Missing Allowed vlans on trunk on Standby ACE.

Guys,
I would like to know if allowing VLANs under the port-channel will replicate on the standby unit. Somehow I see all configuration is synced except switchport trunk allowed vlan under the port-channel.
Thanks
Ajay

Hi Siva,
I removed the 3rd port from the port-channel but the VLANs are still not getting synced.
ACE1/Admin# sh vlan
Vlans configured on physical port(s)
vlan3001  vlan3060  vlan3200-3201  vlan3208  vlan3260-3262  vlan3264-3265  vlan3270-3272  vlan3274-3275  vlan3280  vlan3300-3302  vlan3650-3652  vlan3661-3663  vlan3668-3669  vlan4090
ACE1/Admin#
ACE2/Admin# sh vlan
Vlans configured on physical port(s)
vlan3001  vlan3200-3201  vlan3208  vlan3260-3262  vlan3264-3265  vlan3270-3272  vlan3274-3275  vlan3300-3302  vlan3650-3652  vlan3661  vlan3668-3669  vlan4090
ACE2/Admin#
ACE1/Admin# sh ft group status
FT Group                     : 1
Configured Status            : in-service
Maintenance mode             : MAINT_MODE_OFF
My State                     : FSM_FT_STATE_ACTIVE
Peer State                   : FSM_FT_STATE_STANDBY_HOT
Peer Id                      : 1
No. of Contexts              : 1
Running cfg sync status      : Running configuration sync has completed
Startup cfg sync status      : Startup configuration sync has completed
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 4090
  query-interface vlan 3001
ft group 1
  peer 1
  no preempt
  priority 150
  associate-context Admin
  inservice
Any suggestions / next steps to troubleshoot?
Thanks
Ajay
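The "Running configuration sync has completed" line above only says the sync job finished; it does not say the two modules carry the same VLANs. A direct comparison of the two `show vlan` outputs does, and it is what you would hand to TAC. The script below is an added example (my own Python, not Cisco's and not the poster's) that expands the `vlanNNNN` / `vlanNNNN-MMMM` tokens from both outputs and reports what the standby is missing. The two inputs are the outputs pasted above; the token format is assumed to be exactly what is shown there.

```python
import re

# 'show vlan' output from the two ACE modules as pasted in the post above.
ACE1_SHOW_VLAN = """Vlans configured on physical port(s)
vlan3001  vlan3060  vlan3200-3201  vlan3208  vlan3260-3262  vlan3264-3265  vlan3270-3272  vlan3274-3275  vlan3280  vlan3300-3302  vlan3650-3652  vlan3661-3663  vlan3668-3669  vlan4090
"""
ACE2_SHOW_VLAN = """Vlans configured on physical port(s)
vlan3001  vlan3200-3201  vlan3208  vlan3260-3262  vlan3264-3265  vlan3270-3272  vlan3274-3275  vlan3300-3302  vlan3650-3652  vlan3661  vlan3668-3669  vlan4090
"""

# One token is 'vlan3001' or 'vlan3200-3201'; the second group is empty for a single ID.
_VLAN_TOKEN = re.compile(r"vlan(\d+)(?:-(\d+))?")


def expand_vlans(show_vlan_output):
    """Expand every vlanNNNN / vlanNNNN-MMMM token in 'show vlan' output into a set of VLAN IDs."""
    vlans = set()
    for lo, hi in _VLAN_TOKEN.findall(show_vlan_output):
        start, end = int(lo), int(hi or lo)
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"bad VLAN range {lo}-{hi}")
        vlans.update(range(start, end + 1))
    return vlans


def compress_vlans(vlans):
    """Render a set of VLAN IDs back into Cisco-style 'a,b-c' ranges (empty string for no VLANs)."""
    ids, parts, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def diff_vlans(active_output, standby_output):
    """Return (VLANs only on the active, VLANs only on the standby) as range strings."""
    active, standby = expand_vlans(active_output), expand_vlans(standby_output)
    return compress_vlans(active - standby), compress_vlans(standby - active)


if __name__ == "__main__":
    missing_on_standby, extra_on_standby = diff_vlans(ACE1_SHOW_VLAN, ACE2_SHOW_VLAN)
    print("on active but not on standby:", missing_on_standby or "-")
    print("on standby but not on active:", extra_on_standby or "-")
```

For the outputs in the post this reports 3060, 3280 and 3662-3663 as present on ACE1 only. Anything in the first list is a VLAN whose servers and VIPs drop off the network the moment a failover happens; anything in the second list is a VLAN the standby could forward into that the active never does, which is worth explaining before declaring the pair healthy.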

Similar Messages

  • 897VAW: Cannot add Allowed vlans to Trunk on WLAN-GigabitEthernet interface

    Hi,
    I am trying to configure the Access Point module on my Cisco Router (897VAW), however I am unable to route / ping between the router and the AP.
    In a few examples I've seen, the wlan-GigabitEthernet interface has the command:
    switchport trunk allowed vlan 1-3,1002-1005
    or
    switchport trunk native vlan 2
    I have tried both and although the router doesn't error, showing the config, neither command has taken.
    Is there something I am doing wrong or is this a bug in the IOS?
    To save making this post long, my latest running configs are on my blog:
    Router: http://www.thingsgeeky.walker.uk.com/?p=3781
    AP: http://www.thingsgeeky.walker.uk.com/?p=3781
    Many Thanks
    W.


  • VTP Pruning vs Allowing VLANs on Trunk ports

    We would like to know best approach to reduce VLAN traffic on our network. We are currently trunking all fiber ports 802.1q.
    We have about 73 VLANs across the network. We have done a lot of research and there seem to be a lot of theoretical answers but no one who uses it in practice.
    Here are our current configs for fiber ports between closets:
    Cisco WMH6509
    interface GigabitEthernet2/8
     description Fiber To STB Lab 3850
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
     no ip address
     no snmp trap link-status
    end
    Cisco STB Lab 3850
    interface GigabitEthernet1/1/1
     description Fiber To WMH6509
     switchport mode trunk
    end
    We are considering:
    VTP Pruning Enable
               or
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 26,99,109,188
     switchport mode trunk
    Thanks,
    Tom

    As I have some years (cough - decades) software development experience, I lean toward automation solutions, so, for example, I often prefer dynamic routing over static routing, and so likewise, I prefer VTP over manual configuration on multiple devices.
    However, VTP does have some "quirks".  For example, this year I ran into an issue where an edge switch had a new VLAN defined to a port which wasn't in use on a transit switch, so VTP auto pruning pruned it off the transit's uplink trunk.  (It was a bit of a pain to find the cause, as VTP doesn't prune right away - the edge worked for a bit and then it stopped working.  One fix would have been to stop using VTP auto-pruning across the whole VTP domain, but instead I configured VTP to not auto-prune the needed VLAN across the needed trunk.)
    So, as Paul notes, VTP auto pruning might be easier to get going, but be prepared for unexpected incidents (again, not saying you'll have any, just be prepared).  So, if you're prepared, I would go with VTP auto pruning, but if you want to "play safe", go with Paul's recommendation.

  • Unable to add allowed VLANs to TenGig trunk port

    Hi,
    I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
    I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doesn't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
    I've tried adding single VLANs and multiples, but no joy. Any ideas?
    Here's what I've done:
    SWITCH_1631(config)#default int t4/1
    Interface TenGigabitEthernet4/1 set to default configuration
    SWITCH_1631#sh ru int t4/12
    Building configuration...
    Current configuration : 65 bytes
    interface TenGigabitEthernet4/12
     no ip address
     shutdown
    end
    SWITCH_1631(config)#int t4/1
    SWITCH_1631(config-if)#switchport
    SWITCH_1631(config-if)#switchport mode trunk
    SWITCH_1631(config-if)#switchport trunk allowed vlan ?
      WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
      add     add VLANs to the current list
      all     all VLANs
      except  all VLANs except the following
      none    no VLANs
      remove  remove VLANs from the current list
    SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
    SWITCH_1631(config-if)#
    SWITCH_1631#sh vlan id 700
    VLAN Name                             Status    Ports
    700  VLAN_NAME                        active    <snip>
    SWITCH_1631#sh ru int t4/1
    Building configuration...
    Current configuration : 74 bytes
    interface TenGigabitEthernet4/1
     switchport
     switchport mode trunk
    end

    Steve,
    Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
    Port                Mode         Encapsulation  Status        Native vlan
    Gi3/39              on           802.1q         trunking      1
    Te4/1               on           802.1q         trunking      1
    Po1                 on           802.1q         trunking      50
    Po2                 on           802.1q         trunking      50
    Po3                 on           802.1q         trunking      50
    Po4                 on           802.1q         trunking      50
    Po5                 on           802.1q         trunking      50
    Port                Vlans allowed on trunk
    Gi3/39              15-16,20-23,30,401,608
    Te4/1               1-4094
    Po1                 10,13,20-21,25,30,50,52,61,70,600,700-701,950
    Po2                 10,20,30,50,52,61,70,600,700-701,950
    Po3                 10,20,30,50,61,70,600,700-701,950
    Po4                 10,20,30,50,61,70,600,700-701,950
    Po5                 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
    The problem was that I've always been advised that best practice is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
    Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
    Then I realised what the problem was: trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
    So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed!

  • Switch Port Trunk allowed Vlan

    Hi Guys
    Request your help on my query :
    I have a distribution switch  and access switch and port channel between them.
    Dist switch is the VTP server
    let's assume I have 25 VLANs
    when I do show vlan brief on the access switch I can see all 25 VLANs listed now
    now when I configure switchport trunk allowed vlan (ex: permitting 10 VLANs) on the link connecting to the access switch at the Dist switch
    Dist switch po1 -- connecting to - po Access switch
    Dist switch #
    int po1
    switchport trunk allowed vlan x,x,x,x,x,x,x,x,x,
    After permitting 10 VLANs through trunk allowed vlan and then when I do show vlan brief on the access switch, I should see only the 10 VLANs which I have permitted, right?
    Thanks in advance  

    Hi,
    John is absolutely correct - even if you do not permit a VLAN on a trunk, it can still provide communication among local ports on a switch that are all assigned to the same VLAN.
    I have a feeling that your original question was focused on a different aspect, though: You probably expected that if you exclude some VLANs from trunks, these VLANs will not be propagated via VTP to surrounding switches. Sadly, this is not the case. The switchport trunk allowed vlan command only affects data traffic in individual VLANs but it has no impact on the operation of VTP protocol. The VTP still advertises all VLANs, regardless of which VLANs are allowed on a trunk. To put it plainly, in a VTP domain, all server/client switches will know about all VLANs. THere is no legal possibility of having a single VTP domain consisting of server/client switch and yet have the switches differ in their VLAN database contents. It's as easy as that: one VTP domain = one big common VLAN database.
    Best regards,
    Peter

  • Standby ACE unresponsive

    Hello,
    My standby ACE has gone to unresponsive mode and shows something like this
    peer state: FSM_FT_STATE_UNKNOWN
    This is for all the contexts in the slot module. My question is how do we bring it back to HOT_STANDBY when all contexts are unresponsive
    AND
    How do we bring it to HOT_STANDBY when just one context is unresponsive
    Thanks
    SID

    HI Sid,
    It is very similar to the previous response of your query.
    As I am seeing one error message here in your mail:
    peer state: FSM_FT_STATE_UNKNOWN
    Upon failure of the fault tolerant link between Services Chassis, the peer standby ACE begins to query the status of its peer active ACE. Six consecutive ping requests occur approximately every five seconds across the query interface VLAN while the fault tolerant link is down. The output from the show ft group detail command shown below indicates that the fault tolerant link is down; the primary peer state is unknown but the primary peer is still reachable. As a result, the standby peer remains in FSM_FT_STATE_STANDBY_COLD. When the fault tolerant link is recovered the query ping tests cease.
    dca-ss2-ace/Admin# show ft group detail
    FT Group : 1
    No. of Contexts : 1
    Context Name : Admin
    Context Id : 0
    Configured Status : in-service
    Maintenance mode : MAINT_MODE_OFF
    My State : FSM_FT_STATE_STANDBY_COLD
    My Config Priority : 50
    My Net Priority : 50
    My Preempt : Enabled
    Peer State : FSM_FT_STATE_UNKNOWN
    Peer Config Priority : Unknown
    Peer Net Priority : Unknown
    Peer Preempt : Unknown
    Peer Id : 1
    Last State Change time : Wed Jun 11 14:46:08 2008
    Running cfg sync enabled : Disabled
    Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
    alternate interface
    Startup cfg sync enabled : Disabled
    Startup cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
    alternate interface
    Bulk sync done for ARP: 0
    Bulk sync done for LB: 0
    Bulk sync done for ICM: 0
    FT Group : 2
    No. of Contexts : 1
    Context Name : dca-ace-one
    Context Id : 1
    Configured Status : in-service
    Maintenance mode : MAINT_MODE_OFF
    My State : FSM_FT_STATE_STANDBY_COLD
    My Config Priority : 50
    My Net Priority : 50
    My Preempt : Enabled
    Peer State : FSM_FT_STATE_UNKNOWN
    Peer Config Priority : Unknown
    Peer Net Priority : Unknown
    Peer Preempt : Unknown
    Peer Id : 1
    Last State Change time : Wed Jun 11 14:46:08 2008
    Running cfg sync enabled : Disabled
    Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
    alternate interface
    Startup cfg sync enabled : Disabled
    Startup cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
    alternate interface
    Bulk sync done for ARP: 0
    Bulk sync done for LB: 0
    Bulk sync done for ICM: 0
    All fault tolerant groups will honor the results of the query tests and remain in a FSM_FT_STATE_STANDBY_COLD state on the standby peer ACE.
    The Admin context allows the network administrator to assemble virtual contexts into failover groups. A failover group is a container, which permits a pair of ACE modules to define several failover characteristics and apply them to all virtual context assigned to the container, including the Admin context. These defining features include:
    •The associated peer ACE
    •The priority or preference value for each ACE module in the redundant pairing
    •Preemption (enabled by default)
    •The virtual context(s) coupled to the group
    Sachin Garg

  • Various questions on uplink profiles, CoS, native VLAN, downlink trunking

    I will be using vPC End Host Mode with MAC-pinning. I see I can further configure MAC-Pinning. Is this required or will it automatically forward packets by just turning it on? Is it also best not to enable failover for the vnics in this configuration? See this text from the Cisco 1000V deployment Guide:
    Fabric Fail-Over Mode
    Within the Cisco UCS M71KR-E, M71KR-Q and M81KR adapter types, the Cisco Unified Computing System can
    enable a fabric failover capability in which loss of connectivity on a path in use will cause remapping of traffic
    through a redundant path within the Cisco Unified Computing System. It is recommended to allow the Cisco Nexus
    1000V redundancy mechanism to provide the redundancy and not to enable fabric fail-over when creating the
    network interfaces within the UCS Service Profiles. Figure 3 shows the dialog box. Make sure the Enable Failover
    checkbox is not checked."
    What is the 1000V redundancy?? I didn't know it has redundancy. Is it the MAC-Pinning set up in the 1000V? Is it Network State Tracking?
    The 1000V has redundancy and we can even pin VLANs to whatever vNIC we want. See Cisco's Best Practices for Nexus 1000V and UCS.
    Nexus1000V management VLAN. Can I use the same VLAN for this and for ESX-management and for Switch management? E.g VLan 3 for everything.
    According to the below text (1000V Deployment Guide), I can have them all in the same vlan:
    There are no best practices that specify whether the VSM
    and the VMware ESX management interface should be on the same VLAN. If the management VLAN for
    network devices is a different VLAN than that used for server management, the VSM management
    interface should be on the management VLAN used for the network devices. Otherwise, the VSM and the
    VMware ESX management interfaces should share the same VLAN.
    I will also be using CoS and Qos to prioritize the traffic. The CoS can either be set in the 1000V (Host control Full) or per virtual adapter (Host control none) in UCS. Since I don't know how to configure CoS on the 1000V, I wonder if I can just set it in UCS (per adapter) as before when using the 1000V, ie. we have 2 choices.
    Yes, you can still manage CoS using QoS on the vnics when using 1000V:
    The recommended action in the Cisco Nexus 1000V Series is to assign a class of service (CoS) of 6 to the VMware service console and VMkernel flows and to honor these QoS markings on the data center switch to which the Cisco UCS 6100 Series Fabric Interconnect connects. Marking of QoS values can be performed on the Cisco Nexus 1000V Series Switch in all cases, or it can be performed on a per-VIF basis on the Cisco UCS M81KR or P81E within the Cisco Unified Computing System with or without the Cisco Nexus 1000V Series Switch.
    Something else: Native VLANs
    Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1?   I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.
    Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (e.g. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
    And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
    What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
    No, port channel should not be configured when MAC-pinning is configured.
    [Robert] The VSM doesn't participate in STP so it will never send BPDUs.  However, since VMs can act like bridges & routers these days, we advise adding two commands to your upstream VEM uplinks - PortFast and BPDUFilter.  PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDUs from VMs.  I prefer to ignore them rather than using BPDU Guard - which will shut down the interface if BPDUs are received.
    -Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
    Edit: 26 July 14:23. Found answers to many of my many questions...

    Answers inline.
    Atle Dale wrote:
    Something else: Native VLANs
    Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.
    [Robert] The native VLAN is assigned per hop.  This means between the 1000v Uplinks port profile and your UCS vNIC definition, the native VLAN should be the same.  If you're not using a native VLAN, the "default" VLAN will be used for control traffic communication.  The native VLAN and default VLAN are not necessarily the same.  Native refers to VLAN traffic without an 802.1q header and can be assigned or not.  A default VLAN is mandatory.  This happens to start as VLAN 1 in UCS but can be changed.  The default VLAN will be used for control traffic communication.  If you look at any switch (including the 1000v or Fabric Interconnects) and do a "show int trunk" from the NXOS CLI, you'll see there's always one VLAN allowed on every interface (by default VLAN 1) - this is your default VLAN.
    Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (e.g. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
    [Robert] There's no VLAN 0.  An access port doesn't use a native VLAN - as it's assigned only to a single VLAN.  A trunk on the other hand carries multiple VLANs and can have a native VLAN assigned.  Remember your native VLAN usage must be matched between each hop.  Most network admins set up the native VLAN to be the same throughout their network for simplicity.
    In your example, you wouldn't set your VM's port profile to be in VLAN 0 (doesn't exist), but rather VLAN 2 as an access port.  If VLAN 2 also happens to be your native VLAN northbound of UCS, then you would configure VLAN 2 as the native VLAN on your UCS Ethernet uplinks.  On the switch northbound of the UCS Interconnects you'll want to ensure on the receiving trunk interface VLAN 2 is set as the native VLAN also.
    Summary:
    1000v - VM vEthernet port profile set as access port VLAN 2
    1000v - Ethernet Uplink Port profile set as trunk with Native VLAN 2
    UCS - vNIC in Service Profile allowing all required VLANs, and VLAN 2 set as Native
    UCS - Uplink Interface(s) or Port Channel set as trunk with VLAN 2 as Native VLAN
    Upstream Switch from UCS - Set as trunk interface with Native VLAN 2
    From this example, your VM will be reachable on VLAN 2 from any device - assuming you have L3/routing configured correctly also.
    And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
    [Robert] This statement recommends "not" to use a native VLAN.  This is a practice by some people.  Rather than using a native VLAN throughout their network, they tag everything.  This doesn't change the operation or reachability of any VLAN or device - it's simply a design decision.  The reason some people opt not to use a native VLAN is that almost all switches use VLAN 1 as the native by default.  So if you're using the native VLAN 1 for management access to all your devices, and someone connects in (without your knowing) another switch and simply plugs into it - they'd land on the same VLAN as your management devices and potentially do harm.
    What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
    [Robert] On the first generation hardware (6100 FI and 2104 IOM) port channeling is not possible.  With the latest HW (6200 and 2200) you can create port channels with all the IOM - FI server links.  This is not configurable.  You either tell the system to use Port Channel or Individual Links.  The major bonus of using a Port Channel is losing a link doesn't impact any pinned interfaces - as it would with individual server interfaces.  To fix a failed link when configured as "Individual" you must re-ack the Chassis to re-pin the virtual interfaces to the remaining server uplinks.  In regards to 1000v uplinks - the only supported port channeling method is "Mac Pinning".  This is because you can't port channel physical interfaces going to separate Fabrics (one to A and one to B).  Mac Pinning gets around this by using pinning so all uplinks can be utilized at the same time.
    --
    [Robert] The VSM doesn't participate in STP so it will never send BPDUs.  However, since VMs can act like bridges & routers these days, we advise adding two commands to your upstream VEM uplinks - PortFast and BPDUFilter.  PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDUs from VMs.  I prefer to ignore them rather than using BPDU Guard - which will shut down the interface if BPDUs are received.
    -Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
    [Robert] The two STP commands would be used only when the VEM (ESX host) is directly connected to an upstream switch.  For UCS these two commands do NOT apply.

  • Probe fail on Standby ACE in One-armed mode

    Hi there
    I'm Kilsoo.
    I made One-armed mode using ACE.
    Real servers are in a different VLAN from the ACE.
    So, I configured the PBR with ACE alias ip address for the next-hop on the real server's gateway interface.
    And, the probe from active ACE works well.
    But, the probe from the standby ACE fails.
    At this point, my first question
    Is it a normal situation that the probe fails from the standby ACE????
    So, I made the route-map for PBR like below as a temporary solution.
    route-map PBR deny 5
      match ip address Probe_ACL
    route-map PBR permit 10
      match ip address L4_ACL
      set ip next-hop <Alias IP address>
    ip access-list extended Probe_ACL
      permit ip any host <Standby ACE's IP address>
    ip access-list extended L4_ACL
      permit tcp host <Real server's IP address> eq 80 any
    Second question...
    Do you have any other good solutions???
    Thanks

    Hi Cesar
    Thanks for your reply.
    But I think I was confused when I wrote the message.
    I used both ACEs' VLAN IP addresses for the next-hop IP address, like your advice.
    Do you know whether the standby ACE can't probe without a route-map in one-armed mode, like the diagram below???
    Backbone Router
             |
             |
             |
    Supervisor --------------------ACE(vserver: 172.19.100.100)
             |         (vlan 200)
             |
             |
             |(vlan 110)
             |
             |
    Real servers
    (172.19.110.111)

  • Does it need add the native vlan to allowed vlan list ?

    If I configured the port like this "
    switchport trunk native vlan 10
    switchport trunk allowed vlan 11,12"
    is VLAN 10 allowed to pass? Or does it still need VLAN 10 added to the allowed VLAN list like "
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,11,12"
    Thanks

    Yes you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
    The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
    But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shuts down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
    Kevin Dorrell
    Luxembourg
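Two things in the threads above are easy to get wrong by eye: the TenGig thread's discovery that `switchport trunk allowed vlan add 700` is a no-op when 1-4094 is already allowed, and Kevin's point that the native VLAN only stays off a trunk if it is absent from the allowed list. The following Python is an added example (mine, not from any of the posters and not Cisco's) that models the IOS allowed-list operations (plain list, add, remove, except, all, none, starting from the 1-4094 default) and then audits a pasted `show interfaces trunk` for the three settings a security review flags: native VLAN left at 1, every VLAN allowed, and the native VLAN present in the allowed list. The sample input is the two tables pasted in the TenGig thread; the flag names are this example's own.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))   # IOS default: a new trunk allows 1-4094

# 'show interfaces trunk' tables as pasted in the TenGig thread above.
SHOW_TRUNK = """\
Port                Mode         Encapsulation  Status        Native vlan
Gi3/39              on           802.1q         trunking      1
Te4/1               on           802.1q         trunking      1
Po1                 on           802.1q         trunking      50
Po2                 on           802.1q         trunking      50
Po3                 on           802.1q         trunking      50
Po4                 on           802.1q         trunking      50
Po5                 on           802.1q         trunking      50
Port                Vlans allowed on trunk
Gi3/39              15-16,20-23,30,401,608
Te4/1               1-4094
Po1                 10,13,20-21,25,30,50,52,61,70,600,700-701,950
Po2                 10,20,30,50,52,61,70,600,700-701,950
Po3                 10,20,30,50,61,70,600,700-701,950
Po4                 10,20,30,50,61,70,600,700-701,950
Po5                 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
"""


def parse_vlan_list(spec):
    """'10,20-23,700' -> {10, 20, 21, 22, 23, 700}; the keywords 'all' and 'none' are accepted too."""
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for token in spec.split(","):
        lo, _, hi = token.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {token}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Inverse of parse_vlan_list, in the 'a,b-c' form IOS prints."""
    ids, parts, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


_ALLOWED_CMD = re.compile(r"^switchport trunk allowed vlan(?:\s+(add|remove|except))?\s+(\S+)$")


def apply_allowed_vlan(current, command):
    """Return the allowed set after one 'switchport trunk allowed vlan ...' line is applied."""
    m = _ALLOWED_CMD.match(command.strip())
    if not m:
        raise ValueError(f"not an allowed-vlan command: {command}")
    op, listed = m.group(1), parse_vlan_list(m.group(2))
    if op == "add":
        return current | listed          # a no-op when 1-4094 is already allowed
    if op == "remove":
        return current - listed
    if op == "except":
        return set(ALL_VLANS) - listed
    return listed                        # a plain list, 'all' or 'none' replaces the set


def parse_show_trunk(output):
    """{port: {'native': int, 'allowed': set}} from the native-VLAN and allowed-VLAN tables."""
    trunks, section = {}, None
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Port":            # table header: decide which table follows
            section = "native" if "Native" in line else "allowed" if "allowed on trunk" in line else None
        elif section == "native" and len(parts) == 5:
            trunks.setdefault(parts[0], {})["native"] = int(parts[4])
        elif section == "allowed" and len(parts) == 2:
            trunks.setdefault(parts[0], {})["allowed"] = parse_vlan_list(parts[1])
    return trunks


def audit_trunks(trunks):
    """Flag the three trunk settings a security review usually objects to."""
    findings = {}
    for port, t in trunks.items():
        flags = []
        if t["native"] == 1:
            flags.append("native-vlan-1")        # untagged frames land in the default VLAN
        if t["allowed"] >= ALL_VLANS:
            flags.append("all-vlans-allowed")    # carries every VLAN, including ones created later
        if t["native"] in t["allowed"]:
            flags.append("native-in-allowed")    # untagged frames are accepted and forwarded
        findings[port] = flags
    return findings


if __name__ == "__main__":
    allowed = set(ALL_VLANS)
    for cmd in ("switchport trunk allowed vlan add 700",
                "switchport trunk allowed vlan remove 700",
                "switchport trunk allowed vlan 700",
                "switchport trunk allowed vlan add 701"):
        allowed = apply_allowed_vlan(allowed, cmd)
        print(f"{cmd:45} -> {format_vlan_list(allowed)}")
    for port, flags in audit_trunks(parse_show_trunk(SHOW_TRUNK)).items():
        print(f"{port:8} {', '.join(flags) or 'ok'}")
```

Run against the pasted tables, Te4/1 trips all three checks and every port-channel trips `native-in-allowed` because VLAN 50 is both the native VLAN and in the allowed list. That last combination is the one that matters for VLAN hopping: a host on an access port in VLAN 50 can send a double-tagged frame, the trunk strips the outer (native) tag, and the inner tag is forwarded as a different VLAN on the far side. Keeping the native VLAN out of the allowed list, as in the Flexpod note quoted earlier on this page, is what makes the switch discard those untagged frames instead.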

  • CSCur53506 - broadcast flood when allowed vlan add/remove on protected port

    Does this bug not occur in IOS 15.XX?

    Thanks for the reply - yes I did save it.  All the other ports have the command.  But when the phone boots up - it ends up disappearing after the above occurs:
    When the phone boots up - it seems to encounter a broadcast storm (???) the port goes from this:
    interface gigabitethernet36
    switchport trunk allowed vlan add 10
    to this:
    interface gigabitethernet36
    storm-control broadcast enable
    storm-control broadcast level 10
    storm-control include-multicast
    port security max 10
    port security mode max-addresses
    port security discard trap 60
    spanning-tree portfast
    switchport trunk allowed vlan add 10
    macro description ip_phone
    !next command is internal.
    macro auto smartport dynamic_type ip_phone
    Then in a minute or two I'm no longer able to ping the voicelan - and when I do a show run - gi36 isn't even visible.  However, the PC that is also on gi36 works fine.
    If I then reissue the 'switchport trunk allowed vlan add 10' to gi36 - the phone is pingable - and works continuously until the phone is rebooted.
    So I'm not really sure what happens during the bootup that causes this to happen, or a way to try and prevent it from occurring.

  • Private VLAN Promiscuous Trunk Port - Switches which support this function

    Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

    4500x Yes
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
    Nexus 5k Yes
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
    3850s
    They don't support PVLANs at all yet
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

  • Catalyst series - Private VLAN over trunk

    Hey every body
    I was planning to implement a Cisco Nexus 5596 in a data center as it supports private VLAN over trunk.
    But now, I have been forced to use a Cisco Catalyst series instead of the Nexus one.
    Based on the feature that is very important for my manager (private VLAN over trunk), which Catalyst switch can replace the Nexus 5596? In other words, what Catalyst series switch works at the same scale and efficiency as the Nexus 5596 and supports the private VLAN over trunk feature?
    Cheers

    4500x Yes
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
    Nexus 5k Yes
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
    3850s
    They don't support PVs at all yet
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has a MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

  • Cannot ssh standby ACE

    Hi All,
    I have a pair of ACE30 in Active/Standby mode. I can ssh to all active contexts. I can also ssh to all standby contexts except one. Could anybody please advise how should I go about troubleshooting this issue?
    Regards,
    Nilesh

    Hi Kanwaljeet,
    Thank you for your response and apologies for my late response to your reply. Below is the output you asked for.
    Regards,
    Nilesh
    ACTIVE ACE
    class-map type management match-any MGMT-POLICY
      3 match protocol icmp any
      8 match protocol ssh source-address A.D.C.D 255.255.255.224
      9 match protocol ssh source-address E.F.G.H 255.255.255.224
      10 match protocol https source-address A.D.C.D 255.255.255.224
      11 match protocol https source-address E.F.G.H 255.255.255.224
      12 match protocol snmp source-address A.D.C.D 255.255.255.224
      13 match protocol snmp source-address E.F.G.H 255.255.255.224
    policy-map type management first-match MGMT-POLICY
      class MGMT-POLICY
        permit
    interface vlan 216
      bridge-group 1
      mac-sticky enable
      access-group input BPDU
      access-group input ALL
      service-policy input CLIENT-INPUT-POLICY-216
      service-policy input MGMT-POLICY
      no shutdown
    interface vlan 217
      bridge-group 2
      mac-sticky enable
      access-group input BPDU
      access-group input ALL
      service-policy input CLIENT-INPUT-POLICY-217
      service-policy input MGMT-POLICY
      no shutdown
    interface vlan 226
      bridge-group 1
      mac-sticky enable
      access-group input BPDU
      access-group input ALL
      no shutdown
    interface vlan 227
      bridge-group 2
      mac-sticky enable
      access-group input BPDU
      access-group input ALL
      no shutdown
    interface bvi 1
      ip address 10.201.6.251 255.255.255.0
      alias 10.201.6.252 255.255.255.0
      peer ip address 10.201.6.250 255.255.255.0
      no shutdown
    interface bvi 2
      ip address 10.201.7.251 255.255.255.0
      alias 10.201.7.252 255.255.255.0
      peer ip address 10.201.7.250 255.255.255.0
      no shutdown
    STANDBY ACE
    class-map type management match-any MGMT-POLICY
      3 match protocol icmp any
      8 match protocol ssh source-address A.D.C.D 255.255.255.224
      9 match protocol ssh source-address E.F.G.H 255.255.255.224
      10 match protocol https source-address A.D.C.D 255.255.255.224
      11 match protocol https source-address E.F.G.H 255.255.255.224
      12 match protocol snmp source-address A.D.C.D 255.255.255.224
      13 match protocol snmp source-address E.F.G.H 255.255.255.224
    policy-map type management first-match MGMT-POLICY
      class MGMT-POLICY
        permit
    interface vlan 216
      bridge-group 1
      mac-sticky enable
      access-group input BPDU
      access-group input ALL
      service-policy input CLIENT-INPUT-POLICY-216
      service-policy input MGMT-POLICY
      no shutdown
    interface vlan 217
      bridge-group 2
      mac-sticky enable
      access-group input BPDU
      access-group input ALL
      service-policy input CLIENT-INPUT-POLICY-217
      service-policy input MGMT-POLICY
      no shutdown
    interface vlan 226
      bridge-group 1
      mac-sticky enable
      access-group input BPDU
      access-group input ALL
      no shutdown
    interface vlan 227
      bridge-group 2
      mac-sticky enable
      access-group input BPDU
      access-group input ALL
      no shutdown
    interface bvi 1
      ip address 10.201.6.250 255.255.255.0
      alias 10.201.6.252 255.255.255.0
      peer ip address 10.201.6.251 255.255.255.0
      no shutdown
    interface bvi 2
      ip address 10.201.7.250 255.255.255.0
      alias 10.201.7.252 255.255.255.0
      peer ip address 10.201.7.251 255.255.255.0
      no shutdown

  • Unknown vlan in trunk

    Hi all!
    We have mostly 2950 switches with standard image and 2950lre with EI. All switches in transparent modes with different domain names.
    Here is the problem
    cat1 <-trunk-> cat2 <-trunk-> cat3
    On cat1 and cat3 there are ports in, let's say, vlan 10.
    Right now I have to create vlan 10 in the transit cat2. Otherwise it won't pass tagged packets received from cat1 to cat3.
    I was under the impression that catalysts can pass all vlans in a trunk by default, even if the vlan is not known on the local switch.
    I did a debug on the lre (debug switch vlan) and after creating the vlan, it put the trunk port in tagged mode for this vlan:
    VLANDEBUG:STP_FORWARDING: vlan 1289 port 25
    strata_add_port_to_vlan: adding tagged port for VM_1Q_PORT
    VLANDEBUG:Set Tagged Mode For Port:25, Unit:0
    So, after creating the vlan it permits this vlan on the trunk port.
    I wonder if it's platform dependent, IOS image (c2950lre-i6l2q4-mz.121-22.EA1) dependent, or it's just the way catalysts work?

    Hi,
    You have to create Vlan 10 on your Cat2, otherwise it will not pass the traffic for the Vlan2. Think of it in this way: if your switch is a VTP client and you have a VTP server, your VLAN info will be passed to every VTP client, and thus you have the same number of VLANs on each switch and hence the traffic gets passed over the trunk. If you have switches in Transparent mode then each switch has its own Vlan database, and to get the traffic passed for a particular Vlan, that vlan should exist in the Vlan database of each and every switch.
    If that vlan does not exist then how will the switch tag the packets when it has to send the traffic to the other switch? On a catalyst switch, the moment the tagged packet exits the trunk port it rips off the dot1q TAG and adds a Port vlan ID, i.e. vlan 10, to the packet, and the moment it enters the trunk port to pass it to the other link, a DOT1q tag is added by the switch. This is how the catalyst switch works. So if it does not have that Vlan in its vlan database it will not pass the traffic for that Vlan.
    I remember I did the same LAB when I was giving a training to some Army guys and it happened to be the same.
    regards,
    -amit singh

  • Native Vlan and Trunking

    Hi Folks,
    I am having a doubt about the native Vlan on trunk ports.
    In a topology of 3 switches, Switch A is connected with Switch B and Switch C on uplinks. Can I configure different native vlans for the 2 different trunks on Switch A?
    Like I am having 3 vlans configured in Switch A with VTP domain transparent (1, 500, 900 Vlans configured). The same configuration is there in B & C too.
    So can we use 999 as the native vlan for the trunk between A&B and native vlan 1 for the trunk configured between A&C?

    Yes, possible, if there are specific reasons. Already discussed several times on this forum. Please refer to this link:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe4e88
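    The two threads above (a transit switch only forwards a trunk VLAN that exists in its own VLAN database, and an untagged frame on a trunk belongs to that trunk's native VLAN) as one added Python model; this is example code, not from either thread or from Cisco. The 802.1Q tag layout is standard; the TrunkPort/TransitSwitch classes, their field names, the verdict strings and the sample MAC addresses are assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan_list(text):
    """Expand a Cisco-style VLAN list such as '1-3,1002-1005' into a set of IDs."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def build_frame(dst_hex, src_hex, vid=None, payload=b"\x00" * 46):
    """Constructed sample frame; an 802.1Q tag is inserted when vid is given."""
    frame = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # TCI with PCP/DEI = 0
    return frame + struct.pack("!H", 0x0800) + payload

def vlan_id(frame):
    """Return the VID from the 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 bits of the TCI

@dataclass
class TrunkPort:
    allowed: set            # 'switchport trunk allowed vlan ...' (assumed model)
    native: int = 1         # 'switchport trunk native vlan ...'

@dataclass
class TransitSwitch:
    vlan_db: set            # VLANs created on this switch (own database in transparent mode)
    trunks: dict = field(default_factory=dict)  # port name -> TrunkPort

    def ingress(self, port, frame):
        """Decide what the switch does with a frame arriving on a trunk: (verdict, vid)."""
        trunk = self.trunks[port]
        vid = vlan_id(frame)
        if vid is None:
            vid = trunk.native  # untagged on a trunk belongs to the native VLAN
        if vid not in trunk.allowed:
            return ("drop: not in allowed list", vid)
        if vid not in self.vlan_db:
            return ("drop: unknown vlan, not in vlan database", vid)
        return ("forward", vid)
```

Creating the missing VLAN on the transit switch (adding it to vlan_db) is what turns the "unknown vlan" drop into a forward, which matches the behaviour the debug output in the question shows.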
