Multiple trunk ports on switch

Similar Messages

• Can I use straight cable to connect trunk ports between 2 switches?

  Hi,
  Am I able to use straight instead of cross cable to connect trunk ports between 2 switches??
  thanks!

  Hi Devang,
  When a 10/100 Fast Ethernet interface is enabled, one end of the link must perform media dependent interface (MDI) crossover (MDIX), so that the transmitter on one end of the data link is connected to the receiver on the other end of the data link (a crossover cable is typically used).
  The Auto-MDIX feature eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase.
  HTH, if yes please rate the post.
  Ankur

• Multiple PWWN on single switch port

  Hi,
  I wanted to know, how its possible to have multiple PWWN on single switch port..??
  Whats the concept behind it..
  Thanks
  Rajeev.

  Hi Rajeev,
  The concepts that you are looking for is N Port virtualization (NPV) and N-Port ID Virtualization (NPIV).
  Fuurther details can be found via the following Cisco White paper
  http://www.cisco.com/en/US/prod/collateral/ps4159/ps6409/ps5989/ps9898/white_paper_c11-459263.html
  Hope that helps.
  Regards,
  Michael

• How to check trunk port on 3548 xl switch

  Hi all,
  i have 3548 xl switch  i know on other switches i can use command
  sh int trunk  but on this switch it  does not work.
  do anyone knows which command we can use  to check trunk ports other then this
  sh int fa switchport???????????
  thanks
  mahesh

  Hi all,
  i have 3548 xl switch  i know on other switches i can use command
  sh int trunk  but on this switch it  does not work.
  do anyone knows which command we can use  to check trunk ports other then this
  sh int fa switchport???????????
  thanks
  mahesh
  Hi Mahesh,
  What error it shows when you issue show interface trunk on switches ..
  Ganesh.H

• Switch trunking ports

  Hello,
  If I have switch A that has 3 vlans with ip addresses in other words 3 switch virtual interfaces and I configure one  port as a switchport trunk that has the following commands switchport trunk mode and encapulasation dot1q.   Now if I want connect to another switch B to allow those same vlans to go accross and then put 5 ports in those 3 vlans. The port from switch B that connects to switch A I would configure with the following commands  switchport mode trunk and  encapulasation dot1 my question is do I just configure on both switch ports switchport trunk allowed vlan all for devices from both switches in the same vlans to talk to each other or do I still need to add more commands to both switches like add the same svi from switch A to Switch B?

  Hi Horacio
  It sounds like you are pretty much there from reading your original post.
  Using the following commands creates a trunk port between the switches:
  #switchport trunk encapsulation dot1q
  #switchport mode trunk
  If you use these commands on both the switches you are connecting together, you should get a trunk port form and by default this allows all vlans to pass traffic across it.
  If you want to restrict the trunk so that it only passes traffic for specific vlans, this can be achieved using the following command:
  #switchport trunk allowed vlan [X]
  Replace the [X] with the vlans you want to allow. Make sure you do this both sides otherwise you may find one side sending traffic which is dropped by the other side.
  Make sure the Layer 2 Vlans exist on both switches. The SVI you mentioned with be the default gateway for hosts in that Vlan and only needs to exist on the switch which is performing the intervlan routing, you do not need an SVI on each switch for every Vlan.
  Hope this helps

• Dot1q trunk from single switch to multiple switches

  Hi,
  Hope you can help please !
  I have a single switch with 6 vlans and one trunk port at the main site  This has to connect to a 3 separate locations each with its own switch with a trunked port via a microwave network.
  I have run it in packet tracer using a hub as the microwave network.  It works fine in that, I just want to check it would 'actually' work or could it cause problems ?
  Diagram from PT below with 3 vlans just for clarification.

