02-27-2009 05:16 AM - edited 03-06-2019 04:17 AM
Hi,
I have a Cisco ASA 5520 which has a 3750 trunked off it (see diagram, ignore the ASA standby).
Everything is working, but I can see the following VLANs are allowed through the trunk - 3,4,6,7,9,10,300, but VLAN 2 isn't in this allow list and it still works.
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3,4,6,7,9,10,300
switchport mode trunk
I'm doing a packet capture on this port and want to filter traffic based on VLAN tag ID, but VLAN 2 doesn't show up in the capture, only the ones mentioned above.
02-27-2009 05:28 AM
Hi
From looking at your diagram, VLAN 2 has a direct connection into the ASA inside interface and doesn't use the trunk, so you won't see it tagged.
02-27-2009 05:41 AM
Could I simply add VLAN 2 to get it to show up?
02-27-2009 05:46 AM
What information do you need to see?
If you want to see the traffic coming from VLAN 2, then add the inside interface to your capture command:
ASA#capture
then do
show capture
Or if you are doing it from your switch, as you said, add the VLAN or the port going to the ASA to your monitor session.
02-27-2009 08:30 AM
I'm doing it from the switch, so I'm spanning/mirroring the port to port 48.
You said add the port going to the ASA to my monitor session, but you can see I'm already monitoring port 3 on the switch, which goes to the ASA.
02-27-2009 05:44 AM
Check the configuration on the ASA. The port on the ASA would be in access mode, VLAN 2.
02-27-2009 08:26 AM
This is all I have for the inside port, which is fas1/0/3 on the switch (VLAN 2) and giga0/1 on the ASA:
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.10.50 255.255.0.0 standby 192.168.10.49
ospf cost 10
02-27-2009 08:29 AM
That's fine. If you want to capture packets coming into and leaving this interface, use the capture command as above.
02-27-2009 08:33 AM
I'm using the switch to do all the capturing though, to port 48. I'm just mirroring the ports to port 48; no sign of VLAN 2, but everything else:
monitor session 2 source interface Fa1/0/1 , Fa1/0/3 , Fa1/0/9
monitor session 2 destination interface Fa1/0/48 encapsulation replicate
02-27-2009 01:30 PM
Then you should be getting the traffic you need. If not, tell me what traffic you want and I will tell you how to get it.
02-28-2009 05:41 AM
I want my Observer packet capturing server to "see" VLAN tags for VLAN 2 and 3. At the moment it only receives VLAN 1; everything else goes into a VLAN called "no VLAN" on Observer because it is not seeing the tags.
Observer is in port 1/0/48 and I span the ports 1/0/3 (inside of ASA) and 1/0/9 (outside of ASA). The Cisco 3750 switch is doing all the work. I added this:
monitor session 2 source interface Fa1/0/3 , Fa1/0/9
monitor session 2 destination interface Fa1/0/48 encapsulation replicate
And here is the port info:
interface FastEthernet1/0/3
description inside ASA
switchport access vlan 2
interface FastEthernet1/0/9
description Outside ASA
switchport access vlan 3
If I change:
monitor session 2 source interface Fa1/0/3 , Fa1/0/9
to
monitor session 2 source interface Fa1/0/1
Which is:
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3,4,6,7,9,10,300
switchport mode trunk
which is the trunk to the ASA, I see all the VLANs apart from VLAN 2, so I know the NIC on the server and the span config are working OK and picking up the VLAN tags.
I would have thought the span would pick up the VLAN tags and pass them over to the Observer packet capturing server on port 1/0/48.
02-28-2009 06:17 AM
Hi
You won't see tags for VLAN 2, as the port it traverses is an access port and not a trunk, so it does not tag frames. If you want to see the packets coming from VLAN 2, you can add a VLAN as a monitor source, but they still won't go via the trunk because, as you have already stated, they are not added as an allowed VLAN on the trunk port.
02-28-2009 06:49 AM
Shouldn't I at least see VLAN 3 then?
Should I add VLAN 2 to the allow list even though it's not needed and won't make any difference, but is there a chance it adds the tags then?
Or best leave as it is?
02-28-2009 06:55 AM
Don't add VLAN 2 to the trunk, as it's not needed. If traffic for VLAN 3 is passing the trunk interface and VLAN 3 is not native, you should see it tagged in the capture.
02-28-2009 07:13 AM
I think VLAN 1 is native on mine.
It seems no port will show VLAN info apart from the trunks. I just tried it on others in different VLANs.