PIX to C2950T Trunking issue

mikespenard
Level 1

Hi All,

I am trying to trunk a PIX-515E to a C2950T switch. Both, from my understanding, support (only) 802.1q.

Briefly, vlan1 is for network device management 172.16.1.x ; vlan103 is for workstation data 192.168.32.x

PIX vlan1 IP: 172.16.1.1

PIX vlan103 IP: 192.168.32.3

Switch vlan1 IP: 172.16.1.4

My issue is that, while vlan103 is working fine (I can ping to and from 192.168.32.3; the PIX's vlan103 IP), I cannot ping to or from the PIX on vlan1.

Oddly, on the PIX "native VLAN" errors are being generated despite the native vlanID on the switch being set to 1. This would suggest the PIX is not using vlanID1 for native untagged traffic. But I am unsure if this is really the issue or how to fix it.

interface ethernet1 "IT_LAN" is up, line protocol is up
  IP address 172.16.1.1, subnet mask 255.255.255.0
        ...
        322004 aggregate VLAN packets input, 36029395 bytes
        429874 aggregate VLAN packets output, 281698785 bytes
        0 vlan1 packets input, 0 bytes
        31 vlan1 packets output, 1426 bytes
        43571 invalid VLAN ID errors, 37 native VLAN errors
interface vlan103 "inside" is up, line protocol is up
  IP address 192.168.32.3, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        322004 packets input, 36029395 bytes
        429843 packets output, 281697359 bytes

----switch config----

interface FastEthernet0/1
description PIX-INT TRUNK
switchport mode trunk
no ip address
!

interface Vlan1
ip address 172.16.1.4 255.255.255.0
no ip route-cache
!

------------------------

-----PIX config----

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan1 physical
interface ethernet1 vlan103 logical
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 IT_LAN security90
nameif ethernet2 intf2 security4
nameif vlan103 inside security100

...

ip address outside 173.162.187.50 255.255.255.240
ip address IT_LAN 172.16.1.1 255.255.255.0
no ip address intf2
ip address inside 192.168.32.3 255.255.255.0 103

----------------


10 Replies

Jon Marshall
Hall of Fame

Mike

Looking through the forums there does seem to be an issue with this. Apparently the vlan you configure as physical (as opposed to logical) must be the native vlan but you have done this already.

I have used trunking many times on pix but not using the native vlan because it is not recommended,

Could you on the 2950 switch -

1) create a dummy vlan ie. one with no ports in and no L3 vlan interface eg. vlan 999

2) on the 2950 -

int fa0/1

switchport trunk native vlan 999

Jon

Thanks Jon, this does seem to be either a bug or something very non-intuitive.

I'm not sure what you would like me to do with the dummy vlan... Could you explain more? As setting the native vlan ID to 999 on the switch would still kick off "native vlan errors" on the PIX.

mikespenard wrote:

Thanks Jon, this does seem to be either a bug or something very non-intuitive.

I'm not sure what you would like me to do with the dummy vlan... Could you explain more? As setting the native vlan ID to 999 on the switch would still kick off "native vlan errors" on the PIX.

Mike

I'm not sure it would kick off errors because it won't be sending anything for vlan 999. If you set the native vlan to 999 then all vlans going to the pix will be tagged including vlan 1. Like i say i have never had an issue with trunking to pix firewalls but i have never used the native vlan as one of the vlans on the trunk.

If you create vlan 999 or any vlan really on the switch and make that the native vlan nothing will ever be sent for that vlan ie. no packets will arrive at the pix without an 802.1q tag. From experience i don't believe you have to have an untagged vlan on the pix physical interface, rather if you are going to use 802.1q and you want to pass the native vlan it must be on the physical interface.

Jon
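To make the tagged-versus-untagged point concrete, here is an added example (not code from this thread, the PIX, or the 2950): it builds and parses 802.1Q-tagged Ethernet frames, models a 2950-style trunk that sends its native VLAN untagged, and models a receiver that, like the PIX in Mike's symptom, only classifies tagged frames. The counter names are borrowed from the "sh int" output above, but which condition increments which counter on a real PIX is this model's assumption, as are the MAC addresses and payload.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; when vlan_id is given, insert one 802.1Q tag (TPID + TCI)."""
    if vlan_id is not None and not 1 <= vlan_id <= 4094:
        raise ValueError("VID 0 and 4095 are reserved")
    hdr = mac(dst) + mac(src)
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan_id (None when untagged), the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": etype, "payload": frame[offset:]}


class SwitchTrunkPort:
    """Sender: a trunk port emits its native VLAN untagged and every other VLAN tagged."""

    def __init__(self, native_vlan=1):
        self.native_vlan = native_vlan

    def emit(self, vlan, payload):
        tag = None if vlan == self.native_vlan else vlan
        # Constructed documentation-range MAC addresses.
        return build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", payload, vlan_id=tag)


class TaggedOnlyReceiver:
    """Receiver modelled on the symptom in the thread: only tagged frames are classified.
    Model assumption: untagged frames count as 'native VLAN errors', tags for VLANs that
    are not configured count as 'invalid VLAN ID errors'."""

    def __init__(self, configured_vlans):
        self.configured = set(configured_vlans)
        self.counters = {"native VLAN errors": 0, "invalid VLAN ID errors": 0}
        self.per_vlan = {v: 0 for v in configured_vlans}

    def receive(self, frame):
        vid = parse_frame(frame)["vlan_id"]
        if vid is None:
            self.counters["native VLAN errors"] += 1
            return None
        if vid not in self.configured:
            self.counters["invalid VLAN ID errors"] += 1
            return None
        self.per_vlan[vid] += 1
        return vid


def simulate(native_vlan):
    """Send one vlan1 frame and one vlan103 frame over a trunk with the given native VLAN."""
    switch = SwitchTrunkPort(native_vlan)
    pix = TaggedOnlyReceiver(configured_vlans=[1, 103])
    for vlan in (1, 103):
        pix.receive(switch.emit(vlan, b"constructed ICMP echo payload"))
    return {"per_vlan": pix.per_vlan, "counters": pix.counters}


if __name__ == "__main__":
    print("native vlan 1  :", simulate(1))     # vlan1 arrives untagged and is not classified
    print("native vlan 999:", simulate(999))   # vlan1 and vlan103 both arrive tagged
```

With the switch's native VLAN left at 1, the vlan1 frame crosses the trunk untagged and the receiver never credits it to vlan1, which is the "0 vlan1 packets input" plus "native VLAN errors" pattern above; with "switchport trunk native vlan 999" every frame the PIX cares about carries a tag and both VLANs are classified.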

Gotchya, force native ID to 999. That way I can force vlan1 to be tagged on the PIX; which only seems to support tagged traffic.

Great idea! Many thanks.

Also, any idea how to clear vlan 'sh int' stats?

Mike

Do you mean on the pix ? - if so in config mode,

pix(config)# clear interface counters

Jon

Ahh, I need to be in config mode. That was my issue clearing counters, doh.

------------

Also, I'm having a subsequent issue now that all the vlan traffic is up to the PIX. I can ping nodes on each vlan subnet from the PIX. However, I can't seem to ping from a node on one subnet to a node on the other, using the PIX as a default gateway.

E.g.

PIX IP = 172.16.1.1 on vlan1

PIX IP - 192.168.32.3 on vlan103

Switch IP = 172.16.1.4 on vlan1 default GW = 172.16.1.1

And I cannot ping 192.168.32.3 from the switch

I'm guessing NAT and/or ACL(s) needs tweaking???

----pix config-----------

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan999 physical
interface ethernet1 vlan1 logical
interface ethernet1 vlan103 logical
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 native security90
nameif ethernet2 intf2 security4
nameif vlan103 inside security100
nameif vlan1 IT_LAN security90

.

ip address outside x.x.x.x 255.255.255.240
no ip address native
no ip address intf2
ip address inside 192.168.32.3 255.255.255.0
ip address IT_LAN 172.16.1.1 255.255.255.0

.

access-list inside_outbound_nat0_acl permit ip any 192.168.32.192 255.255.255.192
access-list vpnlist permit ip 192.168.32.0 255.255.255.0 any
access-list vpnlist permit ip 192.168.52.0 255.255.255.0 any
access-list outside_inbound_acl permit icmp any any

.

global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_inbound_acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.52.0 255.255.255.0 192.168.32.1 1

Mike

interface ethernet1 vlan999 physical
interface ethernet1 vlan1 logical
interface ethernet1 vlan103 logical

interesting that you did it that way. I was assuming you would do -

interface ethernet1 vlan1 physical
interface ethernet1 vlan103 logical

however if it works fine.

Anyway on to the problem at hand.

inside interface (vlan 103) has security level 100

IT_LAN interface (vlan 1) has security level 90

so to get from IT_LAN to inside you would need to either do a nat exemption or setup statics. Easiest way is nat exemption because it works both ways so it would also cover inside -> IT_LAN.

Add this to your config

access-list NATEXT permit ip 192.168.32.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list NATEXT

Now if you want to initiate connections from IT_LAN to inside you will also need an acl because IT_LAN has a lower security level eg.

access-list ITLAN_to_inside permit etc..... (ie. whatever you want to permit)

access-group ITLAN_to_inside in interface IT_LAN

*** Edit - Easiest way is nat exemption because it works both ways so it would also cover inside -> IT_LAN.

Actually, not trying to confuse the issue but statics would also work both ways just to be clear ie you could do -

static (inside,IT_LAN) 192.168.32.0 192.168.32.0 netmask 255.255.255.0

If you only want to allow access between a few devices on both LANs individual static host entries would probably be better ***

Jon
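Added example (not code from the thread or from Cisco): a small model of the PIX 6.3 flow rules Jon describes, fed with the config lines from the posts above. It parses nameif, access-list ... ip, nat (if) 0 access-list, static and access-group, then checks a flow under the rules that every flow needs a translation (nat exemption or static), a flow from a lower to a higher security interface also needs an ACL bound inbound on the source interface, and a flow from higher to lower is allowed unless an ACL on the source interface denies it. The ITLAN_to_inside ACL body, the host addresses and the exact wording of the verdicts are this example's assumptions; the thread only says "permit etc.....".

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens, i):
    """Consume 'any', 'host A' or 'A MASK' from a PIX command; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


class PixFlowModel:
    """Simplified model of PIX 6.3 (nat-control) flow rules; not the firewall's real code path."""

    def __init__(self, config):
        self.levels = {}     # interface name -> security level
        self.acls = {}       # acl name -> [(action, src_net, dst_net)]
        self.nat0 = []       # (interface, exemption acl name); model keeps every one
        self.statics = []    # (real_if, mapped_if, real network) identity statics
        self.groups = {}     # interface -> acl bound inbound with access-group
        for line in config.splitlines():
            self._parse(line.split())

    def _parse(self, t):
        if not t:
            return
        if t[0] == "nameif":                                   # nameif vlan1 IT_LAN security90
            self.levels[t[2]] = int(t[3][len("security"):])
        elif t[0] == "access-list" and t[3] == "ip":           # access-list NAME permit ip SRC DST
            src, i = _take_addr(t, 4)
            dst, _ = _take_addr(t, i)
            self.acls.setdefault(t[1], []).append((t[2], src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":   # nat (inside) 0 access-list NAME
            self.nat0.append((t[1].strip("()"), t[4]))
        elif t[0] == "static":                                 # static (inside,IT_LAN) REAL MAPPED netmask M
            real_if, mapped_if = t[1].strip("()").split(",")
            self.statics.append((real_if, mapped_if,
                                 ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False)))
        elif t[0] == "access-group":                           # access-group NAME in interface IF
            self.groups[t[4]] = t[1]

    def _has_translation(self, src_if, dst_if, src, dst):
        # nat 0 exemption is written from its interface's point of view and works both ways.
        for iface, acl in self.nat0:
            for action, a, b in self.acls.get(acl, []):
                if action != "permit":
                    continue
                if (iface == src_if and src in a and dst in b) or \
                   (iface == dst_if and dst in a and src in b):
                    return True
        for real_if, mapped_if, net in self.statics:
            if {real_if, mapped_if} == {src_if, dst_if}:
                real_addr = src if real_if == src_if else dst
                if real_addr in net:
                    return True
        return False

    def _acl_verdict(self, src_if, src, dst):
        """None when no ACL is bound on src_if, otherwise True/False (implicit deny at the end)."""
        acl = self.groups.get(src_if)
        if acl is None:
            return None
        for action, a, b in self.acls.get(acl, []):
            if src in a and dst in b:
                return action == "permit"
        return False

    def check(self, src_if, src_ip, dst_if, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if not self._has_translation(src_if, dst_if, src, dst):
            return False, "no translation: add a nat 0 exemption or a static"
        verdict = self._acl_verdict(src_if, src, dst)
        if self.levels[src_if] < self.levels[dst_if]:
            if verdict is None:
                return False, f"lower to higher security: no ACL bound on {src_if}"
            return verdict, ("permitted by ACL on " + src_if if verdict else "denied by ACL on " + src_if)
        if verdict is False:
            return False, "denied by ACL on " + src_if
        return True, "higher to lower security: allowed"


def walk_through():
    """Replay the thread's IT_LAN -> inside flow under the successive configs."""
    base = "\n".join([
        "nameif vlan103 inside security100",
        "nameif vlan1 IT_LAN security90",
        "access-list inside_outbound_nat0_acl permit ip any 192.168.32.192 255.255.255.192",
        "nat (inside) 0 access-list inside_outbound_nat0_acl",
    ])
    exemption = base + "\n" + "\n".join([
        "access-list NATEXT permit ip 192.168.32.0 255.255.255.0 172.16.1.0 255.255.255.0",
        "nat (inside) 0 access-list NATEXT",
    ])
    static = base + "\nstatic (inside,IT_LAN) 192.168.32.0 192.168.32.0 netmask 255.255.255.0"
    # Constructed ACL body; the thread only gives the name.
    acl = "\n".join([
        "access-list ITLAN_to_inside permit ip 172.16.1.0 255.255.255.0 192.168.32.0 255.255.255.0",
        "access-group ITLAN_to_inside in interface IT_LAN",
    ])
    flow = ("IT_LAN", "172.16.1.4", "inside", "192.168.32.10")   # constructed inside host
    return {
        "original": PixFlowModel(base).check(*flow),
        "nat_exemption_only": PixFlowModel(exemption).check(*flow),
        "exemption_plus_acl": PixFlowModel(exemption + "\n" + acl).check(*flow),
        "static_without_acl": PixFlowModel(static).check(*flow),
        "reverse_after_exemption": PixFlowModel(exemption).check("inside", "192.168.32.10", "IT_LAN", "172.16.1.4"),
    }


if __name__ == "__main__":
    for name, result in walk_through().items():
        print(f"{name:24s} {result}")
```

Run stand-alone it prints one verdict per config state: the original config fails on the missing translation, the exemption alone still fails because nothing is bound on IT_LAN, exemption plus ACL passes, and the reverse inside to IT_LAN flow passes as soon as the exemption exists. The static-without-ACL case shows that an identity static satisfies the translation requirement but, from the lower security side, still leaves the ACL requirement unmet.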

Thanks Jon for the NAT & ACL pointers.

--

[In case someone else gets stuck on this like I did, and stumbles on this thread. To summarize...]

interesting that you did it that way. I was assuming you would do -

interface ethernet1 vlan1 physical
interface ethernet1 vlan103 logical

Well, that was what I was trying to do first off; it is how one typically sets up a vlan, i.e., with native traffic on vlan1. But the PIX just would not process native vlan1 traffic (which I have). Apparently PIXs will only process traffic on tagged/logical interfaces if the physical interface is involved in 802.1q at all. So the workaround apparently is to put a dummy vlan on the physical interface for native traffic (of which there is none, i.e. dummy vlan 999) and then redirect what was once untagged vlan1 traffic into a tagged/logical interface on the PIX.

Mike

Well, that was what I was trying to do first off; it is how one typically sets up a vlan, i.e., with native traffic on vlan1. But the PIX just would not process native vlan1 traffic (which I have).

Sorry didn't explain myself very well. What i meant was use this config -

interface ethernet1 vlan1 physical
interface ethernet1 vlan103 logical

but still tag vlan 1 ie. add the "switchport trunk native vlan 999" config to the trunk connection on your switch. So vlan 1 and vlan 103 are both tagged going to the pix. There isn't actually any need to pass the vlan 999 traffic so the pix doesn't need an interface for vlan 999. So the physical interface can be assigned to vlan 1 which will be tagged. At least that has always worked for me.

Jon

Jon,

I tried adding:

static (inside,IT_LAN) 192.168.32.0 192.168.32.0 netmask 255.255.255.0

...but to no avail. I still can't ping thru the router from vlan1(192.168.32.0) to vlan103(172.16.1.0)

A bit stumped.

Mike
