Cisco ASA – 802.1q VLAN Tagging

The Cisco ASA supports 802.1q tagging, which inserts a 4-byte tag into the original Ethernet frame between the source MAC address and the EtherType/length field. The 802.1q tag contains four fields:

  1. TPID (Tag Protocol Identifier): 16-bit field. A value of 0x8100 identifies the frame as an IEEE 802.1q-tagged frame.

  2. Priority: 3-bit field (the Priority Code Point) describing the frame priority level. Value can range from 0 to 7.

  3. CFI (Canonical Format Indicator): 1-bit field. If the value is 1, the MAC address is in noncanonical format; if the value is 0, the MAC address is in canonical format. (IEEE 802.1Q-2011 redefined this bit as the Drop Eligible Indicator, DEI.)

  4. VID (VLAN Identifier): 12-bit field identifying the VLAN to which the frame belongs. Value can range from 0 to 4095, but VID 0 (a priority-tagged frame that belongs to no VLAN) and VID 4095 are reserved, so usable VLAN IDs are 1 to 4094.

802.1q Tag Inserted into an Ethernet Frame

Configuration Example

On my Cisco ASA 5520, I’ve set up the GigabitEthernet0/1 interface with a generic setup (name and IP address). I’ve created two subinterfaces off GigabitEthernet0/1: GigabitEthernet0/1.10 which belongs to VLAN 10, and GigabitEthernet0/1.20 which belongs to VLAN 20. I’ve given the subinterfaces new MAC addresses with the mac-address command. The show run interface coughs up this information:

ciscoasa# sh ru int
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.30.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 mac-address 1010.1010.1010
 vlan 10
 nameif SubnetTen
 security-level 100
 ip address 10.30.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 mac-address 2020.2020.2020
 vlan 20
 nameif SubnetTwenty
 security-level 0
 ip address 10.30.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

I have a packet sniffer (Wireshark) snuffling up the frames coming out of the GigabitEthernet0/1 interface. Because the two subinterfaces share that physical port, it also captures the tagged frames they send.

So now let’s generate packets and see what the 802.1q tag looks like. First, let’s generate an untagged packet from the ASA. When I tell the ASA to ping 10.30.1.10, the ASA first does an ARP for the destination.

ciscoasa# ping 10.30.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.1.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

And Wireshark picks up Ethernet frames like the one below, which are untagged since they originate from the GigabitEthernet0/1 interface (which has an IP address of 10.30.1.1 and is therefore the interface used to reach the 10.30.1.0 network). The switch port facing GigabitEthernet0/1 therefore has to be a trunk carrying VLANs 10 and 20, and whatever native VLAN that trunk uses is the network the untagged, security-level 100 inside interface sits on, so pick it deliberately:

Untagged Ethernet Frame Captured in Wireshark

When I tell the ASA to ping 10.30.10.10, the ASA uses the GigabitEthernet0/1.10 interface to ARP for the destination.

ciscoasa# ping 10.30.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.10.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Now Wireshark picks up Ethernet frames like the one below, which originate from MAC address 10:10:10:10:10:10 and are tagged with VLAN 10:

Ethernet Frame Tagged with VLAN 10 Captured in Wireshark

And when I tell the ASA to ping 10.30.20.10:

ciscoasa# ping 10.30.20.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.20.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

We get frames originating from MAC address 20:20:20:20:20:20 that are tagged with VLAN 20:

Ethernet Frame Tagged with VLAN 20 Captured in Wireshark
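As an added example (not code from the original post), here is a small Python encoder and decoder for the four tag fields listed at the top of the page, applied to frames constructed to match the three ARP requests captured above. The post does not show the payload bytes or the burned-in MAC of GigabitEthernet0/1, so the untagged frame's source MAC (PHYS_MAC) is a hypothetical locally administered address and the ARP bodies are built from the addresses in the running config; the parser also walks stacked tags (an 0x88a8 QinQ outer tag over an 0x8100 inner tag), which goes beyond what this ASA config produces.

```python
"""Encode/decode IEEE 802.1q tags; added example, not the post's own code.
Assumptions not shown on the page: PHYS_MAC (hypothetical MAC of the untagged
physical interface) and the ARP bodies, built from the config's addresses."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100   # customer tag (C-TAG); this is what the ASA inserts
TPID_8021AD = 0x88A8  # service tag (S-TAG); outer tag of a QinQ frame
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
PHYS_MAC = "02:00:00:00:00:01"  # hypothetical: GigabitEthernet0/1's MAC is not in the post


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco 'aabb.ccdd.eeff'."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes.fromhex(digits)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def encode_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """4-byte tag: TPID (16 bits), then TCI = priority(3) | CFI/DEI(1) | VID(12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must fit in 3 bits")
    if dei not in (0, 1):
        raise ValueError("CFI/DEI is a single bit")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def build_arp_request(src_mac: str, src_ip: str, target_ip: str,
                      vid: Optional[int] = None) -> bytes:
    """Broadcast ARP who-has; the tag, if any, sits between the src MAC and the EtherType."""
    frame = mac_to_bytes(BROADCAST) + mac_to_bytes(src_mac)
    if vid is not None:
        frame += encode_tag(vid)
    frame += struct.pack("!H", ETHERTYPE_ARP)
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, hlen, plen, request
    frame += mac_to_bytes(src_mac) + ipaddress.IPv4Address(src_ip).packed
    frame += bytes(6) + ipaddress.IPv4Address(target_ip).packed  # target MAC still unknown
    return frame


@dataclass
class VlanTag:
    tpid: int
    pcp: int
    dei: int
    vid: int


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tags: List[VlanTag]  # outermost tag first; empty for an untagged frame
    ethertype: int
    payload: bytes


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk past any stacked tags until a non-tag EtherType is reached."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12])
    off, tags = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("frame truncated before EtherType")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < off + 4:
            raise ValueError("frame truncated inside 802.1q tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append(VlanTag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return ParsedFrame(dst, src, tags, etype, frame[off + 2:])


def summarize(frame: bytes) -> str:
    p = parse_frame(frame)
    vlan = "untagged" if not p.tags else "/".join(f"vlan {t.vid}" for t in p.tags)
    return f"{p.src} -> {p.dst} [{vlan}] ethertype 0x{p.ethertype:04x}"


# Constructed frames matching the three pings in the post (addresses from the config).
FRAMES = {
    "untagged": build_arp_request(PHYS_MAC, "10.30.1.1", "10.30.1.10"),
    "vlan10": build_arp_request("1010.1010.1010", "10.30.10.1", "10.30.10.10", vid=10),
    "vlan20": build_arp_request("2020.2020.2020", "10.30.20.1", "10.30.20.10", vid=20),
}

if __name__ == "__main__":
    for name, raw in FRAMES.items():
        print(f"{name:8s} {summarize(raw)}")
```

The decoder deliberately stops only at a non-tag EtherType, so a frame with an 0x88a8 outer tag and an 0x8100 inner tag is reported with both VIDs (outer first); a capture filter that only looks at the first tag would classify such a frame by the outer VLAN alone.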

Additional Information:

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

mac-address command in the Cisco ASA 8.4 and 8.5 Command Reference.

show run interface command in the Cisco ASA 8.4 and 8.5 Command Reference.

vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.
