03-06-2009 06:46 AM - edited 03-11-2019 08:01 AM
Hi,
I have a very simple config :
1x PIX 535 firewall running 6.3 and 1x 2960 ethernet switch.
I am trying to get dot1q trunking working between the two, and utilize VLANs through one single physical connection.
This is easy, right? But I see thousands of VLAN errors.
<--------------PIX conf--------------->
interface ethernet5 100full
interface ethernet5 vlan10 logical
interface ethernet5 vlan12 logical
nameif ethernet5 TRUNK-LINK security9
nameif vlan10 WEB_DMZ security2
nameif vlan12 WEB2_DMZ security16
ip address WEB_DMZ 172.16.10.254 255.255.255.0
ip address WEB2_DMZ 172.16.20.254 255.255.255.0
<-------------2960 config-------------->
interface GigabitEthernet1/15
description *** FIREWALL TRUNK to DMZ 172.16.x.x **
switchport trunk encapsulation dot1q
switchport mode trunk
GS-MLS01#show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/1, Gi1/2, Gi1/41, Gi1/44
10 172.16.10-->DMZ-WEB
12 172.16.20-->DMZ-SMS active
------------------------------------------
Am I missing something?
I can't get it working and see lots of VLAN errors: "25821 invalid VLAN ID errors"
PIX: show int5 ....
interface ethernet5 "TRUNK-LINK" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b601.011c
MTU 1500 bytes, BW 100000 Kbit full duplex
27175 packets input, 1990556 bytes, 0 no buffer
Received 27227 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3 packets output, 180 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/13)
output queue (curr/max blocks): hardware (0/1) software (0/1)
200 aggregate VLAN packets input, 16318 bytes
3 aggregate VLAN packets output, 138 bytes
1154 native VLAN packets input, 69240 bytes
3222509 native VLAN packets output, 154682068 bytes
25821 invalid VLAN ID errors
interface vlan10 "WEB_DMZ" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b601.011c
IP address 172.16.10.254, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
0 packets input, 0 bytes
4 packets output, 184 bytes
interface vlan12 "intf8" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b601.011c
IP address 172.16.20.254, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
200 packets input, 16318 bytes
3 packets output, 138 bytes
Hope you can help, because I have exhausted all the PIX 6.3 config guides.
Thanks for reading,
Matt
03-06-2009 07:20 AM
The configuration steps below are from the PIX 6.3 configuration guide; you might want to follow them:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113411
Step 1: Assign the interface speed to a physical interface by entering the following command:
interface ethernet0 auto
Step 2: Assign VLAN2 to the physical interface (ethernet0) by entering the following command:
interface ethernet0 vlan2 physical
By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.
Step 3 : Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:
interface ethernet0 vlan3 logical
This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.
Step 4 : Configure the logical and physical interfaces by entering the following commands:
nameif ethernet0 outside security0
nameif vlan3 dmz security50
ip address outside 192.168.101.1 255.255.255.0
ip address dmz 192.168.103.1 255.255.255.0
The first line assigns the name outside to ethernet0 (the physical interface) and sets the security level to zero. The second line assigns the name dmz to vlan3 (the logical interface) and sets the security level to 50. The third and fourth lines assign IP addresses to both interfaces.
After this configuration is enabled, the outside interface sends packets with a VLAN identifier of 2, and the dmz interface sends packets with a VLAN identifier of 3. Both types of packets are transmitted from the same physical interface (ethernet0).
Bind the physical interface to a vlan
interface ethernet5 vlanx physical
03-06-2009 07:50 AM
Hi,
Thank you for the ultra fast response.
I have adjusted my config and now using the "physical" command i.e.
interface ethernet5 vlan2 physical
interface ethernet5 vlan10 logical
interface ethernet5 vlan12 logical
However, I am still seeing thousands of VLAN errors :(
---------------------------------------
49239 invalid VLAN ID errors, 53 native VLAN errors
-------------------------------------
Please, I hope you can help.
03-06-2009 07:52 AM
Reboot the device and check.
03-06-2009 07:53 AM
Can you post output of "sh int trunk" from the 2960 ?
Jon
03-06-2009 07:59 AM
Hi Jon,
Unfortunately I am not able to reboot: LIVE switch! Unless I wait until Sunday at 3am .... Ouch.
Here's the output:
P.S. it's interface Gi1/15 ...
switch#sh int trunk
Port Mode Encapsulation Status Native vlan
Gi1/7 on 802.1q trunking 1
Gi1/8 on 802.1q trunking 1
Gi1/9 on 802.1q trunking 1
Gi1/10 on 802.1q trunking 1
Gi1/15 on 802.1q trunking 1
Gi1/42 on 802.1q trunking 1
Gi1/45 on 802.1q trunking 1
Gi1/46 on 802.1q trunking 1
Gi1/48 on 802.1q trunking 1
Po1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/7 1-4094
Gi1/8 1-4094
Gi1/9 1-4094
Gi1/10 1-4094
Gi1/15 1-4094
Gi1/42 1-4094
Gi1/45 1-4094
Gi1/46 1-4094
Gi1/48 1-4094
Po1 1-4094
Port Vlans allowed and active in management domain
Gi1/7 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/8 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/9 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/10 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/15 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/42 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/45 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/46 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/48 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Po1 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Port Vlans in spanning tree forwarding state and not pruned
Gi1/7 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/8 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/9 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/10 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/15 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/42 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/45 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/46 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Gi1/48 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Po1 1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500
Thanks
Matt
03-06-2009 08:07 AM
Matt
I would configure the trunk link on the 2960 to only allow the vlans that are active on the pix and remove the others, so:
int gi1/5
switchport trunk allowed vlan remove 1,3,18,20,30,35,50,55-57,60,70,100,400,500
This should not need a switch reboot, but I would still do this out of hours as there may be knock-on effects to STP.
Jon
03-06-2009 08:13 AM
Matt
Actually it may be better to remove all vlans from the trunk and then add in the ones you want, simply because if in future you add more vlans to the switch they will go across the trunk link, so:
int gi1/5
switchport trunk allowed vlan none
switchport trunk allowed vlan add 2,10,12
Jon
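The two replies above explain the mechanism behind the counter Matt is seeing: the 2960 floods every VLAN that is both allowed on the trunk and active in the VTP domain towards the PIX, while the PIX only has interfaces for VLANs 2, 10 and 12 and counts every other tag as an invalid VLAN ID error. The script below is an added illustration written for this thread, not Cisco code and not anything either poster provided. It models that behaviour with the VLAN list from Matt's "sh int trunk" output, applies the "switchport trunk allowed vlan" commands from Jon's reply, and reports what the PIX counters would look like before and after. The one-broadcast-per-VLAN traffic sample is constructed, and counting untagged frames as "native VLAN errors" once a physical VLAN is bound is an assumption drawn from the counter Matt reported after adding "interface ethernet5 vlan2 physical".

```python
"""
Model of a 2960 802.1Q trunk feeding a PIX 6.3 with VLAN interfaces 2 (physical),
10 and 12 (logical).  Added illustration for the thread; not Cisco code.
"""
from collections import Counter


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as "1-3,10,12,55-57" into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def apply_allowed_vlan_commands(allowed, active, commands):
    """Apply 'switchport trunk allowed vlan ...' lines to the current allowed
    set and return the VLANs the trunk will actually carry: those allowed AND
    active in the management domain, as 'sh int trunk' lists them."""
    allowed = set(allowed)
    for cmd in commands:
        words = cmd.split()
        if words[:4] != ["switchport", "trunk", "allowed", "vlan"] or len(words) < 5:
            raise ValueError("not an allowed-vlan command: %r" % cmd)
        action = words[4]
        arg = parse_vlan_list(words[5]) if len(words) > 5 else set()
        if action == "none":
            allowed = set()
        elif action == "all":
            allowed = set(range(1, 4095))
        elif action == "add":
            allowed |= arg
        elif action == "remove":
            allowed -= arg
        elif action == "except":
            allowed = set(range(1, 4095)) - arg
        else:                      # a bare list replaces the whole set
            allowed = parse_vlan_list(action)
    return allowed & set(active)


def pix_classify(frames, pix_vlans, expect_tagged):
    """Count frames as the PIX trunk interface would.  A frame is its VLAN tag
    (int) or None when untagged.  Tags with a configured physical/logical
    interface are accepted, any other tag is an 'invalid VLAN ID error', and
    untagged frames are native traffic, or 'native VLAN errors' when a physical
    VLAN binding makes the PIX expect every frame to be tagged (assumption)."""
    counts = Counter()
    for tag in frames:
        if tag is None:
            counts["native VLAN errors" if expect_tagged else "native"] += 1
        elif tag in pix_vlans:
            counts["accepted"] += 1
        else:
            counts["invalid VLAN ID errors"] += 1
    return counts


# Values taken from the thread: VLANs active on the 2960 trunk, and the PIX's
# VLANs after Matt added "interface ethernet5 vlan2 physical".
ACTIVE_ON_SWITCH = parse_vlan_list("1-3,10,12,18,20,30,35,50,55-57,60,70,100,400,500")
NATIVE_VLAN = 1
PIX_VLANS = {2, 10, 12}
JON_FIX = [
    "switchport trunk allowed vlan none",
    "switchport trunk allowed vlan add 2,10,12",
]


def one_broadcast_per_vlan(forwarded, native_vlan):
    """Constructed traffic sample: one flooded broadcast per carried VLAN.
    IOS sends the native VLAN untagged on an 802.1Q trunk (tag None)."""
    return [None if v == native_vlan else v for v in sorted(forwarded)]


def simulate(commands):
    """Apply the given allowed-vlan commands on top of the default 'allowed
    1-4094' and return the PIX counters for one broadcast per carried VLAN."""
    forwarded = apply_allowed_vlan_commands(range(1, 4095), ACTIVE_ON_SWITCH, commands)
    frames = one_broadcast_per_vlan(forwarded, NATIVE_VLAN)
    return pix_classify(frames, PIX_VLANS, expect_tagged=True)


if __name__ == "__main__":
    print("before pruning:", dict(simulate([])))     # 3 accepted, 14 invalid, 1 native error
    print("after Jon's fix:", dict(simulate(JON_FIX)))  # 3 accepted, no errors
```

With the default allowed list, 14 of the 18 active VLANs reach the PIX with tags it has no interface for, which is why the invalid VLAN ID counter keeps climbing. Either of Jon's variants (remove the unwanted VLANs, or "none" followed by "add 2,10,12") leaves only the three VLANs the PIX knows about on the trunk; the "none"/"add" form also keeps any VLAN created on the switch later from being flooded at the firewall.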
03-06-2009 08:57 AM
Thanks Jon,
I will make the changes and reload too (out of hours).
Fingers crossed.
Thanks once again.
03-06-2009 09:02 AM
Matt
No problem, let me know how you get on. You should not need to reload either device though for this to take effect.
Jon