Hi King, Config 2 is perfect and correct.
See my comments below.

Regards

________________________________
From: Kingsley Charles <[email protected]>
To: 'Segun Daini <[email protected]>
Cc: Brandon Carroll <[email protected]>; [email protected]
Sent: Tue, April 13, 2010 7:32:37 PM
Subject: Re: [OSL | CCIE_Security] Native vlan mapped to physical interface

Hi Segun

I totally agree with you and Brandon and that is my understanding too. But my findings confuse me.

Config 1
-----------
Ping fails to the ASA 192.1.12.10.

interface FastEthernet0/10
 description ASA1 F0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12       --> this specifies that VLAN 12 must not be tagged.
 switchport trunk allowed vlan 55      --> this specifies that VLAN 12 traffic be dropped.
 switchport mode trunk

Config 2
-----------
Ping succeeds to the ASA 192.1.12.10.

This means that the ping succeeds only when vlan 12 traffic is tagged and fails when it is untagged. On the ASA, there is no sub-interface configured to get the tagged vlan of 12. I think I am confusing you too.

interface FastEthernet0/10
 description ASA1 F0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12       --> this specifies that VLAN 12 must not be tagged.
 switchport trunk allowed vlan 12,55   --> this specifies that VLAN 12 traffic be allowed over the trunk.
 switchport mode trunk

ASA 1 config

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.1.12.10 255.255.255.0 standby 192.1.12.60
!
interface Ethernet0/0.55
 vlan 55
 nameif DMZ55
 security-level 55
 ip address 192.168.5.10 255.255.255.0 standby 192.168.5.60

With regards
Kings

On Tue, Apr 13, 2010 at 11:23 PM, 'Segun Daini <[email protected]> wrote:
> Hi King,
>
> For a trunk interface, it passes ALL vlan traffic by default. When you specify "allowed vlan", you limit the number of vlan traffic that can go over that trunk interface.
>
> By default, the trunk interface, because it passes ALL traffic by default, TAGs each except for vlan 1 (default native vlan).
>
> The two features do not overlap. Specifying native vlan only tells the trunk not to tag vlan 12 traffic. But for that traffic to go over the trunk, you need to allow it.
>
> Regards.
>
> ________________________________
> From: Kingsley Charles <[email protected]>
> To: Brandon Carroll <[email protected]>
> Cc: 'Segun Daini <[email protected]>; [email protected]
> Sent: Tue, April 13, 2010 5:59:34 PM
> Subject: Re: [OSL | CCIE_Security] Native vlan mapped to physical interface
>
> Hi Brandon
>
> If I remove vlan 12 and configure as following, the ping to 192.1.12.10 fails.
>
> switch trunk allowed vlan 123
>
> I am wondering, is vlan 12 in the allowed vlan list a must?
>
> With regards
> Kings
>
> On Tue, Apr 13, 2010 at 10:21 PM, Brandon Carroll <[email protected]> wrote:
>> Here's a sample:
>>
>> Interface E0/0 ------------------------>>> This traffic is NOT tagged by the ASA since it's on the main interface; it's assumed that it's native.
>> nameif outside
>> sec 0
>> ip add 192.1.12.10 255.255.255.0
>> no shut
>>
>> Interface e0/0.1 ------------------------>>> This traffic is Tagged.
>> vlan 123
>> nameif DMZ
>> security-level 50
>> ip add 10.2.2.200 255.255.255.0
>>
>> On the switch:
>>
>> Interface f0/1 (or whatever interface it connected to on the switch)
>> swi tr en dot1q
>> swi mode tr
>> swi trunk native vlan 12 ----------->> Subnet 192.1.12.0/24 is on this vlan
>> swi tru allowed vlan 12,123 ------------>>> This just allows tagged vlan traffic on the trunk, it does not force traffic for these vlans to be tagged.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> On Apr 13, 2010, at 9:35 AM, Kingsley Charles wrote:
>>> Hi Brandon
>>>
>>> I am not getting your point. Please find my understanding:
>>>
>>> Point 1
>>>
>>> With IOS router, by default the physical interface will handle all the untagged frames and put them in vlan 1.
>>>
>>> or
>>>
>>> You can configure a default vlan for physical interface using "encapsulation dot1Q 2 native"
>>>
>>> But with ASA, there is no option to specify a native vlan.
>>>
>>> I am wondering, will ASA support receiving untagged frames?
>>>
>>> Point 2
>>>
>>> If it is true that ASA supports untagged frames, I am not getting why we need to add the native vlan in the allowed list. For what purpose are we adding a native vlan in allowed list?
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Apr 13, 2010 at 9:24 PM, Brandon Carroll <[email protected]> wrote:
>>>> Vlan 12 in the allowed list does not make it tagged if it's the native vlan. You would need it in the allowed list if the switch was tagging all vlans including the native.
>>>>
>>>> Regards,
>>>>
>>>> Brandon Carroll - CCIE #23837
>>>> Senior Technical Instructor - IPexpert
>>>> Mailto: [email protected]
>>>> Telephone: +1.810.326.1444
>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>> eFax: +1.810.454.0130
>>>>
>>>> On Apr 13, 2010, at 3:18 AM, Kingsley Charles wrote:
>>>>> That is what we need, right?
>>>>>
>>>>> The traffic to the physical interface should not be tagged. The physical interface can't understand tagged traffic. Only the sub-interface can understand tagged traffic with the "vlan" keyword.
>>>>>
>>>>> vlan 12 in the allowed vlan list makes it tagged.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Tue, Apr 13, 2010 at 2:54 PM, 'Segun Daini <[email protected]> wrote:
>>>>>> To allow the trunk to pass vlan 12 traffic. Specifying it as the native vlan is just telling the switch to not TAG vlan 12 traffic.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> ________________________________
>>>>>> From: Kingsley Charles <[email protected]>
>>>>>> To: [email protected]
>>>>>> Sent: Tue, April 13, 2010 9:56:31 AM
>>>>>> Subject: [OSL | CCIE_Security] Native vlan mapped to physical interface
>>>>>>
>>>>>> Hi all
>>>>>>
>>>>>> Vol 2 > Lab 15 > Section 1.0
>>>>>>
>>>>>> ASA1's e0/0 is connected to cat 3 f0/10.
>>>>>> vlan 12's subnet address is 192.1.12.0.
>>>>>> e0/0's IP address is 192.1.12.10.
>>>>>>
>>>>>> "switchport trunk native vlan 12" alone is sufficient to route traffic from "192.1.12.0" to ASA1's e0/0.
>>>>>>
>>>>>> Why are we adding vlan 12 in the trunk allowed list?
>>>>>>
>>>>>> ASA 1 config
>>>>>>
>>>>>> interface Ethernet0/0
>>>>>>  nameif outside
>>>>>>  security-level 0
>>>>>>  ip address 192.1.12.10 255.255.255.0 standby 192.1.12.60
>>>>>> !
>>>>>> interface Ethernet0/0.55
>>>>>>  vlan 55
>>>>>>  nameif DMZ55
>>>>>>  security-level 55
>>>>>>  ip address 192.168.5.10 255.255.255.0 standby 192.168.5.60
>>>>>>
>>>>>> Cat3 config
>>>>>>
>>>>>> interface FastEthernet0/10
>>>>>>  description ASA1 F0/0
>>>>>>  switchport trunk encapsulation dot1q
>>>>>>  switchport trunk native vlan 12
>>>>>>  switchport trunk allowed vlan 12,55
>>>>>>  switchport mode trunk
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
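As an added illustration of the conclusion the thread reaches (this is not code from any of the messages above; it assumes the interface names and VLAN ids of Kings' Config 1, Config 2 and ASA 1), a small Python model of the two separate decisions involved: what the trunk does with a frame for a given VLAN (drop, send untagged, send tagged), and which ASA interface, if any, accepts it:

```python
# Constructed model of the 802.1Q trunk behaviour discussed in the thread.
# A trunk port first checks the allowed list (prune if absent), then sends the
# native VLAN untagged and every other allowed VLAN with a .1Q tag. On the ASA,
# the physical interface takes untagged frames and a sub-interface takes frames
# tagged with its "vlan" number. Names/VLANs below mirror the thread's configs.
from dataclasses import dataclass, field
from typing import Optional

DROP, UNTAGGED, TAGGED = "drop", "untagged", "tagged"


@dataclass
class TrunkPort:
    native_vlan: int = 1                 # "switchport trunk native vlan N"
    allowed: Optional[set] = None        # None models the default "allowed vlan all"

    def egress(self, vlan: int) -> str:
        """What the switch does with a frame for `vlan` leaving this trunk."""
        if self.allowed is not None and vlan not in self.allowed:
            return DROP                  # not in the allowed list: pruned
        if vlan == self.native_vlan:
            return UNTAGGED              # native VLAN leaves without a tag
        return TAGGED                    # everything else carries a .1Q tag


@dataclass
class Asa:
    physical: str                        # nameif of the main interface
    subifs: dict = field(default_factory=dict)   # vlan id -> nameif

    def ingress(self, how: str, vlan: int) -> Optional[str]:
        """Which ASA interface accepts the frame, or None if it is discarded."""
        if how == DROP:
            return None
        if how == UNTAGGED:
            return self.physical         # untagged frames land on Ethernet0/0
        return self.subifs.get(vlan)     # tagged frames need a matching "vlan N"


def reachable(port: TrunkPort, asa: Asa, vlan: int) -> Optional[str]:
    """End-to-end result for one VLAN: the accepting ASA interface or None."""
    return asa.ingress(port.egress(vlan), vlan)


asa1 = Asa(physical="outside", subifs={55: "DMZ55"})
config1 = TrunkPort(native_vlan=12, allowed={55})       # ping to 192.1.12.10 fails
config2 = TrunkPort(native_vlan=12, allowed={12, 55})   # ping to 192.1.12.10 succeeds

if __name__ == "__main__":
    for name, port in (("Config 1", config1), ("Config 2", config2)):
        for vlan in (12, 55):
            print(f"{name} vlan {vlan}: {port.egress(vlan)} -> {reachable(port, asa1, vlan)}")
```

The model also shows the failure mode from Kings' later test: with the native VLAN left at its default, VLAN 12 would leave the trunk tagged and no ASA interface would accept it.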
