01-07-2008 05:28 PM - edited 03-11-2019 04:44 AM
Hi All, We have a PIX 525 running 7.2(2) image with 4 physical interfaces running a UR license. On one of the interfaces we have already created 4 sub-interfaces, each assigned to different VLANs. This has been working fine. We created an additional sub-interface. Initially we were unable to communicate with the additional sub-interface and other interfaces were working fine. We were not able to even ping the IP address that was assigned to the sub-interface. Show interface command output would show that it is transmitting.
While this was the situation, the problem started affecting already working sub-interfaces also. We lost connectivity to 2 of the working sub-interfaces.
After rebooting the FW, all seemed to be working fine for 5 minutes (including the newly created sub-interface), but one of the already working sub-interfaces stopped responding after 5 - 10 mins. We were observing that the newly created sub-interface was still working fine.
We removed the newly created sub-interface from the configuration and rebooted the FW again and found that it is working fine. So the problem looked to be with the newly created sub-interface.
As per the documentation, PIX 525 with UR can support up to 100 VLANs.
Are there any limitations on the number of VLANs per physical interface? If yes, what is the maximum number of VLANs allowed / recommended?
Regards..
Krishnamurthi Navuda.
01-07-2008 06:55 PM
Hi, first time I see this problem posted. I'm not aware of VLAN limitations per interface; if you read 100 VLANs you can have sub-interface combinations between physical interfaces as long as you don't exceed 100 VLANs, that is how I understand it unless it is different, otherwise someone can correct me.
Can you post the PIX config, strip out public IPs, and if you could post the trunk port configuration from the switch end too.
Rgds
Jorge
01-07-2008 08:01 PM
Hi, here are the configurations of the PIX and switch...
PIX Config:-
---------------------
!
interface Ethernet3
no nameif
no security-level
no ip address
!
interface Ethernet3.1
vlan 225
nameif xxx
security-level 30
ip address x.x.x.x
!
interface Ethernet3.2
vlan 205
nameif xxx
security-level 40
ip address x.x.x.x
!
interface Ethernet3.3
vlan 207
nameif xxx
security-level 35
ip address x.x.x.x
!
interface Ethernet3.5
vlan 204
nameif xxx
security-level 60
ip address x.x.x.x
!
Switch Config:-
-----------------
interface FastEthernet0/14
switchport mode trunk
!
Regards...
Krishnamurthi Navuda.
01-07-2008 09:50 PM
Have you tried making the switchport trunk more specific in passing VLANs? I suspect because your trunk port is passing all VLANs your sub-interfaces have many VLAN ID errors; for the sake of troubleshooting I would recommend making the switchport 0/14 trunk more specific.
As said before, first time I see this; I suspect there must be a config discrepancy somewhere. Don't know whether making a cleaner trunk config may resolve the problem but you could at least rule out layer 2 config.
Create your new VLAN in the switch and be more specific in allowed VLANs, then make your new sub-interface in the PIX. Once you have all created, ping each sub-interface from the PIX command line.
On switch
interface fastethernet0/14
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 204,205,207,225,xxx
where xxx is the new VLAN you have created on the switch side and in the PIX.
Rgds
Jorge
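A small consistency check, added here as an illustration and not part of anyone's post in this thread, that parses a PIX-style sub-interface config and the switch trunk stanza and reports the layer-2 discrepancies Jorge suggests ruling out: a trunk with no explicit allowed-VLAN list, a PIX sub-interface whose VLAN is not carried by the trunk, two sub-interfaces of one physical port on the same VLAN, and the 100-VLAN figure quoted above. The configs embedded below are constructed to resemble the posted ones; the new sub-interface Ethernet3.6 on VLAN 206 and the explicit trunk stanza are assumptions, not the poster's real values.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the PIX config posted in the thread.
# Ethernet3.6 / vlan 206 is an assumed "new sub-interface", not a real value.
PIX_CONFIG = """\
interface Ethernet3
 no nameif
!
interface Ethernet3.1
 vlan 225
!
interface Ethernet3.2
 vlan 205
!
interface Ethernet3.3
 vlan 207
!
interface Ethernet3.5
 vlan 204
!
interface Ethernet3.6
 vlan 206
!
"""

# Constructed switch stanzas: the posted one (all VLANs allowed by default)
# and an assumed explicit one that omits the new VLAN 206.
SWITCH_TRUNK_ALL = """\
interface FastEthernet0/14
 switchport mode trunk
!
"""

SWITCH_TRUNK_EXPLICIT = """\
interface FastEthernet0/14
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 204,205,207,225
 switchport mode trunk
!
"""

PIX_VLAN_LIMIT = 100  # figure quoted in the thread for a UR-licensed PIX 525


def parse_pix_subinterfaces(config: str) -> Dict[str, int]:
    """Map each sub-interface name (e.g. Ethernet3.1) to its 'vlan N' ID."""
    result: Dict[str, int] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+\.\d+)$", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("interface "):   # physical interface: no VLAN
            current = None
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m and current:
            result[current] = int(m.group(1))
    return result


def parse_trunk_allowed(config: str) -> Optional[Set[int]]:
    """Return the trunk's allowed VLAN set, expanding ranges like 3-5.
    None means no 'allowed vlan' line, i.e. the trunk carries all VLANs."""
    for raw in config.splitlines():
        m = re.match(r"switchport trunk allowed vlan (\S+)$", raw.strip())
        if not m:
            continue
        allowed: Set[int] = set()
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            allowed.update(range(int(lo), int(hi or lo) + 1))
        return allowed
    return None


def check(pix_config: str, switch_config: str) -> List[str]:
    """Return human-readable findings; an empty list means the configs agree."""
    subifs = parse_pix_subinterfaces(pix_config)
    allowed = parse_trunk_allowed(switch_config)
    findings: List[str] = []

    # Two sub-interfaces of the same physical port on one VLAN is a config error.
    by_vlan: Dict[tuple, List[str]] = {}
    for name, vlan in subifs.items():
        by_vlan.setdefault((name.split(".")[0], vlan), []).append(name)
    for (parent, vlan), names in by_vlan.items():
        if len(names) > 1:
            findings.append(f"vlan {vlan} used by several sub-interfaces of {parent}: {', '.join(names)}")

    if len(set(subifs.values())) > PIX_VLAN_LIMIT:
        findings.append(f"more than {PIX_VLAN_LIMIT} VLANs configured")

    if allowed is None:
        findings.append("trunk allows all VLANs; restrict it with 'switchport trunk allowed vlan'")
    else:
        for name, vlan in sorted(subifs.items()):
            if vlan not in allowed:
                findings.append(f"{name} uses vlan {vlan}, which the trunk does not allow")
    return findings


if __name__ == "__main__":
    for label, sw in (("posted trunk", SWITCH_TRUNK_ALL), ("explicit trunk", SWITCH_TRUNK_EXPLICIT)):
        print(label, "->", check(PIX_CONFIG, sw) or "no findings")
```

Against the posted trunk the only finding is the unrestricted allowed-VLAN list; against the explicit stanza the checker points straight at the one sub-interface whose VLAN the trunk no longer carries, which is the kind of mismatch that is easy to miss when a new sub-interface is added on the PIX but the switch side is not updated.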
01-07-2008 10:04 PM
Will try this and update.
Regards..
Krishnamurthi Navuda.