10-27-2010 08:35 AM - edited 03-11-2019 12:01 PM
Hi
Ran into a troublesome thing today that I really can't explain.
<CPE> - <ASA5510> - <Catalyst 3750>
Vlan's 1,5,100
3750 has SVI's on all those vlans, one physical interface configured as trunk towards the ASA5510
ASA5510 has the following setup
ETH0/0 - inside (towards CPE)
ETH0/3 - no configuration (Towards 3750)
ETH0/3.1
vlan 1
nameif vlan1
security-level 0
ip address 10.0.1.1 255.255.255.0
ETH0/3.5
vlan 5
nameif vlan5
security-level 0
ip address 10.0.5.1 255.255.255.0
ETH0/3.1
vlan 100
nameif vlan100
security-level 0
ip address 10.0.100.1 255.255.255.0
The SVIs on the 3750 have
Vlan1 10.0.1.2
Vlan5 10.0.5.2
Vlan100 10.0.100.2
Every access-list has "permit ip any any" statements.
Now, I can ping -from the switch- Vlan5 and Vlan100 on the ASA5510
BUT, vlan 1 doesn't work.
The ASA can ping the vlan5 and vlan100 interfaces on the switch, but not the vlan 1 SVI.
The switch can see the ASA5510's MAC address on vlan1, the same as it sees it on vlan5 and vlan100.
If I change the eth0/3.1 interface to vlan 2 instead of vlan 1 and also create a vlan2 SVI on the switch (and put vlan2 on the trunk), it works..
But why can't I use vlan 1? Since it's a subinterface, it should treat vlan 1 as a trunk.
So, anyone got answers?
Thanks
Regards
Anders
10-27-2010 08:46 AM
Hi,
The reason why you are seeing the above is because of how VLAN tagging works on the switch and how the ASA treats those packets.
On a trunk link, all packets belonging to a particular VLAN are tagged "except the native vlan". On the switch, based on the above description, I assume that VLAN 1 is the native VLAN and hence VLAN 1 packets are not tagged across the trunk link.
From the ASA side, when it receives a packet with a VLAN tag attached to it, it processes it with the corresponding sub-interface (as each sub-interface is assigned to a particular VLAN). Now when it receives an untagged packet (as is the case with VLAN 1 in our case), these packets are processed by the actual interface and not the sub-interface, that is, in our case VLAN 1 packets on the trunk link will be processed by the physical interface E0/3.
So we have 2 options here:
1) On the switch, we can enable native VLAN tagging (I am not sure of the command for that).
2) On the ASA, configure the VLAN 1 on the physical interface Eth0/3 instead of sub-interface Eth0/3.1. That is, use the config below.
no interface ETH0/3.1
interface eth0/3
nameif vlan1
security-level 0
ip address 10.0.1.1 255.255.255.0
this should let you communicate over VLAN 1. Please note that we do not have the "vlan 1" command under eth0/3 like under other sub-interfaces as this will process only untagged packets on the trunk link.
Let me know if this works and if it clarifies things.
Thanks and Regards,
Prapanch
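The tag handling Prapanch describes, modelled in Python as an added example that is not from the thread or from Cisco: a trunk port sends the native VLAN untagged, and the ASA hands untagged frames to the physical interface rather than to any sub-interface. The MAC addresses are constructed, and the two configs are simplified models of the original and corrected ASA setups (nameif per interface only).

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
# Constructed sample MAC addresses (not from the thread).
DST, SRC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")


def switch_egress(vlan: int, native_vlan: int, payload: bytes = b"\x45") -> bytes:
    """Build the frame a trunk port emits for `vlan`: 802.1Q-tagged unless
    it is the native VLAN, which leaves the switch untagged."""
    hdr = DST + SRC
    if vlan != native_vlan:
        tci = vlan & 0x0FFF                      # PCP=0, DEI=0, VID=vlan
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_of(frame: bytes):
    """Return the VID of an 802.1Q-tagged frame, or None if untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def asa_ingress(frame: bytes, physical_nameif, subinterfaces: dict):
    """Model the demux from the answer: a tagged frame goes to the
    sub-interface whose `vlan` matches, an untagged frame goes to the
    physical interface. Returns the nameif that processes the frame, or
    None if the receiving interface has no nameif (frame is dropped)."""
    vid = vlan_of(frame)
    if vid is None:
        return physical_nameif
    return subinterfaces.get(vid)


# Config from the question: eth0/3 has no nameif, VLAN 1 lives on eth0/3.1.
ORIGINAL = dict(physical_nameif=None,
                subinterfaces={1: "vlan1", 5: "vlan5", 100: "vlan100"})
# Config from the answer: VLAN 1 moved onto the physical interface eth0/3.
FIXED = dict(physical_nameif="vlan1", subinterfaces={5: "vlan5", 100: "vlan100"})


def reachable(vlan: int, native_vlan: int, config: dict):
    """Which ASA nameif handles traffic from `vlan` on a trunk whose native VLAN is `native_vlan`."""
    return asa_ingress(switch_egress(vlan, native_vlan), **config)


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for v in (1, 5, 100):
            print(f"{name:8} vlan {v:3} -> {reachable(v, 1, cfg)}")
```

With the original config VLAN 1 lands on eth0/3, which has no nameif, so nothing answers; with the corrected config it is processed as "vlan1". The vlan 2 workaround from the question works for the same reason: VLAN 2 is not native, so the switch tags it and the sub-interface sees it.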
10-27-2010 01:23 PM
Prapanch, thanks for your answer.
You are correct I believe, I was googling for how the ASA handled native vlan support but only found stuff for the 5505 model.
Thanks so much for the fast assistance and good explaining
10-27-2010 08:42 PM
Hi Anders,
Glad I could be of help!!
Cheers,
Prapanch