Yes dot1 q between the ASA and 7k.

Each VLAN is separetely terminated on ASA with subinterfaces.

Q.    On N7k it's one physical interface (trunk) with multiple vlans - and each in separate VRF ?

Ans Yes

Q And we have a problems with pings between directly connected devices in the same vlan ?

Ans Yes directly connnected device are not pinging.

Firewall Interface configuration:

interface Port-channel13

no vlan

no nameif

no security-level

no ip address

!

interface Port-channel 13.1021

description VRF-X

vlan 1021

nameif inside

security-level 100

ip address x.x.15.5 255.255.255.0

interface Port-channel13.1022
  description VRF-Y

vlan 1022
nameif inside
security-level 100
ip address x.x.11.5 255.255.255.0

Switch Interface is Trunk port and all VLANS are allowed in that

ASA config is correct.

I suspect that traffic from ASA is landing in incorrect VRF on N7K - and that's why N7K can not respond.

1. Check VRF assigment on N7K.

2. Capture traffic on ASA, try to ping from N7K to ASA, can you see those packets ?

---

Michal

What does the meaning of  VRF assignment on 7k and 7K Switch port is trunk port so what does the problem in that?

------

Saurabh

ok, show switch: ports (L2) and vlan interfaces (L3) configuration

--

Michal

Hi,

Both interfaces on the ASA are using the same security-level. Doesn't this require one of the sysopts?

hostname(config)# same-security-traffic permit inter-interface

Regards,
Erik

Sent from Cisco Technical Support iPad App

This command is already in ASA...

Regards

Hi

Please check mac-address of your ASA Interfaces and check switch mac-address table too.

Cheers

Hi,

Mac address of Firewall interface is not reflecting in switch mac-address table...

Regards

Saurabh Goel

Hi Michal Switch Config on interface is as below:-

interface port-channel13

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 1021,1022

  vpc 13

!

port-channel summary

13    Po13(SU)    Eth      LACP      Eth1/1(P)

!

interface Ethernet1/1

  description To EMDC1-ASA01-A

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 1021,1022

  rate-mode dedicated force

  channel-group 13 mode active

  no shutdown

!

interface Vlan1021

  no shutdown

  vrf member VRF-X

  no ip redirects

  ip address 10.11.11.251/24

  ip router ospf 1 area 0.0.0.1

  hsrp version 2

  hsrp 1021

    preempt

    priority 255

    timers  1  4

    ip 10.11.11.254

!

interface Vlan1022

  no shutdown

  vrf member VRF-Y

  no ip redirects

  ip address 10.11.12.251/24

  ip router ospf 1 area 0.0.0.1

  hsrp version 2

  hsrp 1022

    preempt

    priority 255

    timers  1  4

    ip 10.11.12.254

hey, how did you end up fixing this?

thanks

Hi Marek,

we had created three separate SVI in switch for each VRF and correspondingly three subinterface on ASA firewall.

the route the traffic towards VLAN and subinterfaces.

Above soluting is working with static routing and OSPF also.

if you need any help regarding this.. let me know.

Thanks

Saurabh Goel

Hi Saurabh;

We are going to implement virtualized multi-tenancy. I need help on this, it would be great if you can sens/show how to configure it on the 7K (multi vrf, trunking vlans which is members of vrf, routing) and how it is configured on the ASA. need poc this solution. THANKS  -- Adlai