05-21-2007 07:36 PM - edited 02-21-2020 01:31 AM
We have an ASA 5510 running 7.2(1)24 and a Catalyst 3650 running c3560-ipbase-mz.122-25.SEE2.bin. I need to create trunks between the two, but so far I've had no luck.
Here are the lines of configuration that have been added, but traffic cannot be passed on any VLAN. Any guidance would be appreciated.
=== ASA ===
interface Ethernet0/1
description Trunk to Cisco Catalyst switch
no nameif
no security-level
no ip address
!
interface Ethernet0/1.1
nameif inside
vlan 1
security-level 100
ip address 192.168.0.5 255.255.255.0
!
interface Ethernet0/1.5
nameif wireless
vlan 5
security-level 70
ip address 192.168.5.1 255.255.255.0
===Catalyst===
vlan 5
name wireless
!
interface FastEthernet0/48
description To ASA Port E0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,5
switchport mode trunk
05-22-2007 12:03 AM
Try to add this command for the ASA subinterfaces:
VLAN vlan number
interface Ethernet0/1.1
nameif inside
vlan 1
security-level 100
ip address 192.168.0.5 255.255.255.0
interface Ethernet0/1.5
nameif wireless
vlan 5
security-level 70
ip address 192.168.5.1 255.255.255.0
The command VLAN vlan number associates the subinterface with a VLAN (this differs from routers, where the subinterface number associates the subinterface with the VLAN)... Although the subinterface number and the VLAN ID do not have to match, it is a good practice to use the same number for ease of management.
Check this link for more info.
M.
Hope that helps; rate if it does.
05-22-2007 05:47 AM
I pasted the initial config script, forgetting it wasn't the final script I used off the laptop. The final script did have the vlan command, so the failure occurred with the vlans defined on the ASA. My bad, and thank you for the response.
The article brings up a thought I've had a couple of times. I understand the ASA tags VLAN 1 but the Catalyst doesn't for the trunk. Could there be a tagging problem here? I set up a trunk between a different ASA and Catalyst about 2 months ago, but the trunk did not include VLAN 1.
05-23-2007 10:42 AM
I ended up moving the trunk to E0/2 on the ASA and kept the above configuration with the exception that VLAN 1 became VLAN 3 and the IP addressing change associated with the other VLAN. This came up with no problems. Ethernet 0/2 of the ASA is also plugged into a different Catalyst switch (Cat 4948). Given both ends of the trunk changed, I'm not sure what fixed it, but I don't want to mess around with a production firewall in attempting to figure out why this works while the old one didn't.
05-23-2007 06:09 PM
This is just a guess, but....
Vlan 1 is the native vlan by default on most switches. On trunks, what this means is that it's expected that Vlan1 *not* be tagged with dot1q. For the ASA, not tagging frames only occurs with the physical interface.
I.e., if you wanted to use VLAN 1 (i.e. the native VLAN), simply use the 'nameif' command on the ASA physical interface (since you used 'no nameif' on the physical interface, the physical interface will not pass traffic).
This is all just a guess (:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/intrface.htm
05-24-2007 07:30 AM
Try to move your E0/1.1 interface to E0/1.2 and use VLAN tag 2. Perhaps dot1q on the ASA is having issues with VLAN 1. Most devices use VLAN 1 as the native VLAN. Also ensure your VLANs are active on the 3560.
We are using an almost identical config, with the exception of VLAN 1, and the configuration works fine.
We found during deployment that when using dot1q trunks on a PIX/ASA, the native VLAN is not very friendly.
05-24-2007 07:55 AM
The other option is to use the current configuration and simply assign a different native VLAN on the switch port trunk. Maybe.
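A small consistency check for the native-VLAN mismatch described in the last two replies (an added example, not code from any poster; the sample configs are constructed from the thread): it reads the `vlan` tag of each ASA subinterface and the switch trunk's native and allowed VLANs, and flags any tag the switch would send untagged or not carry at all.

```python
import re
# Constructed configs: ASA tags VLAN 1, the 3560 trunk sends VLAN 1 untagged (default native).
ASA_CONFIG = """\
interface Ethernet0/1.1
 nameif inside
 vlan 1
interface Ethernet0/1.5
 nameif wireless
 vlan 5
"""
SWITCH_CONFIG = """\
interface FastEthernet0/48
 switchport trunk allowed vlan 1,5
 switchport mode trunk
"""

def asa_tagged_vlans(cfg):
    """Map each ASA subinterface to the 802.1Q tag its 'vlan' line assigns."""
    tagged, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:  # only subinterfaces (name contains a dot) carry a tag
            current = m.group(1) if "." in m.group(1) else None
        m = re.match(r"\s+vlan (\d+)", line)
        if m and current:
            tagged[current] = int(m.group(1))
    return tagged

def switch_trunk(cfg):
    """Return (native_vlan, allowed_vlans) for the trunk; native defaults to 1."""
    native, allowed = 1, None
    for line in cfg.splitlines():
        m = re.match(r"\s+switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"\s+switchport trunk allowed vlan ([\d,-]+)", line)
        if m:
            allowed = set()
            for part in m.group(1).split(","):  # handles "1,5" and "10-20"
                lo, _, hi = part.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    return native, allowed

def trunk_mismatches(asa_cfg, switch_cfg):
    """Flag ASA tags the switch would send untagged (native) or not at all."""
    native, allowed = switch_trunk(switch_cfg)
    problems = []
    for subif, vid in asa_tagged_vlans(asa_cfg).items():
        if vid == native:
            problems.append(f"{subif}: VLAN {vid} is the switch native VLAN (untagged)")
        elif allowed is not None and vid not in allowed:
            problems.append(f"{subif}: VLAN {vid} not in trunk allowed list")
    return problems
```

Adding `switchport trunk native vlan 99` to the switch side, as the last reply suggests, makes the check come back clean.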