02-14-2012 12:29 AM - edited 03-07-2019 04:55 AM
I have the following situation: a host connected to switch port 0/1 with address 192.168.139.38 255.255.255.252, and a connection between switch port 0/2 and ASA port 0/1. The relevant configuration is:
Switch config:
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no spanning-tree vlan 131
!
!
interface FastEthernet0/1
switchport access vlan 131
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 131
switchport mode access
!
ASA config:
!
interface Ethernet0/1
nameif line
security-level 100
ip address 192.168.139.37 255.255.255.252
!
In this scenario, the host successfully pings the ASA. But, as you can see, STP is disabled for VLAN 131. If I enable it, my log shows:
Feb 14 09:05:59: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/2 VLAN131.
Feb 14 09:05:59: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/2 on VLAN0131. Inconsistent port type.
switch# sh spa vlan 131 | inc Fa0/2
Fa0/2 Desg BKN*19 128.2 P2p *TYPE_Inc
If the switch port is in access mode, then the BPDU from the ASA must be VLAN tagged, so I changed the switch config to:
interface FastEthernet0/2
switchport trunk native vlan 131
switchport mode trunk
!
Feb 14 09:12:56: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1115 on FastEthernet0/2 VLAN131.
Feb 14 09:12:56: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/2 on VLAN0131. Inconsistent local vlan.
If I remove 'switchport trunk native vlan 131', I'm getting a similar error:
Feb 14 09:12:26: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1115 on FastEthernet0/2 VLAN1.
Feb 14 09:12:26: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/2 on VLAN0001. Inconsistent local vlan.
In both cases:
switch# sh spa vlan 131 | inc Fa0/2
Fa0/2 Desg BKN*19 128.2 P2p *PVID_Inc
So, this time port type was correct but VLAN ID was not.
I've tried to change the config on the ASA:
!
interface Ethernet0/1
nameif line2
security-level 100
no ip address
!
interface Ethernet0/1.1
vlan 131
nameif line
security-level 100
ip address 192.168.139.37 255.255.255.252
!
And setting on switch:
interface FastEthernet0/2
switchport trunk allowed vlan 131
switchport mode trunk
!
And this time it was good:
switch# sh spa vlan 131 | inc Fa0/2
Fa0/2 Desg FWD 19 128.2 P2p
But, in this case, my host can't ping the ASA!
How to solve this?
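The six %SPANTREE lines quoted above are the whole diagnostic record of this problem, and they are worth parsing rather than eyeballing: the RECV_1Q_NON_TRUNK/BLOCK_PORT_TYPE pair is what the switch logs for a "*TYPE_Inc" port (a tagged 802.1Q BPDU arrived on a port that is not a trunk), and the RECV_PVID_ERR/BLOCK_PVID_LOCAL pair is what it logs for a "*PVID_Inc" port (the neighbour's BPDU carries a different VLAN id than the port's own VLAN). The script below is an added example, not part of the original post: it parses IOS %SPANTREE messages of those four mnemonics, groups them per port and VLAN, and states which inconsistency the switch detected. The sample log is constructed from the lines in the post; the regular expressions and the field names (`SpanEvent`, `summarize`, `hint_for`) are my own assumptions, not an IOS or Cisco API.

```python
"""Parse Cisco IOS %SPANTREE inconsistency messages and summarise them per port.

Added example, not from the original thread. SAMPLE_LOG is constructed from the
lines quoted in the post; regexes and helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Generic IOS syslog header: "<timestamp>: %SPANTREE-<severity>-<MNEMONIC>: <text>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}): "
    r"%SPANTREE-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Per-mnemonic patterns. VLAN ids appear as "VLAN131" in RECV_* messages and
# zero-padded as "VLAN0131" in BLOCK_* messages, hence the "VLAN0*" prefix.
BODY_RE = {
    "RECV_1Q_NON_TRUNK": re.compile(
        r"Received 802\.1Q BPDU on non trunk (?P<ifname>\S+) VLAN0*(?P<local>\d+)\."),
    "RECV_PVID_ERR": re.compile(
        r"Received BPDU with inconsistent peer vlan id (?P<peer>\d+) on "
        r"(?P<ifname>\S+) VLAN0*(?P<local>\d+)\."),
    "BLOCK_PORT_TYPE": re.compile(
        r"Blocking (?P<ifname>\S+) on VLAN0*(?P<local>\d+)\. Inconsistent port type\."),
    "BLOCK_PVID_LOCAL": re.compile(
        r"Blocking (?P<ifname>\S+) on VLAN0*(?P<local>\d+)\. Inconsistent local vlan\."),
}

# Which "show spanning-tree" inconsistency flag each mnemonic corresponds to.
INCONSISTENCY = {
    "RECV_1Q_NON_TRUNK": "TYPE_Inc", "BLOCK_PORT_TYPE": "TYPE_Inc",
    "RECV_PVID_ERR": "PVID_Inc", "BLOCK_PVID_LOCAL": "PVID_Inc",
}


@dataclass
class SpanEvent:
    ts: str
    severity: int
    mnemonic: str
    ifname: str
    local_vlan: int
    peer_vlan: Optional[int] = None  # only present in RECV_PVID_ERR


def parse_line(line: str) -> Optional[SpanEvent]:
    """Return a SpanEvent for a modelled %SPANTREE line, else None."""
    m = HEADER_RE.match(line.strip())
    if not m or m["mnemonic"] not in BODY_RE:
        return None
    b = BODY_RE[m["mnemonic"]].match(m["text"])
    if not b:
        return None
    peer = b.groupdict().get("peer")
    return SpanEvent(ts=m["ts"], severity=int(m["sev"]), mnemonic=m["mnemonic"],
                     ifname=b["ifname"], local_vlan=int(b["local"]),
                     peer_vlan=int(peer) if peer is not None else None)


def hint_for(f: dict) -> str:
    """Plain-language meaning of the inconsistency, per the IOS message semantics."""
    if f["inconsistency"] == "TYPE_Inc":
        return (f"{f['ifname']} is not a trunk but received a tagged 802.1Q BPDU for VLAN "
                f"{f['vlan']}: the neighbour sends tagged PVST+ BPDUs, so either make this "
                "port a trunk or stop the neighbour sending them.")
    return (f"{f['ifname']} is in VLAN {f['vlan']} but the neighbour's BPDU carries VLAN "
            f"{f['peer_vlan']}: the native/port VLAN differs on the two ends and must match.")


def summarize(lines) -> list:
    """Group events by (port, VLAN, inconsistency); one finding per group, in log order."""
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not a modelled SPANTREE message
        kind = INCONSISTENCY[ev.mnemonic]
        f = findings.setdefault((ev.ifname, ev.local_vlan, kind), {
            "ifname": ev.ifname, "vlan": ev.local_vlan, "inconsistency": kind,
            "peer_vlan": None, "blocked": False, "first_seen": ev.ts})
        if ev.peer_vlan is not None:
            f["peer_vlan"] = ev.peer_vlan
        if ev.mnemonic.startswith("BLOCK_"):
            f["blocked"] = True  # the switch actually put the port in BKN state
    for f in findings.values():
        f["hint"] = hint_for(f)
    return list(findings.values())


# Constructed sample: the six lines quoted in the post, in the order they appear.
SAMPLE_LOG = [
    "Feb 14 09:05:59: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/2 VLAN131.",
    "Feb 14 09:05:59: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/2 on VLAN0131. Inconsistent port type.",
    "Feb 14 09:12:56: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1115 on FastEthernet0/2 VLAN131.",
    "Feb 14 09:12:56: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/2 on VLAN0131. Inconsistent local vlan.",
    "Feb 14 09:12:26: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1115 on FastEthernet0/2 VLAN1.",
    "Feb 14 09:12:26: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/2 on VLAN0001. Inconsistent local vlan.",
]

if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG):
        state = "BLOCKED" if f["blocked"] else "detected"
        print(f"{f['first_seen']} {f['ifname']} VLAN {f['vlan']} {f['inconsistency']} {state}: {f['hint']}")
```

Run against the constructed sample it yields three findings on FastEthernet0/2: a TYPE_Inc on VLAN 131 from the first attempt, and a PVID_Inc (peer VLAN 1115) on VLAN 131 and then on VLAN 1 from the two trunk attempts, which is exactly the progression the "show spanning-tree" output in the post shows (*TYPE_Inc, then *PVID_Inc). The mnemonic-to-flag mapping is the standard IOS one; the remediation text in `hint_for` is general guidance and does not claim to explain why the final configuration in the post fails to pass pings.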
02-14-2012 12:53 AM
Hi,
On the switch, is VLAN 131 the native VLAN?
If so, can you use a physical interface on the ASA to configure it, as only dot1q-tagged VLANs are configured on subinterfaces.
Regards.
Alain
02-14-2012 12:58 AM
Hi,
No, VLAN 131 is not native on the switch. It's a regular VLAN; the native VLAN is VLAN 1.
02-14-2012 01:01 AM
Hi,
Why did you disable STP for this VLAN on the switch?
Regards.
Alain
02-14-2012 01:09 AM
At this moment I don't need STP because there are no loops in my network. If I enable STP on that VLAN, port 0/2 goes into the blocking state, so I decided to disable STP for that particular VLAN. Now I have a request for link and device redundancy, so there will be loops in the network, and therefore I have to enable STP for all VLANs. That means I have to solve this issue.
02-14-2012 01:15 AM
Hi,
OK, so now the STP port is forwarding and it is still not possible to ping the ASA from the host in that VLAN, correct?
Can you post the running config from the ASA?
Regards.
Alain
02-14-2012 01:31 AM
ASA Version 7.2(3)
!
hostname asa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
no ip address
!
interface Ethernet0/1
nameif line2
security-level 100
no ip address
!
interface Ethernet0/1.1
nameif line
security-level 100
ip address 192.168.139.37 255.255.255.252
!
interface Ethernet0/2
no ip address
!
interface Ethernet0/3
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa723-k8.bin
ftp mode passive
clock timezone CET 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list line_access_in extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list line_access_in extended permit icmp any any
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list capture-line extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging console debugging
logging buffered debugging
logging trap informational
logging asdm informational
mtu line 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
access-group line_access_in in interface line
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global