Port protected on trunk ports
I have a router to a 3550 switch feeding in a star topology one 2950 off each port. I have port protected on the ports of each of the 2950s. The question is: can I do port protected on all my trunk ports except the uplink port on the 3550? I am wanting to stop any user on the network from seeing another. My other option is to do a VLAN per switch, but I would prefer not to bring down the network as it is already live and in heavy usage.
Thank you for your help in advance.
Yes, you can enable protected mode on trunk ports
Configuring Protected Ports
Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
Protected ports have these features:
• A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
• Protected ports are supported on 802.1Q trunks.
link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_20_ea2/configuration/guide/swtrafc.html#wp1158863
HTH
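To make the three quoted rules concrete, here is a small forwarding model added to this page (it is not code from the thread or from Cisco). It encodes the protected-port rule on a single switch and applies it to a constructed version of the poster's layout: a 3550 whose uplink to the router is left unprotected while each trunk to a downstream 2950 is protected. Port names, the list of control-traffic kinds beyond PIM, and the topology are assumptions for illustration.

```python
"""Forwarding model for Cisco 'switchport protected' on one switch.

Added example, not code from the thread or from Cisco. It encodes the three
rules quoted in the answer above: two protected ports never exchange data
traffic (unicast, multicast, broadcast); a protected and an unprotected port
forward normally; CPU-handled control traffic such as PIM is exempt. The
topology is a constructed version of the poster's: a 3550 with an unprotected
uplink to the router and one protected trunk per downstream 2950.
"""
from dataclasses import dataclass, field

DATA_KINDS = frozenset({"unicast", "multicast", "broadcast"})
# Control traffic is processed in software and is not subject to the rule;
# PIM is the page's example, the others are assumed for illustration.
CONTROL_KINDS = frozenset({"pim", "cdp", "stp"})


@dataclass
class Switch:
    ports: set = field(default_factory=set)
    protected: set = field(default_factory=set)  # ports with 'switchport protected'

    def add_port(self, name, protected=False):
        self.ports.add(name)
        if protected:
            self.protected.add(name)

    def may_forward(self, ingress, egress, kind):
        """True if a frame of `kind` received on `ingress` may be sent out `egress`."""
        if ingress not in self.ports or egress not in self.ports:
            raise ValueError("unknown port")
        if ingress == egress:
            return False  # a bridge never sends a frame back out its ingress port
        if kind in CONTROL_KINDS:
            return True   # software-forwarded control traffic is exempt
        if kind not in DATA_KINDS:
            raise ValueError(f"unknown traffic kind {kind!r}")
        # The single blocking case: both ports are protected.
        return not (ingress in self.protected and egress in self.protected)

    def flood_targets(self, ingress):
        """Ports that receive a broadcast or unknown-unicast flood from `ingress`."""
        return sorted(p for p in self.ports if self.may_forward(ingress, p, "broadcast"))


def build_poster_topology():
    """3550: Gi0/1 uplink to the router, Fa0/2..Fa0/4 protected trunks to the 2950s."""
    sw = Switch()
    sw.add_port("Gi0/1-uplink")
    for i in range(2, 5):
        sw.add_port(f"Fa0/{i}-to-2950-{i}", protected=True)
    return sw


if __name__ == "__main__":
    sw = build_poster_topology()
    for src in sorted(sw.ports):
        print(f"{src:>18} floods to {sw.flood_targets(src)}")
```

Running it shows the property the poster wants: a frame from one 2950's trunk can only leave via the uplink, while the uplink still reaches every 2950. Two caveats the model makes visible: the rule is local to one switch, so hosts on the same 2950 are isolated only by that 2950's own protected ports, and, as the quoted text says, the router on the uplink can still forward between them at Layer 3 unless it is told not to.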
Similar Messages
-
Enable BPDUGuard on Spanning-tree Portfast Trunk Port: Yes or No?
Hello to all the Cisco Experts,
I have been searching around to get a confirmed answer as per my subject, but yet unable to come into any conclusion that could help me.
This all started when I configured the switchport configuration for my ESXi Server, which is a dot1q trunk port. The reference will be as below URL:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628
The configuration of the switchport will be as below:
interface GigabitEthernet1/0/1
description ESXi
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11,15
switchport mode trunk
spanning-tree portfast trunk
end
The catch is, I had the bpduguard enabled on the global level in my switch = spanning-tree portfast bpduguard default.
This will enable the bpduguard on the trunk port above because the switchport is in portfast (the command: spanning-tree portfast trunk).
Some of the guys in this forum mentioned that it is not recommended to have bpduguard on trunk port and some mentioned it is okay to have this.
So, what do you all think on this? Any real life experience dealing with this kind of situation that can be shared to us over here?
Thank you in advance.
Hi Leo,
First of all, I would never, ever, consider any comment of yours as being offensive so don't worry, none taken. :)
> Enabling portfast on a trunk is so "yesterday", in my opinion. If a trunk port(s) or an etherchannel is configured correctly, there's a significant chance portfast is irrelevant. The speed to get the ports to go from down to passing traffic really boils down to one or two seconds.
Perhaps this is at the core of our different views. To my best knowledge, without the PortFast, a trunk - be it a single port or an EtherChannel - will become forwarding 30 seconds after entering the up/up state, not less. This is valid for STP, RSTP, and MSTP. In addition, if a new VLAN is created or added to the list of enabled VLANs on the trunk, it may take an additional 30 seconds for that VLAN to become operational (forwarding) on that trunk. There is nothing besides PortFast and Proposal/Agreement that can cut down this time: the STP must go over the Listening-Learning-Forwarding sequence, and RSTP/MSTP must go through the Discarding-Learning-Forwarding sequence. The "one or two seconds" you have mentioned is perhaps the combined delay incurred by autonegotiation, LACP/PAgP, and DTP, but STP will take its own time and will not be deterred by any of these mechanisms.
> I see no benefit but mischief when you enable BPDU Guard on an inter-switch link.
Absolutely agree. That is why it doesn't make any sense to put a BPDU Guard on an inter-switch link, and I have never suggested doing that. The original post, however, deals with enabling PortFast on a trunk link that does not go to another switch but rather connects to an ESXi server on which, obviously, different virtual machines are bridged onto different VLANs.
> So what is the reaction of the port if you do happen to enable portfast and BPDU guard on an inter-switch link? Wouldn't the two be a "Jekyll & Hyde"?
It would be just the same as enabling PortFast and BPDU Guard on an access port that happens to be connected to another switch. Upon link-up, the port would become forwarding immediately, and after receiving a BPDU, it would be shot down to err-disabled. The fact the port is an access port or a trunk port makes no difference here. Just as before, I stress that this kind of configuration simply isn't meant to be used on inter-switch links. However, on trunks connected directly to routers, servers, autonomous APs supporting several SSIDs mapped to different VLANs, even to IP phones (remember the mini-trunk config used on old switches on which the switchport voice vlan command only instructed CDP to advertise the voice VLAN but did not cause the port to accept tagged frames in the voice VLAN so it had to be configured as a trunk?) - in all these situations, the PortFast can be beneficial. The BPDU Guard is a natural protective companion to the PortFast - wherever PortFast is eligible to be configured, the BPDU Guard is a natural additional protection to be activated as well.
> But given the complexity of interconnection of different switches to various stuff going around, we're happy with leaving portfast on a trunk port disabled.
No argument here - but again, this is about trunks between switches on which I would never suggest using the PortFast or the BPDU Guard. The original post is talking about trunks to end hosts (i.e. edge trunk ports if we extend the terminology a little).
Best regards,
Peter -
Access to trunk port clarification
Hello-
I am looking to clarify a point of confusion for myself regarding connecting an access port to a trunk port. Consider the following switchport config on switch1:
Switch#1
interface GigabitEthernet0/5
switchport
switchport access vlan 6
....and the corresponding config on its neighbor:
Switch#2
Interface GigabitEthernet10/8
switchport
switchport mode trunk
switchport trunk allowed vlan 1,6,100
My first question is- Is this a valid configuration? Secondly, what would the expected results be? I am curious about what vlans would be allowed to pass through..
Thanks in advance-
Brian
This would work fine but is not recommended.
Also, only the native VLAN and VLAN 6 traffic would pass through between the switches.
SW1-----F0/1----------f0/1----SW2
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1,6
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6
SW1#
SW2
SW2#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1,6,100
Port Vlans allowed and active in management domain
Fa0/1 1,6,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6,100
SW2#
2) Part of this config is that any VLANs which have been configured under SW1 would be allowed through that access port.
ex:
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1,6,10,20,30,40,50,60,70,80,90,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6,10,20,30,40,50,60,70,80,90,100 >>> all VLANs are allowed here.
b)
Whereas on Switch 2, if you create all these VLANs and you don't allow them through the trunk interface you have configured, those VLANs wouldn't be flowing through.
eg;
SW2#sh int tr
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1,6,100
Port Vlans allowed and active in management domain
Fa0/1 1,6,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6,100 >>> Only 3 VLANs would be flowing through because they are explicitly defined; but if you allowed all, then all VLANs would be shown here.
I created all the VLANs above on SW2, but you can see only 3 VLANs are allowed as you have explicitly defined them.
Hope this clarifies your query.
Regards
Inayath
*************Plz dont forget to rate posts*********** -
Service instance and trunk ports
hi I have the following configuration:
interface Port-channel1
description SHN-AX1-1-2-CNRY
switchport trunk allowed vlan none
switchport mode trunk
load-interval 30
no keepalive
service instance 1 ethernet
encapsulation untagged
l2protocol peer lacp
bridge-domain 1
service instance 2 ethernet
description IDP_VLAN_2
encapsulation dot1q 2
bridge-domain 3998
service instance 3 ethernet
description BBR_VLAN
encapsulation dot1q 420
bridge-domain 3998
service instance 4 ethernet
description MGMT_VLAN
encapsulation dot1q 95
bridge-domain 3998
service instance 5 ethernet
description STATIC_VLAN
encapsulation dot1q 3641,3644,3777,3291
bridge-domain 3998
service instance 6 ethernet
description SME_VLAN
encapsulation dot1q 2098,2339
bridge-domain 3998
interface GigabitEthernet0/1
switchport trunk allowed vlan none
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/2
switchport trunk allowed vlan none
switchport mode trunk
channel-group 1 mode on
interface Port-channel12
description SHN-AGG-BX1
switchport trunk allowed vlan 34,50,76,3998
switchport mode trunk
mtu 9000
interface GigabitEthernet0/23
switchport trunk allowed vlan 34,3998
switchport mode trunk
mtu 9000
channel-group 12 mode active
interface GigabitEthernet0/24
switchport trunk allowed vlan 34,3998
switchport mode trunk
mtu 9000
channel-group 12 mode active
The input interfaces are gigEth0/1 and gigEth0/2 and the output interfaces are gigEth0/23 and gigEth0/24.
The ingress traffic at the input port has a single tag and the ingress traffic at the output port has two tags.
Please explain to me where the tags would be pushed/popped and why.
Thank you.
Hello.
You might have confused service instance configuration and usual switchport mode trunk.
Please refer figure 11-10 in the document http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/12-2_52_ey/configuration/guide/3800x3600xscg/swevc.html
But there is a typo: per the description it should be "enc dot1q 20" under service instance 9 (on the picture).
Also under Figure 11-2 we have following example:
QinQ is also supported when sending packets between an EFP and a switchport trunk, because the switchport trunk is implicitly defined as rewrite ingress tag pop 1 symmetric. The same external behavior as Method 1 can be achieved with this configuration:
Switch (config)# interface gigabitethernet0/1
Switch (config-if)# service instance 1 Ethernet
Switch (config-if-srv)# encapsulation dot1q 1-100
Switch (config-if-srv)# bridge-domain 30
Switch (config)# interface gigabitethernet0/2
Switch (config-if)# switchport mode trunk
Again, service instance 1 on Gigabit Ethernet port 0/1 is configured with the VLAN encapsulations used by the customer: C-VLANs 1-100. These are forwarded on bridge-domain 30. The service provider facing port is configured as a trunk port. The trunk port implicitly pushes a tag matching the bridge-domain that the packet is forwarded on (in this case S-VLAN 30). -
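The push/pop behaviour described in the quoted passage can be checked against the questioner's own configuration with a small tag-stack model. This is an added example, not code from the thread, from Cisco, or from a real ME3x00 forwarding plane: the EFP table is built from the Port-channel1 service instances above, the trunk's allowed list from Port-channel12, and frames are represented as lists of VLAN tags with the outer tag first. The forward direction follows the quoted rule (no rewrite on the EFP, so the C-tag stays; the trunk pushes the bridge-domain ID as the S-tag). For the reverse direction the model assumes the trunk pops the S-tag to select the bridge domain and that the egress EFP is chosen by matching the remaining tags; that selection rule is an assumption of the model.

```python
"""Tag-stack model of EFP <-> switchport-trunk forwarding (QinQ).

Added example, not from the thread or Cisco. Frames are lists of 802.1Q tag
IDs, outer tag first; [] is an untagged frame. The EFP table is constructed
from the Port-channel1 configuration in the question; the trunk allowed list
from Port-channel12.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Efp:
    port: str
    instance: int
    match: frozenset     # C-VLAN IDs of 'encapsulation dot1q ...'; empty = 'encapsulation untagged'
    bridge_domain: int


# Constructed from the questioner's Port-channel1 service instances.
EFPS = (
    Efp("Po1", 1, frozenset(), 1),
    Efp("Po1", 2, frozenset({2}), 3998),
    Efp("Po1", 3, frozenset({420}), 3998),
    Efp("Po1", 4, frozenset({95}), 3998),
    Efp("Po1", 5, frozenset({3641, 3644, 3777, 3291}), 3998),
    Efp("Po1", 6, frozenset({2098, 2339}), 3998),
)
TRUNK_ALLOWED = frozenset({34, 50, 76, 3998})   # Port-channel12 allowed list


def _matches(efp, tags):
    """An EFP matches on the frame's outer tag (or on 'untagged')."""
    outer = tags[0] if tags else None
    if outer is None:
        return not efp.match
    return outer in efp.match


def ingress_efp(efps, port, tags):
    """First service instance on `port` whose encapsulation matches the frame."""
    for e in efps:
        if e.port == port and _matches(e, tags):
            return e
    return None


def efp_to_trunk(efps, port, tags, trunk_allowed):
    """Customer side -> provider side. Returns the egress tag stack, or None if dropped.

    No 'rewrite' on the EFP, so the customer tag is kept; the switchport trunk
    (implicitly 'rewrite ingress tag pop 1 symmetric') pushes the bridge-domain
    ID as the outer S-tag on egress.
    """
    e = ingress_efp(efps, port, tags)
    if e is None:
        return None                      # no service instance matches: dropped
    if e.bridge_domain not in trunk_allowed:
        return None                      # trunk does not carry that VLAN
    return [e.bridge_domain] + list(tags)


def trunk_to_efp(efps, tags, trunk_allowed, port):
    """Provider side -> customer side (the 'symmetric' half).

    The trunk pops the outer S-tag, which identifies the bridge domain. The
    frame then leaves via an EFP on `port` in that bridge domain whose
    encapsulation matches the remaining tags (egress-EFP selection is an
    assumption of this model).
    """
    if not tags or tags[0] not in trunk_allowed:
        return None
    bd, inner = tags[0], list(tags[1:])
    for e in efps:
        if e.port == port and e.bridge_domain == bd and _matches(e, inner):
            return inner
    return None


if __name__ == "__main__":
    for frame in ([420], [2], [95], [999], []):
        print(f"Po1 in {frame!s:>8} -> Po12 out {efp_to_trunk(EFPS, 'Po1', frame, TRUNK_ALLOWED)}")
    print("Po12 in [3998, 95] -> Po1 out", trunk_to_efp(EFPS, [3998, 95], TRUNK_ALLOWED, "Po1"))
```

The model reproduces what the questioner observed: a single-tagged frame entering Po1 on VLAN 420 leaves Po12 double-tagged as [3998, 420]. It also shows two cases worth knowing when auditing such a configuration: untagged frames land in bridge-domain 1, which Po12 does not allow, so they are dropped; and the member ports Gi0/23 and Gi0/24 only allow 34 and 3998, so any VLAN present only in the port-channel's list would not be carried by the members as shown.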
OVM 3:Monitor a trunk port/create a dedicated NIC
Hi,
I need to monitor a trunk port from within a guest. Does OVM offer the ability to tie a network card directly to a guest? I don't want other guests to have access to the same nic at the same time.
Understood.
I have now setup a simple network with bonds/ports only and attached that to the NIC that is connected to the SPAN port on my Cisco switch. This SPAN port mirrors a trunk port and thus carries of course all the VLANs.
Next, I have setup a guest running ntop and that has a vnic attached to it, that is connected to the new network. Now, when I run tcpdump against that port I am only seeing broadcast and multicast traffic. Is there a way to capture the whole network traffic that is mirrored to the SPAN port?
I have also taken a look at the network with ports and VLANs, but that doesn't seem to fit either. -
"Multicast" Across a Trunk port
I have a pair of Nokia firewalls connected to two 4006 switches running 7.6.3 code. The firewalls have a multicast virtual address that doesn't seem to pass across an etherchannel trunk between the switches even though the vlan they are in is being forwarded across the trunk. Do you know if a dot1q trunk would block a multicast packet from a Nokia firewall from passing?
Hi :
Basically, by default multicast is only forwarded to the router ports or where an IGMP request is received. Now you have a Cat4000 and it has CGMP turned on by default. As long as it does not detect any router ports, multicast should basically be flooded in the entire vlan. In your case, multicast not being flooded makes me think the switch is detecting a multicast router at some other port other than the trunk port and certainly not receiving a CGMP join from that router for this particular group.
Here is a hack that you can use.
set multicast router
where mod/port is a trunk port .
Second thing is you can disable CGMP only if you do not have other multicast traffic in your network and the only traffic is this low volume keepalive traffic between the firewalls, so that this traffic will be flooded in the entire vlan on both switches.
set cgmp disable
Hope this helps.
Salman Z. -
Wlc management port can't trunk other than native vlan
Hello,
I have installed my first WLC 5508 with this topology:
WLC connected through distribution SFP 1Gb port to Core Switch port configured as trunk port permitting 3 wireless VLANs:
- Management WLC, Wireless Voice and Wireless Data VLAN (native VLAN is management WLAN).
- I have created 2 dynamic interfaces on WLC regarding my wireless VLANs:
10.7.1.0/24 : Default Management Virtual Interface when installing WLC +
10.7.6.0/24 : Voice Virtual Interface and
10.7.2.0/24 : Wireless Data Virtual Interface through GUI.
DHCP configured on each dynamic interface is the L3 VLAN interface for the equal VLAN subnet on the CORE SWITCH containing the IP DHCP pool.
WLC Management Interface IP address is: 10.7.1.10/24
I have created 2 WLANs with SSIDs named Data ID 1 & Voice ID 2.
I have created an AP Group named APGRP1 containing the APs registered on the WLC and using both SSID WLANs.
Both APs are connected to switch access ports configured as access ports to the native management WLC VLAN.
I have created 3 IP DHCP pools on the Core switch with related L3 interfaces for inter-VLAN routing.
Problem: when I try to connect from a laptop to the Data SSID I get an IP address from the management WLC VLAN, not the DATA VLAN.
The same happens for a Wireless IP Phone configured with the Voice SSID.
What can I modify so that both devices get an IP address from the correct VLAN?
Thanks
Hi Adil,
Q1 >> AP access port on the switch must be configured on an Access port mode or trunk mode?
ANS - The LWAPP/CAPWAP APs connected to the switchport should be on an access port, not a trunk.
Q2 >> if the first case, setting the port on the same VLAN like WLC Management VLAN will support other WLAN Vlans (voice and data)?
ANS - Yes, it does support it, since the traffic which involves the WLAN will be inside the LWAPP/CAPWAP logical tunnel.
Q3>> I will verify the interface mapping between WLAN and Dynamic Interfaces and i will tell you.
ANS - I will be waiting for your response!!
lemme know if this answered your question..
Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or was helpful -
RV220W - Setting Up Trunk Ports
Hello
We just recently bought a RV220W. We have been trying to find out how to setup one of the ports as a trunk port to be able to pass several VLANs to a XenServer. The documentation states it is possible:
However the option is not actually there:
I have been looking all around without much success. I would really appreciate if anyone could give me a hint on how to make a port behave as a trunk on this device.
Thank you
Wilmar,
If I want to pass VLANs 1, 20 and 30 only on Port 4, it would have to be like in the config above, right?- As a side note and forgive my ignorance but why do I have to leave at least one VLAN untagged?
The port is configured properly to pass the VLANs. One VLAN must be untagged, typically the default VLAN on the network, because it is a Trunk port. If you had the option for General port you could leave all VLANs untagged. The switch that connects to the port should be configured exactly the same.
There is only one manual for the RV220W:
http://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/rv220w/administration/guide/rv220w_ag_78-19743.pdf
It looks like the manual that you referenced is for a switch.
- Marty -
Problems with vlan and dot1q trunking port
Dear Folks,
I have problems with my AccessPoint configuration.
Even when I set the Catalyst port to trunk, I can only connect to VLAN 1 but not to VLAN 10.
And if I change the port to static VLAN 10 I cannot connect to the AP, but it works...
config below:
User Access Verification
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 1200_PP_1
logging queue-limit 100
enable secret xxxx
clock timezone A 1
ip subnet-zero
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid DEPACNGLW0HS
vlan 10
authentication shared
infrastructure-ssid
mobility network-id 10
speed basic-1.0 2.0 5.5 11.0
rts threshold 2312
channel 2412
antenna receive right
antenna transmit right
station-role root
interface Dot11Radio0.1
no ip route-cache
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
ntp broadcast client
interface FastEthernet0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.2.2.222 255.255.255.0
no ip route-cache
ip default-gateway 10.2.2.2
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100
ip radius source-interface BVI1
bridge 1 route ip
line con 0
line vty 0 4
login local
line vty 5 15
login
end
It would be fine if anyone could help me....
You configure Layer 3 Mobility with WLSM. No trunking is required on the CAT switch. However, you need to set the switch port on the CAT switch as an access port in VLAN 10.
Please post the WLSM and SUP720 configuration. Also, which VLAN do you want to access the AP?
The following URL may be useful for you to verify the configuration:
http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00802a86a7.html -
Catalyst 6500 Block Switching Between Trunk Ports
Hello all,
I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between each other. The remaining three ports would only be able to switch to the primary trunk port.
For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
Does anyone have any ideas on how to accomplish this?
I'm really not all that savvy on private VLANs but I did look at them as an option. Would they be effective on trunk ports? Most config examples I have seen have shown them applied on access ports.
Can't see switchport protected:
6509(config-if)#switchport protected
^
% Invalid input detected at '^' marker. -
Maybe there's an obvious answer, but I have this strange thing;
Switchport config
interface GigabitEthernet0/2
description Trunk to CORE02
switchport mode trunk
shutdown
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
sh vlan brie
VLAN Name Status Ports
1 default active Gi0/2
Why is it that this port, which is configured as a trunk port, shows up as active in vlan1? Also when I do a show interfaces trunk, this specific port is not listed as a trunked port. By the way I had to shutdown the port because it was causing issues. It's a redundant link, when enabled I would expect spanning tree to do its magic, but somehow it does not and instead causes half of our lan to become unreachable. Not sure why.
In my switch I cannot delete it
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48TS-L 12.2(58)SE2 C2960S-UNIVERSALK9-M
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport mode trunk
spanning-tree portfast
_Cat_2960s_5_1#sh vla br
VLAN Name Status Ports
1 default active Gi1/0/41,
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode trunk
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 1
no switchport port-security
_Cat_2960s_5_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
_Cat_2960s_5_1(config)#interface GigabitEthernet1/0/41
_Cat_2960s_5_1(config-if)#no switchport access vlan 1
_Cat_2960s_5_1(config-if)#^Z
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode trunk
another trunk port with native vlan configured is not in vlan 1 -
Can I use straight cable to connect trunk ports between 2 switches?
Hi,
Am I able to use straight instead of cross cable to connect trunk ports between 2 switches??
thanks!
Hi Devang,
When a 10/100 Fast Ethernet interface is enabled, one end of the link must perform media dependent interface (MDI) crossover (MDIX), so that the transmitter on one end of the data link is connected to the receiver on the other end of the data link (a crossover cable is typically used).
The Auto-MDIX feature eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase.
HTH, if yes please rate the post.
Ankur -
Best practices for configure Rogue Detector AP and trunk port?
I'm using a 2504 controller. I dont have WCS.
My questions are about the best way to configure a Rogue Detector AP.
In my lab environment I setup the WLC with 2 APs. One AP was in local mode, and I put the other in Rogue Detector mode.
The Rogue Detector AP was connected to a trunk port on my switch. But the AP needed to get its IP address from the DHCP server running on the WLC. So I set the native vlan of the trunk port to be the vlan on which the WLC management interface resides. If the trunk port was not configured with a native vlan, the AP couldn't get an address through DHCP, nor could the AP communicate with the WLC. This makes sense because untagged traffic on the trunk port will be delivered to the native vlan. So I take it that the AP doesn't know how to tag frames.
Everything looked like it was working ok.
So I connected an autonomous AP (to be used as the rogue), and associated a wireless client to it. Sure enough it showed up on the WLC as a rogue AP, but it didn't say that it was connected on the wire. From the rogue client I was able to successfully ping the management interface of the WLC.
But the WLC never actually reported the rogue AP as being connected to the wired network.
So my questions are:
1. What is the correct configuration for the trunk port? Should it not be configured with a native vlan? If not, then I'm assuming the rogue detector AP will have to have a static IP address defined, and it would have to be told which vlan it's supposed to use to communicate with the WLC.
2. Assuming there is a rogue client associated with the rogue AP, how long should it reasonably take before it is determined that the rogue AP is connected to the wired network? I know this depends on if the rogue client is actually generating traffic, but in my lab environment I had the rogue client pinging the management interface of the WLC and still wasn't being picked up as an on-the-wire rogue.
Thanks for any input!!
# What's the autonomous AP's (as Rogue AP) Wired and Wireless MAC address?
it has to be +1 or -1 difference. If Wired MAC is x.x.x.x.x.05 and the wireless mac should be x.x.x.x.x.04 or 06. It is not going to detect if the difference is more than + 1 or - 1.
# Does the switch see the Rogue AP's wired MAC in its MAC table?
Rogue Detector listens to ARPs to get all the Wired MAC info and forwards to WLC, It compares with Wireless MAC, if there is a +1 or -1 difference then it will be flagged as Rogue on wire. And the client that connected to it is also marked as found on wire.
Regards to Trunking, Only Native vlan matters per trunk link, just configure the right vlan as native and we're done.
It is not mandatory to keep the Rogue detector on Management vlan of wlc. It can also be on L3 vlan also as long as it can join the WLC to forward the learnt wired MACs.
So if we don't have +1, -1 difference on Rogues then you've to use RLDP which will work with your existing setup to find Rogue on wire. there's a performance hit when we use this feature on local mode APs.
Note: For AP join - AP can't understand Trunk, meaning if AP connected to Trunk it'll only talk to its native vlan irrespective of AP mode, however rogue detector listens to the Trunk port to learn MACs via ARPs from different VLANs and forwards to WLC using native vlan. -
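The rogue-on-wire correlation the reply above describes (wired MACs learned from ARP by the rogue detector compared against rogue BSSIDs that differ by plus or minus one) can be expressed as a short matching routine. This is an added example for the reader, not code from the thread or from a WLC; the MAC addresses are constructed, and treating an exact match as a hit is an assumption beyond the reply's ±1 rule. It also reports the BSSIDs that fall outside the window, which are the cases where, as the reply notes, the heuristic cannot decide and RLDP would be needed.

```python
"""Rogue-on-wire correlation by MAC adjacency.

Added example, not code from the thread or a WLC. Wired MACs (as a rogue
detector AP would learn them from ARP) are compared with rogue BSSIDs seen
over the air; a BSSID within +/-1 of a wired MAC is flagged as on-wire.
MACs are compared as 48-bit integers so the +1/-1 test survives a carry
across octets (..:00:ff -> ..:01:00). All sample addresses are constructed.
"""


def mac_to_int(mac):
    """Parse 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC {mac!r}")
    return int(digits, 16)


def int_to_mac(value):
    """48-bit integer -> colon-separated lowercase MAC."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def correlate_rogues(rogue_bssids, wired_macs, window=1):
    """Map each rogue BSSID to the wired MAC it is adjacent to, if any.

    `window` is the allowed distance; the reply describes +1/-1. An exact
    match (distance 0) is also accepted here, which is this model's assumption.
    """
    wired = {mac_to_int(m): m for m in wired_macs}
    found = {}
    for bssid in rogue_bssids:
        b = mac_to_int(bssid)
        for delta in range(-window, window + 1):
            if b + delta in wired:
                found[bssid] = wired[b + delta]
                break
    return found


def undecided(rogue_bssids, wired_macs, window=1):
    """Rogue BSSIDs not adjacent to any learned wired MAC (RLDP territory)."""
    matched = correlate_rogues(rogue_bssids, wired_macs, window)
    return sorted(set(rogue_bssids) - set(matched))


# Constructed sample data: what a rogue detector might forward to the WLC.
WIRED_MACS = ["00:11:22:33:44:05", "00:11:22:33:44:20", "aa:bb:cc:00:00:ff"]
ROGUE_BSSIDS = ["00:11:22:33:44:04", "00:11:22:33:44:06",
                "00:11:22:33:44:25", "aa:bb:cc:00:01:00"]

if __name__ == "__main__":
    for bssid, wired in correlate_rogues(ROGUE_BSSIDS, WIRED_MACS).items():
        print(f"rogue {bssid} is on the wire as {wired}")
    print("undecided by +/-1 rule:", undecided(ROGUE_BSSIDS, WIRED_MACS))
```

Because the wired list comes from ARP on whatever VLANs the trunk carries, the routine only works for rogues whose wired side sits in one of those VLANs; a rogue plugged into a VLAN the detector never hears will always land in the undecided set regardless of its MAC numbering.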
Unable to add allowed VLANs to TenGig trunk port
Hi,
I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doesn't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
I've tried adding single VLANs and multiples, but no joy. Any ideas?
Here's what I've done:
SWITCH_1631(config)#default int t4/1
Interface TenGigabitEthernet4/1 set to default configuration
SWITCH_1631#sh ru int t4/12
Building configuration...
Current configuration : 65 bytes
interface TenGigabitEthernet4/12
no ip address
shutdown
end
SWITCH_1631(config)#int t4/1
SWITCH_1631(config-if)#switchport
SWITCH_1631(config-if)#switchport mode trunk
SWITCH_1631(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
SWITCH_1631(config-if)#
SWITCH_1631#sh vlan id 700
VLAN Name Status Ports
700 VLAN_NAME active <snip>
SWITCH_1631#sh ru int t4/1
Building configuration...
Current configuration : 74 bytes
interface TenGigabitEthernet4/1
switchport
switchport mode trunk
end
Steve,
Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
Port Mode Encapsulation Status Native vlan
Gi3/39 on 802.1q trunking 1
Te4/1 on 802.1q trunking 1
Po1 on 802.1q trunking 50
Po2 on 802.1q trunking 50
Po3 on 802.1q trunking 50
Po4 on 802.1q trunking 50
Po5 on 802.1q trunking 50
Port Vlans allowed on trunk
Gi3/39 15-16,20-23,30,401,608
Te4/1 1-4094
Po1 10,13,20-21,25,30,50,52,61,70,600,700-701,950
Po2 10,20,30,50,52,61,70,600,700-701,950
Po3 10,20,30,50,61,70,600,700-701,950
Po4 10,20,30,50,61,70,600,700-701,950
Po5 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
The problem was that I've always been advised that best practice is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
Then I realised what the problem was: trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed! -
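The two VLAN-list behaviours seen on this page, the "add 700" that silently does nothing on a trunk already allowing 1-4094 (this thread) and the "Vlans allowed and active" column being the allowed list intersected with the VLANs that exist on the switch (the access-to-trunk thread's show interfaces trunk output earlier on the page), both come down to set arithmetic on IOS-style VLAN ranges. The following is an added example, not code from either thread or from Cisco: it parses and formats range strings such as 1-699,701-4094, applies the keywords of switchport trunk allowed vlan (a bare list, add, remove, except, all, none) to an allowed set, and computes the allowed-and-active list. The VLAN databases used in the usage calls are constructed.

```python
"""Cisco-style VLAN list handling.

Added example, not from the threads or Cisco software. Covers:
  * parsing/formatting range strings ('1-699,701-4094');
  * the semantics of 'switchport trunk allowed vlan {list|add|remove|except|all|none}';
  * 'Vlans allowed and active' = allowed list & VLANs present on the switch.
Sample VLAN databases are constructed.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(text):
    """'1-699,701-4094' -> set of ints; rejects malformed or out-of-range tokens."""
    result = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN token {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {part}")
        result.update(range(lo, hi + 1))
    return result


def format_vlan_list(vlans):
    """Set of ints -> compact IOS-style string, collapsing consecutive runs."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    runs, start, prev = [], ids[0], ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        runs.append((start, prev))
        start = prev = v
    runs.append((start, prev))
    return ",".join(f"{a}" if a == b else f"{a}-{b}" for a, b in runs)


def apply_allowed_vlan(current, argument):
    """Apply one 'switchport trunk allowed vlan <argument>' to the allowed set."""
    words = argument.strip().split(None, 1)
    keyword = words[0].lower()
    rest = words[1] if len(words) > 1 else ""
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)      # union: no-op if already present
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(argument)                # bare list replaces the whole set


def replay(arguments, start=None):
    """Run a sequence of allowed-vlan arguments from the default (all) and format the result."""
    state = set(ALL_VLANS) if start is None else set(start)
    for arg in arguments:
        state = apply_allowed_vlan(state, arg)
    return format_vlan_list(state)


def allowed_and_active(allowed, configured):
    """What 'show interfaces trunk' prints as 'Vlans allowed and active'."""
    return set(allowed) & set(configured)


if __name__ == "__main__":
    print("add 700 on a default trunk :", replay(["add 700"]))
    print("remove 700               :", replay(["remove 700"]))
    print("700 then add 701         :", replay(["700", "add 701"]))
    sw1_db = {1, 6, 10, 20, 30, 40, 50, 60, 70, 80, 90, 100}        # constructed VLAN database
    print("allowed & active (SW1)   :", format_vlan_list(allowed_and_active(ALL_VLANS, sw1_db)))
    print("allowed & active (SW2)   :", format_vlan_list(allowed_and_active({1, 6, 100}, sw1_db)))
```

The same routine is handy when reviewing trunk configurations in bulk: run each interface's allowed-vlan history through replay and compare the result with the VLANs that actually need to cross the link, which is the pruning practice the poster mentions.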
How to check trunk port on 3548 xl switch
Hi all,
I have a 3548 XL switch. I know on other switches I can use the command
sh int trunk, but on this switch it does not work.
Does anyone know which command we can use to check trunk ports other than
sh int fa switchport?
thanks
mahesh
Hi Mahesh,
What error does it show when you issue show interface trunk on the switch?
Ganesh.H