topic Re: Native VLAN configuration in General Topics

Native VLAN configuration

bjaming — Mon, 18 Jul 2011 22:48:00 GMT

I have configured a couple of layer-3 subinterfaces on a aggregate, they are tagged as VLAN 700 and VLAN 800, in my cisco switch I have configured a trunk port that permits VLAN 700 and VLAN 800 to pass traffic across it. When plugged in, everything comes up just fine and I'm able to ping both interfaces etc etc.

As soon as I add a native vlan to the trunk port the switch shuts it's interfaces down and stops passing traffic (due to a native vlan mismatch obviously) how do I configure a native vlan other than vlan 1 on a layer-3 interface on the palo alto.

Using VLAN 1 is NOT an option.

Re: Native VLAN configuration

mrajdev — Tue, 19 Jul 2011 14:37:39 GMT

Hi Bjaming,

If you add a native vlan other then VLAN1 on the switch, then you might want to configure the same vlan tag as configured on the trunk port on the switch on the ae interface on the PA firewall as well to see if that keeps the interface on the switch side up.

Do please let us know if this works for you.

Thanks

Re: Native VLAN configuration

bjaming — Tue, 19 Jul 2011 15:59:17 GMT

In the example above I mentioned VLAN 800 and 700, on the firewall I configured 2 layer-3 tagged sub-interfaces, one was tagged .800 the other was tagged .700

On the switch when I set the native VLAN as 700 (for example) traffic was no longer forwarded from the switch because the firewall, even though it was tagging traffic for VLAN 700 and 800 did not have the correct native VLAN configured on it's interfaces.

In effect I already tried that, and even though there was a sub-interface configured with the correct VLAN tag the switch still shut down the interfaces.

Thank you for the suggestion.

Re: Native VLAN configuration

bjaming — Thu, 21 Jul 2011 16:36:58 GMT

Okay just to simplify things,

I've removed the second vlan

I have created a VLAN named 888 with an ip on the switch side of 10.8.8.2/24

the interface configs are as follows

int g1/1/1

switchport trunk encapsulation dot1q

switchport mode trunk

int vlan 888

ip address 10.8.8.2 255.255.255.0

on the firewall

ethernet 1/3

link-speed auto;

link-duplex auto;

link-state auto;

layer3 {

mtu1500;

interface-management-profile ping-allowed;

ipv6 {

enabled no;

}

units {

ethernet 1/3.888 {

mtu 1500;

interface-management-profile ping-allowed;

tag 888;

ip {

10.8.8.1/24 { }

}

ipv6 {

enabled no;

}

Configured like that I am able to ping, no problems

When I apply

switchport trunk native vlan 888

to interface g1/1/1 I am no longer able to ping.

How do I configure native VLAN tagging on a 4020?

Do I need to open a support ticket in order to get a resolution?

Re: Native VLAN configuration

jnguyen — Sat, 23 Jul 2011 00:23:28 GMT

To get a better understanding of how you are trying to deploy this please open a case. the native vlan should be untag and should not have any problems. we may want to see what errors are generated on the palo alto interface.

Re: Native VLAN configuration

DavePalo — Wed, 27 Jul 2011 09:28:43 GMT

Hello,

I would expect things to stop working after the native vlan command had been issued as from then on, traffic would be tagged from PA>Cisco and untagged from Cisco>PA.

Have you tried configuring your PA with a L2 port untagged assigned to VLAN 888?

Regards,

Dave

Re: Native VLAN configuration

bjaming — Tue, 09 Aug 2011 16:46:32 GMT

Sorry I've been on vacation (blackhat/defcon) I'll try an untagged l2 interface and get back to you guys, thanks for the help!

Re: Native VLAN configuration

DavePalo — Thu, 20 Oct 2011 08:31:36 GMT

Hi,

Did that work in the end?

Regards,

Dave