  First of all   'This is not a school related work' Leo Laohoo. There is no conspiracy here, calm yourself down.  
  We are loosing quite a few E1 circuits and they are being replaced with only a few ethernet, so we need to conserve them.
  It is indeed a L2 network.  The VLANs don't need to communicate with each other and will terminate into a firewall.  I used the PC's on the left as an interface just.
  I was concerned about having one trunk port connect to 3 other switches.  I wasn't sure how they would react as I've ever only used trunks point to point.  
  Hence why I used the hub in PT to break a single trunk into 3.  I just wasn't sure how the switches would react to this.
   Thanks !
  Mark

• Private VLAN Promiscuous Trunk Port - Switches which support this function

  Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

  4500x Yes
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
  Nexus 5k Yes
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
  3850s
  They dont support pvs at all yet
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
  Restrictions for VLANs
  The following are restrictions for VLANs:
  The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
  The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
  Private VLANs are not supported on the switch.
  You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

• Configure trunk port between 2 SG500 switches

  Hi all,
  I'm trying to do what seems to be a simple task but cannot get it to work.  I've very familiar with the Cisco commands on 2900 all the way up to 6500 series switches.  The SG500 has me stumped.  I have 3 switches, sw1, sw2, sw3.  sw1 and sw2 are stacked.  sw3 is standalone and in a different part of the building, maybe 25ft away.  All I want to do is set up a trunk port between the stack and the standalone.  In going by past experience, I would set the port as :
  - switchport mode trunk
  - switchport trunk allowed vlan 2,3,4
  The SG makes me specify tagged or untagged - which is fine.  So any vlan I want to move across the trunk i tag, obviously.  I do everything as I've done for years and it doesn't work.  VLAN1 is untagged, all VLANs I want to flow are allowed and tagged. 
  I'm quickly realizing I should have bucked up and just bought what I'm used to but I didn't have a choice in the matter.
  Any help would be great!
  Shawn

  Hi Shawn, something is the matter if the switch is asking you for tagged or untagged. The only reason it should be requesting a tag or untag statement is from a general port mode.
  The command syntax for the function is exactly the same as an IOS switch
  switchport mode trunk
  switchport trunk allowed vlan add 2,3,4
  Just like a Catalyst, if you use switchport trunk allowed vlan x,x,x it won't take the command as insufficient privilege or whatever the error it gives, suffice it say it doesn't really do anything without the add(or remove).
  -Tom
  Please mark answered for helpful posts

• Catalyst 6500 Block Switching Between Trunk Ports

  Hello all,
  I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between eachother. The remaining three ports would only be able to switch to the primary trunk port.
  For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
  Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
  Does anyone have any ideas on how to accomplish this?

  I'm really not all that savvy on private VLANs but I did look at them as an option. Would they be affective on trunk ports? Most config examples I have seen have shown them applied on access ports.
  Can't see switchport protected:
  6509(config-if)#switchport protected
                                            ^
  % Invalid input detected at '^' marker.

• Catalyst 6500 Block Switching Between Trunk Port

  Hello all,
  I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between eachother. The remaining three ports would only be able to switch to the primary trunk port.
  For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
  Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
  Does anyone have any ideas on how to accomplish this?

  Duplicate posts. 
  Go here:  https://supportforums.cisco.com/thread/2261414

• ACL not working on 3750 Switch Stack on a trunk port

  I cannot figure out why the ACL is not working on a 3750 running 12.2 (55)SE on a trunk port.  For testing, there is 1 x IP (10.101.15.13) that should be denied to all VLANs on the trunk.  I have tried standard and extended list, but neither seem to work.
  What am I doing wrong?
  Access-List:
  Standard IP access list 10
      10 deny   10.101.15.13 log
      20 permit any log
  Access-List Interface:
  interface GigabitEthernet7/0/10
   description ESX Trunk
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 1,2,60-63
   switchport mode trunk
   ip access-group 10 in
  Mac-Address on the Switch Port:
  63    0050.569a.6d9f    DYNAMIC     Gi7/0/10
  Windows Machine MAC:
  Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
  Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
  Windows Connection (which should be denied):
   TCP    10.20.63.4:3389        10.101.15.13:21289     ESTABLISHED     InHost

  PACL only apply to an L2 interface.  On an L2 interface the only direction that can be applied is INBOUND.  On an L3 interface INBOUND or OUTBOUND can be specified.
  In any case, I have worked around the issue by applying VACLs. Marking this as resolved.

• Multiple network ports.... options?

  Our Xserve has 4 ethernet ports, but our switch doesn't support the right kind of link aggregation to make use of a fat trunked 4Gb connection to our network.
  Is there any way I can I make use of these multiple ports to enhance or optimise network traffic to our server, and if so, how?
  I guess I could activate and connect all 4 ports to our 2x 24 port switches, but each connection would need a different IP address – presumably that would affect DNS and accessing services on the server?
  Advice appreciated!!

