Hi King,

For a trunk interface, it passes ALL vlan traffic by default. When you specify "allowed vlan", you limit the vlan traffic that can go over that trunk interface.
By default, the trunk interface, because it passes ALL traffic by default, TAGs each except for vlan 1 (default native vlan). The two features do not overlap. Specifying native vlan only tells the trunk not to tag vlan 12 traffic. But for that traffic to go over the trunk, you need to allow it.

Regards.

________________________________
From: Kingsley Charles <[email protected]>
To: Brandon Carroll <[email protected]>
Cc: 'Segun Daini <[email protected]>; [email protected]
Sent: Tue, April 13, 2010 5:59:34 PM
Subject: Re: [OSL | CCIE_Security] Native vlan mapped to physical interface

Hi Brandon

If I remove vlan 12 and configure as following, the ping to 192.1.12.10 fails.

switch trunk allowed vlan 123

I am wondering, is vlan 12 in the allowed vlan list a must?

With regards
Kings

On Tue, Apr 13, 2010 at 10:21 PM, Brandon Carroll <[email protected]> wrote:
> Here's a sample:
>
> Interface E0/0 ------------------------>>> This traffic is NOT tagged by the ASA since it's on the main interface; it's assumed that it's native.
> nameif outside
> sec 0
> ip add 192.1.12.10 255.255.255.0
> no shut
>
> Interface e0/0.1 ------------------------>>> This traffic is Tagged.
> vlan 123
> nameif DMZ
> security-level 50
> ip add 10.2.2.200 255.255.255.0
>
> On the switch:
>
> Interface f0/1 (or whatever interface it is connected to on the switch)
> swi tr en dot1q
> swi mode tr
> swi trunk native vlan 12 ----------->> Subnet 192.1.12.0/24 is on this vlan
> swi tru allowed vlan 12,123 ------------>>> This just allows tagged vlan traffic on the trunk; it does not force traffic for these vlans to be tagged.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> On Apr 13, 2010, at 9:35 AM, Kingsley Charles wrote:
>
>> Hi Brandon
>>
>> I am not getting your point. Please find my understanding:
>>
>> Point 1
>>
>> With IOS router, by default the physical interface will handle all the untagged frames and put them in vlan 1.
>>
>> or
>>
>> You can configure a default vlan for the physical interface using "encapsulation dot1Q 2 native"
>>
>> But with ASA, there is no option to specify a native vlan.
>>
>> I am wondering, will ASA support receiving untagged frames?
>>
>> Point 2
>>
>> If it is true that ASA supports untagged frames, I am not getting why we need to add the native vlan in the allowed list. For what purpose are we adding a native vlan in the allowed list?
>>
>> With regards
>> Kings
>>
>> On Tue, Apr 13, 2010 at 9:24 PM, Brandon Carroll <[email protected]> wrote:
>>
>>> Vlan 12 in the allowed list does not make it tagged if it's the native vlan. You would need it in the allowed list if the switch was tagging all vlans including the native.
>>>
>>> Regards,
>>>
>>> Brandon Carroll - CCIE #23837
>>>
>>> On Apr 13, 2010, at 3:18 AM, Kingsley Charles wrote:
>>>
>>>> That is what we need, right?
>>>>
>>>> The traffic to the physical interface should not be tagged. The physical interface can't understand tagged traffic. Only the sub-interface can understand tagged traffic with the "vlan" keyword.
>>>>
>>>> vlan 12 in the allowed vlan list makes it tagged.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Tue, Apr 13, 2010 at 2:54 PM, 'Segun Daini <[email protected]> wrote:
>>>>
>>>>> To allow the trunk to pass vlan 12 traffic. Specifying it as the native vlan is just telling the switch to not TAG vlan 12 traffic.
>>>>>
>>>>> Regards
>>>>>
>>>>> ________________________________
>>>>> From: Kingsley Charles <[email protected]>
>>>>> To: [email protected]
>>>>> Sent: Tue, April 13, 2010 9:56:31 AM
>>>>> Subject: [OSL | CCIE_Security] Native vlan mapped to physical interface
>>>>>
>>>>> Hi all
>>>>>
>>>>> Vol 2 > Lab 15 > Section 1.0
>>>>>
>>>>> ASA1's e0/0 is connected to cat 3 f0/10.
>>>>> vlan 12's subnet address is 192.1.12.0.
>>>>> e0/0's IP address is 192.1.12.10.
>>>>>
>>>>> "switchport trunk native vlan 12" alone is sufficient to route traffic from "192.1.12.0" to ASA1's e0/0.
>>>>>
>>>>> Why are we adding vlan 12 in the trunk allowed list?
>>>>>
>>>>> ASA 1 config
>>>>>
>>>>> interface Ethernet0/0
>>>>>  nameif outside
>>>>>  security-level 0
>>>>>  ip address 192.1.12.10 255.255.255.0 standby 192.1.12.60
>>>>> !
>>>>> interface Ethernet0/0.55
>>>>>  vlan 55
>>>>>  nameif DMZ55
>>>>>  security-level 55
>>>>>  ip address 192.168.5.10 255.255.255.0 standby 192.168.5.60
>>>>>
>>>>> Cat3 config
>>>>>
>>>>> interface FastEthernet0/10
>>>>>  description ASA1 F0/0
>>>>>  switchport trunk encapsulation dot1q
>>>>>  switchport trunk native vlan 12
>>>>>  switchport trunk allowed vlan 12,55
>>>>>  switchport mode trunk
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>
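The two settings the thread keeps circling (native vlan decides whether a VLAN leaves the trunk untagged; the allowed list decides whether it leaves at all) can be modelled in a few lines. The following Python is an added example written for this archive page, not code from the thread or from Cisco; the `TrunkPort` class, its method names and the three scenario functions are constructed for illustration. The `tag_native` flag stands in for the IOS global `vlan dot1q tag native` behaviour that Brandon alludes to ("if the switch was tagging all vlans including the native"); how a given platform treats untagged ingress in that mode varies, so the model simply drops such frames and says so in a comment. From an auditing standpoint the point of the model is that the allowed list is the real filter: a native VLAN that is not in it carries nothing, tagged or untagged, which is exactly what Kingsley observed when the ping to 192.1.12.10 failed.

```python
# Added example (not from the thread): a minimal model of 802.1Q trunk forwarding
# that keeps the two switch settings discussed above separate:
#   "switchport trunk native vlan N"    -> which VLAN leaves the trunk UNTAGGED
#   "switchport trunk allowed vlan ..." -> which VLANs may cross the trunk at all
# All scenarios below are constructed to mirror the configs quoted in the thread.

from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class TrunkPort:
    native_vlan: int = 1                 # IOS default native VLAN
    allowed: Optional[Set[int]] = None   # None models the default "allowed vlan all"
    tag_native: bool = False             # models the global "vlan dot1q tag native"

    def is_allowed(self, vlan: int) -> bool:
        return self.allowed is None or vlan in self.allowed

    def egress(self, vlan: int) -> Optional[str]:
        """A frame from VLAN `vlan` leaving the switch over this trunk.

        Returns None if the frame is dropped, otherwise 'untagged' or 'tagged'.
        """
        # The allowed list is consulted first: the native VLAN gets no exemption.
        if not self.is_allowed(vlan):
            return None
        if vlan == self.native_vlan and not self.tag_native:
            return "untagged"
        return "tagged"

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """A frame arriving on this trunk; `tag` is the 802.1Q VID, or None if untagged.

        Returns the VLAN the frame is classified into, or None if it is dropped.
        """
        if tag is None:
            # Untagged frames are classified into the native VLAN. With the
            # tag-native behaviour on, this model drops them (platform-specific
            # handling varies; this is a modelling choice, not a Cisco statement).
            if self.tag_native:
                return None
            vlan = self.native_vlan
        else:
            vlan = tag
        return vlan if self.is_allowed(vlan) else None


def lab_scenario() -> dict:
    """Cat3 f0/10 as configured in the lab: native 12, allowed 12,55."""
    port = TrunkPort(native_vlan=12, allowed={12, 55})
    return {
        "vlan12_to_asa": port.egress(12),        # reaches ASA e0/0 untagged
        "vlan55_to_asa": port.egress(55),        # reaches e0/0.55 tagged
        "asa_untagged_in": port.ingress(None),   # ASA's untagged reply lands in VLAN 12
    }


def kings_test() -> dict:
    """Kingsley's experiment: native 12 kept, but only VLAN 123 allowed."""
    port = TrunkPort(native_vlan=12, allowed={123})
    return {
        "vlan12_to_asa": port.egress(12),        # dropped: the ping to 192.1.12.10 fails
        "asa_untagged_in": port.ingress(None),   # dropped for the same reason
    }


def tag_native_scenario() -> dict:
    """Brandon's caveat: a switch that tags the native VLAN as well."""
    port = TrunkPort(native_vlan=12, allowed={12, 55}, tag_native=True)
    return {
        "vlan12_to_asa": port.egress(12),        # now tagged; the ASA's physical e0/0 would not see it
        "asa_untagged_in": port.ingress(None),   # untagged frames dropped (modelled)
    }


if __name__ == "__main__":
    for name, fn in (("lab", lab_scenario), ("kings", kings_test), ("tag-native", tag_native_scenario)):
        print(name, fn())
```

Running the module prints the three outcomes side by side; the `kings_test` result is the one that answers the original question, since VLAN 12 is dropped on egress and on ingress the moment it leaves the allowed list, regardless of it being native.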
