07-18-2011 03:48 PM
I have configured a couple of layer-3 subinterfaces on a aggregate, they are tagged as VLAN 700 and VLAN 800, in my cisco switch I have configured a trunk port that permits VLAN 700 and VLAN 800 to pass traffic across it. When plugged in, everything comes up just fine and I'm able to ping both interfaces etc etc.
As soon as I add a native vlan to the trunk port the switch shuts it's interfaces down and stops passing traffic (due to a native vlan mismatch obviously) how do I configure a native vlan other than vlan 1 on a layer-3 interface on the palo alto.
Using VLAN 1 is NOT an option.
07-19-2011 07:37 AM
Hi Bjaming,
If you add a native vlan other then VLAN1 on the switch, then you might want to configure the same vlan tag as configured on the trunk port on the switch on the ae interface on the PA firewall as well to see if that keeps the interface on the switch side up.
Do please let us know if this works for you.
Thanks
07-19-2011 08:59 AM
In the example above I mentioned VLAN 800 and 700, on the firewall I configured 2 layer-3 tagged sub-interfaces, one was tagged .800 the other was tagged .700
On the switch when I set the native VLAN as 700 (for example) traffic was no longer forwarded from the switch because the firewall, even though it was tagging traffic for VLAN 700 and 800 did not have the correct native VLAN configured on it's interfaces.
In effect I already tried that, and even though there was a sub-interface configured with the correct VLAN tag the switch still shut down the interfaces.
Thank you for the suggestion.
07-21-2011 09:36 AM
Okay just to simplify things,
I've removed the second vlan
I have created a VLAN named 888 with an ip on the switch side of 10.8.8.2/24
the interface configs are as follows
int g1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
int vlan 888
ip address 10.8.8.2 255.255.255.0
on the firewall
ethernet 1/3
link-speed auto;
link-duplex auto;
link-state auto;
layer3 {
mtu1500;
interface-management-profile ping-allowed;
ipv6 {
enabled no;
}
}
units {
ethernet 1/3.888 {
mtu 1500;
interface-management-profile ping-allowed;
tag 888;
ip {
10.8.8.1/24 { }
}
ipv6 {
enabled no;
}
}
}
Configured like that I am able to ping, no problems
When I apply
switchport trunk native vlan 888
to interface g1/1/1 I am no longer able to ping.
How do I configure native VLAN tagging on a 4020?
Do I need to open a support ticket in order to get a resolution?
07-22-2011 05:23 PM
To get a better understanding of how you are trying to deploy this please open a case. the native vlan should be untag and should not have any problems. we may want to see what errors are generated on the palo alto interface.
07-27-2011 02:28 AM
Hello,
I would expect things to stop working after the native vlan command had been issued as from then on, traffic would be tagged from PA>Cisco and untagged from Cisco>PA.
Have you tried configuring your PA with a L2 port untagged assigned to VLAN 888?
Regards,
Dave
08-09-2011 09:46 AM
Sorry I've been on vacation (blackhat/defcon) I'll try an untagged l2 interface and get back to you guys, thanks for the help!
10-20-2011 01:31 AM
Hi,
Did that work in the end?
Regards,
Dave
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
