Hi Brandon

If I remove vlan 12 and configure as follows, the ping to 192.1.12.10 fails:

switchport trunk allowed vlan 123

I am wondering, is vlan 12 in the allowed vlan list a must?

With regards
Kings

On Tue, Apr 13, 2010 at 10:21 PM, Brandon Carroll <[email protected]> wrote:

> Here's a sample:
>
> interface Ethernet0/0   ---->>> This traffic is NOT tagged by the ASA; since
>                                it's on the main interface it's assumed to be native.
>  nameif outside
>  security-level 0
>  ip address 192.1.12.10 255.255.255.0
>  no shutdown
>
> interface Ethernet0/0.1   ---->>> This traffic is tagged.
>  vlan 123
>  nameif DMZ
>  security-level 50
>  ip address 10.2.2.200 255.255.255.0
>
> On the switch:
>
> interface FastEthernet0/1   (or whatever interface it's connected to on the switch)
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  switchport trunk native vlan 12        ---->> Subnet 192.1.12.0/24 is on this vlan
>  switchport trunk allowed vlan 12,123   ---->>> This just allows tagged vlan
>                                         traffic on the trunk; it does not force
>                                         traffic for these vlans to be tagged.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> On Apr 13, 2010, at 9:35 AM, Kingsley Charles wrote:
>
> Hi Brandon
>
> I am not getting your point. Please find my understanding:
>
> *Point 1*
>
> With an IOS router, by default the physical interface will handle all the
> untagged frames and put them in vlan 1.
> or
>
> You can configure a default vlan for the physical interface using
> "encapsulation dot1Q 2 native".
>
> But with the ASA, there is no option to specify a native vlan.
>
> I am wondering whether the ASA will receive untagged frames.
>
> *Point 2*
>
> If it is true that the ASA supports untagged frames, I am not getting why we
> need to add the native vlan in the allowed list. For what purpose are we
> adding a native vlan in the allowed list?
>
> With regards
> Kings
>
> On Tue, Apr 13, 2010 at 9:24 PM, Brandon Carroll <[email protected]> wrote:
>
>> Vlan 12 in the allowed list does not make it tagged if it's the native
>> vlan. You would need it in the allowed list if the switch was tagging all
>> vlans including the native.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>>
>> On Apr 13, 2010, at 3:18 AM, Kingsley Charles wrote:
>>
>> That is what we need, right?
>>
>> The traffic to the physical interface should not be tagged. The physical
>> interface can't understand tagged traffic. Only the sub-interface can
>> understand tagged traffic, with the "vlan" keyword.
>>
>> vlan 12 in the allowed vlan list makes it tagged.
>>
>> With regards
>> Kings
>>
>> On Tue, Apr 13, 2010 at 2:54 PM, 'Segun Daini <[email protected]> wrote:
>>
>>> To allow the trunk to pass vlan 12 traffic.
>>> Specifying it as the native vlan is just telling the switch to not TAG
>>> vlan 12 traffic.
>>>
>>> Regards
>>>
>>> ------------------------------
>>> *From:* Kingsley Charles <[email protected]>
>>> *To:* [email protected]
>>> *Sent:* Tue, April 13, 2010 9:56:31 AM
>>> *Subject:* [OSL | CCIE_Security] Native vlan mapped to physical interface
>>>
>>> Hi all
>>>
>>> Vol 2 > Lab 15 > Section 1.0
>>>
>>> ASA1's e0/0 is connected to cat 3 f0/10.
>>> vlan 12's subnet address is 192.1.12.0.
>>> e0/0's IP address is 192.1.12.10.
>>>
>>> "switchport trunk native vlan 12" alone is sufficient to route traffic from
>>> "192.1.12.0" to ASA1's e0/0.
>>>
>>> Why are we adding vlan 12 in the trunk allowed list?
>>>
>>> *ASA 1 config*
>>>
>>> interface Ethernet0/0
>>>  nameif outside
>>>  security-level 0
>>>  ip address 192.1.12.10 255.255.255.0 standby 192.1.12.60
>>> !
>>> interface Ethernet0/0.55
>>>  vlan 55
>>>  nameif DMZ55
>>>  security-level 55
>>>  ip address 192.168.5.10 255.255.255.0 standby 192.168.5.60
>>>
>>> *Cat3 config*
>>>
>>> interface FastEthernet0/10
>>>  description ASA1 F0/0
>>>  switchport trunk encapsulation dot1q
>>>  switchport trunk native vlan 12
>>>  switchport trunk allowed vlan 12,55
>>>  switchport mode trunk
>>>
>>> With regards
>>> Kings
>>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
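The disagreement in this thread comes down to two separate decisions the switch makes: whether a VLAN is carried on the trunk at all ("switchport trunk allowed vlan") and whether its frames leave tagged ("switchport trunk native vlan", plus the global "vlan dot1q tag native" behaviour Brandon alludes to). The Python model below is an added example for this thread; it is not code from the thread, from IPexpert or from Cisco. It builds and parses real 802.1Q frames (TPID 0x8100, 12-bit VID in the TCI) and pushes the lab topology through a simplified trunk port and ASA. The MAC addresses, payload and scenario names are constructed for the example. It reproduces Kings' observation that dropping vlan 12 from the allowed list breaks the ping to the untagged main interface, and also shows the case the thread only mentions in passing: if the switch tags the native VLAN as well, the ASA's physical interface no longer sees those frames and a "vlan 12" subinterface would be needed.

```python
"""802.1Q tagging on a switch trunk feeding an ASA (constructed example).

Frame layout is the real 802.1Q one; the switch and ASA behaviour is a
simplified model of the two commands argued about in the thread:
  switchport trunk native vlan N    -> frames for VLAN N leave untagged
  switchport trunk allowed vlan ... -> only these VLANs are forwarded at all
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800

# Constructed MAC addresses; any values would do for the model.
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")


def build_frame(vlan: int | None, payload: bytes, ethertype: int = ETH_IPV4) -> bytes:
    """Ethernet II frame, with an 802.1Q tag inserted when vlan is given."""
    hdr = DST_MAC + SRC_MAC
    if vlan is not None:
        # TCI = 3-bit PCP, 1-bit DEI, 12-bit VID; PCP and DEI left at 0.
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> tuple[int | None, int, bytes]:
    """Return (vlan or None, ethertype, payload); raise on truncated frames."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off = 12
    (tpid,) = struct.unpack_from("!H", frame, off)
    vlan = None
    if tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlan = tci & 0x0FFF
        off += 4
    (ethertype,) = struct.unpack_from("!H", frame, off)
    return vlan, ethertype, frame[off + 2:]


@dataclass
class TrunkPort:
    native_vlan: int
    allowed: frozenset[int]
    tag_native: bool = False  # models the global 'vlan dot1q tag native'

    def egress(self, vlan: int, payload: bytes) -> bytes | None:
        """Frame as it leaves the switch toward the ASA, or None if the
        trunk does not carry that VLAN at all."""
        if vlan not in self.allowed:
            return None                         # pruned by the allowed list
        if vlan == self.native_vlan and not self.tag_native:
            return build_frame(None, payload)   # native VLAN: sent untagged
        return build_frame(vlan, payload)       # everything else: tagged


@dataclass
class Asa:
    main_nameif: str
    subinterfaces: dict[int, str] = field(default_factory=dict)  # vlan -> nameif

    def ingress(self, frame: bytes | None) -> str | None:
        """nameif that receives the frame, or None if it is dropped."""
        if frame is None:
            return None
        vlan, _ethertype, _payload = parse_frame(frame)
        if vlan is None:
            return self.main_nameif             # untagged -> physical interface
        return self.subinterfaces.get(vlan)     # tagged -> matching 'vlan N' subif


def deliver(trunk: TrunkPort, asa: Asa, vlan: int) -> str | None:
    return asa.ingress(trunk.egress(vlan, b"ICMP echo request (constructed)"))


# Lab topology from the thread: e0/0 = outside (native vlan 12), e0/0.55 = DMZ55.
ASA1 = Asa(main_nameif="outside", subinterfaces={55: "DMZ55"})


def scenarios() -> dict[str, str | None]:
    posted = TrunkPort(native_vlan=12, allowed=frozenset({12, 55}))
    return {
        # Cat3 config as posted: native 12, allowed 12,55
        "as_posted_vlan12": deliver(posted, ASA1, 12),
        "as_posted_vlan55": deliver(posted, ASA1, 55),
        # Kings' test: vlan 12 removed from the allowed list -> ping fails
        "vlan12_not_allowed": deliver(TrunkPort(12, frozenset({55})), ASA1, 12),
        # Switch also tags the native VLAN: ASA has no 'vlan 12' subinterface
        "tag_native_on": deliver(TrunkPort(12, frozenset({12, 55}), tag_native=True), ASA1, 12),
    }


if __name__ == "__main__":
    for name, nameif in scenarios().items():
        print(f"{name:20s} -> {nameif or 'dropped'}")
```

Running it prints which ASA interface each scenario lands on: the posted config reaches "outside" and "DMZ55", the trimmed allowed list drops vlan 12 at the trunk before tagging is even considered, and tagging the native VLAN drops it at the ASA instead. That last case is the trade-off behind "vlan dot1q tag native": sending the native VLAN untagged is what 802.1Q double-tagging (VLAN hopping) relies on, so tagging it, or using an otherwise unused VLAN as the trunk's native VLAN, closes that path, but then the firewall side must terminate the VLAN on a tagged subinterface rather than on the physical interface.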
