Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5600
Views
15
Helpful
3
Replies

Subinterface, vlan 1 ASA5510

Go to solution
azore2007
Level 1
Level 1

‎10-27-2010 08:35 AM - edited ‎03-11-2019 12:01 PM

Hi

Ran into a troublesome thing today that I really cant explain.

<CPE> - <ASA5510> - <Catalyst 3750>

Vlan's 1,5,100

3750 has  SVI's on all those vlans, one physical interface configured as trunk towards the ASA5510

ASA5510 has the following setup

ETH0/0 - inside (towards CPE)

ETH0/3 - no configuration (Towards 3750)

ETH0/3.1

vlan 1
nameif vlan1
security-level 0
ip address 10.0.1.1 255.255.255.0

ETH0/3.5

vlan 5
  nameif vlan5
  security-level 0
  ip address 10.0.5.1 255.255.255.0

ETH0/3.1

vlan 100
  nameif vlan100
  security-level 0
  ip address 10.0.100.1 255.255.255.0

The SVI's on the 3750 has

Vlan1                  10.0.1.2

Vlan5                  10.0.5.2     
Vlan100                10.0.100.2

Every access-list has "permit ip any any" statements.

Now, I can ping -From the switch-  Vlan5 and Vlan100 on the ASA5510

BUT, vlan 1 doesnt work.

The ASA can ping vlan5 and vlan100 interfaces on the switch, but not vlan 1 SVI

Switch can see the ASA5510's mac address on vlan1, as same as it sees vlan5,vlan100

If I change the eth0/3.1 interface into vlan 2 instead of vlan 1 and also creating vlan2 SVI on the switch (and put vlan2 on the trunk) it works..

But why cant I use vlan 1? Since its a subinterface, it should treat vlan 1 as a trunk

So, anyone got answers?

Thanks

Regards

Anders

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
praprama
Cisco Employee
Cisco Employee

‎10-27-2010 08:46 AM

Hi,

The reaosn why you are seeing the above is because of how VLAN tagging works on the switch and how the ASA treats those packets.

On a trunk link, all packets beloging to a particular VLAN are tagged "except the native vlan". On the switch, based on the above description, i assume that VLAN 1 is the native VLAN and hence VLAN 1 packets are not tagged across the trunk link.

From the ASA side, when it receives a packet with a VLAN tag attached to it, it processes it with the corresponding sub-interface (as each sub-interface is assigned to a prticular VLAN).Now when it receives an untagged packet (as is the case with VLAN 1 in our case), these packets are processed by the actual interface and not the sub-interface, that is, in our case VLAN 1 packets on the trunk link will be processed by the physical interface E0/3.

So we have 2 options here:

1) On the switch, we can enable native VLAN tagging (i am not sure of the command for that).

2) On the ASA, configure the VLAN 1 on the physical interface Eth0/3 instead of sub-interface Eth0/3.1. That is, use the config below.

no interface ETH0/3.1

interface eth0/3

nameif vlan1
security-level 0
ip address 10.0.1.1 255.255.255.0

this should let you communicate over VLAN 1. Please note that we do not have the "vlan 1" command under eth0/3  like under other sub-interfaces as this will process only untagged packets on the trunk link.

Let me know if this works and if it clarifies things.

Thanks and Regards,

Prapanch

View solution in original post

3 Replies 3

Go to solution
praprama
Cisco Employee
Cisco Employee

‎10-27-2010 08:46 AM

Hi,

The reaosn why you are seeing the above is because of how VLAN tagging works on the switch and how the ASA treats those packets.

On a trunk link, all packets beloging to a particular VLAN are tagged "except the native vlan". On the switch, based on the above description, i assume that VLAN 1 is the native VLAN and hence VLAN 1 packets are not tagged across the trunk link.

From the ASA side, when it receives a packet with a VLAN tag attached to it, it processes it with the corresponding sub-interface (as each sub-interface is assigned to a prticular VLAN).Now when it receives an untagged packet (as is the case with VLAN 1 in our case), these packets are processed by the actual interface and not the sub-interface, that is, in our case VLAN 1 packets on the trunk link will be processed by the physical interface E0/3.

So we have 2 options here:

1) On the switch, we can enable native VLAN tagging (i am not sure of the command for that).

2) On the ASA, configure the VLAN 1 on the physical interface Eth0/3 instead of sub-interface Eth0/3.1. That is, use the config below.

no interface ETH0/3.1

interface eth0/3

nameif vlan1
security-level 0
ip address 10.0.1.1 255.255.255.0

this should let you communicate over VLAN 1. Please note that we do not have the "vlan 1" command under eth0/3  like under other sub-interfaces as this will process only untagged packets on the trunk link.

Let me know if this works and if it clarifies things.

Thanks and Regards,

Prapanch

Go to solution
azore2007
Level 1
Level 1
In response to praprama

‎10-27-2010 01:23 PM

Prapanch, thanks for you answer.

You are correct I belive, I was googling for how ASA handled native vlan support but only found stuff for the 5505 model.

Thank so much for the fast assistance and good explaning

0 Helpful

Go to solution
praprama
Cisco Employee
Cisco Employee
In response to azore2007

‎10-27-2010 08:42 PM

Hi Anders,

Glad i could be of help!!

Cheers,

Prapanch

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card