Missing Allowed vlans on trunk on Standby ACE.
Guys,
I would like to know if allowing VLANs under the port-channel will replicate on the standby unit. Somehow I see all configuration is in sync except switchport trunk allowed vlan under the port-channel.
Thanks
Ajay
Hi Siva,
I removed the 3rd port from the port channel but still the VLANs are not getting synced.
ACE1/Admin# sh vlan
Vlans configured on physical port(s)
vlan3001 vlan3060 vlan3200-3201 vlan3208 vlan3260-3262 vlan3264-3265 vlan3270-3272 vlan3274-3275 vlan3280 vlan3300-3302 vlan3650-3652 vlan3661-3663 vlan3668-3669 vlan4090
ACE1/Admin#
ACE2/Admin# sh vlan
Vlans configured on physical port(s)
vlan3001 vlan3200-3201 vlan3208 vlan3260-3262 vlan3264-3265 vlan3270-3272 vlan3274-3275 vlan3300-3302 vlan3650-3652 vlan3661 vlan3668-3669 vlan4090
ACE2/Admin#
ACE1/Admin# sh ft group status
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Id : 1
No. of Contexts : 1
Running cfg sync status : Running configuration sync has completed
Startup cfg sync status : Startup configuration sync has completed
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 4090
query-interface vlan 3001
ft group 1
peer 1
no preempt
priority 150
associate-context Admin
inservice
Any suggestions / next steps to troubleshoot?
Thanks
Ajay
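As an added example (not part of Ajay's post), the following script compares the two "sh vlan" outputs quoted above and lists the VLANs that exist on the active unit but not on the standby, which is the check worth automating when the FT status line says the configuration sync has completed but the units still differ. The two outputs are embedded as constants copied from the post; no other ACE-specific behaviour is assumed.

```python
import re

# Constructed from the two "sh vlan" outputs quoted in the post above.
SHOW_VLAN_ACTIVE = """\
ACE1/Admin# sh vlan
Vlans configured on physical port(s)
vlan3001 vlan3060 vlan3200-3201 vlan3208 vlan3260-3262 vlan3264-3265 vlan3270-3272 vlan3274-3275 vlan3280 vlan3300-3302 vlan3650-3652 vlan3661-3663 vlan3668-3669 vlan4090
ACE1/Admin#
"""

SHOW_VLAN_STANDBY = """\
ACE2/Admin# sh vlan
Vlans configured on physical port(s)
vlan3001 vlan3200-3201 vlan3208 vlan3260-3262 vlan3264-3265 vlan3270-3272 vlan3274-3275 vlan3300-3302 vlan3650-3652 vlan3661 vlan3668-3669 vlan4090
ACE2/Admin#
"""

# One token of the list: "vlan3208" or a range such as "vlan3260-3262".
# The prompt's "sh vlan" and the "Vlans configured" header never match (no digits follow).
VLAN_TOKEN = re.compile(r"\bvlan(\d+)(?:-(\d+))?\b")


def parse_show_vlan(output):
    """Expand every vlanN / vlanN-M token in ACE 'show vlan' output into a set of VLAN IDs."""
    ids = set()
    for lo, hi in VLAN_TOKEN.findall(output):
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def vlan_sync_report(active_output, standby_output):
    """VLANs present on one unit but not the other; two empty lists mean the pair agrees."""
    active, standby = parse_show_vlan(active_output), parse_show_vlan(standby_output)
    return {
        "missing_on_standby": sorted(active - standby),
        "extra_on_standby": sorted(standby - active),
    }


if __name__ == "__main__":
    report = vlan_sync_report(SHOW_VLAN_ACTIVE, SHOW_VLAN_STANDBY)
    for key, ids in report.items():
        print(f"{key}: {ids}")
```

On the outputs in the post the report lists 3060, 3280, 3662 and 3663 as missing on ACE2 and nothing extra, which is the exact gap to chase rather than eyeballing two long lines.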
Similar Messages
-
897VAW: Cannot add Allowed vlans to Trunk on WLAN-GigabitEthernet interface
Hi,
I am trying to configure the Access Point module on my Cisco Router (897AVW), however I am unable to route / ping between the router and the AP.
In a few examples I've seen, the wlan-GigabitEthernet interface has the command:
switchport trunk allowed vlan 1-3,1002-1005
or
switchport trunk native vlan 2
I have tried both and although the router doesn't error, show-ing the config, neither command has taken.
Is there something I am doing wrong or is this a bug in the IOS?
To save making this post long, my latest running configs are on my blog:
Router: http://www.thingsgeeky.walker.uk.com/?p=3781
AP: http://www.thingsgeeky.walker.uk.com/?p=3781
Many Thanks
W. -
VTP Pruning vs Allowing VLANs on Trunk ports
We would like to know best approach to reduce VLAN traffic on our network. We are currently trunking all fiber ports 802.1q.
We have about 73 VLANs across the network. We have done a lot of research and there seem to be a lot of theoretical answers but no one who uses it in practice.
Here is our current configs for fiber ports between closets:
Cisco WMH6509
interface GigabitEthernet2/8
description Fiber To STB Lab 3850
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
no snmp trap link-status
end
Cisco STB Lab 3850
interface GigabitEthernet1/1/1
description Fiber To WMH6509
switchport mode trunk
end
We are considering:
VTP Pruning Enable
or
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 26,99,109,188
switchport mode trunk
Thanks,
Tom
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
As I have some years (cough - decades) software development experience, I lean toward automation solutions, so, for example, I often prefer dynamic routing over static routing, and so likewise, I prefer VTP over manual configuration on multiple devices.
However, VTP does have some "quirks". For example, this year I ran into an issue where an edge switch had a new VLAN defined to a port which wasn't in use on a transit switch, so VTP auto pruning pruned it off the transit's uplink trunk. (It was a bit of a pain to find the cause as VTP doesn't prune right away - edge worked for a bit and then it stopped working. One fix would have been to stop using VTP auto-pruning across the whole VTP domain, but instead, I configured VTP to not auto-prune the needed VLAN across the needed trunk.)
So, as Paul notes, VTP auto pruning might be easier to get going, but be prepared for unexpected incidents (again, not saying you'll have any, just be prepared). So, if you're prepared, I would go with VTP auto pruning, but if you want to "play safe", go with Paul's recommendation. -
Unable to add allowed VLANs to TenGig trunk port
Hi,
I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doesn't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
I've tried adding single VLANs and multiples, but no joy. Any ideas?
Here's what I've done:
SWITCH_1631(config)#default int t4/1
Interface TenGigabitEthernet4/1 set to default configuration
SWITCH_1631#sh ru int t4/12
Building configuration...
Current configuration : 65 bytes
interface TenGigabitEthernet4/12
no ip address
shutdown
end
SWITCH_1631(config)#int t4/1
SWITCH_1631(config-if)#switchport
SWITCH_1631(config-if)#switchport mode trunk
SWITCH_1631(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
SWITCH_1631(config-if)#
SWITCH_1631#sh vlan id 700
VLAN Name Status Ports
700 VLAN_NAME active <snip>
SWITCH_1631#sh ru int t4/1
Building configuration...
Current configuration : 74 bytes
interface TenGigabitEthernet4/1
switchport
switchport mode trunk
end
Steve,
Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
Port Mode Encapsulation Status Native vlan
Gi3/39 on 802.1q trunking 1
Te4/1 on 802.1q trunking 1
Po1 on 802.1q trunking 50
Po2 on 802.1q trunking 50
Po3 on 802.1q trunking 50
Po4 on 802.1q trunking 50
Po5 on 802.1q trunking 50
Port Vlans allowed on trunk
Gi3/39 15-16,20-23,30,401,608
Te4/1 1-4094
Po1 10,13,20-21,25,30,50,52,61,70,600,700-701,950
Po2 10,20,30,50,52,61,70,600,700-701,950
Po3 10,20,30,50,61,70,600,700-701,950
Po4 10,20,30,50,61,70,600,700-701,950
Po5 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
The problem was that I've always been advised that best practise is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
Then I realised what the problem was trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed! -
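As an added example (not from the thread), here is a small model of how IOS edits the allowed-VLAN list of a trunk, enough to replay the poster's session: a fresh trunk allows 1-4094, "add 700" on that list changes nothing and leaves no line in show run, "remove 700" makes 1-699,701-4094 appear, and a bare list replaces the whole set. The rendering rules (no line when the default is in effect, "none" when the list is empty, ranges compressed as a-b) mirror IOS output as I know it and are this example's assumption.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))


def expand(spec):
    """'10,13,20-21' -> {10, 13, 20, 21}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def compress(ids):
    """{1..699, 701..4094} -> '1-699,701-4094', the way 'show run' prints it."""
    ordered, out, i = sorted(ids), [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        out.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(out)


COMMAND = re.compile(r"switchport trunk allowed vlan(?: (add|remove|except|all|none))?(?: ([\d,\-]+))?")


class TrunkAllowedVlans:
    def __init__(self):
        self.allowed = set(ALL_VLANS)  # IOS default on a new trunk: every VLAN allowed

    def apply(self, command):
        m = COMMAND.fullmatch(command.strip())
        if not m:
            raise ValueError(f"unsupported command: {command}")
        keyword, spec = m.groups()
        if keyword in ("all", "none"):
            self.allowed = set(ALL_VLANS) if keyword == "all" else set()
        elif not spec:
            raise ValueError(f"missing VLAN list: {command}")
        elif keyword == "add":
            self.allowed |= expand(spec)
        elif keyword == "remove":
            self.allowed -= expand(spec)
        elif keyword == "except":
            self.allowed = set(ALL_VLANS) - expand(spec)
        else:  # bare list: replaces the whole set
            self.allowed = expand(spec)
        return self

    def running_config_line(self):
        """The line 'show run' shows; None when the default (all VLANs) is in effect."""
        if self.allowed == ALL_VLANS:
            return None
        if not self.allowed:
            return "switchport trunk allowed vlan none"
        return "switchport trunk allowed vlan " + compress(self.allowed)


def replay(commands):
    """Apply commands in order; return (command, resulting running-config line) pairs."""
    trunk, trace = TrunkAllowedVlans(), []
    for cmd in commands:
        trace.append((cmd, trunk.apply(cmd).running_config_line()))
    return trace


# The poster's session, in the order it was typed.
POSTER_SESSION = [
    "switchport trunk allowed vlan add 700",     # no-op: 700 is already inside 1-4094
    "switchport trunk allowed vlan remove 700",  # now 1-699,701-4094 shows up in show run
    "switchport trunk allowed vlan 700",         # bare list replaces everything
    "switchport trunk allowed vlan add 701",     # add has something to add to
]

if __name__ == "__main__":
    for cmd, line in replay(POSTER_SESSION):
        print(f"{cmd:45} -> {line}")
```

The trace makes the lesson visible: "add" is only meaningful once the list has been narrowed, so a trunk that is supposed to carry a few VLANs should be given its list with the bare form first.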
Switch Port Trunk allowed Vlan
Hi Guys
Request your help on my query :
I have a distribution switch and an access switch and a port channel between them.
Dist switch is the VTP server.
Let's assume I have 25 VLANs.
When I do show vlan brief on the access switch I can see all 25 VLANs listed now.
Now when I configure switchport trunk allowed vlan (ex: permitting 10 VLANs) on the link connecting to the access switch at the Dist switch:
Dist switch po1 -- connecting to - po Access switch
Dist switch #
int po1
switchport trunk allowed vlan x,x,x,x,x,x,x,x,x,
After permitting 10 VLANs through trunk allowed vlan and then when I do show vlan brief on the access switch, I should see only the 10 VLANs which I have permitted, right?
Thanks in advance
Hi,
John is absolutely correct - even if you do not permit a VLAN on a trunk, it can still provide communication among local ports on a switch that are all assigned to the same VLAN.
I have a feeling that your original question was focused on a different aspect, though: You probably expected that if you exclude some VLANs from trunks, these VLANs will not be propagated via VTP to surrounding switches. Sadly, this is not the case. The switchport trunk allowed vlan command only affects data traffic in individual VLANs but it has no impact on the operation of the VTP protocol. VTP still advertises all VLANs, regardless of which VLANs are allowed on a trunk. To put it plainly, in a VTP domain, all server/client switches will know about all VLANs. There is no legal possibility of having a single VTP domain consisting of server/client switches and yet have the switches differ in their VLAN database contents. It's as easy as that: one VTP domain = one big common VLAN database.
Best regards,
Peter -
Hello,
My standby ACE has gone to unresponsive mode and shows something like this
peer state: FSM_FT_STATE_UNKNOWN
This is for all the contexts in the slot module. My question is how do we bring it back to HOT_STANDBY when all contexts are unresponsive
AND
How do we bring it to HOT_STANDBY when just one context is unresponsive
Thanks
SID
Hi Sid,
It is very similar to the previous response of your query.
As I am seeing one error message here in your mail:
peer state: FSM_FT_STATE_UNKNOWN
Upon failure of the fault tolerant link between Services Chassis, the peer standby ACE begins to query the status of its peer active ACE. Six consecutive ping requests occur approximately every five seconds across the query interface VLAN while the fault tolerant link is down. The output from the show ft group detail command shown below indicates that the fault tolerant link is down; the primary peer state is unknown but the primary peer is still reachable. As a result, the standby peer remains in FSM_FT_STATE_STANDBY_COLD. When the fault tolerant link is recovered the query ping tests cease.
dca-ss2-ace/Admin# show ft group detail
FT Group : 1
No. of Contexts : 1
Context Name : Admin
Context Id : 0
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_STANDBY_COLD
My Config Priority : 50
My Net Priority : 50
My Preempt : Enabled
Peer State : FSM_FT_STATE_UNKNOWN
Peer Config Priority : Unknown
Peer Net Priority : Unknown
Peer Preempt : Unknown
Peer Id : 1
Last State Change time : Wed Jun 11 14:46:08 2008
Running cfg sync enabled : Disabled
Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
alternate interface
Startup cfg sync enabled : Disabled
Startup cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
alternate interface
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
FT Group : 2
No. of Contexts : 1
Context Name : dca-ace-one
Context Id : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_STANDBY_COLD
My Config Priority : 50
My Net Priority : 50
My Preempt : Enabled
Peer State : FSM_FT_STATE_UNKNOWN
Peer Config Priority : Unknown
Peer Net Priority : Unknown
Peer Preempt : Unknown
Peer Id : 1
Last State Change time : Wed Jun 11 14:46:08 2008
Running cfg sync enabled : Disabled
Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
alternate interface
Startup cfg sync enabled : Disabled
Startup cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
alternate interface
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
All fault tolerant groups will honor the results of the query tests and remain in a FSM_FT_STATE_STANDBY_COLD state on the standby peer ACE.
The Admin context allows the network administrator to assemble virtual contexts into failover groups. A failover group is a container, which permits a pair of ACE modules to define several failover characteristics and apply them to all virtual contexts assigned to the container, including the Admin context. These defining features include:
• The associated peer ACE
• The priority or preference value for each ACE module in the redundant pairing
• Preemption (enabled by default)
• The virtual context(s) coupled to the group
Sachin Garg -
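As an added example (not from Sachin's reply), the following parser turns the "show ft group detail" output quoted above into one record per FT group and flags the conditions that mean the pair is not in a healthy active/standby-hot state: a member state other than ACTIVE or STANDBY_HOT, both sides reporting the same state, maintenance mode, or a sync status that has not completed. The two embedded outputs are constructed from this page (the broken group from the reply above and the healthy status output from the first post); the issue codes are this example's own naming.

```python
import re

# Constructed from the first FT group of the "show ft group detail" output quoted above.
SHOW_FT_GROUP_DETAIL = """\
FT Group : 1
No. of Contexts : 1
Context Name : Admin
Context Id : 0
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_STANDBY_COLD
My Config Priority : 50
My Net Priority : 50
My Preempt : Enabled
Peer State : FSM_FT_STATE_UNKNOWN
Peer Config Priority : Unknown
Peer Net Priority : Unknown
Peer Preempt : Unknown
Peer Id : 1
Last State Change time : Wed Jun 11 14:46:08 2008
Running cfg sync enabled : Disabled
Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
alternate interface
Startup cfg sync enabled : Disabled
Startup cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
alternate interface
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
"""

# Constructed from the healthy "show ft group status" output in the first post on this page.
SHOW_FT_GROUP_STATUS_HEALTHY = """\
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Id : 1
No. of Contexts : 1
Running cfg sync status : Running configuration sync has completed
Startup cfg sync status : Startup configuration sync has completed
"""

# "Key : Value"; the lazy key stops at the first colon so timestamps keep their colons.
KEY_VALUE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
HEALTHY_STATES = {"FSM_FT_STATE_ACTIVE", "FSM_FT_STATE_STANDBY_HOT"}


def parse_ft_groups(output):
    """One dict per 'FT Group' block; a wrapped status line is re-joined to its key."""
    groups, current, last_key = [], None, None
    for line in output.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            key, value = m.groups()
            if key == "FT Group":
                current = {}
                groups.append(current)
            if current is None:  # text before the first group header
                continue
            current[key] = value
            last_key = key
        elif current is not None and last_key and line.strip():
            current[last_key] += " " + line.strip()  # continuation such as "alternate interface"
    return groups


def ft_issues(group):
    """Conditions meaning this group is not a healthy active / standby-hot pairing."""
    issues = []
    if group.get("Maintenance mode") != "MAINT_MODE_OFF":
        issues.append("maintenance-mode")
    for side in ("My State", "Peer State"):
        state = group.get(side, "missing")
        if state not in HEALTHY_STATES:
            issues.append(side.split()[0].lower() + "-state:" + state)
    if group.get("My State") == group.get("Peer State"):
        issues.append("both-sides-same-state")  # two actives or two standbys
    for key in ("Running cfg sync status", "Startup cfg sync status"):
        if "has completed" not in group.get(key, ""):
            issues.append(key.split()[0].lower() + "-sync-incomplete")
    return issues


def check_ft(output):
    """Map FT group number -> list of issue codes (an empty list means healthy)."""
    return {g["FT Group"]: ft_issues(g) for g in parse_ft_groups(output)}


if __name__ == "__main__":
    print(check_ft(SHOW_FT_GROUP_DETAIL))
    print(check_ft(SHOW_FT_GROUP_STATUS_HEALTHY))
```

Run periodically against the live output, the non-empty lists are what a monitoring job should alert on; a standby that has silently dropped to STANDBY_COLD with sync disabled is exactly the state a failover test would otherwise discover too late.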
Various questions on uplink profiles, CoS, native VLAN, downlink trunking
I will be using vPC End Host Mode with MAC-pinning. I see I can further configure MAC-Pinning. Is this required or will it automatically forward packets by just turning it on? Is it also best not to enable failover for the vnics in this configuration? See this text from the Cisco 1000V deployment Guide:
Fabric Fail-Over Mode
Within the Cisco UCS M71KR-E, M71KR-Q and M81KR adapter types, the Cisco Unified Computing System can
enable a fabric failover capability in which loss of connectivity on a path in use will cause remapping of traffic
through a redundant path within the Cisco Unified Computing System. It is recommended to allow the Cisco Nexus
1000V redundancy mechanism to provide the redundancy and not to enable fabric fail-over when creating the
network interfaces within the UCS Service Profiles. Figure 3 shows the dialog box. Make sure the Enable Failover
checkbox is not checked."
What is the 1000V redundancy?? I didn't know it has redundancy. Is it the MAC-Pinning set up in the 1000V? Is it Network State Tracking?
The 1000V has redundancy and we can even pin VLANs to whatever vNIC we want. See Cisco's Best Practices for Nexus 1000V and UCS.
Nexus1000V management VLAN. Can I use the same VLAN for this and for ESX-management and for Switch management? E.g VLan 3 for everything.
According to the below text (1000V Deployment Guide), I can have them all in the same vlan:
There are no best practices that specify whether the VSM
and the VMware ESX management interface should be on the same VLAN. If the management VLAN for
network devices is a different VLAN than that used for server management, the VSM management
interface should be on the management VLAN used for the network devices. Otherwise, the VSM and the
VMware ESX management interfaces should share the same VLAN.
I will also be using CoS and Qos to prioritize the traffic. The CoS can either be set in the 1000V (Host control Full) or per virtual adapter (Host control none) in UCS. Since I don't know how to configure CoS on the 1000V, I wonder if I can just set it in UCS (per adapter) as before when using the 1000V, ie. we have 2 choices.
Yes, you can still manage CoS using QoS on the vnics when using 1000V:
The recommended action in the Cisco Nexus 1000V Series is to assign a class of service (CoS) of 6 to the VMware service console and VMkernel flows and to honor these QoS markings on the data center switch to which the Cisco UCS 6100 Series Fabric Interconnect connects. Marking of QoS values can be performed on the Cisco Nexus 1000V Series Switch in all cases, or it can be performed on a per-VIF basis on the Cisco UCS M81KR or P81E within the Cisco Unified Computing System with or without the Cisco Nexus 1000V Series Switch.
Something else: Native VLANs
Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.
Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2 and connect to it with a PC using the same IP network address?
And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
No, port channel should not be configured when MAC-pinning is configured.
[Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them than using BPDU Guard - which will shutdown the interface if BPDU's are received.
-Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
Edit: 26 July 14:23. Found answers to many of my many questions...Answers inline.
Atle Dale wrote:
Something else: Native VLANs
Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.
[Robert] The native VLAN is assigned per hop. This means between the 1000v Uplinks port profile and your UCS vNIC definition, the native VLAN should be the same. If you're not using a native VLAN, the "default" VLAN will be used for control traffic communication. The native VLAN and default VLAN are not necessarily the same. Native refers to VLAN traffic without an 802.1q header and can be assigned or not. A default VLAN is mandatory. This happens to start as VLAN 1 in UCS but can be changed. The default VLAN will be used for control traffic communication. If you look at any switch (including the 1000v or Fabric Interconnects) and do a "show int trunk" from the NXOS CLI, you'll see there's always one VLAN allowed on every interface (by default VLAN 1) - This is your default VLAN.
Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2 and connect to it with a PC using the same IP network address?
[Robert] There's no VLAN 0. An access port doesn't use a native VLAN - as it's assigned only to a single VLAN. A trunk on the other hand carries multiple VLANs and can have a native vlan assigned. Remember your native vlan usage must be matched between each hop. Most network admins setup the native vlan to be the same throughout their network for simplicity.
In your example, you wouldn't set your VM's port profile to be in VLAN 0 (doesn't exist), but rather VLAN 2 as an access port. If VLAN 2 also happens to be your Native VLAN northbound of UCS, then you would configure VLAN 2 as the Native VLAN on your UCS ethernet uplinks. On the switch northbound of the UCS Interconnects you'll want to ensure on the receiving trunk interface VLAN 2 is set as the native vlan also.
Summary:
1000v - VM vEthernet port profile set as access port VLAN 2
1000v - Ethernet Uplink Port profile set as trunk with Native VLAN 2
UCS - vNIC in Service Profile allowing all required VLANs, and VLAN 2 set as Native
UCS - Uplink Interface(s) or Port Channel set as trunk with VLAN 2 as Native VLAN
Upstream Switch from UCS - Set as trunk interface with Native VLAN 2
From this example, your VM will be reachable on VLAN 2 from any device - assuming you have L3/routing configured correctly also.
And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
[Robert] This statement recommends "not" to use a native VLAN. This is a practice by some people. Rather than using a native VLAN throughout their network, they tag everything. This doesn't change the operation or reachability of any VLAN or device - it's simply a design decision. The reason some people opt not to use a native VLAN is that almost all switches use VLAN 1 as the native by default. So if you're using the native VLAN 1 for management access to all your devices, and someone connects in (without your knowing) another switch and simply plugs into it - they'd land on the same VLAN as your management devices and potentially do harm.
What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
[Robert] On the first generation hardware (6100 FI and 2104 IOM) port channeling is not possible. With the latest HW (6200 and 2200) you can create port channels with all the IOM - FI server links. This is not configurable. You either tell the system to use Port Channel or Individual Links. The major bonus of using a Port Channel is losing a link doesn't impact any pinned interfaces - as it would with individual server interfaces. To fix a failed link when configured as "Individual" you must re-ack the Chassis to re-pin the virtual interfaces to the remaining server uplinks. In regards to 1000v uplinks - the only supported port channeling method is "Mac Pinning". This is because you can't port channel physical interfaces going to separate Fabrics (one to A and one to B). Mac Pinning gets around this by using pinning so all uplinks can be utilized at the same time.
--
[Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them than using BPDU Guard - which will shutdown the interface if BPDU's are received.
-Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
[Robert] The two STP commands would be used only when the VEM (ESX host) is directly connected to an upstream switch. For UCS these two commands do NOT apply. -
Probe fail on Standby ACE in One-armed mode
Hi there
I'm Kilsoo.
I made One-armed mode using ACE.
Real servers are in a different VLAN from the ACE.
So, I configured PBR with the ACE alias IP address as the next hop on the real servers' gateway interface.
And the probe from the active ACE works well.
But the probe from the standby ACE fails.
At this point, my first question:
Is it a normal situation that the probe from the standby ACE fails?
So, I made the route-map for PBR like below as a temporary solution.
route-map PBR deny 5
match ip address Probe_ACL
route-map PBR permit 10
match ip address L4_ACL
set ip next-hop <Alias IP address>
ip access-list extended Probe_ACL
permit ip any <Standby ACE's IP address>
ip access-list extended L4_ACL
permit tcp <Real server's IP address> eq 80 any
Second question...
Do you have any other good solutions???
Thanks
Hi Cesar
Thanks for your reply.
But I think I was confused when I wrote the message.
I used both ACEs' VLAN IP addresses as the next-hop IP address, like your advice.
Do you know whether the standby ACE can't check the probe without a route-map in one-armed mode, like the diagram below?
Backbone Router
|
|
|
Supervisor --------------------ACE(vserver: 172.19.100.100)
| (vlan 200)
|
|
|(vlan 110)
|
|
Real servers
(172.19.110.111) -
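As an added example (not from Kilsoo's post), the following evaluator replays the route-map logic the post uses: a deny clause that matches the traffic sent back to the standby ACE exits policy routing so those replies follow the normal routing table, while server replies from port 80 to clients get the alias next hop. The real server address is the one in the diagram; the alias and standby ACE addresses are constructed placeholders, and the ACL/route-map structures are this example's own representation, not an IOS parser.

```python
import ipaddress

ALIAS_IP = "172.19.100.2"        # constructed placeholder: shared alias owned by the active ACE
STANDBY_ACE_IP = "172.19.100.4"  # constructed placeholder: the standby ACE's own interface IP
REAL_SERVER = "172.19.110.111"   # from the post's diagram

# Access lists as (protocol, source, source_port, destination); "any" matches everything.
ACLS = {
    "Probe_ACL": [("ip", "any", None, STANDBY_ACE_IP)],
    "L4_ACL": [("tcp", REAL_SERVER, 80, "any")],
}

# route-map PBR as (sequence, action, match ACL, next hop), evaluated top down.
ROUTE_MAP = [
    (5, "deny", "Probe_ACL", None),
    (10, "permit", "L4_ACL", ALIAS_IP),
]


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_matches(name, pkt):
    """True when any entry of the named ACL permits the packet."""
    for proto, src, sport, dst in ACLS[name]:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if sport is not None and pkt["sport"] != sport:
            continue
        if _addr_matches(src, pkt["src"]) and _addr_matches(dst, pkt["dst"]):
            return True
    return False


def policy_route(pkt):
    """Next hop PBR imposes on the packet, or None when it is routed normally."""
    for seq, action, acl, next_hop in ROUTE_MAP:
        if acl_matches(acl, pkt):
            # A matching deny clause ends the route-map: the packet is routed by the routing table.
            return next_hop if action == "permit" else None
    return None  # no clause matched: normal routing as well


def demo():
    """Three replies leaving the real server, labelled by what happens to them."""
    cases = {
        "reply to a client": {"proto": "tcp", "src": REAL_SERVER, "sport": 80, "dst": "10.1.1.25"},
        "reply to standby probe": {"proto": "tcp", "src": REAL_SERVER, "sport": 80, "dst": STANDBY_ACE_IP},
        "ssh from the server": {"proto": "tcp", "src": REAL_SERVER, "sport": 22, "dst": "10.1.1.25"},
    }
    return {label: policy_route(pkt) for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, next_hop in demo().items():
        print(f"{label:25} -> {next_hop or 'normal routing'}")
```

Without the deny clause the probe reply would match L4_ACL (source port 80) and be handed to the alias, which only the active unit answers for, so the standby never sees its own probe come back; the evaluator shows the deny entry is what keeps that one flow on the normal path.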
Does it need to add the native VLAN to the allowed VLAN list?
If I configured the port like this:
switchport trunk native vlan 10
switchport trunk allowed vlan 11,12
does VLAN 10 get allowed to pass? Or does it still need VLAN 10 added to the allowed VLAN list, like:
switchport trunk native vlan 10
switchport trunk allowed vlan 10,11,12
Thanks
Yes you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shuts down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
Kevin Dorrell
Luxembourg -
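As an added example (not from Kevin's answer or any post above), here is a small audit of the two ends of one trunk for the native-VLAN points raised in this thread and in the UCS discussion further up: native VLAN left at 1, the native VLAN included in the allowed list (so untagged frames are admitted into a real VLAN instead of being discarded), an allowed list that is still the 1-4094 default, and the two ends disagreeing on native or allowed VLANs. The interface configs are constructed samples in IOS syntax; only the plain "switchport trunk allowed vlan <list>" form is parsed, and the finding names are this example's own.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))

# Constructed sample: the two ends of one trunk (not taken from any poster's switch).
SWITCH_A_TRUNK = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 11,12
"""

SWITCH_B_TRUNK = """\
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 1,10-12
"""


def expand(spec):
    """'1,10-12' -> {1, 10, 11, 12}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_trunk(config):
    """Native and allowed VLANs of one trunk, with the IOS defaults when a line is absent."""
    trunk = {"native": 1, "allowed": set(ALL_VLANS)}
    for line in config.splitlines():
        m = re.match(r"\s*switchport trunk native vlan (\d+)\s*$", line)
        if m:
            trunk["native"] = int(m.group(1))
        m = re.match(r"\s*switchport trunk allowed vlan ([\d,\-]+)\s*$", line)
        if m:  # plain list form only; add/remove/except are not modelled here
            trunk["allowed"] = expand(m.group(1))
    return trunk


def audit_trunk(trunk):
    """Per-port findings, in a fixed order so results are comparable run to run."""
    findings = []
    if trunk["native"] == 1:
        findings.append("native-vlan-1")             # the factory default every unconfigured port shares
    if trunk["native"] in trunk["allowed"]:
        findings.append("untagged-frames-accepted")  # untagged frames are placed into the native VLAN
    if trunk["allowed"] == ALL_VLANS:
        findings.append("allows-all-vlans")          # every VLAN, including ones this link never needs
    return findings


def audit_link(config_a, config_b):
    """Per-side findings plus the two mismatches that matter between the ends of one link."""
    a, b = parse_trunk(config_a), parse_trunk(config_b)
    findings = [("A", f) for f in audit_trunk(a)] + [("B", f) for f in audit_trunk(b)]
    if a["native"] != b["native"]:
        findings.append(("link", "native-vlan-mismatch"))  # one side tags what the other sends untagged
    if a["allowed"] != b["allowed"]:
        findings.append(("link", "allowed-list-mismatch"))
    return findings


if __name__ == "__main__":
    for side, finding in audit_link(SWITCH_A_TRUNK, SWITCH_B_TRUNK):
        print(f"{side}: {finding}")
```

Side A is the pattern the Flexpod text describes (native VLAN set, but excluded from the allowed list, so untagged frames go nowhere) and produces no findings; side B still has native VLAN 1 in its allowed list, and the two ends disagree on both native and allowed VLANs, which is what the audit reports.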
CSCur53506 - broadcast flood when allowed vlan add/remove on protected port
Does not this Bug occur in IOS 15.XX ?
Thanks for the reply - yes I did save it. All the other ports have the command. But when the phone boots up - it ends up disappearing after the above occurs:
When the phone boots up - it seems to encounter a broadcast storm (???) the port goes from this:
interface gigabitethernet36
switchport trunk allowed vlan add 10
to this:
interface gigabitethernet36
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport trunk allowed vlan add 10
macro description ip_phone
!next command is internal.
macro auto smartport dynamic_type ip_phone
Then in a minute or two I'm no longer able to ping the voicelan - and when I do a show run - gi36 isn't even visible. However, the PC that is also on gi36 works fine.
If I then reissue the 'switchport trunk allowed vlan add 10' to gi36 - the phone is pingable - and works continuously until the phone is rebooted.
So I'm not really sure what happens during the bootup that causes this to happen, or a way to try and prevent it from occurring. -
Private VLAN Promiscuous Trunk Port - Switches which support this function
Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks
4500x Yes
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
Nexus 5k Yes
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
3850s
They don't support PVs at all yet
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
Restrictions for VLANs
The following are restrictions for VLANs:
The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
Private VLANs are not supported on the switch.
You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches. -
Catalyst series - Private VLAN over trunk
Hey everybody
I was planning to implement a Cisco Nexus 5596 in a data center as it supports private VLAN over trunk.
But now, I have been forced to use a Cisco Catalyst series instead of the Nexus one.
Based on the feature that is very important for my manager (private VLAN over trunk), which Catalyst switch can be replaced with the Nexus 5596? In other words, what Catalyst series switch works at the same scale and efficiency of Nexus 5596 and supports the private VLAN over trunk feature?
Cheers
4500x Yes
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
Nexus 5k Yes
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
3850s
They don't support PVs at all yet
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
Restrictions for VLANs
The following are restrictions for VLANs:
The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
Private VLANs are not supported on the switch.
You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches. -
Hi All,
I have a pair of ACE30 in Active/Standby mode. I can ssh to all active contexts. I can also ssh to all standby contexts except one. Could anybody please advise how should I go about troubleshooting this issue?
Regards,
Nilesh
Hi Kanwaljeet,
Thank you for your response and apologies for my late response to your reply. Below is the output you asked for.
Regards,
Nilesh
ACTIVE ACE
class-map type management match-any MGMT-POLICY
3 match protocol icmp any
8 match protocol ssh source-address A.D.C.D 255.255.255.224
9 match protocol ssh source-address E.F.G.H 255.255.255.224
10 match protocol https source-address A.D.C.D 255.255.255.224
11 match protocol https source-address E.F.G.H 255.255.255.224
12 match protocol snmp source-address A.D.C.D 255.255.255.224
13 match protocol snmp source-address E.F.G.H 255.255.255.224
policy-map type management first-match MGMT-POLICY
class MGMT-POLICY
permit
interface vlan 216
bridge-group 1
mac-sticky enable
access-group input BPDU
access-group input ALL
service-policy input CLIENT-INPUT-POLICY-216
service-policy input MGMT-POLICY
no shutdown
interface vlan 217
bridge-group 2
mac-sticky enable
access-group input BPDU
access-group input ALL
service-policy input CLIENT-INPUT-POLICY-217
service-policy input MGMT-POLICY
no shutdown
interface vlan 226
bridge-group 1
mac-sticky enable
access-group input BPDU
access-group input ALL
no shutdown
interface vlan 227
bridge-group 2
mac-sticky enable
access-group input BPDU
access-group input ALL
no shutdown
interface bvi 1
ip address 10.201.6.251 255.255.255.0
alias 10.201.6.252 255.255.255.0
peer ip address 10.201.6.250 255.255.255.0
no shutdown
interface bvi 2
ip address 10.201.7.251 255.255.255.0
alias 10.201.7.252 255.255.255.0
peer ip address 10.201.7.250 255.255.255.0
no shutdown
STANDBY ACE
class-map type management match-any MGMT-POLICY
3 match protocol icmp any
8 match protocol ssh source-address A.D.C.D 255.255.255.224
9 match protocol ssh source-address E.F.G.H 255.255.255.224
10 match protocol https source-address A.D.C.D 255.255.255.224
11 match protocol https source-address E.F.G.H 255.255.255.224
12 match protocol snmp source-address A.D.C.D 255.255.255.224
13 match protocol snmp source-address E.F.G.H 255.255.255.224
policy-map type management first-match MGMT-POLICY
class MGMT-POLICY
permit
interface vlan 216
bridge-group 1
mac-sticky enable
access-group input BPDU
access-group input ALL
service-policy input CLIENT-INPUT-POLICY-216
service-policy input MGMT-POLICY
no shutdown
interface vlan 217
bridge-group 2
mac-sticky enable
access-group input BPDU
access-group input ALL
service-policy input CLIENT-INPUT-POLICY-217
service-policy input MGMT-POLICY
no shutdown
interface vlan 226
bridge-group 1
mac-sticky enable
access-group input BPDU
access-group input ALL
no shutdown
interface vlan 227
bridge-group 2
mac-sticky enable
access-group input BPDU
access-group input ALL
no shutdown
interface bvi 1
ip address 10.201.6.250 255.255.255.0
alias 10.201.6.252 255.255.255.0
peer ip address 10.201.6.251 255.255.255.0
no shutdown
interface bvi 2
ip address 10.201.7.250 255.255.255.0
alias 10.201.7.252 255.255.255.0
peer ip address 10.201.7.251 255.255.255.0
no shutdown -
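The ACE30 thread above posts the management class-map, the management policy-map and the VLAN interfaces of both units. On an ACE, traffic addressed to the appliance itself (SSH, HTTPS, SNMP, ICMP) is dropped unless a management policy-map bound to the ingress VLAN interface permits it, and in the posted config MGMT-POLICY is bound to vlan 216 and 217 but not to 226 and 227, while the SSH matches only accept two /27 source networks. The script below is an added example, not code from the thread or from Cisco: it parses that excerpt and answers, offline, whether a given session (ingress VLAN, protocol, source address) would be permitted. The placeholder networks A.D.C.D and E.F.G.H in the post are replaced by RFC 5737 documentation prefixes, which is an assumption made only so the example runs.

```python
"""Evaluate whether the posted ACE management policy would accept a management session.

Mirrors the ACE rule that traffic to the ACE's own addresses is denied unless a
management policy-map applied to the ingress VLAN interface permits it.
"""
import ipaddress
import re

# Constructed sample: the thread's posted config with the placeholder networks A.D.C.D and
# E.F.G.H replaced by RFC 5737 documentation prefixes (an assumption for this example only).
ACE_CONFIG = """\
class-map type management match-any MGMT-POLICY
  3 match protocol icmp any
  8 match protocol ssh source-address 192.0.2.0 255.255.255.224
  9 match protocol ssh source-address 198.51.100.0 255.255.255.224
  10 match protocol https source-address 192.0.2.0 255.255.255.224
  11 match protocol https source-address 198.51.100.0 255.255.255.224
  12 match protocol snmp source-address 192.0.2.0 255.255.255.224
  13 match protocol snmp source-address 198.51.100.0 255.255.255.224
policy-map type management first-match MGMT-POLICY
  class MGMT-POLICY
    permit
interface vlan 216
  bridge-group 1
  service-policy input CLIENT-INPUT-POLICY-216
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 226
  bridge-group 1
  no shutdown
"""

# "<seq> match protocol <proto> any" or "<seq> match protocol <proto> source-address <ip> <mask>"
MATCH_RE = re.compile(r"^\d+ match protocol (\S+) (?:(any)|source-address (\S+) (\S+))$")


def parse_ace(config):
    """Return (class_maps, policy_maps, interfaces) from a running-config excerpt.

    class_maps: name -> [(protocol, ip_network or None for 'any')]
    policy_maps: name -> [[class name, 'permit'|'deny']] in first-match order
    interfaces: vlan id -> [service-policy names applied inbound]
    """
    class_maps, policy_maps, interfaces = {}, {}, {}
    block = None  # (kind, name) of the config block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("class-map type management"):
            block = ("class", line.split()[-1])
            class_maps[block[1]] = []
        elif line.startswith("policy-map type management"):
            block = ("policy", line.split()[-1])
            policy_maps[block[1]] = []
        elif line.startswith("interface vlan "):
            block = ("iface", int(line.split()[-1]))
            interfaces[block[1]] = []
        elif block is None:
            continue
        elif block[0] == "class" and (m := MATCH_RE.match(line)):
            proto, _, addr, mask = m.groups()
            net = None if addr is None else ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            class_maps[block[1]].append((proto, net))
        elif block[0] == "policy" and line.startswith("class "):
            policy_maps[block[1]].append([line.split()[1], None])
        elif block[0] == "policy" and line in ("permit", "deny"):
            policy_maps[block[1]][-1][1] = line
        elif block[0] == "iface" and line.startswith("service-policy input "):
            interfaces[block[1]].append(line.split()[-1])
    return class_maps, policy_maps, interfaces


def management_permitted(cfg, vlan, protocol, src_ip):
    """True if a management session of this protocol from src_ip, arriving on interface vlan,
    is permitted by a management policy-map bound to that interface (first-match across
    classes, match-any within a class). No matching management policy means deny."""
    class_maps, policy_maps, interfaces = cfg
    src = ipaddress.ip_address(src_ip)
    for policy in interfaces.get(vlan, []):
        if policy not in policy_maps:  # e.g. CLIENT-INPUT-POLICY-216 is not a management policy
            continue
        for class_name, action in policy_maps[policy]:
            for proto, net in class_maps.get(class_name, []):
                if proto == protocol and (net is None or src in net):
                    return action == "permit"
    return False


CFG = parse_ace(ACE_CONFIG)

if __name__ == "__main__":
    for vlan, proto, src in [(216, "ssh", "192.0.2.17"), (216, "ssh", "192.0.2.40"),
                             (226, "ssh", "192.0.2.17"), (216, "telnet", "192.0.2.17")]:
        verdict = "permit" if management_permitted(CFG, vlan, proto, src) else "deny"
        print(f"vlan {vlan} {proto} from {src}: {verdict}")
```

Run it against the real source address and the VLAN the SSH session actually enters on; any "deny" it reports is the first thing to check on the box. Two details of the posted config matter when the failing unit is the standby: the standby is reached on its own `peer ip address` (10.201.6.250 / 10.201.7.250), not on the alias, which is owned by the active unit, and the management class and policy are identical on both units in the posted output, so a difference in behaviour would have to come from the path the session takes (for example entering on vlan 226/227, where no management policy is applied) rather than from the class-map itself.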
Hi all!
We have mostly 2950 switches with the standard image and 2950LRE with EI. All switches are in transparent mode with different domain names.
Here is the problem
cat1 <-trunk-> cat2 <-trunk> cat3
On cat1 and cat3 there are ports in ,let's say ,vlan 10
Right now I have to create vlan 10 on the transit cat2. Otherwise it won't pass tagged packets received from cat1 to cat3.
I was under the impression that catalysts can pass all vlans on a trunk by default, even if the vlan is not known on the local switch.
I did debug on lre (debug switch vlan) and after creating vlan, it put trunk port in tagged mode for this vlan
VLANDEBUG:STP_FORWARDING: vlan 1289 port 25
strata_add_port_to_vlan: adding tagged port for VM_1Q_PORT
VLANDEBUG:Set Tagged Mode For Port:25, Unit:0
So, after creating vlan it permits this vlan on trunk port
I wonder if it's platform dependent, IOS image (c2950lre-i6l2q4-mz.121-22.EA1) dependent, or it's just the way catalysts work?
Hi,
You have to create Vlan 10 on your Cat2, otherwise it will not pass the traffic for the Vlan2. Think of it this way: if your switch is a VTP client and you have a VTP server, your VLAN info will be passed to every VTP client and thus you have the same number of VLANs on each switch, and hence the traffic gets passed over the trunk. If you have switches in Transparent mode then each switch has its own Vlan database, and to get the traffic passed for a particular Vlan, that vlan should exist in the Vlan database of each and every switch.
If that vlan does not exist, then how will the switch tag the packets when it has to send the traffic to the other switch? On a catalyst switch, the moment the tagged packet exits the trunk port it rips off the dot1q TAG and adds a Port VLAN ID, i.e. vlan 10, to the packet, and the moment it enters the trunk port to be passed to the other link, a dot1q tag is added by the switch. This is how the catalyst switch works. So if it does not have a Vlan in its vlan database it will not pass the traffic for that Vlan.
I remember I did the same LAB when I was giving a training to some Army guys and it happened to be the same.
regards,
-amit singh -
Hi Folks,
I have a doubt about the native VLAN on trunk ports.
In a topology of 3 switches, Switch A is connected to Switch B and Switch C on uplinks. Can I configure different native VLANs for the 2 different trunks on switch A?
For example, I have 3 VLANs configured on switch A with VTP domain transparent (VLANs 1, 500, 900 configured). The same configuration is there on B and C too.
So can we use 999 as the native VLAN for the trunk between A and B and native VLAN 1 for the trunk configured between A and C?
Yes, possible, if there are specific reasons. Already discussed several times on this forum. Please refer to this link:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe4e88
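The two threads above (the transit switch that drops VLAN 10 until the VLAN exists in its database, and the question of using a different native VLAN per trunk on switch A) are both consequences of the same two per-hop decisions a Catalyst makes on an 802.1Q trunk: on egress, a VLAN is sent only if it exists in the local VLAN database and is in the trunk's allowed list, and it goes out untagged when it is that trunk's native VLAN; on ingress, an untagged frame is classified into the receiving trunk's native VLAN, a tagged frame into its tag, and either is dropped if that VLAN is not allowed or not defined locally. The model below is an added example written for this page, not code from Cisco or from either poster; switch names follow the threads, port names are hypothetical, VLAN 999 is assumed to exist on all three switches of the native-VLAN question, and features such as `vlan dot1q tag native`, VTP pruning and CDP native-mismatch warnings are deliberately not modelled.

```python
"""Toy model of 802.1Q trunk forwarding on transparent-mode Catalyst switches.

Two decisions are modelled per trunk hop:
  * egress: VLAN vid leaves a trunk only if it is in the switch's VLAN database and in the
    trunk's allowed list; the trunk's native VLAN leaves untagged, every other VLAN tagged.
  * ingress: an untagged frame is classified into the receiving trunk's native VLAN, a
    tagged frame into its tag; either is dropped if that VLAN is not allowed or not defined.
"""
from dataclasses import dataclass, field

UNTAGGED = None   # wire form of a frame carrying no 802.1Q tag
DROP = object()   # sentinel returned when a frame is discarded


@dataclass
class Trunk:
    native: int = 1
    allowed: frozenset = frozenset(range(1, 4095))  # "switchport trunk allowed vlan" list


@dataclass
class Switch:
    name: str
    vlans: set                                     # local VLAN database (VTP transparent)
    trunks: dict = field(default_factory=dict)     # port name -> Trunk

    def egress_tag(self, port, vid):
        """Wire tag used when internal VLAN vid leaves trunk port, or DROP."""
        trunk = self.trunks[port]
        if vid not in trunk.allowed or vid not in self.vlans:
            return DROP
        return UNTAGGED if vid == trunk.native else vid

    def classify(self, port, tag):
        """Internal VLAN a frame with this wire tag is placed in on ingress, or None if dropped."""
        trunk = self.trunks[port]
        vid = trunk.native if tag is UNTAGGED else tag
        if vid not in trunk.allowed or vid not in self.vlans:
            return None
        return vid


def forward(src_vid, links):
    """Carry a frame that starts in VLAN src_vid on the first switch across each
    (tx_switch, tx_port, rx_switch, rx_port) link in order.
    Returns (VLAN the frame is in on the last switch, or None if dropped, trace lines)."""
    vid, trace = src_vid, []
    for tx, tx_port, rx, rx_port in links:
        tag = tx.egress_tag(tx_port, vid)
        if tag is DROP:
            trace.append(f"{tx.name}: vlan {vid} not in VLAN database/allowed list of {tx_port}, dropped")
            return None, trace
        wire = "untagged" if tag is UNTAGGED else f"tag {tag}"
        vid = rx.classify(rx_port, tag)
        if vid is None:
            trace.append(f"{tx.name}->{rx.name}: sent {wire}, dropped on ingress at {rx.name} {rx_port}")
            return None, trace
        trace.append(f"{tx.name}->{rx.name}: sent {wire}, {rx.name} places it in vlan {vid}")
    return vid, trace


def transit_scenario(create_vlan_10_on_cat2):
    """cat1 <-trunk-> cat2 <-trunk-> cat3 with VLAN 10 defined on cat1 and cat3 only,
    unless create_vlan_10_on_cat2 is set. Port names are hypothetical."""
    cat1 = Switch("cat1", {1, 10}, {"Fa0/24": Trunk()})
    cat2 = Switch("cat2", {1, 10} if create_vlan_10_on_cat2 else {1},
                  {"Fa0/23": Trunk(), "Fa0/24": Trunk()})
    cat3 = Switch("cat3", {1, 10}, {"Fa0/24": Trunk()})
    return forward(10, [(cat1, "Fa0/24", cat2, "Fa0/23"), (cat2, "Fa0/24", cat3, "Fa0/24")])


def native_scenario(native_on_b):
    """Switch A uses native 999 towards B and native 1 towards C; B's side of the A-B trunk
    uses native_on_b. VLAN 999 is assumed to exist everywhere. Returns the VLAN a frame
    that A sends in VLAN 999 lands in on B and on C."""
    db = {1, 500, 900, 999}
    a = Switch("A", db, {"Gi0/1": Trunk(native=999), "Gi0/2": Trunk(native=1)})
    b = Switch("B", db, {"Gi0/1": Trunk(native=native_on_b)})
    c = Switch("C", db, {"Gi0/1": Trunk(native=1)})
    on_b, _ = forward(999, [(a, "Gi0/1", b, "Gi0/1")])
    on_c, _ = forward(999, [(a, "Gi0/2", c, "Gi0/1")])
    return on_b, on_c


if __name__ == "__main__":
    for created in (False, True):
        vid, trace = transit_scenario(created)
        print(f"vlan 10 on cat2={created}: reaches cat3 in vlan {vid}; " + "; ".join(trace))
    print("native 999 on both ends of A-B:", native_scenario(999))
    print("native mismatch (B uses 1):", native_scenario(1))
```

The transit case reproduces the first thread: with VLAN 10 absent from cat2's database the frame is dropped on cat2's ingress, and it passes once the VLAN is created there. The native case answers the second thread and shows the caveat that matters for security: a different native VLAN per trunk is fine as long as both ends of each trunk agree, because the native VLAN is carried untagged and the receiver reconstructs it from its own setting alone. With a mismatch (B configured for native 1 while A sends 999 untagged), the frame is silently placed into VLAN 1 on B, which is the VLAN-hopping condition, and nothing in the data path reports it. The same model also covers the allowed-VLAN list from the head of this page: a VLAN missing from `allowed` on either side is dropped at that hop exactly like one missing from the database.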