PIX trunks: invalid VLAN ID errors

mcroft

Hi,

I have a very simple config :

1x PIX 535 firewall running 6.3 and 1x 2960 ethernet switch.

I am trying to get dot1q trunking working between the two, and utilize VLANs through one single physical connection.

This is easy, right? But I see thousands of VLAN errors.

<--------------PIX conf--------------->

interface ethernet5 100full

interface ethernet5 vlan10 logical

interface ethernet5 vlan12 logical

nameif ethernet5 TRUNK-LINK security9

nameif vlan10 WEB_DMZ security2

nameif vlan12 WEB2_DMZ security16

ip address WEB_DMZ 172.16.10.254 255.255.255.0

ip address WEB2_DMZ 172.16.20.254 255.255.255.0

<-------------2960 config-------------->

interface GigabitEthernet1/15

description *** FIREWALL TRUNK to DMZ 172.16.x.x **

switchport trunk encapsulation dot1q

switchport mode trunk

GS-MLS01#show vlan br

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi1/1, Gi1/2, Gi1/41, Gi1/44

10 172.16.10-->DMZ-WEB

12 172.16.20-->DMZ-SMS active

------------------------------------------

Am I missing something?

I can't get it working and see lots of VLAN errors: "25821 invalid VLAN ID errors"

PIX: show int5 ....

interface ethernet5 "TRUNK-LINK" is up, line protocol is up

Hardware is i82558 ethernet, address is 00e0.b601.011c

MTU 1500 bytes, BW 100000 Kbit full duplex

27175 packets input, 1990556 bytes, 0 no buffer

Received 27227 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

3 packets output, 180 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/13)

output queue (curr/max blocks): hardware (0/1) software (0/1)

200 aggregate VLAN packets input, 16318 bytes

3 aggregate VLAN packets output, 138 bytes

1154 native VLAN packets input, 69240 bytes

3222509 native VLAN packets output, 154682068 bytes

25821 invalid VLAN ID errors

interface vlan10 "WEB_DMZ" is up, line protocol is up

Hardware is i82558 ethernet, address is 00e0.b601.011c

IP address 172.16.10.254, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

0 packets input, 0 bytes

4 packets output, 184 bytes

interface vlan12 "intf8" is up, line protocol is up

Hardware is i82558 ethernet, address is 00e0.b601.011c

IP address 172.16.20.254, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

200 packets input, 16318 bytes

3 packets output, 138 bytes

Hope you can help, because I have exhausted all the PIX 6.3 config guides.

Thanks for reading

Matt

9 Replies

The configuration steps below are from the PIX 6.3 configuration guide; you might want to follow them:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113411

Step 1: Assign the interface speed to a physical interface by entering the following command:

interface ethernet0 auto

Step 2: Assign VLAN2 to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan2 physical

By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.

Step 3: Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan3 logical

This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.

Step 4: Configure the logical and physical interfaces by entering the following commands:

nameif ethernet0 outside security0

nameif vlan3 dmz security50

ip address outside 192.168.101.1 255.255.255.0

ip address dmz 192.168.103.1 255.255.255.0

The first line assigns the name outside to ethernet0 (the physical interface) and sets the security level to zero. The second line assigns the name dmz to vlan3 (the logical interface) and sets the security level to 50. The third and fourth lines assign IP addresses to both interfaces.

After this configuration is enabled, the outside interface sends packets with a VLAN identifier of 2, and the dmz interface sends packets with a VLAN identifier of 3. Both types of packets are transmitted from the same physical interface (ethernet0).

Bind the physical interface to a VLAN:

interface ethernet5 vlanx physical

Hi,

Thank you for the ultra fast response.

I have adjusted my config and am now using the "physical" command, i.e.

interface ethernet5 vlan2 physical

interface ethernet5 vlan10 logical

interface ethernet5 vlan12 logical

However, I am still seeing thousands of VLAN errors :(

---------------------------------------

49239 invalid VLAN ID errors, 53 native VLAN errors

-------------------------------------

Please, I hope you can help.

Reboot the device and check.

Can you post output of "sh int trunk" from the 2960 ?

Jon

Hi Jon,

Unfortunately I am not able to reboot: LIVE switch! Unless I wait until Sunday at 3am .... Ouch.

Here's the output:

P.S. It's interface Gi1/15.


switch#sh int trunk

Port Mode Encapsulation Status Native vlan

Gi1/7 on 802.1q trunking 1

Gi1/8 on 802.1q trunking 1

Gi1/9 on 802.1q trunking 1

Gi1/10 on 802.1q trunking 1

Gi1/15 on 802.1q trunking 1

Gi1/42 on 802.1q trunking 1

Gi1/45 on 802.1q trunking 1

Gi1/46 on 802.1q trunking 1

Gi1/48 on 802.1q trunking 1

Po1 on 802.1q trunking 1

Port Vlans allowed on trunk

Gi1/7 1-4094

Gi1/8 1-4094

Gi1/9 1-4094

Gi1/10 1-4094

Gi1/15 1-4094

Gi1/42 1-4094

Gi1/45 1-4094

Gi1/46 1-4094

Gi1/48 1-4094

Po1 1-4094

Port Vlans allowed and active in management domain

Gi1/7 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/8 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/9 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/10 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/15 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/42 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/45 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/46 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/48 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Po1 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Port Vlans in spanning tree forwarding state and not pruned

Gi1/7 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/8 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/9 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/10 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/15 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/42 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/45 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/46 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Gi1/48 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Po1 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500

Thanks

Matt

Matt

I would configure the trunk link on the 2960 to only allow the VLANs that are active on the PIX and remove the others, so -

int gi1/15

switchport trunk allowed vlan remove 1,3,18,20,30,35,50,55-57,60,70,100,400,500

This should not need a switch reboot, but I would still do this out of hours as there may be knock-on effects on STP.

Jon

Matt

Actually, it may be better to remove all VLANs from the trunk and then add in the ones you want, simply because if in future you add more VLANs to the switch they will go across the trunk link, so

int gi1/15

switchport trunk allowed vlan none

switchport trunk allowed vlan add 2,10,12

Jon
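As an added illustration (written for this page, not code from Cisco or from anyone in the thread), the following Python models the two points made above: the PIX "invalid VLAN ID" counter climbing because the 2960 floods tagged frames for every active VLAN onto Gi1/15 while the PIX only has interfaces for VLANs 2, 10 and 12, and Jon's fix of allowing only those VLANs on the trunk. PIX_VLANS and SWITCH_ACTIVE are taken from the posted config and "sh int trunk" output; the counter model (untagged = native, known VID = VLAN, unknown VID = invalid) is an assumption based on the counter names.

```python
import struct

# Constructed from the thread, not PIX/IOS code: VLANs the PIX trunk has
# interfaces for (vlan2 physical, vlan10/vlan12 logical) and the VLANs the
# 2960 reports as active on Gi1/15. VLAN 1 is the switch's native VLAN.
PIX_VLANS = {2, 10, 12}
SWITCH_ACTIVE = "1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500"

def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1-3,10,12' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def frame_vlan(frame):
    """Return the 802.1Q VID of an Ethernet frame, or None if it is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != 0x8100:   # TPID
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 bits of TCI

def make_frame(vid=None):
    """Constructed minimal frame: dst is the PIX MAC from the thread, src is made up."""
    hdr = bytes.fromhex("00e0b601011c") + bytes.fromhex("0050000000aa")
    if vid is not None:
        hdr += struct.pack("!HH", 0x8100, vid)        # PCP=0, DEI=0, VID=vid
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46

def classify(frames, configured=PIX_VLANS):
    """Model (an assumption based on the counter names) of how the PIX
    'show interface' counters bucket trunk traffic: untagged -> native,
    known VID -> VLAN, VID with no PIX interface -> invalid VLAN ID."""
    counts = {"native": 0, "vlan": 0, "invalid": 0}
    for f in frames:
        vid = frame_vlan(f)
        key = "native" if vid is None else ("vlan" if vid in configured else "invalid")
        counts[key] += 1
    return counts

def stray_vlans(switch_list, configured=PIX_VLANS, native=1):
    """Tagged VLANs the switch floods onto the trunk that the PIX cannot accept."""
    return sorted(parse_vlan_list(switch_list) - configured - {native})

def prune_commands(configured=PIX_VLANS):
    """Jon's 'allow only what the PIX has' approach, as IOS interface commands."""
    return ["switchport trunk allowed vlan none",
            "switchport trunk allowed vlan add " + ",".join(map(str, sorted(configured)))]
```

Running stray_vlans(SWITCH_ACTIVE) lists the fourteen VLANs that would be tagged onto the trunk with no matching PIX interface, which is the set Jon's "remove" command takes off Gi1/15.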

Thanks Jon,

I will make the changes and reload too (out of hours).

Fingers crossed.

Thanks once again.

Matt

No problem, let me know how you get on. You should not need to reload either device though for this to take effect.

Jon
