Here's a sample:

ASA:

  interface E0/0     ------------------------>>> This traffic is NOT tagged by the ASA; since it's on the main interface, it's assumed to be native.
   nameif outside
   security-level 0
   ip address 192.1.12.10 255.255.255.0
   no shut

  interface e0/0.1   ------------------------>>> This traffic is tagged.
   vlan 123
   nameif DMZ
   security-level 50
   ip address 10.2.2.200 255.255.255.0

On the switch:

  interface f0/1   (or whatever interface it is connected to on the switch)
   switchport trunk encapsulation dot1q
   switchport mode trunk
   switchport trunk native vlan 12       ----------->>> Subnet 192.1.12.0/24 is on this vlan.
   switchport trunk allowed vlan 12,123  ------------>>> This just allows tagged vlan traffic on the trunk; it does not force traffic for these vlans to be tagged.

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

On Apr 13, 2010, at 9:35 AM, Kingsley Charles wrote:

> Hi Brandon
>
> I am not getting your point. Please find my understanding:
>
> Point 1
>
> With an IOS router, by default the physical interface will handle all the
> untagged frames and put them in vlan 1.
>
> or
>
> You can configure a default vlan for the physical interface using "encapsulation
> dot1Q 2 native".
>
> But with ASA, there is no option to specify a native vlan.
>
> I am wondering, will ASA support receiving untagged frames?
>
> Point 2
>
> If it is true that ASA supports untagged frames, I am not getting why we need to
> add the native vlan in the allowed list. For what purpose are we adding a
> native vlan in the allowed list?
>
> With regards
> Kings
>
> On Tue, Apr 13, 2010 at 9:24 PM, Brandon Carroll <[email protected]> wrote:
>
> Vlan 12 in the allowed list does not make it tagged if it's the native vlan.
> You would need it in the allowed list if the switch was tagging all vlans
> including the native.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
>
> On Apr 13, 2010, at 3:18 AM, Kingsley Charles wrote:
>
>> That is what we need, right?
>>
>> The traffic to the physical interface should not be tagged. The physical
>> interface can't understand tagged traffic. Only the sub-interface can
>> understand tagged traffic with the "vlan" keyword.
>>
>> vlan 12 in the allowed vlan list makes it tagged.
>>
>> With regards
>> Kings
>>
>> On Tue, Apr 13, 2010 at 2:54 PM, 'Segun Daini <[email protected]> wrote:
>>
>> To allow the trunk to pass vlan 12 traffic. Specifying it as the native vlan
>> is just telling the switch to not TAG vlan 12 traffic.
>>
>> Regards
>>
>> From: Kingsley Charles <[email protected]>
>> To: [email protected]
>> Sent: Tue, April 13, 2010 9:56:31 AM
>> Subject: [OSL | CCIE_Security] Native vlan mapped to physical interface
>>
>> Hi all
>>
>> Vol 2 > Lab 15 > Section 1.0
>>
>> ASA1's e0/0 is connected to cat 3 f0/10.
>> vlan 12's subnet address is 192.1.12.0.
>> e0/0's IP address is 192.1.12.10.
>>
>> "switchport trunk native vlan 12" alone is sufficient to route traffic from
>> "192.1.12.0" to ASA1's e0/0.
>>
>> Why are we adding vlan 12 in the trunk allowed list?
>> ASA 1 config
>>
>> interface Ethernet0/0
>>  nameif outside
>>  security-level 0
>>  ip address 192.1.12.10 255.255.255.0 standby 192.1.12.60
>> !
>> interface Ethernet0/0.55
>>  vlan 55
>>  nameif DMZ55
>>  security-level 55
>>  ip address 192.168.5.10 255.255.255.0 standby 192.168.5.60
>>
>> Cat3 config
>>
>> interface FastEthernet0/10
>>  description ASA1 F0/0
>>  switchport trunk encapsulation dot1q
>>  switchport trunk native vlan 12
>>  switchport trunk allowed vlan 12,55
>>  switchport mode trunk
>>
>> With regards
>> Kings
>>
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
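As an added illustration (not code from the thread or from IPexpert), the following Python model walks through the behaviour Brandon describes: the trunk's allowed list only filters, the native vlan decides whether a frame leaves tagged, the ASA physical interface receives untagged frames and a subinterface with "vlan N" receives frames tagged N. It uses the lab values from Kingsley's Cat3/ASA1 config and goes one step further than the thread by showing what a native-vlan mismatch does to the security-level boundary; the class and function names are my own.

```python
# Added illustration (not from the thread): what a dot1q trunk does with a
# frame for a given vlan and which ASA interface ends up receiving it.
# "allowed vlan" only filters, "native vlan" decides tagging, the ASA physical
# interface takes untagged frames and a subinterface with "vlan N" takes
# frames tagged N. Lab values below are from Kingsley's Cat3/ASA1 config.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class TrunkPort:
    native_vlan: int
    allowed_vlans: Set[int]

    def egress(self, vlan: int) -> Optional[str]:
        """'untagged', 'tagged', or None if the trunk drops the vlan."""
        if vlan not in self.allowed_vlans:
            return None
        return "untagged" if vlan == self.native_vlan else "tagged"

@dataclass
class AsaInterface:
    nameif: str
    vlan: Optional[int] = None  # None = physical interface, else subinterface vlan

def asa_receiver(ifaces: List[AsaInterface], tagging: str, vlan: int) -> Optional[str]:
    """nameif that receives a frame with this tagging; None = ASA drops it."""
    for i in ifaces:
        if tagging == "untagged" and i.vlan is None:
            return i.nameif
        if tagging == "tagged" and i.vlan == vlan:
            return i.nameif
    return None

def deliver(trunk: TrunkPort, ifaces: List[AsaInterface], vlan: int) -> Tuple[str, Optional[str]]:
    """(how the frame left the trunk, which ASA nameif got it)."""
    tagging = trunk.egress(vlan)
    if tagging is None:
        return ("dropped-by-trunk", None)
    return (tagging, asa_receiver(ifaces, tagging, vlan))

CAT3 = TrunkPort(native_vlan=12, allowed_vlans={12, 55})
ASA1 = [AsaInterface("outside"), AsaInterface("DMZ55", vlan=55)]

if __name__ == "__main__":
    for v in (12, 55, 99):
        print(v, deliver(CAT3, ASA1, v))
    # Caveat: with a native-vlan mismatch (switch native 55), vlan 55 frames
    # arrive untagged and land on "outside" (security-level 0), not DMZ55.
    print(55, deliver(TrunkPort(55, {12, 55}), ASA1, 55))
```

Removing 12 from the allowed list drops the vlan 12 frames at the trunk; keeping it there does not make them tagged, which is the point of Brandon's reply.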
