Hi Segun,

I totally agree with you and Brandon, and that is my understanding too. But my findings confuse me.

Config 1
-----------
Ping fails to the ASA 192.1.12.10.

interface FastEthernet0/10
 description ASA1 F0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12
 switchport trunk allowed vlan 55
 switchport mode trunk

Config 2
-----------
Ping succeeds to the ASA 192.1.12.10.

This means that the ping succeeds only when vlan 12 traffic is tagged and fails when it is untagged. On the ASA, there is no sub-interface configured to get the tagged vlan of 12. I think I am confusing you too.

interface FastEthernet0/10
 description ASA1 F0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12
 switchport trunk allowed vlan 12,55
 switchport mode trunk

ASA 1 config

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.1.12.10 255.255.255.0 standby 192.1.12.60
!
interface Ethernet0/0.55
 vlan 55
 nameif DMZ55
 security-level 55
 ip address 192.168.5.10 255.255.255.0 standby 192.168.5.60

With regards
Kings

On Tue, Apr 13, 2010 at 11:23 PM, 'Segun Daini <[email protected]> wrote:

> Hi King,
>
> For a trunk interface, it passes ALL vlan traffic by default. When you specify "allowed vlan", you limit the number of vlan traffic that can go over that trunk interface.
>
> By default, the trunk interface, because it passes ALL traffic by default, TAGs each except for vlan 1 (default native vlan).
>
> The two features do not overlap. Specifying native vlan only tells the trunk not to tag vlan 12 traffic. But for that traffic to go over the trunk, you need to allow it.
>
> Regards.
>
> ------------------------------
> *From:* Kingsley Charles <[email protected]>
> *To:* Brandon Carroll <[email protected]>
> *Cc:* 'Segun Daini <[email protected]>; [email protected]
> *Sent:* Tue, April 13, 2010 5:59:34 PM
> *Subject:* Re: [OSL | CCIE_Security] Native vlan mapped to physical interface
>
> Hi Brandon
>
> If I remove vlan 12 and configure as following, the ping to 192.1.12.10 fails.
>
> switch trunk allowed vlan123
>
> I am wondering, is vlan 12 in the allowed vlan list a must?
>
> With regards
> Kings
>
> On Tue, Apr 13, 2010 at 10:21 PM, Brandon Carroll <[email protected]> wrote:
>
>> Here's a sample:
>>
>> Interface E0/0 ------------------------>>> This traffic is NOT tagged by the ASA; since it's on the main interface, it's assumed that it's native.
>> nameif outside
>> sec 0
>> ip add 192.1.12.10 255.255.255.0
>> no shut
>>
>> Interface e0/0.1 ------------------------>>> This traffic is tagged.
>> vlan 123
>> nameif DMZ
>> security-level 50
>> ip add 10.2.2.200 255.255.255.0
>>
>> On the switch:
>>
>> Interface f0/1 (or whatever interface it is connected to on the switch)
>> swi tr en dot1q
>> swi mode tr
>> swi trunk native vlan 12 ----------->> Subnet 192.1.12.0/24 is on this vlan
>> swi tru allowed vlan 12,123 ------------>>> This just allows tagged vlan traffic on the trunk; it does not force traffic for these vlans to be tagged.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> On Apr 13, 2010, at 9:35 AM, Kingsley Charles wrote:
>>
>> Hi Brandon
>>
>> I am not getting your point. Please find my understanding:
>>
>> *Point 1*
>>
>> With an IOS router, by default the physical interface will handle all the untagged frames and put them in vlan 1.
>>
>> or
>>
>> You can configure a default vlan for the physical interface using "encapsulation dot1Q 2 native"
>>
>> But with ASA, there is no option to specify a native vlan.
>>
>> I am wondering, will ASA support receiving untagged frames?
>>
>> *Point 2*
>>
>> If it is true that ASA supports untagged frames, I am not getting why we need to add the native vlan in the allowed list. For what purpose are we adding a native vlan in the allowed list?
>>
>> With regards
>> Kings
>>
>> On Tue, Apr 13, 2010 at 9:24 PM, Brandon Carroll <[email protected]> wrote:
>>
>>> Vlan 12 in the allowed list does not make it tagged if it's the native vlan. You would need it in the allowed list if the switch was tagging all vlans including the native.
>>>
>>> Regards,
>>>
>>> Brandon Carroll - CCIE #23837
>>> Senior Technical Instructor - IPexpert
>>>
>>> On Apr 13, 2010, at 3:18 AM, Kingsley Charles wrote:
>>>
>>> That is what we need, right?
>>>
>>> The traffic to the physical interface should not be tagged. The physical interface can't understand tagged traffic. Only the sub-interface can understand tagged traffic with the "vlan" keyword.
>>>
>>> vlan 12 in the allowed vlan list makes it tagged.
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Apr 13, 2010 at 2:54 PM, 'Segun Daini <[email protected]> wrote:
>>>
>>>> To allow the trunk to pass vlan 12 traffic. Specifying it as the native vlan is just telling the switch to not TAG vlan 12 traffic.
>>>>
>>>> Regards
>>>>
>>>> ------------------------------
>>>> *From:* Kingsley Charles <[email protected]>
>>>> *To:* [email protected]
>>>> *Sent:* Tue, April 13, 2010 9:56:31 AM
>>>> *Subject:* [OSL | CCIE_Security] Native vlan mapped to physical interface
>>>>
>>>> Hi all
>>>>
>>>> Vol 2 > Lab 15 > Section 1.0
>>>>
>>>> ASA1's e0/0 is connected to cat 3 f0/10.
>>>> vlan 12's subnet address is 192.1.12.0.
>>>> e0/0's IP address is 192.1.12.10.
>>>>
>>>> "switchport trunk native vlan 12" alone is sufficient to route traffic from "192.1.12.0" to ASA1's e0/0.
>>>>
>>>> Why are we adding vlan 12 in the trunk allowed list?
>>>>
>>>> *ASA 1 config*
>>>>
>>>> interface Ethernet0/0
>>>>  nameif outside
>>>>  security-level 0
>>>>  ip address 192.1.12.10 255.255.255.0 standby 192.1.12.60
>>>> !
>>>> interface Ethernet0/0.55
>>>>  vlan 55
>>>>  nameif DMZ55
>>>>  security-level 55
>>>>  ip address 192.168.5.10 255.255.255.0 standby 192.168.5.60
>>>>
>>>> *Cat3 config*
>>>>
>>>> interface FastEthernet0/10
>>>>  description ASA1 F0/0
>>>>  switchport trunk encapsulation dot1q
>>>>  switchport trunk native vlan 12
>>>>  switchport trunk allowed vlan 12,55
>>>>  switchport mode trunk
>>>>
>>>> With regards
>>>> Kings
>>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
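The switch-side and ASA-side behaviour the thread argues about, as an added example that is not part of the mailing-list post: a small Python model of an 802.1Q trunk port (allowed list and native VLAN as two independent decisions) and of how the ASA's main interface and "vlan N" sub-interface classify untagged versus tagged frames, run against Kings' two Catalyst configs. The `tag_native` flag is an assumption that models the IOS "vlan dot1q tag native" behaviour Brandon alludes to; the frame bytes are constructed.

```python
# Added example, not from the thread: models 802.1Q trunk egress on the
# Catalyst side and frame classification on the ASA side for the configs above.
from dataclasses import dataclass, field
from typing import Optional

TPID = (0x8100).to_bytes(2, "big")            # 802.1Q tag protocol identifier

@dataclass
class TrunkPort:
    native_vlan: int                          # switchport trunk native vlan N
    allowed: frozenset                        # switchport trunk allowed vlan ...
    tag_native: bool = False                  # assumed: models "vlan dot1q tag native"

    def egress(self, vlan: int, frame: bytes) -> Optional[bytes]:
        """Frame as it leaves the trunk for traffic in `vlan`, or None if pruned.
        The allowed-list check and the tagging decision are independent."""
        if vlan not in self.allowed:
            return None                       # not in the allowed list: never sent
        if vlan == self.native_vlan and not self.tag_native:
            return frame                      # native VLAN leaves untagged
        tag = TPID + (vlan & 0x0FFF).to_bytes(2, "big")
        return frame[:12] + tag + frame[12:]  # tag is inserted after dst/src MAC

@dataclass
class Asa:
    physical: str                             # nameif of the main interface
    subifs: dict = field(default_factory=dict)  # vlan id -> nameif of "vlan N" subif

    def classify(self, frame: Optional[bytes]) -> Optional[str]:
        """nameif that receives `frame`, or None if no interface accepts it."""
        if frame is None:
            return None
        if frame[12:14] == TPID:              # tagged: only a matching sub-interface
            return self.subifs.get(int.from_bytes(frame[14:16], "big") & 0x0FFF)
        return self.physical                  # untagged: the main interface takes it

# Constructed frame: dst MAC, src MAC, EtherType IPv4, then a stand-in for the ICMP echo.
PING = bytes.fromhex("0011223344550a0b0c0d0e0f0800") + b"ICMP echo to 192.1.12.10"
ASA1 = Asa(physical="outside", subifs={55: "DMZ55"})              # thread's ASA 1 config
CONFIG1 = TrunkPort(native_vlan=12, allowed=frozenset({55}))      # Kings' config 1
CONFIG2 = TrunkPort(native_vlan=12, allowed=frozenset({12, 55}))  # Kings' config 2

def deliver(port: TrunkPort, vlan: int) -> Optional[str]:
    """Which ASA interface (if any) receives `vlan` traffic sent across `port`."""
    return ASA1.classify(port.egress(vlan, PING))

if __name__ == "__main__":
    for name, port in (("config 1", CONFIG1), ("config 2", CONFIG2)):
        print(f"{name}: vlan 12 -> {deliver(port, 12)}, vlan 55 -> {deliver(port, 55)}")
    tagged = TrunkPort(12, frozenset({12, 55}), tag_native=True)
    print("config 2 with native tagged: vlan 12 ->", deliver(tagged, 12))
```

Config 1 drops VLAN 12 at the trunk (not allowed), config 2 sends it untagged onto the ASA's main interface, and tagging the native VLAN would strand it because no sub-interface carries "vlan 12".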
