Interface towards router has security level 0 and Switch side interface have 100.

I have allowed all traffic. Normal BGP neighborship comes up when I am not using VRF, but when I switch it to VRF then it never comes up moreover I am not able to ping router from switch.
 

When you say you are running multiple VRF do you mean -

1) that is one vlan and BGP is just passing the VPN information using MP-BGP

or

2) you are running multiple subinterfaces in effect, one per VRF between the router and switch

Jon

Its ebgp Neighborship and Subinterfaces.

5 vrfs and 5 VLAN. In between I have ASA.

I did Show ASP Drop and found traffic is being dropped at inside interface.

"FP L2 rule drop (l2_acl)"

Looks like I have to create an Ethertype Access list.

But I am confused why this is happening? When I am not using subinterface (Dot1q Encapsulation) everything works fine, but as soon as I convert the port to subinterface then everything blocks and even Ping stops.

Still working on this issue. If you need any output I can get that from ASA. Please let me know why this is happening and how can I resolve this.
 

-Ashwini

I have taken following output from Firewall will this be any help?

sh interface ouTSIDE
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 7c69.f68f.df78, MTU 1500
        IP address 175.4.8.35, subnet mask 255.255.255.248
        8435 packets input, 680680 bytes, 0 no buffer
        Received 8135 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        8138 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (476/461)
        output queue (blocks free curr/low): hardware (511/511)
  Traffic Statistics for "OUTSIDE":
        297 packets input, 118503 bytes
        0 packets output, 0 bytes
        297 packets dropped
      1 minute input rate 0 pkts/sec,  13 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  6 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

ciscoasa# show asp drop

Frame drop:
  FP L2 rule drop (l2_acl)                                                   297

ASA Version 9.0(1)

firewall transparent

ciscoasa# show module all

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545           
ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS       

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 7c69.f68f.df77 to 7c69.f68f.df80  1.0          2.1(9)8      9.0(1)
ips 7c69.f68f.df75 to 7c69.f68f.df75  N/A          N/A          7.1(4)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
ips IPS                            Up               7.1(4)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
ips Up                 Up

Mod License Name   License Status  Time Remaining
--- -------------- --------------- ---------------
ips IPS Module     Enabled         perpetual

ciscoasa#

I have create Ehtertype ACL and permit any traffic.

cdp traffic has passed through but I am still not able to ping :(

I was assuming a single vlan and you were using MP-BGP to exchange VPN information but that was my mistake as you did specifically mention VRFs.

I think you need a subinterface per VRF on the firewall and each side of the firewall would need a different vlan ID per VRF.

Is this what you have tried ?

Jon

its not MP-BGP it EBGP. My MPLS traffic is from router towards WAN side. This one is on LAN side.

Trying to keep separate traffic for VOIDE VIDEO DATA and MGMT. For which I have Multi VRF and same mapped on WAN Side VPN.

WAN----------Router-------ASA (Transparent Mode)--------Switch----User

Design is something like this.

Now from router I have configured 4 Subinterface all in different network different VRF and different dot1q enacapsulation

On ASA single interface for out going traffic and single interface for incoming traffic (No subinterface) as ASA is in Transparent mode.

On switch again I have subinterface configured.

and BGP running on switch and router on different AS.

Well BGP comes on later part but right now I am not able to ping from router to Switch.

And this is where I am stuck at. What I have found issue comes only when packets at tagged with dot1q encapsulation else everything is good.

Need help with this. What should I do to solve this? :(

-Ashwini

Thanks Jon, This worked except one VLAN.

I can ping to ASA from switch via that VLAN but not router for Switch or ASA. Rest all is good.

What can be issue?

-Ashwini