switch(config-if)#switchport mode trunk
There was about a 5 second outage, then my SSH session resumed.
Switch(config-if)#no switchport access vlan 30
Switch(config-if)#no spanning-tree portfast
Switch(config-if)#end
Switch#show run interface g1/0/3
Building configuration...
Current configuration : 140 bytes
!
interface GigabitEthernet1/0/3
description | FW G0/1 : INSIDE |
switchport trunk native vlan 30
switchport mode trunk
end
Switch#reload cancel
***
*** --- SHUTDOWN ABORTED ---
***
The proper design on the ASA would have a sub-interface with the VLAN configured, away from the G0/1 main interface. Then the switch port is plainly configured as a trunk (no native VLAN override).
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
interface GigabitEthernet0/1.30
vlan 30
nameif inside
security-level 100
ip address 172.30.3.4 255.255.255.0
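As an added illustration (not from the original post), the following Python checks an ASA interface configuration against the facing switch port for the tagging mismatches this kind of change can produce: an untagged ASA interface whose frames land in the wrong VLAN, a sub-interface VLAN with no trunk to carry it, or a sub-interface VLAN that is also the trunk's native VLAN. The configs are constructed samples modelled on the post, and the parsing is simplified (a missing "switchport mode" is treated as access, and VLAN defaults are 1).

```python
import re

# Constructed configs modelled on the post; not the author's device output.
ASA_CFG = """interface GigabitEthernet0/1
 nameif inside
 ip address 172.30.3.4 255.255.255.0
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz
 ip address 172.20.1.7 255.255.255.248
"""
ASA_PROPER = "interface GigabitEthernet0/1.30\n vlan 30\n nameif inside\ninterface GigabitEthernet0/1.10\n vlan 10\n nameif dmz\n"
SW_ACCESS = "interface GigabitEthernet1/0/3\n switchport access vlan 30\n switchport mode access\n"
SW_TRUNK_DEFAULT = "interface GigabitEthernet1/0/3\n switchport mode trunk\n"
SW_TRUNK_NATIVE30 = "interface GigabitEthernet1/0/3\n switchport trunk native vlan 30\n switchport mode trunk\n"

def asa_interfaces(cfg):
    """Map each ASA interface carrying a nameif to its 802.1Q tag (None = untagged)."""
    found = {}
    for stanza in re.split(r"^interface ", cfg, flags=re.M)[1:]:
        name, _, body = stanza.partition("\n")
        if re.search(r"^ *nameif ", body, re.M):
            tag = re.search(r"^ *vlan (\d+)", body, re.M)
            found[name.strip()] = int(tag.group(1)) if tag else None
    return found

def switchport(cfg):
    """Return (mode, native_vlan, access_vlan) for one switchport stanza. Missing VLANs
    fall back to the IOS default of 1; a missing 'switchport mode' is treated as access."""
    mode = re.search(r"switchport mode (\w+)", cfg)
    native = re.search(r"switchport trunk native vlan (\d+)", cfg)
    access = re.search(r"switchport access vlan (\d+)", cfg)
    return (mode.group(1) if mode else "access",
            int(native.group(1)) if native else 1,
            int(access.group(1)) if access else 1)

def check(asa_cfg, sw_cfg, inside_vlan):
    """List VLAN mismatches across the firewall-switch link; [] means consistent."""
    mode, native, access = switchport(sw_cfg)
    problems = []
    for name, tag in asa_interfaces(asa_cfg).items():
        if tag is None:  # physical interface: ASA sends and expects untagged frames
            carried = access if mode == "access" else native
            if carried != inside_vlan:
                problems.append(f"{name}: untagged frames land in VLAN {carried}, expected {inside_vlan}")
        elif mode != "trunk":  # sub-interface: ASA expects 802.1Q-tagged frames
            problems.append(f"{name}: VLAN {tag} needs a trunk")
        elif tag == native:
            problems.append(f"{name}: VLAN {tag} is the native VLAN, so it arrives untagged")
    return problems
```

Run against the post's states, check() flags the DMZ sub-interface while the port is still an access port, flags the untagged inside interface if the trunk is left at native VLAN 1, and reports nothing for either the native-VLAN-30 trunk or the sub-interface design on a plain trunk.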