Trunk mode VLAN to a VM with 8 vNICs - targeting one specific vNIC
Hi all
I've popped a question into the PowerShell forum this morning, and realised it may have been more suitable in the Hyper-V section due to the nature of the question. Apologies if dual posting is not the done thing.
My original question can be seen here:
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/5b12e416-ffc9-4391-b3f1-91fdb192f11a/hyperv-trunk-mode-to-vm-how-to-target-a-specific-virtual-nic-using-powershell?forum=winserverpowershell
Essentially, my question is around a VM that currently has 8 x vNICs, but needs to communicate over 9 x VLANs at present. I have attempted the following command in a test environment, but I can't see how this would comms over a specific vNIC; it looks like it's a global command to the target VM:
Set-VMNetworkAdapterVlan -VMName test1 -Trunk -AllowedVlanIdList "1-5" -NativeVlanId 6
Is there a way to target a specific vNIC on a VM with the above command at all, or is there a better way to enable trunk mode to the intended VM please?
Thanks
Paul
Hi Eric
Thanks for reply.
Thanks - your reply got me thinking a little more about this, and I found another article (which was also a reply from yourself when someone asked about how you rename a network adaptor when every adaptor is called "Network Adapter") that led to a working command for what I would like to achieve.
So, here is my working command now:
Get-VMNetworkAdapter -VMName test2 | Where-Object -Property MacAddress -eq "000000000098" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "2214-2217" -NativeVlanId 22
Upon running Get-VMNetworkAdapterVlan I can see how the various adaptors are now configured:
test2 Network Adapter Untagged
test2 Network Adapter Untagged
test2 Network Adapter Trunk 22,2214-2217
test2 Network Adapter Untagged
I appreciate my command may not be pretty, but it completes successfully in my lab in terms of applying the settings. Are there any obvious problems that you can see with the above?
Lastly, the reason for the VLANs in this way is because the server is a NetBackup Master Server, and needs comms over all the relevant VLANs. I'm intending on configuring a secondary interface through the teaming GUI in Server 2012, and specifying VLAN IDs there.
Thanks
Paul
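The same idea as the working command above, wrapped in a function that refuses to act unless the MAC filter matches exactly one vNIC and then reads the setting back. This is an added example, not code from the thread; it assumes the Hyper-V PowerShell module, and the VM name, MAC address and VLAN IDs in the usage line are the placeholder values from the post.

```powershell
# Added example (not from the thread): trunk exactly one vNIC of a VM, chosen by MAC
# address, instead of using Set-VMNetworkAdapterVlan -VMName, which changes every vNIC.
# Assumes the Hyper-V module is available and the caller is a Hyper-V administrator.

function Set-TrunkOnSingleVNic {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $MacAddress,        # e.g. "000000000098"
        [Parameter(Mandatory)] [string] $AllowedVlanIdList, # e.g. "2214-2217"
        [Parameter(Mandatory)] [int]    $NativeVlanId,      # e.g. 22
        [string] $NewAdapterName                            # optional: give the vNIC a real name
    )

    # Hyper-V reports MACs as 12 upper-case hex digits with no separators; normalise the
    # input so "00-00-00-00-00-98" and "000000000098" both match.
    $mac = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Select only the matching adapter (same filter as the thread's working command).
    $nics = @(Get-VMNetworkAdapter -VMName $VMName | Where-Object { $_.MacAddress -eq $mac })
    if ($nics.Count -eq 0) {
        throw "No adapter with MAC $mac found on VM '$VMName'."
    }
    if ($nics.Count -gt 1) {
        # Duplicate (typically static) MACs would make the filter hit more than one vNIC;
        # stop rather than trunk adapters that were never meant to carry these VLANs.
        throw "MAC $mac matches $($nics.Count) adapters on VM '$VMName'; refusing to guess."
    }
    $nic = $nics[0]

    # Every adapter in the thread is called "Network Adapter"; an optional rename makes the
    # trunked vNIC identifiable in later Get-VMNetworkAdapterVlan output.
    if ($NewAdapterName -and $PSCmdlet.ShouldProcess("$VMName / $($nic.Name)", "Rename to '$NewAdapterName'")) {
        Rename-VMNetworkAdapter -VMNetworkAdapter $nic -NewName $NewAdapterName
        $nic = Get-VMNetworkAdapter -VMName $VMName -Name $NewAdapterName
    }

    # Keep AllowedVlanIdList to the VLANs the guest genuinely needs: everything listed here
    # becomes reachable from inside the VM once the port is a trunk.
    $target = "trunk native $NativeVlanId, allowed $AllowedVlanIdList"
    if ($PSCmdlet.ShouldProcess("$VMName / $($nic.Name) [$mac]", "Set $target")) {
        $nic | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList $AllowedVlanIdList -NativeVlanId $NativeVlanId

        # Read the setting back for this adapter only and verify it took effect.
        $after = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
        if ($after.OperationMode -ne 'Trunk' -or [int]$after.NativeVlanId -ne $NativeVlanId) {
            throw "Verification failed: $($nic.Name) is $($after.OperationMode), native $($after.NativeVlanId)."
        }
    }

    # Show the VLAN mode of every vNIC on the VM so an accidental VM-wide change is obvious.
    Get-VMNetworkAdapterVlan -VMName $VMName |
        Select-Object VMName, VMNetworkAdapterName, OperationMode, NativeVlanId, AllowedVlanIdList
}

# Usage with the thread's placeholder values; drop -WhatIf to apply the change.
Set-TrunkOnSingleVNic -VMName 'test2' -MacAddress '000000000098' `
    -AllowedVlanIdList '2214-2217' -NativeVlanId 22 -NewAdapterName 'NetBackup-Trunk' -WhatIf
```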
Similar Messages
-
If we have a primary VLAN 100, and associated with it
VLAN 11 over {fa0/2 working as host mode} and VLAN 12 over {fa0/3 working as host mode} work as secondary community VLANs,
and VLAN 13 as an isolated secondary VLAN over {fa0/4 host mode},
how can we route between private VLANs 11, 12, 13 and {VLAN 50 fa0/5 access mode}?
Could we use fa0/1, which is connected to the L3 device, in promiscuous mode and trunk mode at the same time, or what ... ??
and
Private VLANs are all on the same subnet, so from what you are writing I see:
100-------------------------------
| | |
| | |
11 12 13
Fa0/2 fa/03 fa0/4
and you want to route to Vlan 50, correct?
In that case you need to trunk vlan 100 to a vlan interface and make sure that vlan 50 also has a routed interface on the same device. -
Two VLANs on same Switch with NAT problem.
Hello all.
I have a few Cisco devices at home that I am using to study from. I am using for now on this little setup a 2620XM and a 3500XL switch. I have two VLANs set up on the switch, VLAN 10 and VLAN 20, using router on a stick. I have set up the inside and outside interfaces. I have fa1/0 as my outside with a DHCP address of 192.168.1.10. I have also set up my internet router to see networks 172.20.0.0/24 and 172.20.1.0/24. I am able to ping back and forth from 192.168.1.0/24 to both networks. The issue comes when I try to apply NAT. I have tried two different setups and both have failed. I have two ping windows open on my PC on the 192.168.1.0/24 side, both hitting VLAN 10 and 20. Once I applied either NAT solution I lose ping on one VLAN while still pinging the other, but both VLANs can't go out to the internet. Below are the NAT solutions I have tried. Also the running config for both router and switch. If anybody can assist I would really appreciate it.
NAT Solution 1
ip nat pool INET 192.168.1.10 192.168.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool INET overload
access-list 1 permit any
NAT Solution 2
ip nat inside source list 100 interface fa1/0 overload
access-list 100 permit ip any any
Router config
R1#sh run
Building configuration...
Current configuration : 1470 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname R1
boot-start-marker
boot-end-marker
enable secret
no aaa new-model
ip subnet-zero
ip cef
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.5
encapsulation dot1Q 5 native
ip address 172.16.1.6 255.255.255.248
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 172.20.0.254 255.255.255.0
ip nat inside
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 172.20.1.254 255.255.255.0
ip nat inside
interface Serial0/0
no ip address
shutdown
interface Serial0/1
no ip address
shutdown
interface Serial0/2
no ip address
shutdown
interface Serial0/3
no ip address
shutdown
interface FastEthernet1/0
ip address dhcp
ip nat outside
duplex auto
speed auto
no cdp enable
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.7 area 0
network 172.20.0.0 0.0.0.255 area 0
network 172.20.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
no ip http server
ip classless
line con 0
exec-timeout 0 0
password
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 0 0
password
logging synchronous
login
line vty 5 181
exec-timeout 0 0
password
logging synchronous
login
end
Switch Config
SW1#sh run
Building configuration...
Current configuration:
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname SW1
ip subnet-zero
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 1,5,10,20,1002-1005
switchport mode trunk
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
switchport access vlan 10
interface FastEthernet0/5
switchport access vlan 10
interface FastEthernet0/6
switchport access vlan 10
interface FastEthernet0/7
switchport access vlan 10
interface FastEthernet0/8
switchport access vlan 10
interface FastEthernet0/9
switchport access vlan 10
interface FastEthernet0/10
switchport access vlan 10
interface FastEthernet0/11
switchport access vlan 10
interface FastEthernet0/12
switchport access vlan 20
interface FastEthernet0/13
switchport access vlan 20
interface FastEthernet0/14
switchport access vlan 20
interface FastEthernet0/15
switchport access vlan 20
interface FastEthernet0/16
switchport access vlan 20
interface FastEthernet0/17
switchport access vlan 20
interface FastEthernet0/18
switchport access vlan 20
interface FastEthernet0/19
switchport access vlan 20
interface FastEthernet0/20
switchport access vlan 20
interface FastEthernet0/21
switchport access vlan 20
interface FastEthernet0/22
switchport access vlan 20
interface FastEthernet0/23
shutdown
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/24
shutdown
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
interface VLAN5
ip address 172.16.1.1 255.255.255.248
no ip directed-broadcast
no ip route-cache
ip default-gateway 172.16.1.6
line con 0
transport input none
stopbits 1
line vty 0 4
login
line vty 5 15
login
end
You need to change your acl because NAT doesn't usually work with "any" as the source.
I tend to use extended acls so -
access-list 101 permit ip 172.20.0.0 0.0.0.255 any
access-list 101 permit ip 172.20.1.0 0.0.0.255 any
and then use your second solution ie. overload on the interface.
If you find you cannot ping between your vlans then you need to modify the above acl to deny traffic between the vlans/IP subnets then permit any as above but it should work without doing that.
Jon -
Switchport comparison, "trunk native vlan" versus "access vlan"
I want to understand the logic when I install an IP phone with a PC attached. Is there any difference between the two configurations, for example in consideration of how to handle QoS?
switchport access vlan 100
switchport voice vlan 200
versus
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport voice vlan 200
switchport mode trunk
Thanks in advance,
The difference is that these apply to two different sets of switches.
The first set of configuration applies to the new series switches, Cisco 3550, 3560, 3750 series.
The second set applies to the older series, Cisco 2900, Cisco 3500XL etc. In these switches, you need to configure the port as a trunk before the port can take both voice and data VLANs.
In the newer series, the port can take both voice and data vlan and still not run in trunk mode.
Regards,
Anup -
Cisco ASA 55XX Transparent mode VLAN traversing
Hello Cisco Forum Team!
In a scenario where the Cisco ASA is in Transparent mode, is it possible to transmit L2 traffic from VLANs other than the native VLAN in which the management IP of the firewall resides?
The switches on the outside and inside interfaces of the ASA are in trunk mode and I am trying to pass L2 VLAN traffic from inside to outside and vice versa using filters on the switches (switchport trunk allowed vlan).
Thanks in advance for your support and comments!
Yes it is possible but you will be limited to 8 VLANs, or more accurately, 8 BVI interfaces, so this is not a scalable solution. The catch is that you will need to have different VLANs for the same subnet at either end of the ASA.
To clarify this, let's say you are using interfaces Gig0/1 and Gig0/2. On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4. Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like this VLAN is already configured on another interface...I don't remember the exact error.
So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs...let's say...5, 6, and 7. You would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3. Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.
Please remember to select a correct answer and rate helpful posts -
%EC-SP-5-CANNOT_BUNDLE2 - Switch incorrectly sees port in Dynamic Trunking Mode
Take this configuration on a 6500 with 2 WS-X6716-10-GE modules installed.
interface Port-channel1
description Switch02:Po1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
interface TenGigabitEthernet1/1
description Switch02:Te1/1
switchport
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
interface TenGigabitEthernet2/1
description Switch02:Te2/1
switchport
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
shutdown
Now I do this:
conf t
int Te2/1
no shut
This error message is generated:
%EC-SP-5-CANNOT_BUNDLE2: Te2/1 is not compatible with Te1/1 and will
be suspended (trunk mode of Te2/1 is trunk, Te1/1 is dynamic)
The million dollar question - Why would it see Te1/1 as being in dynamic trunking mode?
glen.grant wrote: Shutdown the port channel by shutting down the port channel SVI . Then try to bring it up , with a no shut on the port channel SVI , this will bring both ports up at the same time. Sometimes they do not like having a single port in the channel being brought up by itself. Also make sure the other end matches exactly seeing you are forcing the port channel to an on state.
I agree this may work, but it doesn't really address the problem. If both the logical and physical interfaces have 'switchport nonegotiate' configured, why would the switch see it in Dynamic Trunking mode?
One thing I did try was removing 'switchport nonegotiate' from Te2/1. Then I got this:
%EC-SP-5-CANNOT_BUNDLE2: Te2/1 is not compatible with Te1/1 and will be suspended (dtp nonegotiate of Te2/1 is 0, Te1/1 id 1)
It's now saying DTP is disabled for Te1/1. In other words, it is NOT in dynamic trunking mode. Since that directly contradicts the earlier message, my conclusion is this is a software bug. -
Hello!
I have a problem with a Cisco SF302-08P switch. Specifically, the problem is with configuring a port for an IP phone and a PC.
As you know, this is a PoE switch.
vlan database
vlan 47,147
exit
voice vlan id 147
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname DepGrajdIniciativ
ip ssh server
snmp-server server
ip telnet server
interface vlan 47
ip address 172.27.47.253 255.255.255.0
no ip address dhcp
interface fastethernet1
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport trunk allowed vlan add 147
switchport trunk native vlan 47 <-----
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
VLAN 147 is for the IP phone. VLAN 47 is for the computer.
The thing is that when, for example, I connect an IP phone (Cisco 6921) to port 1, the setting "switchport trunk native vlan 47" disappears from the port, and accordingly the computer connected to the phone's "computer" port loses connectivity (VLAN 47 is lost?). I have to enter it again, but it only persists until the next reboot of the switch or the phone.
P.S. We save the switch settings with "copy run start" or "wr". On the phone, "admin vlan" is set to 147.
P.P.S. The phone is powered over PoE.
What could the problem be? I have worked with many Cisco switches, but I have never seen anything like this.... -
Hi,
One of the Server ports (pointing towards a UCS Chassis) on my fabric interconnect is currently showing as down as it is Trunk mode not Fabric Mode as per all the other server ports.
For some reason when I look under the LAN tab this one interface is showing under "internal LAN". I have tried disabling and/or deleting the interface from under "internal LAN" however every time I re-configure the port as a Server Port it is showing back under and the mode remains in Trunk.
Does anyone have some advice how I can get this port out of Trunk Mode and into Fabric Mode?
Many Thanks, Paul
Hi Cristian,
As requested please see outputs below:
UCS1-A(nxos)# sh run int e1/22
interface Ethernet1/22
description S: Server
no pinning server sticky
switchport mode trunk
switchport trunk native vlan xxx4
switchport trunk allowed vlan xxx4,xxx7
no shutdown
UCS1-A(nxos)# show int fex-fabric
Fabric Fabric Fex FEX
Fex Port Port State Uplink Model Serial
1 Eth1/1 Active 1 N20-C6508 xx
1 Eth1/2 Active 2 N20-C6508 xx
2 Eth1/3 Active 1 N20-C6508 xx
2 Eth1/4 Active 2 N20-C6508 xx
3 Eth1/5 Active 1 N20-C6508 xx
3 Eth1/6 Active 2 N20-C6508 xx
4 Eth1/7 Active 1 N20-C6508 xx
4 Eth1/8 Active 2 N20-C6508 xx
5 Eth1/9 Active 1 N20-C6508 xx
5 Eth1/10 Active 2 N20-C6508 xx
6 Eth1/11 Active 1 N20-C6508 xx
6 Eth1/12 Active 2 N20-C6508 xx
7 Eth1/13 Active 1 N20-C6508 xx
7 Eth1/14 Active 2 N20-C6508 xx
8 Eth1/15 Active 1 N20-C6508 xx
8 Eth1/16 Active 2 N20-C6508 xx
9 Eth1/17 Active 1 N20-C6508 xx
9 Eth1/18 Active 2 N20-C6508 xx
10 Eth1/19 Active 1 N20-C6508 xx
10 Eth1/20 Active 2 N20-C6508 xx
11 Eth1/21 Active 1 N20-C6508 xx
12 Eth1/23 Active 1 N20-C6508 xx
12 Eth1/24 Active 2 N20-C6508 xx
13 Eth1/25 Active 1 N20-C6508 xx
13 Eth1/26 Active 2 N20-C6508 xx
14 Eth1/27 Active 1 N20-C6508 xx
14 Eth1/28 Active 2 N20-C6508 xx
UCS1-A(nxos)# show fex 1 detail
FEX: 1 Description: FEX0001 state: Online
FEX version: 5.0(3)N2(2.11.3a) [Switch version: 5.0(3)N2(2.11.3a)]
FEX Interim version: 5.0(3)N2(2.11.3a)
Switch Interim version: 5.0(3)N2(2.11.3a)
Chassis Model: N20-C6508, Chassis Serial: XXX
Extender Model: UCS-IOM-2204XP, Extender Serial: XXX
Part No: 73-14488-03
Card Id: 184, Mac Addr: c0:67:af:84:a6:5a, Num Macs: 38
Module Sw Gen: 21 [Switch Sw Gen: 21]
post level: complete
pinning-mode: static Max-links: 1
Fabric port for control traffic: Eth1/1
Fabric interface state:
Po1025 - Interface Up. State: Active
Eth1/1 - Interface Up. State: Active
Eth1/2 - Interface Up. State: Active
Fex Port State Fabric Port
Eth1/1/1 Down Po1025
Eth1/1/2 Down Po1025
Eth1/1/3 Down None
Eth1/1/4 Down None
Eth1/1/5 Down None
Eth1/1/6 Down None
Eth1/1/7 Down None
Eth1/1/8 Down None
Eth1/1/9 Down Po1025
Eth1/1/10 Down Po1025
Eth1/1/11 Down None
Eth1/1/12 Down None
Eth1/1/13 Down None
Eth1/1/14 Down None
Eth1/1/15 Down None
Eth1/1/16 Down None
Eth1/1/17 Up Po1025
Logs:
01/03/2014 11:23:14.295257: Module register received
01/03/2014 11:23:14.296133: Registration response sent
01/03/2014 11:23:14.580311: Module Online Sequence
01/03/2014 11:23:17.47105: Module Online
If possible would you be free to discuss this on a WebEx?
Kind Regards, Paul -
Don't configure a native VLAN unless you have to. You're increasing your attack surface with the potential of VLAN hopping (Dot1q hopping some call it).
http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
https://en.wikipedia.org/wiki/VLAN_hopping
Edit: Spelling
Hello,
I'm trying to understand better native vlan trunking. Maybe someone can please help explain? I understand trunking and vlans and I know that on the trunked port I can allow whatever vlans I want to and I know that the native vlan carries non tagged frames.
So for example, if I have say 3 vlans and a native vlan
vlan 10, vlan 20, vlan 30 and I have the command on the trunked port "switchport trunk allowed vlan 10,20,30"
so all those vlans will pass on the trunk correct? And native vlan 1 will pass all the telnet, cdp, traffic etc, correct?
Also how do I change the native vlan?
Thanks.
This topic first appeared in the Spiceworks Community -
Authenticating Trunk Ports - VLAN list
I have a requirement to authenticate trunk ports to wireless access points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using the Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch).
My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). Ideally we would not want to statically assign the VLANs on each port, as an AP could be on any port and we may wish to authenticate other trunk ports using different VLANs in the future. Below is the configuration used on the ports.
cisp enable
interface FastEthernet0/2
description *** Client Device ***
switchport access vlan 2
switchport mode access
no logging event link-status
authentication event fail action next-method
authentication event server dead action reinitialize vlan 3
authentication event server alive action reinitialize
authentication order mab dot1x webauth
authentication priority mab dot1x webauth
authentication port-control auto
authentication fallback GUEST_FALLBACK
mab eap
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 10
dot1x max-reauth-req 1
dot1x timeout auth-period 600
no cdp enable
spanning-tree portfast
Any help will be greatly appreciated.
Thanks
John
Hello
I would suggest the following:
>> Arrange for some physical enclosure (locked) or any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What if someone just switches off your switches? DOS attack!! This could also be done by mistake, resulting in an unstructured threat.
>> Enable monitoring for these switches (ICMP,SNMP) so that you are alerted when they are unplugged.
>> Change the NATIVE VLAN from the default (VLAN 1)
>> Disable Trunk negotiation (ON mode)
Regards
Farrukh -
VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1
Hi All,
L2 security documents suggest avoiding VLAN 1 and tagging all frames with VLAN IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using switchport trunk native vlan #, which removes any VLAN tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using VLAN 1 to tighten L2 security. When VLAN 1 is removed from all trunked uplinks, user access ports are other than VLAN 1, and no spanning-tree VLAN 1 operations exist, what is the native VLAN 1 actually used for? The output of show interface gi0/1 trunk shows the native VLAN as 1.
Thanks,
HC
Hi HC,
the command "switchport trunk native vlan" is used to define the native (untagged) VLAN on a dot1q link. The default is 1, but you can change it to anything you like. But it only changes the native VLAN; all the other VLANs on the trunk are of course tagged (and it only applies to dot1q, as ISL "tags/encapsulates" all the VLANs). The command "vlan dot1q tag native" is mostly used in dot1q-in-dot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That's something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1q-in-dot1q. This command tags the native VLAN traffic, and drops all traffic which is not tagged.
What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.
If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part I'm trying not to use VLAN 1 everywhere in my campus, because it gives a huge spanning-tree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible; that's good for the stability!
Simon -
Switchport trunk native vlan question...
What am I missing in regards to the following two lines assigned to a sw interface:
switchport trunk native vlan 80
switchport mode trunk
Why assign a VLAN to the port when you're trunking it (meaning you're allowing all VLANs to pass)?
Thank you.
By default the native VLAN is VLAN 1, but it can be changed to any number on the trunk port by the command "switchport trunk native vlan #". This will make the new vlan# native and allow all packets from this VLAN to pass through the trunk untagged.
Native VLANs are used to carry CDP, PAgP & VTP messages. Thus the frames on the native VLAN are untagged. For these messages to propagate between devices, native VLANs must match on both sides of the trunk. In case of a native VLAN mismatch on both sides of the trunk, STP will put the trunk port in err-disabled state. -
Switchport trunk native vlan & switchport access vlan dual configuration
I've discovered this dual configuration on a 3500xl switch while troubleshooting an incrementing runts issue. Could the config of this port be related to the issue at hand?
port configuration:
interface FastEthernet0/3
duplex full
speed 100
switchport access vlan 203
switchport trunk encapsulation dot1q
switchport trunk native vlan 203
switchport trunk allowed vlan 1,203,204,220,1002-1005
switchport mode trunk
spanning-tree portfast
Hi,
The 'switchport access vlan' command will have no effect on the configuration you have on this port. The port will operate as a trunk and will disregard any config that pertains to an access port.
Hope that helps ...
Paresh -
What is the effect of the command switchport trunk native vlan x
Hello all,
I have an SG500 switch. The port Gi0/19 is directly connected to a machine. When I show the running config file I find the following config on the interface gi0/19:
switchport trunk native vlan 70
I need to understand this command, because I'm a bit confused: I thought that we only put an interface in trunk mode when we have a link between two switches.
Please Help :)
Trunks can carry all the traffic (VLAN 70, 80, ........ including VLAN 1).
An access port can only be in one VLAN (say VLAN 70).
So if you configure it as a trunk and connect the server, then since the native VLAN is 70, traffic of VLAN 70 will not be tagged, so your server can understand it (assuming the server does not have the capability to understand tagged frames). Traffic in other VLANs (say VLAN 80, .... VLAN 1 ....) will also be received by this interface but will be dropped.
If you configure it as access only and in VLAN 70, only untagged VLAN 70 traffic will be received on the interface.
Thanks -
ASA transparent mode vlan question
Hi, I was going through the ASA 5505 doco and I found the following:
In transparent firewall mode, you can configure two active VLANs in the Base license and three active
VLANs in the Security Plus license, one of which must be for failover.
So if I want to trunk 3 VLANs, can I do it or not? It says that one of them should be used for failover; what does that mean? I thought that we can use failover using an IP address on an interface???
My scenario is that my two ASA 5505 firewalls will be connected to two 3750 switches and I need 3 VLANs to come to my outside ASA interface.
As per:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html#backinfo
Only two interfaces can be used for data, and a 3rd one for failover.
Regards,
Felipe.
Remember to rate useful posts.