Kings
This is a required configuration: `trunk native vlan` just sets the
native vlan; it does not allow the vlan across the trunk link. For this
to happen with vlan pruning enabled, the vlan has to be allowed on the
trunk.
Stu
Sent from my iPhone
On 13 Apr 2010, at 17:59, Kingsley Charles <[email protected]> wrote:
Hi Brandon
If I remove vlan 12 and configure as follows, the ping to
192.1.12.10 fails.
 switchport trunk allowed vlan 123
I am wondering, is vlan 12 in the allowed vlan list a must?
With regards
Kings
On Tue, Apr 13, 2010 at 10:21 PM, Brandon Carroll <[email protected]> wrote:
Here's a sample:

Interface E0/0 ------------------------>>> This traffic is NOT tagged by the ASA; since it's on the main interface it's assumed to be native.
 nameif outside
 sec 0
 ip add 192.1.12.10 255.255.255.0
 no shut
Interface e0/0.1 ------------------------>>> This traffic is tagged.
 vlan 123
 nameif DMZ
 security-level 50
 ip add 10.2.2.200 255.255.255.0

On the switch:

Interface f0/1 (or whatever interface it's connected to on the switch)
 swi tr en dot1q
 swi mode tr
 swi trunk native vlan 12 ----------->> Subnet 192.1.12.0/24 is on this vlan
 swi tru allowed vlan 12,123 ------------>>> This just allows tagged vlan traffic on the trunk; it does not force traffic for these vlans to be tagged.
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on
Demand, Audio Tools, Online Hardware Rental and Classroom Training
for the Cisco CCIE (R&S, Voice, Security & Service Provider)
certification(s) with training locations throughout the United
States, Europe, South Asia and Australia. Be sure to visit our
online communities at www.ipexpert.com/communities and our public
website at www.ipexpert.com
On Apr 13, 2010, at 9:35 AM, Kingsley Charles wrote:
Hi Brandon
I am not getting your point. Please find my understanding:
Point 1
With an IOS router, by default the physical interface will handle all
the untagged frames and put them in vlan 1.
or
You can configure a default vlan for the physical interface using
"encapsulation dot1Q 2 native".
But with the ASA, there is no option to specify a native vlan.
I am wondering whether the ASA will receive untagged frames.
Point 2
If it is true that the ASA supports untagged frames, I am not getting why
we need to add the native vlan in the allowed list. For what
purpose are we adding a native vlan in the allowed list?
With regards
Kings
On Tue, Apr 13, 2010 at 9:24 PM, Brandon Carroll <[email protected]> wrote:
Vlan 12 in the allowed list does not make it tagged if it's the
native vlan. You would need it in the allowed list if the switch
was tagging all vlans, including the native.
Regards,
Brandon Carroll
On Apr 13, 2010, at 3:18 AM, Kingsley Charles wrote:
That is what we need, right?
The traffic to the physical interface should not be tagged. The
physical interface can't understand tagged traffic. Only the
sub-interface can understand tagged traffic, with the "vlan" keyword.
vlan 12 in the allowed vlan list makes it tagged.
With regards
Kings
On Tue, Apr 13, 2010 at 2:54 PM, 'Segun Daini <[email protected]> wrote:
To allow the trunk to pass vlan 12 traffic; specifying it as the
native vlan is just telling the switch to not TAG vlan 12 traffic.
Regards
From: Kingsley Charles <[email protected]>
To: [email protected]
Sent: Tue, April 13, 2010 9:56:31 AM
Subject: [OSL | CCIE_Security] Native vlan mapped to physical interface
Hi all
Vol 2 > Lab 15 > Section 1.0
ASA1's e0/0 is connected to cat 3 f0/10.
vlan 12's subnet address is 192.1.12.0.
e0/0's IP address is 192.1.12.10.
"switchport trunk native vlan 12" alone suffices to route
traffic from "192.1.12.0" to ASA1's e0/0.
Why are we adding vlan 12 in the trunk allowed list?
ASA 1 config:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.1.12.10 255.255.255.0 standby 192.1.12.60
!
interface Ethernet0/0.55
 vlan 55
 nameif DMZ55
 security-level 55
 ip address 192.168.5.10 255.255.255.0 standby 192.168.5.60

Cat3 config:

interface FastEthernet0/10
 description ASA1 F0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12
 switchport trunk allowed vlan 12,55
 switchport mode trunk
With regards
Kings
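As an added illustration (not code from any of the posters), the following Python models the behaviour the replies describe for the Cat3 f0/10 trunk and ASA1's e0/0: an allowed native VLAN leaves the trunk untagged and lands on the physical interface, other allowed VLANs leave with an 802.1Q tag and land on the matching subinterface, and a VLAN missing from the allowed list is pruned, which is why the ping fails once vlan 12 is removed. The MAC addresses and payload are constructed; the VLAN, interface and allowed-list values are the ones from the thread.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
# Constructed sample MAC addresses; the thread does not give any.
SWITCH_MAC = bytes.fromhex("001122334455")
ASA_MAC = bytes.fromhex("66778899aabb")

def trunk_egress(vlan, payload, native, allowed):
    """Cat3 f0/10 egress toward ASA1: a VLAN missing from 'switchport trunk
    allowed vlan' is dropped; the native VLAN leaves untagged; every other
    allowed VLAN gets a 4-byte 802.1Q tag (TPID + TCI) after the MACs."""
    if vlan not in allowed:
        return None
    frame = ASA_MAC + SWITCH_MAC
    if vlan != native:
        tci = vlan & 0x0FFF            # PCP=0, DEI=0, 12-bit VID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload

def asa_ingress(frame, subinterfaces):
    """ASA1 e0/0 ingress: an untagged frame belongs to the physical interface
    (no 'vlan' keyword there); a tagged frame goes to the subinterface whose
    'vlan' matches the VID, or is dropped when none does."""
    if frame is None:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return "outside"               # interface Ethernet0/0
    (tci,) = struct.unpack("!H", frame[14:16])
    return subinterfaces.get(tci & 0x0FFF)

def deliver(vlan, native, allowed, subinterfaces=None):
    """Which ASA1 interface (if any) receives a frame the switch sends on `vlan`."""
    if subinterfaces is None:
        subinterfaces = {55: "DMZ55"}  # interface Ethernet0/0.55, 'vlan 55'
    frame = trunk_egress(vlan, b"ICMP echo request", native, allowed)
    return asa_ingress(frame, subinterfaces)

if __name__ == "__main__":
    lab = {"native": 12, "allowed": {12, 55}}            # Cat3 f0/10 as configured
    print(deliver(12, **lab))                             # outside: native, untagged
    print(deliver(55, **lab))                             # DMZ55: tagged with VID 55
    print(deliver(12, native=12, allowed={55}))           # None: vlan 12 pruned
    print(deliver(99, native=12, allowed={12, 55, 99}))   # None: no subinterface for 99
```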
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com