  Really. At least, that was the case last December when we moved premises, bought the Xserve and a couple of these switches..... I think it's to do with that 'manual' bit in the Netgear specs – I have a feeling a little more intelligence on the part of the switch is required.
  I had read the specs and assumed it would work. Frustratingly, I tried everything (last year), and no good. I'm not at work just now, so I can't log in to the control panel, but from memory, all you can do is specify groups of ports to 'trunk' together – it works fine between the two switches (I've set up a two-port trunk between the switches), just not Xserve to Switch A (or B!).
  I really wanted this to work, as it would have balanced our network load to the server nicely, so if anyone thinks I've missed something........?

• Use AP as a trunk to a switch

  Hello,
  I have a 5508 controller with multiple SSID’s that are non-broadcasting. My goal is to get a 1142N to work in non-root bridge mode by accessing one of the existing WPA2 SSID’s.
  I have a IDF that has a 3750 switch with multiple devices connected to it in 3-4 different vlans. B/C of fiber length restraints, I can’t uplink in a traditional way. So, my thought is I can connect a 1142N in non-root bridge mode and connect it to an existing WPA2 w/AES that’s being broadcasted by our 5508WLC. Connect the 1142 to 3750 and let it act as the trunk port for the devices on the switch.
  Is that possible?
  Thanks in advance.

  Sudip:
  Using your method would work fine with 1 VLAN only. However, can not be used for multiple VLANs.
  Even though you can use Work Group Bridge (WGB) in order to let the autonomous AP to join through lightweight APs, it can only connect using one SSID and hence using one VLAN.
  Q. Does a WGB support multiple VLANs in it?A. No. A Cisco WGB device does not support multiple VLANs in it. A 1100 AP, however, that acts in WGB mode can support multiple VLANs in it but with these restrictions:The VLANs must be assigned on both the root AP and WGB sides.The WGB must be connected to a dot1Q-capable switch.The Infrastructure SSID must be mapped to the native VLAN on root and the WGB.Note: The WGB associates on the Infrastructure SSID.With this configuration, it is possible to associate WGB (WGB BVI interface) as a Native VLAN and have wired clients configured behind a dot1q switch associated to different (non-Native) VLANs.
  Reference: http://www.cisco.com/en/US/products/hw/wireless/ps441/products_qanda_item09186a0080094644.shtml#q49
  The above multi-vlan support although restricted to 1100, it is only achievable with two autonomous APs one of them is a WGB. This is because with a lightweight AP, you are only restricted to the VLAN to which the SSID that the WGB connects to is configured.
  If you want to do what you illustrated you can use two autonomous APs; one as a root and one as a non-root.
  Hope this helps.
  Amjad

• Can't apply ALC to trunk port

  Hi,
  I'm trying to configure a Cisco Catalyst 6500 switch to not allow traffic from our traffic generators to go over the trunk link to the rest of the network. Currently I have multiple VLANs that correspond to different lab setups, each having traffic generators on them. The trunk port is used to connect VMs to each of the setups (on different VLANs) but I'm seeing that the traffic generators sometimes flood the trunk link and cause management be unusable.
  I want to configure a port-based ACL to block traffic from the traffic generators from going over the trunk port but I don't see the "ip access-group" command available on this interface.
  Here's the config for my trunk interface:
  CATALYST2#show run int gi1/1
  Building configuration...
  Current configuration : 124 bytes
  interface GigabitEthernet1/1
   switchport
   switchport trunk encapsulation dot1q
   switchport mode trunk
   no ip address
  end
  When I go into config mode and try to tie an ACL to the interface, the command isn't available:
  CATALYST2#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  CATALYST2(config)#int gi1/1
  CATALYST2(config-if)#ip access-group ?
  % Unrecognized command
  Any idea why? I need a way to block this traffic (either via IP or MAC ACLs). My understanding is that trunk ports are able to have port-based ACLs applied to them that will act on all VLANs but I can't seem to do it.  
  Thanks for your help in advance!

