Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
847
Views
0
Helpful
6
Replies

Native VLAN errors on Pix 506

naresh.narang
Level 1
Level 1

‎03-21-2005 01:24 PM - edited ‎02-21-2020 12:01 AM

Hi

Any ideas why I am getting native VLAN errors on Pix and how to fix it. Everything is working as it should using virtual DMZ.

Thanks

--Naresh

0 Helpful
6 Replies 6

Patrick Iseli
Level 7
Level 7

‎03-22-2005 09:55 AM

By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.

see:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

Might that be the problem ?

Example config:

interface ethernet1 vlan9 physical

interface ethernet1 vlan14 logical

interface ethernet1 vlan16 logical

interface ethernet1 vlan129 logical

nameif ethernet1 inside security100

nameif vlan14 interne security90

nameif vlan16 public security50

nameif vlan129 voip security80

ip address inside 192.168.9.1 255.255.0.0

ip address interne 192.168.14.1 255.255.0.0

ip address public 192.168.16.1 255.255.0.0

ip address voip 192.168.129.1 255.255.0.0

Switch setup:

------------------------------------------------------

vlan 9,14,16,129

!

interface FastEthernet0/1

description port uplink via PIX VPN

switchport trunk encapsulation dot1q

switchport trunk native vlan 9

switchport trunk allowed vlan 9,14,16

switchport mode trunk

no ip address

spanning-tree portfast

!

interface FastEthernet0/2

description port IP phone

switchport trunk encapsulation dot1q

switchport trunk native vlan 14

switchport mode trunk

switchport voice vlan 129

no ip address

spanning-tree portfast

!

interface Vlan1

no ip address

no ip route-cache

shutdown

!

interface Vlan9

ip address 192.168.9.254 255.255.255.0

no ip route-cache

sincerely

Patrick

0 Helpful

naresh.narang
Level 1
Level 1
In response to Patrick Iseli

‎03-22-2005 03:00 PM

Thanks for the response Patrick, I was suspecting it could be due to native vlan being 1 and is not shutdown. I have vlan 2 and vlan 4 going tagged on that trunk port but vlan 1 is untagged.

I tried making the native vlan to be vlan 2 for this trunk port and add VLAN 4. In this case since native vlan is vlan 2, it goes untagged and VLAN 4 is tagged. This setup didn't work for untagged vlan. Since trunking port encapsulates using 802.1q protocol, it shouldn't matter if the switch is a Dell and not Cisco.

Probably, I'll try and see if shutting down vlan 1 helps.

Regards,

--Naresh

0 Helpful

naresh.narang
Level 1
Level 1
In response to naresh.narang

‎03-28-2005 11:00 AM

Scenario 1. Switch is Native vlan is 1. Port configured as trunk and allowed vlans are 2 and 4. Everything works correctly but I see native vlan errors on Pix.

Scenario 2: Switch port put in vlan 2 so it becomes native vlan (goes untagged). Configured as trunk and added vlan 4. I am able to go out to Internet through Pix from "inside" and "dmz" but in this case I am unable to reach from server on inside to server in the dmz. This is the preferred configuration for me but I am not sure why I lose connectivity between inside and dmz.

Pix inside port is configured to carry vlans 2 and 4.

Any help is greatly appreciated.

0 Helpful

fedrodri
Level 1
Level 1
In response to naresh.narang

‎03-28-2005 04:43 PM

Naresh, did you define the inside interface as the physical interface on the PIX? Remember that the "physical" interface (as opposed to the "logical" interface) is going to be defined as the native VLAN going through that trunk on the PIX side. So, if you have VLAN2 as the native VLAN defined on your switch, you should do the same on the PIX; again, you would do it by setting it up as the physical one:

interface ethernet1 vlan2 physical

interface ethernet1 vlan4 logical

nameif ethernet1 inside security100

nameif vlan4 dmz security50

ip address inside 192.168.1.1 255.255.255.0

ip address dmz 172.16.35.1 255.255.255.0

Then on the switch, define the port as trunk, set VLAN2 as the native VLAN, and configure the trunk so it allows VLAN2 and VLAN4 only through it. That should take care of the problem.

Federico Rodriguez

0 Helpful

naresh.narang
Level 1
Level 1
In response to fedrodri

‎03-28-2005 05:34 PM

Hi Federico,

This is how I expected it to work and when I set it up this way, "inside" is unable to access DMZ. I have following in place:

interface ethernet1 vlan2 physical

interface ethernet1 vlan4 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan4 dmz security80

static (inside,dmz) 192.168.210.41 192.168.2.41 netmask 255.255.255.255

Now, if I have Switch port in trunk mode, with native vlan 2 and carrying vlan 4, I am unable to access DMZ.

If I have switch port in trunk mode with native vlan as vlan 1 and carrying vlan 2 and 4, everything works fine but I get vlan errors on Pix.

Any ideas are appriciated.

Thanks & Regards,

--Naresh

0 Helpful

fedrodri
Level 1
Level 1
In response to naresh.narang

‎03-28-2005 11:07 PM

Hi, Naresh

The native VLANs errors are because you have two different native VLANs on both devices (VLAN1 on the switch, and VLAN2 on the PIX). Have you tried leaving native VLAN1 on the switch and then define VLAN2 on the PIX not as physical but logical? Not that it should work that way (I believe it should work with the setup you have), but you can give it a try... :0)

Thanks,

Federico Rodriguez

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card