Catalyst Express and Trunking from ASA 5505

Unanswered Question
Feb 22nd, 2008


I'm trying to set up trunking from an ASA 5505 to a Catalyst Express CE-500.

Unfortunately, I'm confused as to what "smartport" role to use. I've tried both "switch" and "router" because I need something that turns on trunking. The problem is, the ASA will NOT send untagged traffic, so there is no native vlan (untagged). However, on the CE-500, I have to put in something for a "native vlan". Since I don't use vlan 1 for anything, I put that in as the native vlan.

This actually seems to work just fine for my tagged traffic VLANs. However, the Catalyst Express freaks out and generates an alarm light on the panel of the switch, and when I read why in the GUI, it says that "there is a smartport mismatch" on the port that I've got trunked to the ASA 5505.

I want to pull my hair out - everything is fine - speed and duplex match (I've got that hardcoded on both sides), and the VLANs that are active on the 5505 work to the CE500. The only thing I can assume is that it's freaking out because it's not seeing any untagged traffic?

Any thoughts?

Edison Ortiz Fri, 02/22/2008 - 18:03

You are correct. The ASA 5500 Series does not support untagged packets even with version 8.0, as indicated in this document:

This switch port cannot pass traffic until you assign at least one VLAN to it. Trunk ports do not support untagged packets; there is no native VLAN support, and the adaptive security appliance drops all packets that do not contain a tag specified in this command.

I suggest ignoring the alarm light on the CE-500.

I'm not sure if the CE-500 supports the vlan dot1q tag native command. If it does, that should correct this issue.




maltuna Sun, 02/24/2008 - 12:46

Thanks for the reply!

Unfortunately, the CE-500 is GUI-based, meaning there technically is no CLI access. There is a way to "see" some CLI output, by throwing /exec on the end of the GUI URL. However, this isn't actually CLI, and some commands are not there or are ignored. I'm not sure if this is a limitation of the GUI itself or of the actual IOS version on these switches.

In any case, while I can "configure" the interface in question, the "vlan" command is invalid. Looking through the available commands, I can set allowed VLANs, set trunking to nonegotiate, etc., but the look is more like the 2900 syntax rather than the 3600 syntax.

Sadly, it appears that you may be right and I just have to ignore the alarm light. That's always fun to explain to a customer!

Thanks a lot for your time and help!!!


