Trunk mode VLAN to a VM with 8 vNICs - targeting one specific vNIC

Hi all
I've popped a question into the PowerShell forum this morning, and realised it may have been more suitable in the Hyper-V section due to the nature of the question. Apologies if dual posting is not the done thing.
My original question can be seen here:
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/5b12e416-ffc9-4391-b3f1-91fdb192f11a/hyperv-trunk-mode-to-vm-how-to-target-a-specific-virtual-nic-using-powershell?forum=winserverpowershell
Essentially, my question is around a VM that currently has 8 x vNICs, but needs to communicate over 9 x VLANs at present. I have attempted the following command in a test environment, but I can't see how this would communicate over a specific vNIC; it looks like it's a global command to the target VM:
Set-VMNetworkAdapterVlan -VMName test1 -Trunk -AllowedVlanIdList "1-5" -NativeVlanId 6
Is there a way to target a specific vNIC on a VM with the above command at all, or is there a better way to enable trunk mode to the intended VM please?
Thanks
Paul

Hi Eric
Thanks for reply.
Thanks - your reply got me thinking a little more about this, and I found another article (which was also a reply from yourself when someone asked about how you rename a network adaptor when every adaptor is called "Network Adapter"), that led to a working command for what I would like to achieve.
So, here is my working command now:
Get-VMNetworkAdapter -VMName test2 | Where-Object -Property MacAddress -eq "000000000098" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "2214-2217" -NativeVlanId 22
Upon running Get-VMNetworkAdapterVlan I can see how the various adaptors are now configured:
test2                    Network Adapter               Untagged
test2                    Network Adapter               Untagged
test2                    Network Adapter               Trunk    22,2214-2217
test2                    Network Adapter               Untagged
I appreciate my command may not be pretty, but it completes successfully in my lab in terms of applying the settings. Are there any obvious problems that you can see with the above?
Lastly, the reason for the VLANs in this way is because the server is a NetBackup Master Server, and needs comms over all the relevant VLANs. I'm intending on configuring a secondary interface through the teaming GUI in Server 2012, and specifying VLAN IDs there.
Thanks
Paul
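
The MAC-based targeting from the post above, wrapped so that it refuses to act unless exactly one vNIC matches and then lists every adapter with its MAC so an unintended trunk is visible. This is an added example, not code from the thread's participants; the function name Set-SingleVnicTrunk and the optional -NewAdapterName label are hypothetical, and the VM name, MAC and VLAN values are the ones quoted in the post.

```powershell
# Added example (not from the thread): trunk exactly one vNIC, selected by MAC.
# Run on the Hyper-V host with the Hyper-V PowerShell module available.
function Set-SingleVnicTrunk {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $MacAddress,
        [Parameter(Mandatory)] [string] $AllowedVlanIdList,
        [Parameter(Mandatory)] [int]    $NativeVlanId,
        [string] $NewAdapterName   # hypothetical label, e.g. 'Backup-Trunk'
    )

    # Hyper-V reports MAC addresses as 12 hex digits without separators.
    $mac = ($MacAddress -replace '[-:.]', '').ToUpperInvariant()
    if ($mac -notmatch '^[0-9A-F]{12}$') {
        throw "MAC address '$MacAddress' is not 12 hex digits."
    }

    # Wrap in @() so .Count is reliable for zero, one or many matches.
    $adapters = @(Get-VMNetworkAdapter -VMName $VMName |
                  Where-Object { $_.MacAddress -eq $mac })
    if ($adapters.Count -ne 1) {
        throw "Expected exactly one vNIC with MAC $mac on '$VMName', found $($adapters.Count)."
    }
    $adapter = $adapters[0]

    $action = "Trunk VLANs $AllowedVlanIdList, native VLAN $NativeVlanId"
    if ($PSCmdlet.ShouldProcess("$VMName / $mac", $action)) {
        $vlanArgs = @{
            VMNetworkAdapter  = $adapter
            Trunk             = $true
            AllowedVlanIdList = $AllowedVlanIdList
            NativeVlanId      = $NativeVlanId
        }
        Set-VMNetworkAdapterVlan @vlanArgs

        # Optional: give the adapter a unique name so it can later be
        # addressed with -VMNetworkAdapterName instead of by MAC.
        if ($NewAdapterName) {
            Rename-VMNetworkAdapter -VMNetworkAdapter $adapter -NewName $NewAdapterName
        }
    }

    # Show every adapter on the VM with its MAC; identical display names
    # ("Network Adapter") otherwise hide which vNIC carries the trunk.
    Get-VMNetworkAdapterVlan -VMName $VMName |
        Select-Object @{ n = 'Adapter'; e = { $_.ParentAdapter.Name } },
                      @{ n = 'Mac';     e = { $_.ParentAdapter.MacAddress } },
                      OperationMode, NativeVlanId, AllowedVlanIdList
}

# Dry run with the values from the post; remove -WhatIf to apply.
Set-SingleVnicTrunk -VMName test2 -MacAddress '000000000098' `
    -AllowedVlanIdList '2214-2217' -NativeVlanId 22 -WhatIf
```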

Similar Messages

  • Private Vlans and trunk mode

    if we have a primary vlan 100 associate with it
    vlan 11 over {fa0/2 work as host mode} , vlan 12 over {fa0/3 work as host mode} they work as secondary community vlan
    and vlan 13 as isolated secondary vlan over {fa0/4 host mode}
    How can we route between private vlans 11,12,13 and {vlan 50 fa0/5 access mode}
    could we use the fa 0/1 which is connected to the L3 device as promiscuous mode and trunk mode at the same time or what ... ??
    and

    Private vlan's are all on the same subnet, so from what you are writing I see:
    100-------------------------------
    | | |
    | | |
    11 12 13
    Fa0/2 fa/03 fa0/4
    and you want to route to Vlan 50, correct?
    In that case you need to trunk vlan 100 to a vlan interface and make sure that vlan 50 also has a routed interface on the same device.

  • Two VLANs on same Switch with NAT problem.

    Hello all.
    I have few cisco devices at home that I am using to study from. I am using for now on this little setup a 2620XM and a 3500XL Switch. I have two vlans setup on the switch VLan10 and VLan20 using router on a stick. I have setup the inside and outside interfaces. I have the fa1/0 as my outside with a dhcp address of 192.168.1.10. I have also setup my internet router to see networks 172.20.0.0/24 and 172.20.1.0/24. I am able to ping back and forth from 192.168.1.0/24 to both networks. The issue comes when I try to apply NAT. I have tried two different setups and both have failed. I have two ping windows open on my PC on the 192.168.1.0/24 side both hitting vlan 10 and 20. Once I applied either NAT solution I lose ping on one vlan while still pinging the other, but both vlans can't go out to the internet. Below are the NAT solutions I have tried. Also running config for both router and switch. If anybody can assist I would really appreciate it.
    NAT Solution 1
    ip nat pool INET 192.168.1.10 192.168.1.10 netmask 255.255.255.0
    ip nat inside source list 1 pool INET overload
    access-list 1 permit any
    NAT Solution 2
    ip nat inside source list 100 interface fa1/0 overload
    access-list 100 permit ip any any
    Router config
    R1#sh run
    Building configuration...
    Current configuration : 1470 bytes
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    enable secret
    no aaa new-model
    ip subnet-zero
    ip cef
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    interface FastEthernet0/0.5
     encapsulation dot1Q 5 native
     ip address 172.16.1.6 255.255.255.248
    interface FastEthernet0/0.10
     encapsulation dot1Q 10
     ip address 172.20.0.254 255.255.255.0
     ip nat inside
    interface FastEthernet0/0.20
     encapsulation dot1Q 20
     ip address 172.20.1.254 255.255.255.0
     ip nat inside
    interface Serial0/0
     no ip address
     shutdown
    interface Serial0/1
     no ip address
     shutdown
    interface Serial0/2
     no ip address
     shutdown
    interface Serial0/3
     no ip address
     shutdown
    interface FastEthernet1/0
     ip address dhcp
     ip nat outside
     duplex auto
     speed auto
     no cdp enable
    router ospf 1
     log-adjacency-changes
     network 172.16.1.0 0.0.0.7 area 0
     network 172.20.0.0 0.0.0.255 area 0
     network 172.20.1.0 0.0.0.255 area 0
     network 192.168.1.0 0.0.0.255 area 0
    no ip http server
    ip classless
    line con 0
     exec-timeout 0 0
     password
     logging synchronous
     login
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     password
     logging synchronous
     login
    line vty 5 181
     exec-timeout 0 0
     password
     logging synchronous
     login
    end
    Switch Config
    SW1#sh run
    Building configuration...
    Current configuration:
    version 12.0
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname SW1
    ip subnet-zero
    interface FastEthernet0/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 5
     switchport trunk allowed vlan 1,5,10,20,1002-1005
     switchport mode trunk
    interface FastEthernet0/2
    interface FastEthernet0/3
    interface FastEthernet0/4
     switchport access vlan 10
    interface FastEthernet0/5
     switchport access vlan 10
    interface FastEthernet0/6
     switchport access vlan 10
    interface FastEthernet0/7
     switchport access vlan 10
    interface FastEthernet0/8
     switchport access vlan 10
    interface FastEthernet0/9
     switchport access vlan 10
    interface FastEthernet0/10
     switchport access vlan 10
    interface FastEthernet0/11
     switchport access vlan 10
    interface FastEthernet0/12
     switchport access vlan 20
    interface FastEthernet0/13
     switchport access vlan 20
    interface FastEthernet0/14
     switchport access vlan 20
    interface FastEthernet0/15
     switchport access vlan 20
    interface FastEthernet0/16
     switchport access vlan 20
    interface FastEthernet0/17
     switchport access vlan 20
    interface FastEthernet0/18
     switchport access vlan 20
    interface FastEthernet0/19
     switchport access vlan 20
    interface FastEthernet0/20
     switchport access vlan 20
    interface FastEthernet0/21
     switchport access vlan 20
    interface FastEthernet0/22
     switchport access vlan 20
    interface FastEthernet0/23
     shutdown
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface FastEthernet0/24
     shutdown
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface GigabitEthernet0/1
    interface GigabitEthernet0/2
    interface VLAN1
     no ip address
     no ip directed-broadcast
     no ip route-cache
     shutdown
    interface VLAN5
     ip address 172.16.1.1 255.255.255.248
     no ip directed-broadcast
     no ip route-cache
    ip default-gateway 172.16.1.6
    line con 0
     transport input none
     stopbits 1
    line vty 0 4
     login
    line vty 5 15
     login
    end

    You need to change your acl because NAT doesn't usually work with "any" as the source.
    I tend to use extended acls so -
    access-list 101 permit ip 172.20.0.0 0.0.0.255 any
    access-list 101 permit ip 172.20.1.0 0.0.0.255 any
    and then use your second solution ie. overload on the interface.
    If you find you cannot ping between your vlans then you need to modify the above acl to deny traffic between the vlans/IP subnets then permit any as above but it should work without doing that.
    Jon

  • Switchport comparision, "trunk native vlan" versus "access vlan"

    I want to understand the logic when I install an IP phone with a PC attached. Is there any difference between the two configurations? For example, consideration to handle QoS.
    switchport access vlan 100
    switchport voice vlan 200
    versus
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport voice vlan 200
    switchport mode trunk
    Thanks in advance,

    The difference is that these apply to two different sets of switches.
    The first set of configuration applies to the new series switches, Cisco 3550, 3560, 3750 series.
    The second set applies to the older series Cisco 2900, Cisco 3500XL etc. In these switches, you need to configure the port as a trunk before the port can take both voice and data vlan.
    In the newer series, the port can take both voice and data vlan and still not run in trunk mode.
    Regards,
    Anup

  • Cisco ASA 55XX Transparent mode VLAN traversing

    Hello Cisco Forum Team!
    In a scenario where the Cisco ASA is in Transparent mode, is it possible to transmit L2 traffic from other VLANs different than the native VLAN the management IP of the firewall resides?
    The switches on the outside and inside interfaces of the ASA are in trunk mode and I am trying to pass L2 VLAN traffic from inside to outside and vice-versa using filters on the switches (switchport trunk allowed vlan).
    Thanks in advance for your support and comments!

    Yes it is possible but you will be limited to 8 VLANs, or more accurately, 8 BVI interfaces so this is not a scalable solution.  The catch is that you will need to have different VLANs for the same subnet at either end of the ASA. 
    To clarify this, let's say you are using interface Gig0/1 and Gig0/2.  On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4.  Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like this VLAN is already configured on another interface...I don't remember the exact error.
    So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs...let's say...5, 6, and 7.  You would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3.  Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.
    Please remember to select a correct answer and rate helpful posts

  • %EC-SP-5-CANNOT_BUNDLE2 - Switch incorrectly sees port in Dynamic Trunking Mode

    Take this configuration on a 6500 with 2 WS-X6716-10-GE modules installed.
    interface Port-channel1
    description Switch02:Po1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    interface TenGigabitEthernet1/1
    description Switch02:Te1/1
    switchport
    switchport mode trunk
    switchport nonegotiate
    channel-group 1 mode on
    interface TenGigabitEthernet2/1
    description Switch02:Te2/1
    switchport
    switchport mode trunk
    switchport nonegotiate
    channel-group 1 mode on
    shutdown
    Now I do this:
    conf t
    int Te2/1
    no shut
    This error message is generated:
    %EC-SP-5-CANNOT_BUNDLE2: Te2/1 is not compatible with Te1/1 and will
    be suspended (trunk mode of Te2/1 is trunk, Te1/1 is dynamic)
    The million dollar question - Why would it see Te1/1 as being in dynamic trunking mode? 

    glen.grant wrote: Shutdown the port channel by shutting down the port channel SVI  . Then try to bring it up , with a no shut on the port channel SVI , this will bring both ports up at the same time.  Sometimes they do not  like having a single port in the channel being brought up by itself.  Also make sure the other end matches exactly seeing you are forcing the port channel to an on state.
    I agree this may work, but it doesn't really address the problem.  If both the logical and physical interfaces have 'switchport nonegotiate' configured, why would the switch see it in Dynamic Trunking mode?
    One thing I did try was removing 'switchport nonegotiate' from Te2/1.  Then I got this:
    %EC-SP-5-CANNOT_BUNDLE2: Te2/1 is not compatible with Te1/1 and will be suspended (dtp nonegotiate of Te2/1 is 0, Te1/1 id 1)
    It's now saying DTP is disabled for Te1/1.  In other words, it is NOT in dynamic trunking mode.  Since that directly contradicts the earlier message, my conclusion is this is a software bug. 

  • Cisco SF302-08P: trunk native vlan disappears from the port when I connect an IP phone.

    Hello!
    I have a problem with a Cisco SF302-08P switch. Specifically, the problem is with configuring a port for an IP phone and a PC.
    As is well known, this is a PoE switch.
    vlan database
    vlan 47,147
    exit
    voice vlan id 147
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname DepGrajdIniciativ
    ip ssh server
    snmp-server server
    ip telnet server
    interface vlan 47
     ip address 172.27.47.253 255.255.255.0
     no ip address dhcp
    interface fastethernet1
     storm-control broadcast enable
     storm-control broadcast level 10
     storm-control include-multicast
     port security max 10
     port security mode max-addresses
     port security discard trap 60
     spanning-tree portfast
     switchport trunk allowed vlan add 147
     switchport trunk native vlan 47                 <-----               
     macro description ip_phone_desktop
     !next command is internal.
     macro auto smartport dynamic_type ip_phone_desktop
    VLAN 147 is for the IP phone. VLAN 47 is for the computer.
    The thing is that when I connect an IP phone (Cisco 6921) to, for example, port 1, the "switchport trunk native vlan 47" setting disappears from the port, and consequently the computer connected to the phone's "computer" port loses connectivity (VLAN 47 is lost?). I have to enter it again, but it only persists until the next reboot of the switch or the phone.
    P.S. We save the switch configuration with the "copy run start" or "wr" command. On the phone, "admin vlan" is set to 147.
    P.P.S. The phone is powered over PoE.
    What could the problem be? I have worked with many Cisco switches, but I have never seen anything like this anywhere....

  • Server Port - Trunk Mode

    Hi,
    One of the Server ports (pointing towards a UCS Chassis) on my fabric interconnect is currently showing as down as it is in Trunk mode, not Fabric Mode as per all the other server ports.
    For some reason when I look under the LAN tab this one interface is showing under "internal LAN". I have tried disabling and/or deleting the interface from under "internal LAN" however every time I re-configure the port as a Server Port it is showing back under and the mode remains in Trunk.
    Does anyone have some advice how I can get this port out of Trunk Mode and into Fabric Mode?
    Many Thanks, Paul

    Hi Cristian,
    As requested please see outputs below:
    UCS1-A(nxos)# sh run int e1/22
    interface Ethernet1/22
      description S: Server
      no pinning server sticky
      switchport mode trunk
      switchport trunk native vlan xxx4
      switchport trunk allowed vlan xxx4,xxx7
      no shutdown
    UCS1-A(nxos)# show int fex-fabric
         Fabric      Fabric       Fex                FEX
    Fex  Port      Port State    Uplink    Model         Serial
      1    Eth1/1        Active     1         N20-C6508  xx
      1    Eth1/2        Active     2         N20-C6508  xx
      2    Eth1/3        Active     1         N20-C6508  xx
      2    Eth1/4        Active     2         N20-C6508  xx
      3    Eth1/5        Active     1         N20-C6508  xx
      3    Eth1/6        Active     2         N20-C6508  xx
      4    Eth1/7        Active     1         N20-C6508  xx
      4    Eth1/8        Active     2         N20-C6508  xx
      5    Eth1/9        Active     1         N20-C6508  xx
      5   Eth1/10        Active     2         N20-C6508  xx
      6   Eth1/11        Active     1         N20-C6508  xx
      6   Eth1/12        Active     2         N20-C6508  xx
      7   Eth1/13        Active     1         N20-C6508  xx
      7   Eth1/14        Active     2         N20-C6508  xx
      8   Eth1/15        Active     1         N20-C6508  xx
      8   Eth1/16        Active     2         N20-C6508  xx
      9   Eth1/17        Active     1         N20-C6508  xx
      9   Eth1/18        Active     2         N20-C6508  xx
    10   Eth1/19        Active     1         N20-C6508  xx
    10   Eth1/20        Active     2         N20-C6508  xx
    11   Eth1/21        Active     1         N20-C6508  xx
    12   Eth1/23        Active     1         N20-C6508  xx
    12   Eth1/24        Active     2         N20-C6508  xx
    13   Eth1/25        Active     1         N20-C6508  xx
    13   Eth1/26        Active     2         N20-C6508  xx
    14   Eth1/27        Active     1         N20-C6508  xx
    14   Eth1/28        Active     2         N20-C6508  xx
    UCS1-A(nxos)# show fex 1 detail
    FEX: 1 Description: FEX0001   state: Online
      FEX version: 5.0(3)N2(2.11.3a) [Switch version: 5.0(3)N2(2.11.3a)]
      FEX Interim version: 5.0(3)N2(2.11.3a)
      Switch Interim version: 5.0(3)N2(2.11.3a)
      Chassis Model: N20-C6508,  Chassis Serial: XXX
      Extender Model: UCS-IOM-2204XP,  Extender Serial: XXX
      Part No: 73-14488-03
      Card Id: 184, Mac Addr: c0:67:af:84:a6:5a, Num Macs: 38
      Module Sw Gen: 21  [Switch Sw Gen: 21]
      post level: complete
    pinning-mode: static    Max-links: 1
      Fabric port for control traffic: Eth1/1
      Fabric interface state:
        Po1025 - Interface Up. State: Active
        Eth1/1 - Interface Up. State: Active
        Eth1/2 - Interface Up. State: Active
      Fex Port        State  Fabric Port
             Eth1/1/1  Down      Po1025
             Eth1/1/2  Down      Po1025
             Eth1/1/3  Down        None
             Eth1/1/4  Down        None
             Eth1/1/5  Down        None
                    Eth1/1/6  Down        None
             Eth1/1/7  Down        None
             Eth1/1/8  Down        None
             Eth1/1/9  Down      Po1025
            Eth1/1/10  Down      Po1025
            Eth1/1/11  Down        None
            Eth1/1/12  Down        None
            Eth1/1/13  Down        None
            Eth1/1/14  Down        None
            Eth1/1/15  Down        None
            Eth1/1/16  Down        None
            Eth1/1/17    Up      Po1025
    Logs:
    01/03/2014 11:23:14.295257: Module register received
    01/03/2014 11:23:14.296133: Registration response sent
    01/03/2014 11:23:14.580311: Module Online Sequence
    01/03/2014 11:23:17.47105: Module Online
    If possible would you be free to discuss this on a WebEx?
    Kind Regards, Paul

  • Trunk Native VLAN

    Don't configure a native VLAN unless you have to. You're increasing your attack surface with the potential of VLAN hopping (Dot1q hopping some call it).
    http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
    https://en.wikipedia.org/wiki/VLAN_hopping
    Edit:Spelling

    Hello,
    I'm trying to understand better native vlan trunking. Maybe someone can please help explain? I understand trunking and vlans and I know that on the trunked port I can allow whatever vlans I want to and I know that the native vlan carries non tagged frames.
    So for example, if I have say 3 vlans and a native vlan
    vlan 10, vlan 20, vlan 30 and I have the command on the trunked port "switchport trunk allowed vlan 10,20,30"
    so all those vlans will pass on the trunk correct? And native vlan 1 will pass all the telnet, cdp, traffic etc, correct?
    Also how do I change the native vlan?
    Thanks.
    This topic first appeared in the Spiceworks Community

  • Authenticating Trunk Ports - VLAN list

    I have a requirement to authenticate trunk ports to wireless access-points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using the Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch)
    My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). ideally we would not want to statically assign the VLAN's on each port as an AP could be on any port and may wish to authenticate other trunk ports using different VLAN's in the future. Below is the configuration used on the ports.
    cisp enable
    interface FastEthernet0/2
     description *** Client Device ***
     switchport access vlan 2
     switchport mode access
     no logging event link-status
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 3
     authentication event server alive action reinitialize
     authentication order mab dot1x webauth
     authentication priority mab dot1x webauth
     authentication port-control auto
     authentication fallback GUEST_FALLBACK
     mab eap
     dot1x pae authenticator
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 10
     dot1x max-reauth-req 1
     dot1x timeout auth-period 600
     no cdp enable
     spanning-tree portfast
    Any help will be greatly appreciated. 
    Thanks
    John

    Hello
    I would suggest the following:
    >> Arrange for some physical enclosure (locked) or any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What if someone just switches off your switches? DOS attack!! This could also be done by mistake, resulting in an unstructured threat.
    >> Enable monitoring for these switches (ICMP,SNMP) so that you are alerted when they are unplugged.
    >> Change the NATIVE VLAN from the default (VLAN 1)
    >> Disable Trunk negotiation (ON mode)
    Regards
    Farrukh

  • VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

    Hi All,
    L2 security documents suggest to avoid using vlan1 and tagging all frames with vlan IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using the switchport trunk native vlan # which removes any vlan tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using vlan 1 to tighten L2 security. When vlan 1 is removed from all trunked uplinks, user access ports are other than vlan 1, and no spanning-tree vlan 1 operations exist, what is the native vlan 1 actually used for? The output of show interface gi0/1 trunk shows the native vlan as 1.
    Thanks,
    HC

    Hi HC,
    the command "switchport trunk native vlan" is used to define the native (untagged vlan) on a dot1q link. The default is 1, but you can change it to anything you like. But it does only change the native vlan, all the other vlans on the trunk are of course tagged (and it only applies to dot1q, as ISL "tags/encapsulates" all the vlans). The command "vlan dot1q tag native" is mostly used in dot1qindot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That's something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1qindot1q. This command tags the native vlan traffic, and drops all traffic which is not tagged.
    What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.
    If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part I'm trying not to use vlan 1 everywhere in my campus, because it gives a huge spanning-tree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible, that's good for the stability!
    Simon

  • Switchport trunk native vlan question...

    What am I missing in regards to the following two lines assigned to a sw interface:
    switchport trunk native vlan 80
    switchport mode trunk
    Why assign a VLAN to the port when you're trunking it (meaning you're allowing all VLANs to pass)?
    Thank you.

    By default native VLAN is VLAN 1, but can be changed to any No. on the trunk port by command "switchport trunk native vlan #". This will make a new vlan# as native & allow all pkts from this vlan to pass thru trunk untagged.
    Native VLANs are used to carry CDP, PAgP & VTP messages. Thus the frames on the native VLAN are untagged. For these messages to propagate between devices, native VLANs must match on both sides of the trunk. In case of native VLAN mismatch on both sides of the trunk, STP will put the trunk port in err-disabled state.

  • Switchport trunk native vlan & switchport access vlan dual configuration

    I've discovered this dual configuration on a 3500xl switch while troubleshooting an incrementing runts issue. Could the config of this port be related to the issue at hand?
    port configuration:
    interface FastEthernet0/3
    duplex full
    speed 100
    switchport access vlan 203
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 203
    switchport trunk allowed vlan 1,203,204,220,1002-1005
    switchport mode trunk
    spanning-tree portfast

    Hi,
    The 'switchport access vlan' command will have no effect on the configuration you have on this port. The port will operate as a trunk and will disregard any config that pertains to an access port.
    Hope that helps ...
    Paresh

  • What is the effect of the command switchport trunk native vlan x

    Hello all,
    I have a SG500 switch. The port Gi0/19 is directly connected to a machine. When I show the running config file I find the following config in the interface gi0/19:
    switchport trunk native vlan 70
    I need to understand this command because I'm a bit confused that I know that only if we have a link between two switches that we put an interface in a trunk mode.
    Please Help :)

    Trunks can carry all the traffic(vlan 70,80,........Including vlan1)
    Access port can only be in one vlan (Say vlan 70)
    So if you configured as trunk and connect the server, and since native vlan is 70, when traffic is of vlan 70, it will not be tagged so your server can understand it. (Assuming that the server does not have the capacity to understand the tagged frames). Traffic in other vlans will also be received by this interface (say vlan 80,....vlan1....) but will be dropped.
    If you configure it as only access and in vlan 70, only untagged vlan 70 traffic will be received on the interface.
    Thanks

  • ASA transparent mode vlan question

    Hi, I was going through ASA 5505 doco and I found the following:
    In transparent firewall mode, you can configure two active VLANs in the Base license and three active VLANs in the Security Plus license, one of which must be for failover.
    So if I want to trunk 3 vlans can I do it or not? It says that one of them should be used for failover, what does that mean? I thought that we can use a failover using an IP address on interface???
    My scenario is that my two ASA 5505 firewalls will be connected to two 3750 switches and I need 3 vlans to come to my outside ASA interface.

    As per:
    http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html#backinfo
    Only two interfaces can be used for data, and a 3rd one for failover.
    Regards,
    Felipe.
    Remember to rate useful posts.
