trunk configuration between asa5505 and a 3750 switch

sansari
Level 1

Greetings

I am trying to configure a trunk between the above two devices. I like to have vlan11 on ASA. Then I like to connect a host to my switch, and have it communicate with other devices in VLAN 11 or other vlans that reside on the ASA. Below is the config that I currently have. Would you please advise what I am missing?

ASA:

ciscoasa# show run interface Ethernet0/1
!
interface Ethernet0/1
switchport access vlan 11
switchport trunk allowed vlan 10,12,101-103
switchport mode trunk

ciscoasa# show int vlan 11
Interface Vlan11 "inside", is down, line protocol is down
  Hardware is EtherSVI
        MAC address 0027.0d35.ad5c, MTU 1500
        IP address 10.1.1.254, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        2214171 packets input, 1172490074 bytes
        2051690 packets output, 755288140 bytes
        38384 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

ciscoasa# show run int vlan 11
!
interface Vlan11
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0
!

On the 3750 I have:

interface GigabitEthernet2/0/1
switchport trunk encapsulation dot1q
end

As you can see vlan11 on the 5505 is down.

Accepted Solution

smsneteng
Level 1

1. All Cisco switches are defaulted to dynamic desirable, so switchport mode trunk is not necessary; as long as the other side is set to trunk, the switch will trunk... which brings me to

2. The ASA must have the native VLAN set.

3. Looks like you're good to go

4. Nothing to do with VLAN access

5. As far as 1. goes, if a switchport were set as an access port without "switchport mode access", the trunking is still not shut off until you type "switchport mode access". To disable dynamic desirable and permanently trunk no matter what (even if the other side is not trunking), you'd use "switchport trunk nonegotiate".

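As an added illustration of the points above (example code, not from the thread), a small Python audit that parses the trunk lines of both ends of an 802.1Q link and reports the two conditions this thread ran into: a required VLAN missing from one side's allowed list (the original ASA config), and a native VLAN mismatch once `switchport trunk native vlan 11` is set on the ASA but not on the 3750. The parsing rules and the assumed defaults (DTP-negotiated mode, native VLAN 1, all VLANs allowed) are assumptions of this example; the config stanzas are the ones posted in the thread.

```python
import re

# Interface stanzas as posted in the thread: original ASA port, fixed ASA port,
# and the 3750 port, which never sets a native VLAN (assumed default: 1).
ASA_BEFORE = """interface Ethernet0/1
 switchport access vlan 11
 switchport trunk allowed vlan 10,12,101-103
 switchport mode trunk"""
ASA_AFTER = """interface Ethernet0/1
 switchport trunk native vlan 11
 switchport mode trunk"""
SWITCH = """interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk"""

def expand_vlans(spec):
    """'10,12,101-103' -> {10, 12, 101, 102, 103}; 'all' -> 1..4094."""
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_port(cfg):
    """Pull mode, native VLAN and allowed VLANs out of one interface stanza."""
    # Assumed defaults: mode negotiated by DTP, native VLAN 1, all VLANs allowed.
    port = {"mode": "dynamic", "native": 1, "allowed": expand_vlans("all")}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.fullmatch(r"switchport mode (\S+)", line):
            port["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+|all)", line):
            port["allowed"] = expand_vlans(m.group(1))
    return port

def audit_trunk(side_a, side_b, required_vlans=()):
    """Return findings for the two ends of one link; an empty list is a clean trunk."""
    a, b = parse_port(side_a), parse_port(side_b)
    findings = []
    if a["mode"] != "trunk" or b["mode"] != "trunk":
        findings.append(f"mode not fixed to trunk on both ends: {a['mode']} vs {b['mode']}")
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    carried = a["allowed"] & b["allowed"]   # VLANs both ends agree to carry
    findings += [f"VLAN {v} is not allowed on both ends" for v in required_vlans if v not in carried]
    return findings

if __name__ == "__main__":
    print(audit_trunk(ASA_BEFORE, SWITCH, (11,)), audit_trunk(ASA_AFTER, SWITCH, (11,)))
```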

5 Replies

cadet alain
VIP Alumni

Hi,

On your switch interface type: switchport mode trunk

Regards.

Alain.

Don't forget to rate helpful posts.

Here is what I have in the ASA now...

interface Ethernet0/1
switchport trunk native vlan 11
switchport mode trunk

ciscoasa(config-if)# show run interface vlan
ciscoasa(config-if)# show run interface vlan 11
!
interface Vlan11
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0

ciscoasa(config-if)# show int eth
ciscoasa(config-if)# show int ethernet 0/1
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 0027.0d35.ad55, MTU not set
        IP address unassigned
        2559469 packets input, 1245515455 bytes, 0 no buffer
        Received 32039 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        21474852760 switch ingress policy drops
        2057559 packets output, 796341243 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops

ciscoasa(config-if)# show int vlan11
Interface Vlan11 "inside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 0027.0d35.ad5c, MTU 1500
        IP address 10.1.1.254, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        2215503 packets input, 1173507560 bytes
        2054385 packets output, 755628198 bytes
        38388 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 2 pkts/sec,  224 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 4 pkts/sec,  3390 bytes/sec
      5 minute output rate 3 pkts/sec,  642 bytes/sec
      5 minute drop rate, 0 pkts/sec

Here is what I have in the switch...

Current configuration : 99 bytes
!
interface GigabitEthernet2/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
end
!
interface Vlan11
no ip address
end
!

Switch(config-if)#do show int GigabitEthernet2/0/1
GigabitEthernet2/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is ec30.91dd.e981 (bia ec30.91dd.e981)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 9
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     693818 packets input, 207178762 bytes, 0 no buffer
     Received 3018 broadcasts (1114 multicasts)
     449 runts, 0 giants, 0 throttles
     449 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1114 multicast, 0 pause input
     0 input packets with dribble condition detected
     1270324 packets output, 770436396 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Switch(config-if)#do show int vln
Switch(config-if)#do show int vlan
Switch(config-if)#do show int vlan11
Vlan11 is up, line protocol is up
  Hardware is EtherSVI, address is ec30.91dd.e9c2 (bia ec30.91dd.e9c2)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:02:57, output 00:17:32, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2846 packets input, 193668 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     67 packets output, 4288 bytes, 0 underruns
     0 output errors, 4 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Switch(config-if)#

But I still cannot ping the vlan 11 IP address on the ASA from the switch, and I am not able to ping the server that is directly connected to the switch.

Hi,

You must give an IP address to int vlan11 on the switch also to ping the ASA or server.

Regards.

Alain.

Don't forget to rate helpful posts.

Greetings-

The issue was the native vlan. Thanks to a knowledgeable CCIE friend. Appreciate the feedback from this group also.

