Trunk and MTU configuration on ASA firewall



::Trunks on ASA 5510 and higher::

            - An ASA trunk link supports only the IEEE 802.1q trunk encapsulation method.
            - As each packet is sent over a trunk link, it is tagged with its source VLAN number.
            - As packets are removed from the trunk, the tag is examined and removed so that the packet can be forwarded to the appropriate VLAN.
            - By default, packets sent out the ASA's physical interface itself are not tagged; they appear to belong to the trunk's native VLAN.
            - Packets that are sent out a sub-interface do receive a VLAN tag.
            - IEEE 802.1q trunk links support the concept of a native VLAN. Frames from the native VLAN are sent over the trunk link without a tag, while frames from other VLANs have a tag added while in the trunk.
            - An ASA trunk link is either on or off, according to the sub-interface configuration. A sub-interface is created and bound to a VLAN with:

        ciscoasa(config)# interface hardware_id.subinterface
        ciscoasa(config-subif)# vlan vlan_id


    ::Configure a Trunk Link on an ASA::

         ciscoasa(config)# interface e0/0
         ciscoasa(config-if)# no shutdown
         ciscoasa(config)# int e0/0.1
         ciscoasa(config-subif)# vlan 10
         ciscoasa(config)# int e0/0.2
         ciscoasa(config-subif)# vlan 20


   CASE:

   Problem: TRUNK CONNECTION PROBLEM BETWEEN A CISCO ASA AND A CISCO SWITCH
We have set up a trunk link between a Cisco ASA (5505 and above) and a Cisco switch (2960, 3560). However, we are not able to establish a connection between them at either Layer 2 or Layer 3.
If we look at the interface counters on the firewall, we may notice a growing number of "L2 decode Drops" errors.

  
 Solution:

        - The most likely cause is the native VLAN on the switch side of the trunk.
        - We have a sub-interface on the ASA that is supposed to route for the native VLAN.
        - When the switch sends out a frame from the native VLAN, it does not tag it.
        - However, if the ASA has a sub-interface for that VLAN, it expects only tagged frames for it, so communication for that VLAN will fail between the switch and the ASA.

  In short:

       - If we have a sub-interface for a VLAN on the ASA, that VLAN cannot also be used as the native VLAN on the switch's trunk port.
       - Any VLAN set up that way will not work.
       - To solve this, change the sub-interface/VLAN configuration on the ASA so that it avoids the switch port's native VLAN, or change the native VLAN on the switch to something else.
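To make the native-VLAN check mechanical, here is an added Python example (not from the original post): it parses a constructed ASA running-config excerpt and the constructed config of the switch trunk port facing it, and reports any ASA sub-interface whose VLAN collides with the switch's native VLAN. The interface names and config text are assumptions made up for the example.

```python
import re

# Constructed ASA running-config excerpt (not from a real device).
ASA_CONFIG = """\
interface Ethernet0/0.1
 vlan 10
 nameif inside
!
interface Ethernet0/0.2
 vlan 20
 nameif dmz
!
"""
# Constructed config of the switch trunk port facing the ASA.
SWITCH_PORT_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
"""

def asa_subinterface_vlans(config):
    """Map each ASA sub-interface to the 802.1q VLAN it expects tagged frames for."""
    vlans = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+\.\d+)$", line)
        if m:
            current = m.group(1)  # entering a sub-interface block
        elif not line.startswith(" "):
            current = None  # '!' or a top-level command ends the block
        elif current:
            m = re.match(r"\s+vlan (\d+)$", line)
            if m:
                vlans[current] = int(m.group(1))
    return vlans

def switch_native_vlan(config):
    """Native VLAN of the trunk port; an 802.1q trunk defaults to VLAN 1 if none is set."""
    m = re.search(r"switchport trunk native vlan (\d+)", config)
    return int(m.group(1)) if m else 1

def native_vlan_conflicts(asa_config, switch_config):
    """Sub-interfaces whose VLAN is the switch's native VLAN: the switch sends that VLAN
    untagged, the ASA sub-interface accepts only tagged frames, so its traffic is dropped
    (the 'L2 decode Drops' symptom)."""
    native = switch_native_vlan(switch_config)
    return sorted(n for n, v in asa_subinterface_vlans(asa_config).items() if v == native)
```

With the sample configs, `native_vlan_conflicts(ASA_CONFIG, SWITCH_PORT_CONFIG)` returns `['Ethernet0/0.1']`, the sub-interface that must be moved off VLAN 10 or whose VLAN must stop being the switch's native VLAN.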



::ASA Firewall Interface MTU::

       - An Ethernet interface has its maximum transmission unit (MTU) size set to 1500 bytes by default.
       - A packet larger than the MTU must be fragmented before being transmitted.
       - Before the packet can be presented at the destination, all of its fragments must be reassembled in their proper order.
       - The fragmentation and reassembly process takes time, memory, and CPU resources, so it should be avoided if possible.
       - Various IEEE standards use expanded frame sizes to carry additional information. Data centers often leverage Ethernet "giant" or "jumbo" frames, which are much larger than normal, to move large amounts of data efficiently.
       - Use the following command to adjust the MTU on an ASA interface:

     ciscoasa(config)# mtu <nameif> <bytes>

       - The transmitted MTU can be sized from 64 to 9216 bytes.
       - We should also use the following command, entered in global configuration mode, to enable jumbo frame processing for frames received on an interface:

    ciscoasa(config)# jumbo-frame reservation

       - When increasing the MTU size on any ASA, always remember that the jumbo-frame reservation command is supported only on the ASA 5580.





By Er. AJAI SINGH on Thursday, 31 January 2013