  After some more research, I noticed that to configure a PACL on a trunk port, you must first configure port prefer mode. The command to put a trunk port in port prefer mode is "access-group mode prefer port" on the interface. Unfortunately that command isn't available in my CLI either... Still stuck. 

• Can I 'monitor session' trunk ports to a Cisco IDS?

  I ran across an existing config that has two trunk ports on a 3560 being port monitored to another port which is plugged in to a port on an ids 4515. Will the IDS be able to interpret that trunk traffic? The customer is complaining that they aren't able to see events on a local network (VLAN 1) and this is suppose to be the port they get that traffic from.
  Not sure why they chose to monitor trunk ports and I'm not sure it's even possible. I want to change the monitored port to some other local VLAN port that makes sense.
  Here are the existing lines:
  interface G0/47
  switchport turn encap dot1q
  switchport mode trunk
  interface G0/48
  switchport turn encap dot1q
  switchport mode trunk
  monitor session 2 source interface Gi0/47 - 48
  monitor session 2 destination interface Gi0/20
  ...port 20 goes to the ids.

  There are 3 modes of sensing supported on the sensors: promiscuous, inline interface pair, and inline vlan pair.
  Each mode interacts with vlan headers slightly differently.
  Promiscuous:
  A promiscuous sensor is fully capable of analyzing 802.1q trunk packets. The vlan will also be reported in any alerts generated.
  The trick when monitoring using a trunk is to ensure the span (or vacl capture) configuration is correct on the switch to get the packets you are expecting.
  Many types of switches have special caveats when a trunk is a source or destination port in the span.
  We also even support Vlan Group subinterfaces on the promiscuous interface.
  This allows sets of vlans on the same monitoring port to be monitored by different virtual sensors.
  So you could take vlans 1-10 and monitor with vs0, and then take vlans 11-20 and monitor with vs1, etc....
  However, to use this feature the switch must be very consistent in how packets are sent to the sensor. When monitoring a connection the sensor needs to see both client and server traffic. And when using Vlan Groups the sensor needs to see the client and server traffic ON THE SAME VLAN. It is this on the same vlan requirement that is not always possible with some span configurations when the switch itself is routing between vlans. Most switches are deployed with routing between vlans by the switch, and so in many cases you won't see the client and server traffic on the same vlans. This is very switch code dependant so you would need to do some research on your specific switch.
  Inline Interface Pair:
  With an inline interface you are pairing 2 physical interfaces together. A common deployment is to place the inline interface pair in the middle of an existing 802.1q trunk port. Interface 1 would be plugged into the switch, and interface 2 plugged into the other switch or other type of device (like router or firewall).
  In this setup the sensor is fully capable of monitoring these packets with 802.1q headers.
  However, there is something to keep in mind in these deployments. Often that other device (router, firewall, or switch) will route packets between vlans. So a packet going through the sensor on vlan 10 could be routed right back through the sensor again on vlan 20. Seeing the same packet again can cause TCP tracking confusion on the sensor (especially when the other device is doing small modifications to the packet like sequence number randomization).
  To address these we have 2 features.
  On InLine Interface Pairs we have the same Vlan Group feature as I discussed above in Promiscuous mode. (Do not confuse Vlan Groups with InLine Vlan Pairs discussed later in this response).
  So with Vlan Groups you could separate the vlans across virtual sensors. So if the packet gets routed back into the sensor you could configure it so that packet gets monitored by a separate virtual sensor and it will prevent the sensor confusion with state tracking.
  However, there will still be some situations where the packet may still need to cross the same virtual sensor twice. For this deployment scenario we have a configuration setting where you can tell the sensor to track tcp sessions uniquely per vlan. So long as the return packet is on a different vlan this should prevent the tcp tracking confusion. BUT there is a bug this code right now. It should be fixed in an upcoming service pack. The workaround is to go ahead and create a unique Vlan Group for each vlan (one vlan per group instead of multiple vlans in a group), and assign all of the Vlan Groups to the virtual sensor(s).
  And then you InLine Vlan Pairs:
  With InLine Vlan Pairs the monitoring interface Must be an 802.1q trunk port.
  Instead taking packets in one interface and passing to the next interface, the sensor actually takes packets in on one vlan and then sends it back on the other vlan of the pair on the same interface. It does this by modifying the vlan number in the 802.1q header.