Is VLAN1 unusable when trunking to a 5515X and using LACP?

jomar050485 (Level 1)

I'm trying to replace a 5510 with a 5515 firewall. I made a port channel to my existing switch and made subinterfaces for all the VLANs in my network (1-2,8,10,12,15,20,30-32,51,60-61,101).

interface Port-channel20
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address
!
interface Port-channel20.1
 vlan 1
 nameif inside-vlan1
 security-level 100
 ip address 10.10.1.10 255.255.255.0
!
interface Port-channel20.2
 vlan 2
 nameif inside-vlan2
 security-level 100
 ip address 10.10.2.1 255.255.255.0
!
interface Port-channel20.8
 vlan 8
 nameif inside-vlan8
 security-level 100
 ip address 10.20.8.1 255.255.255.0
!
interface Port-channel20.12
 vlan 12
 nameif inside-vlan12
 security-level 100
 ip address 10.20.12.1 255.255.255.0
!
interface Port-channel20.15
 vlan 15
 nameif inside-vlan15
 security-level 100
 ip address 10.20.15.1 255.255.255.0
!
interface Port-channel20.20
 vlan 20
 nameif inside-vlan20
 security-level 100
 ip address 10.20.20.1 255.255.255.0
!
interface Port-channel20.30
 vlan 30
 nameif inside-vlan30
 security-level 100
 ip address 10.20.30.1 255.255.255.0
!
interface Port-channel20.31
 vlan 31
 nameif inside-vlan31
 security-level 100
 ip address 10.20.31.1 255.255.255.0
!
interface Port-channel20.32
 vlan 32
 nameif inside-vlan32
 security-level 100
 ip address 10.20.32.1 255.255.255.0
!
interface Port-channel20.51
 vlan 51
 nameif inside-vlan51
 security-level 100
 ip address 10.20.51.1 255.255.255.0
!
interface Port-channel20.60
 vlan 60
 nameif inside-vlan60
 security-level 100
 ip address 10.20.60.1 255.255.255.0
!
interface Port-channel20.61
 vlan 61
 nameif inside-vlan61
 security-level 100
 ip address 10.20.61.1 255.255.255.0
!
interface Port-channel20.101
 vlan 101
 nameif inside-vlan101
 security-level 100
 ip address 10.10.3.254 255.255.255.0

Every single VLAN works except VLAN 1. I can ping everything inside the VLAN but I can't ping 10.10.1.0. I get an ARP reply from the firewall but no data will pass through the firewall even though packet-tracer says it will work. I did a capture and I don't see data. 

As a test today, I put the 10.10.1.10 on VLAN 10 and it works fine with no problems. This makes me think I can't use VLAN 1.

Is there something preventing me from using VLAN 1 in this scenario? Now that I think of it more closely, maybe packets for VLAN 1 are going into "interface Port-channel20" and not "interface Port-channel20.1".

The best I can find is this:

The ASA does not support LACPDUs that are VLAN-tagged. If you enable native VLAN tagging on the neighboring switch using the Cisco IOS vlan dot1Q tag native command, then the ASA will drop the tagged LACPDUs. Be sure to disable native VLAN tagging on the neighboring switch. In multiple context mode, these messages are not included in a packet capture, so you cannot diagnose the issue effectively.

2 Replies

Jon Marshall (Hall of Fame)

What is the native VLAN on the trunk port?

If it is VLAN 1 then try changing it to another VLAN, e.g. VLAN 999.

Edit - if you do change it you do not need to allow it on the trunk link.

Jon
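
A small model of the mechanism the question and this answer point to, added here as an example and not part of the thread: on an 802.1Q trunk the switch sends the native VLAN untagged, and the ASA classifies received frames by their tag, so native-VLAN frames land on the parent Port-channel20 (which has no nameif) rather than on Port-channel20.1. The MAC addresses, the payload and the rule that the unnamed parent interface forwards nothing are constructed assumptions of the model, not captured data.

```python
import struct

# Subinterfaces configured on the ASA's Port-channel20 in the thread;
# the parent Port-channel20 itself has "no nameif".
SUBINTERFACES = {1, 2, 8, 12, 15, 20, 30, 31, 32, 51, 60, 61, 101}
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def switch_egress(vlan: int, native_vlan: int, payload: bytes) -> bytes:
    """Frame the switch puts on the trunk for traffic in `vlan`.

    On an 802.1Q trunk the native VLAN is sent untagged; every other
    allowed VLAN carries a 4-byte tag (TPID + TCI) before the EtherType.
    """
    dst = bytes.fromhex("001122334455")  # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    if vlan == native_vlan:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan & 0x0FFF  # PCP=0, DEI=0, VID=vlan
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def asa_classify(frame: bytes) -> str:
    """Name the ASA interface a received trunk frame is attributed to.

    Tagged frames are matched to the Port-channel20.<vid> subinterface
    whose `vlan <vid>` matches; untagged frames belong to the parent
    Port-channel20, which has no nameif and so forwards nothing (assumed).
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        if vid in SUBINTERFACES:
            return f"Port-channel20.{vid} (nameif inside-vlan{vid})"
        return f"dropped: no subinterface configured for VLAN {vid}"
    return "Port-channel20 (no nameif) -> dropped"


def trace(vlan: int, native_vlan: int) -> str:
    """Follow one frame in `vlan` across a trunk whose native VLAN is `native_vlan`."""
    payload = b"\x45" + b"\x00" * 19  # constructed stand-in for an IPv4 header
    return asa_classify(switch_egress(vlan, native_vlan, payload))


if __name__ == "__main__":
    for native in (1, 999):
        print(f"native VLAN {native}: VLAN 1 traffic -> {trace(1, native)}")
        print(f"native VLAN {native}: VLAN 20 traffic -> {trace(20, native)}")
```

Running it shows both outcomes from the thread: with native VLAN 1, VLAN 1 traffic arrives untagged and is attributed to the unnamed parent interface, while with native VLAN 999 it arrives tagged and reaches Port-channel20.1.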

Yes, that seems to have worked. I guess what I said was true.

Thanks for the insight!
