The Cisco ASA supports 802.1q tagging, which inserts a 4-byte tag into the original Ethernet frame between the source MAC address and the EtherType. The 802.1q tag contains 4 fields:
- TPID (Tag Protocol Identifier): 16-bit field. A value of 0x8100 identifies the frame as an IEEE 802.1q-tagged frame.
- PCP (Priority Code Point): 3-bit field describing the frame priority level. Value can range from 0 to 7.
- CFI (Canonical Format Indicator): 1-bit field. If the value is 1, the MAC address is in noncanonical format. If the value is 0, the MAC address is in canonical format.
- VID (VLAN Identifier): 12-bit field identifying the VLAN to which the frame belongs. Value can range from 0 to 4095, but 0 (a priority-tagged frame with no VLAN) and 4095 are reserved, so the usable VLAN IDs are 1 to 4094.
On my Cisco ASA 5520, I’ve set up the GigabitEthernet0/1 interface with a generic setup (name and IP address). I’ve created two subinterfaces off GigabitEthernet0/1: GigabitEthernet0/1.10 which belongs to VLAN 10, and GigabitEthernet0/1.20 which belongs to VLAN 20. I’ve given the subinterfaces new MAC addresses with the mac-address command. The show run interface coughs up this information:
ciscoasa# sh ru int
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 220.127.116.11 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.30.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 mac-address 1010.1010.1010
 vlan 10
 nameif SubnetTen
 security-level 100
 ip address 10.30.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 mac-address 2020.2020.2020
 vlan 20
 nameif SubnetTwenty
 security-level 0
 ip address 10.30.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
I have a packet sniffer (Wireshark) snuffling up the frames coming out of the GigabitEthernet0/1 interface. Because GigabitEthernet0/1.10 and GigabitEthernet0/1.20 are subinterfaces of that same physical port, the capture also picks up the frames they send, each carrying its own VLAN tag.
So now let’s generate packets and see what the 802.1q tag looks like. First, let’s generate an untagged packet from the ASA. When I tell the ASA to ping 10.30.1.10, the ASA first does an ARP for the destination.
ciscoasa# ping 10.30.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.1.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
And Wireshark picks up Ethernet frames like the one below. They are untagged because they originate from the GigabitEthernet0/1 interface itself (it has the IP address 10.30.1.1 and is therefore the interface used to reach the 10.30.1.0/24 network), so the EtherType follows the source MAC address directly, with no 802.1q tag in between:
When I tell the ASA to ping 10.30.10.10, the ASA uses the GigabitEthernet0/1.10 interface to ARP for the destination.
ciscoasa# ping 10.30.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.10.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Now Wireshark picks up Ethernet frames like the one below, which originate from MAC address 10:10:10:10:10:10 and are tagged with VLAN 10:
And when I tell the ASA to ping 10.30.20.10:
ciscoasa# ping 10.30.20.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.20.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
We get frames originating from MAC address 20:20:20:20:20:20 that are tagged with VLAN 20:
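To make the tag layout described at the top of the post concrete, and to reproduce the three kinds of frame the captures above show (untagged from GigabitEthernet0/1, VLAN 10 from 10:10:10:10:10:10, VLAN 20 from 20:20:20:20:20:20), here is an added Python example that is not from the original post or from Cisco. It builds broadcast ARP requests with or without an 802.1q tag and decodes them back into TPID, PCP, CFI and VID. The decoder goes a step beyond the post by peeling off stacked 802.1ad/802.1q (QinQ) tags as well. The frames are constructed in code, not real captures; the physical MAC of GigabitEthernet0/1 is not given in the post, so 02:00:00:00:00:01 is a made-up placeholder.

```python
"""Build and decode 802.1Q-tagged Ethernet frames (added example, not from the post)."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100    # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8   # IEEE 802.1ad service tag (outer tag in QinQ)
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class VlanTag:
    tpid: int   # 16-bit Tag Protocol Identifier
    pcp: int    # 3-bit Priority Code Point (0-7)
    cfi: int    # 1-bit Canonical Format Indicator
    vid: int    # 12-bit VLAN Identifier (0-4095)


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[VlanTag]   # outermost first; empty for an untagged frame
    ethertype: int
    payload: bytes


def mac_from_str(s: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, or Cisco aabb.ccdd.eeff notation."""
    digits = s.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {s!r}")
    return bytes.fromhex(digits)


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_tag(vid: int, pcp: int = 0, cfi: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Pack the 4-byte tag: TPID, then TCI = PCP(3 bits) | CFI(1 bit) | VID(12 bits)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("tag field out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | (cfi << 12) | vid)


def build_arp_request(src_mac: str, src_ip: str, target_ip: str,
                      vid: Optional[int] = None) -> bytes:
    """Broadcast Ethernet frame carrying an ARP request, tagged with `vid` when given."""
    # ARP: hw type Ethernet (1), proto IPv4 (0x0800), hlen 6, plen 4, opcode request (1)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac_from_str(src_mac), socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    tag = build_tag(vid) if vid is not None else b""
    # The tag sits between the source MAC and the EtherType, pushing the EtherType out by 4 bytes.
    return (mac_from_str(BROADCAST) + mac_from_str(src_mac) + tag
            + struct.pack("!H", ETHERTYPE_ARP) + arp)


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header, peeling off any number of stacked 802.1Q/802.1ad tags."""
    if len(raw) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset, tags = 12, []
    while True:
        if len(raw) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        ethertype = struct.unpack_from("!H", raw, offset)[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(raw) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        tci = struct.unpack_from("!H", raw, offset + 2)[0]
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return Frame(mac_to_str(raw[0:6]), mac_to_str(raw[6:12]), tags, ethertype, raw[offset + 2:])


def vlan_of(raw: bytes) -> Optional[int]:
    """Outermost VID, or None for an untagged frame."""
    tags = parse_frame(raw).tags
    return tags[0].vid if tags else None


# Constructed frames standing in for the post's three Wireshark captures (not real captures).
# The physical MAC of GigabitEthernet0/1 is not in the post; 02:00:00:00:00:01 is a placeholder.
CAPTURES = {
    "G0/1 untagged":   build_arp_request("02:00:00:00:00:01", "10.30.1.1", "10.30.1.10"),
    "G0/1.10 VLAN 10": build_arp_request("1010.1010.1010", "10.30.10.1", "10.30.10.10", vid=10),
    "G0/1.20 VLAN 20": build_arp_request("2020.2020.2020", "10.30.20.1", "10.30.20.10", vid=20),
}

if __name__ == "__main__":
    for label, raw in CAPTURES.items():
        f = parse_frame(raw)
        tag = (f"TPID 0x{f.tags[0].tpid:04x} PCP {f.tags[0].pcp} CFI {f.tags[0].cfi} VID {f.tags[0].vid}"
               if f.tags else "untagged")
        print(f"{label}: src {f.src}  {tag}  EtherType 0x{f.ethertype:04x}  {len(raw)} bytes")
```

Running the script prints one line per constructed frame; the tagged ones are 4 bytes longer than the untagged one, which is exactly the inserted tag. Feeding a real capture to parse_frame works the same way if you strip the pcap record header first, and vlan_of is the check to apply when verifying that a subinterface is actually sending on the VLAN its configuration claims.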