10-27-2010 08:35 AM - edited 03-11-2019 12:01 PM
Hi
Ran into a troublesome thing today that I really can't explain.
<CPE> - <ASA5510> - <Catalyst 3750>
VLANs 1, 5, 100
The 3750 has SVIs on all those VLANs and one physical interface configured as a trunk towards the ASA5510.
ASA5510 has the following setup
ETH0/0 - inside (towards CPE)
ETH0/3 - no configuration (Towards 3750)
ETH0/3.1
vlan 1
nameif vlan1
security-level 0
ip address 10.0.1.1 255.255.255.0
ETH0/3.5
vlan 5
nameif vlan5
security-level 0
ip address 10.0.5.1 255.255.255.0
ETH0/3.100
vlan 100
nameif vlan100
security-level 0
ip address 10.0.100.1 255.255.255.0
The SVIs on the 3750 have
Vlan1 10.0.1.2
Vlan5 10.0.5.2
Vlan100 10.0.100.2
Every access-list has "permit ip any any" statements.
Now, I can ping -from the switch- vlan5 and vlan100 on the ASA5510.
BUT, vlan 1 doesn't work.
The ASA can ping the vlan5 and vlan100 interfaces on the switch, but not the vlan 1 SVI.
The switch can see the ASA5510's MAC address on vlan 1, the same as it sees it on vlan 5 and vlan 100.
If I change the eth0/3.1 interface into vlan 2 instead of vlan 1 and also create a vlan 2 SVI on the switch (and put vlan 2 on the trunk), it works..
But why can't I use vlan 1? Since it's a subinterface, it should treat vlan 1 as a trunk.
So, anyone got answers?
Thanks
Regards
Anders
10-27-2010 08:46 AM
Hi,
The reason why you are seeing the above is because of how VLAN tagging works on the switch and how the ASA treats those packets.
On a trunk link, all packets belonging to a particular VLAN are tagged "except the native vlan". On the switch, based on the above description, I assume that VLAN 1 is the native VLAN and hence VLAN 1 packets are not tagged across the trunk link.
From the ASA side, when it receives a packet with a VLAN tag attached to it, it processes it with the corresponding sub-interface (as each sub-interface is assigned to a particular VLAN). Now when it receives an untagged packet (as is the case with VLAN 1 in our case), these packets are processed by the actual interface and not the sub-interface, that is, in our case VLAN 1 packets on the trunk link will be processed by the physical interface E0/3.
So we have 2 options here:
1) On the switch, we can enable native VLAN tagging (I am not sure of the command for that).
2) On the ASA, configure the VLAN 1 on the physical interface Eth0/3 instead of sub-interface Eth0/3.1. That is, use the config below.
no interface ETH0/3.1
interface eth0/3
nameif vlan1
security-level 0
ip address 10.0.1.1 255.255.255.0
this should let you communicate over VLAN 1. Please note that we do not have the "vlan 1" command under eth0/3 like under other sub-interfaces as this will process only untagged packets on the trunk link.
Let me know if this works and if it clarifies things.
Thanks and Regards,
Prapanch
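Below is an added worked configuration for both options from the answer above; it is not from the thread and was not posted by either participant. It assumes the 3750 uplink to the ASA is GigabitEthernet1/0/1 and that VLAN 999 is unused on the switch; adjust both to your topology. Option 1 is shown in two forms: moving the native VLAN to an unused VLAN (1a), which makes VLAN 1 frames tagged so the existing Eth0/3.1 sub-interface works, or keeping VLAN 1 native but tagging it with the global `vlan dot1q tag native` command (1b). Option 2 is the ASA-side change from the answer. From a security point of view 1a is the usual recommendation: an untagged native VLAN 1 on a trunk that faces a firewall is also the precondition for 802.1Q double-tagging VLAN hopping, and parking the native VLAN on an unused VLAN that carries no hosts removes that.

```cisco
! Added example, not from the thread. Assumed names: GigabitEthernet1/0/1
! (3750 uplink to ASA Eth0/3) and VLAN 999 (an unused VLAN on this switch).

! --- Option 1a (3750): move the native VLAN off VLAN 1 ---
! VLAN 1 frames are now tagged and land on the ASA sub-interface Eth0/3.1.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/1
 description Trunk to ASA5510 Eth0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,5,100
 switchport mode trunk
 switchport nonegotiate
!
! --- Option 1b (3750): keep VLAN 1 native but tag it (global command) ---
! With this enabled the ASA never sees untagged frames on Eth0/3, so the
! existing Eth0/3.1 sub-interface handles VLAN 1. Use 1a OR 1b, not both.
! vlan dot1q tag native
!
! --- Option 2 (ASA5510): accept untagged VLAN 1 on the physical port ---
! Delete the VLAN 1 sub-interface and address the parent interface instead.
! No "vlan 1" command here: the physical interface only sees untagged frames.
no interface Ethernet0/3.1
!
interface Ethernet0/3
 no shutdown
 nameif vlan1
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
! Tagged VLANs stay on their sub-interfaces as before.
interface Ethernet0/3.5
 vlan 5
 nameif vlan5
 security-level 0
 ip address 10.0.5.1 255.255.255.0
!
interface Ethernet0/3.100
 vlan 100
 nameif vlan100
 security-level 0
 ip address 10.0.100.1 255.255.255.0
!
! --- Checks on the 3750 ---
! show interfaces GigabitEthernet1/0/1 trunk   ! "Native vlan" column shows 1 or 999
! show vlan dot1q tag native                   ! whether native tagging is on
```

Whichever option you pick, check `show interfaces ... trunk` on the switch afterwards: the native VLAN listed there must match what the ASA expects to receive untagged (999 for 1a, nothing for 1b, 1 for option 2), otherwise the ping to 10.0.1.1 will fail again for the same reason.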
10-27-2010 01:23 PM
Prapanch, thanks for your answer.
You are correct I believe, I was googling for how the ASA handled native VLAN support but only found stuff for the 5505 model.
Thanks so much for the fast assistance and the good explanation.
10-27-2010 08:42 PM
Hi Anders,
Glad I could be of help!!
Cheers,
Prapanch