05-08-2013 07:25 PM - edited 03-11-2019 06:41 PM
Hi Everyone,
I need to understand the network here.
Say we have an ASA which has a gi0/0 interface, we create subinterfaces on it, and it has a trunk connection to a switch.
gi0/0.1 outside vlan 10
gi0/0.2 visitor vlan 20
gi0/0.3 Wi-Fi vlan 30
Say we have 2 DHCP pools, for the visitor and Wi-Fi interfaces.
Say users on the visitor DHCP pool have a gateway of 192.168
Say users on the Wi-Fi DHCP pool have a gateway of 172.x.x.x
gi0/0.1 has a public IP address and has a default route to the edge router.
ASA--------Switch 1------------switch2-------------edge router ---------ISP
Switch2 is learning about VLANs 10, 20, 30.
But the connection between switch2 and the edge router carries only VLAN 40.
I need to understand how users on VLAN 20 and 30 reach the edge router and access the Internet, as the switch2 port connected to the edge router carries only VLAN 10 as allowed traffic on the trunk link.
Thanks
Mahesh
05-08-2013 09:18 PM
Hello Mahesh,
Are you telling us that the trunk port between switch 2 and 1 only allows packets tagged with an 802.1Q header making reference to vlan 40?
My question actually would be: is that link a trunk or is it an access port?
Because if it's a trunk, it would not be allowed.
Regards
05-08-2013 09:22 PM
Hi Julio,
Let me check on this.
Mahesh
05-08-2013 09:27 PM
Sure,
keep me posted
05-08-2013 09:33 PM
Hi Julio,
The trunk between switch 1 and 2 carries all the VLANs 10, 20 and 30.
Thanks
Mahesh
05-08-2013 09:35 PM
Hi Julio,
ASA----------------Trunk vlan 10,20,30 allowed----sw1-------- trunk vlan 10,20,30-------------sw2---------------Trunk only vlan10--edge router
Thanks
Mahesh
05-08-2013 09:46 PM
Hello Mahesh,
Are you sure it's a trunk that you are using between switch 2 and the edge router? Is it not an access port?
Is the ASA the only device performing 802.1Q routing?
05-08-2013 09:53 PM
Hi Julio,
Yes, there is a trunk connection to the edge router.
The ASA has only static routes, no routing.
When you say the ASA is the only device performing 802.1Q routing, what do you mean?
Thanks
Mahesh
05-08-2013 10:05 PM
Hello Mahesh,
From what I can understand here:
When a host on VLAN 20 sends a packet, SW1 or SW2 will receive the traffic with no tags on their access ports.
Depending on the host's destination IP address, the packet will be sent to the ASA, as this is the 802.1Q routing guy in the picture and the default gateway for them.
The ASA has an ARP entry for the IP and MAC address of the ISP router (the default gateway, which is in VLAN 10).
When the ASA receives a packet from VLAN 20 that needs to go to an IP address that is unknown to it, it will send it to its default gateway: it checks the IP address and sees that it must go out the VLAN 10 interface, so it tags it with a tag value of 10. It will then reach SW1 with a tag of 10, and it will move like this up to the ISP router.
Let me know if I was clear.
05-10-2013 10:00 PM
Hi Julio,
Below is my understanding.
Let me know if I am wrong anywhere.
Switch 1 and switch 2 have VLANs 20 and 30, where users connect their PCs and access the Internet.
Remember that switch 1 and 2 do not have SVIs for VLAN 20 and 30. So when a user connects to an access port in VLAN 20 or 30 on switch 1 or 2, the PC gets an IP address from the DHCP pool defined on the ASA,
and it has a default gateway of the ASA interface gi0/0.2 or 0.3.
When the user needs to access the Internet, traffic goes to ASA interface gi0/0.2, as that is the default gateway for the user PC.
Then the ASA has a default static route that points to the ASA Edge Router.
So traffic from, say, the PC to switch 2 is untagged, then from switch 2 to the ASA it goes tagged due to trunking.
Then return traffic from the ASA to the edge router is:
ASA to SW1 -----------trunk tagged.
SW1 to SW2 ----trunk tagged.
SW2 to edge router tagged with VLAN 10.
The edge router has 802.1Q trunking for VLAN 10.
Traffic from SW2 to the edge router comes tagged; then the edge router removes the VLAN 10 tag.
Regards
Mahesh
05-11-2013 04:26 AM
Hi,
Sounds about right to me, Mahesh.
Traffic on access ports is not tagged with any VLAN ID.
Traffic on trunk links is tagged with the VLAN ID.
Finally, the edge router removes the tag from the arriving traffic.
Naturally the way towards the Internet from there depends on how it's implemented. Usually there are no subinterfaces involved on the customer-side equipment.
- Jouni
05-11-2013 06:47 AM
Hi Jouni,
Thanks again for confirming that I am correct.
Regards
Mahesh