Switch trunking ports
Hello,
If I have switch A with 3 VLANs that have IP addresses, in other words 3 switch virtual interfaces, and I configure one port as a switchport trunk with the following commands: switchport mode trunk and switchport trunk encapsulation dot1q. Now I want to connect another switch B to allow those same VLANs to go across, and then put 5 ports in those 3 VLANs. The port from switch B that connects to switch A I would configure with the following commands: switchport mode trunk and switchport trunk encapsulation dot1q. My question is: do I just configure switchport trunk allowed vlan all on both switch ports for devices from both switches in the same VLANs to talk to each other, or do I still need to add more commands to both switches, like adding the same SVIs from switch A to switch B?
Hi Horacio
It sounds like you are pretty much there from reading your original post.
Using the following commands creates a trunk port between the switches:
#switchport trunk encapsulation dot1q
#switchport mode trunk
If you use these commands on both of the switches you are connecting together, a trunk should form, and by default this allows all VLANs to pass traffic across it.
If you want to restrict the trunk so that it only passes traffic for specific vlans, this can be achieved using the following command:
#switchport trunk allowed vlan [X]
Replace the [X] with the vlans you want to allow. Make sure you do this both sides otherwise you may find one side sending traffic which is dropped by the other side.
Make sure the Layer 2 VLANs exist on both switches. The SVI you mentioned will be the default gateway for hosts in that VLAN and only needs to exist on the switch which is performing the inter-VLAN routing; you do not need an SVI on each switch for every VLAN.
Hope this helps
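The three things the answer above says to check (the trunk commands on both sides, the same allowed-VLAN list on both sides, the Layer 2 VLANs defined on both switches with the SVI only on the routing switch) can be audited from the two running configs before the cable goes in. The script below is an added example, not part of the original post and not Cisco's; it understands only the handful of commands the answer uses, and the two config snippets, interface names and addresses are constructed for illustration.

```python
"""Audit both ends of a switch-to-switch trunk from running-config snippets.

Added example, not from the original post or from Cisco. It understands only
the commands the answer above uses (vlan N, interface VlanN, switchport mode
trunk, switchport trunk encapsulation, switchport trunk allowed vlan); the two
configs below are constructed for illustration.
"""
import re

SWITCH_A = """
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 30
 name MGMT
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
"""

SWITCH_B = """
vlan 10
vlan 20
vlan 40
interface Vlan20
 ip address 10.0.20.2 255.255.255.0
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' (or 'all') into a set of IDs."""
    if spec == "all":
        return set(range(1, 4095))
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_config(text):
    """Return (layer-2 VLANs defined, SVIs present, per-port trunk settings)."""
    vlans, svis, ports = {1}, set(), {}   # VLAN 1 always exists and is never shown
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^vlan \d", line):
            vlans |= expand_vlans(line.split()[1])
            port = None
        elif line.startswith("interface Vlan"):
            svis.add(int(line[len("interface Vlan"):]))
            port = None
        elif line.startswith("interface "):
            port = line.split(None, 1)[1]
            ports[port] = {"mode": None, "encap": None, "allowed": "all"}
        elif port and line == "switchport mode trunk":
            ports[port]["mode"] = "trunk"
        elif port and line.startswith("switchport trunk encapsulation "):
            ports[port]["encap"] = line.split()[-1]
        elif port and line.startswith("switchport trunk allowed vlan "):
            ports[port]["allowed"] = line.split()[-1]
    return vlans, svis, ports


def audit_trunk(cfg_a, port_a, cfg_b, port_b):
    """Report the mismatches the answer warns about, as a list of strings."""
    vl_a, svi_a, ports_a = parse_config(cfg_a)
    vl_b, svi_b, ports_b = parse_config(cfg_b)
    a, b = ports_a[port_a], ports_b[port_b]
    findings = []
    for label, side in (("A", a), ("B", b)):
        if side["mode"] != "trunk":
            findings.append(f"{label}: 'switchport mode trunk' missing on {port_a if label == 'A' else port_b}")
    if a["encap"] != b["encap"]:
        findings.append(f"encapsulation mismatch: {a['encap']} vs {b['encap']}")
    allowed_a, allowed_b = expand_vlans(a["allowed"]), expand_vlans(b["allowed"])
    # VLANs one side allows but the other drops; only VLANs that exist somewhere matter
    for v in sorted((allowed_a ^ allowed_b) & (vl_a | vl_b)):
        findings.append(f"VLAN {v}: allowed on one side only, the other side drops it")
    carried = allowed_a & allowed_b
    for v in sorted(carried - (vl_a & vl_b)):
        findings.append(f"VLAN {v}: allowed on the trunk but not defined as a layer-2 VLAN on both switches")
    for v in sorted(carried & svi_a & svi_b):
        findings.append(f"VLAN {v}: SVI on both switches, only the switch doing inter-VLAN routing needs one")
    return findings


if __name__ == "__main__":
    for finding in audit_trunk(SWITCH_A, "GigabitEthernet0/1", SWITCH_B, "GigabitEthernet0/1"):
        print(finding)
```

With the constructed configs this reports VLAN 40 allowed on B only, VLAN 30 allowed on the trunk but not defined on B, and an SVI for VLAN 20 on both switches. A port whose mode is not explicitly trunk is reported rather than assumed to negotiate, because whether it trunks then depends on DTP rather than on the configuration you can read.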
Similar Messages
-
How can I encrypt my data uplinks between switch trunk ports? I'm unable to use the "cts manual" command on a C3560X switch. Please suggest how I can encrypt my switch-to-switch link with Cisco TrustSec.
Hi
Log in to the switch and go to the interface.
There you can give tags (ISL & DOT1Q).
Command: switchport mode trunk
switchport trunk encapsulation isl or dot1q -
Can I use straight cable to connect trunk ports between 2 switches?
Hi,
Am I able to use straight instead of cross cable to connect trunk ports between 2 switches??
thanks!
Hi Devang,
When a 10/100 Fast Ethernet interface is enabled, one end of the link must perform media dependent interface (MDI) crossover (MDIX), so that the transmitter on one end of the data link is connected to the receiver on the other end of the data link (a crossover cable is typically used).
The Auto-MDIX feature eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase.
HTH, if yes please rate the post.
Ankur -
How to check trunk port on 3548 xl switch
Hi all,
I have a 3548 XL switch. I know on other switches I can use the command
sh int trunk, but on this switch it does not work.
Does anyone know which command we can use to check trunk ports other than
sh int fa switchport?
thanks
mahesh
Hi Mahesh,
What error does it show when you issue show interface trunk on the switch?
Ganesh.H -
Multiple trunk ports on switch
How many ports on a 2950 can be configured as dot1q trunks? I need to place an intermediary switch in my network to pass trunk data between 10 other Cisco switches and therefore need to configure 10 ports as trunk ports. Is this possible, or would a different switch work better for this purpose?
Hi Scott,
There's no limitation on the number of trunk ports you can configure. However, there is a switch-wide limitation of 64 instances of Spanning Tree. In other words, you can only have 64 active VLANs on the switch.
See:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swstp.htm#1150172
HTH,
Bobby
*Please rate helpful posts. -
Private VLAN Promiscuous Trunk Port - Switches which support this function
Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks
4500x Yes
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
Nexus 5k Yes
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
3850s
They don't support private VLANs at all yet.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
Restrictions for VLANs
The following are restrictions for VLANs:
The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
Private VLANs are not supported on the switch.
You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches. -
Configure trunk port between 2 SG500 switches
Hi all,
I'm trying to do what seems to be a simple task but cannot get it to work. I'm very familiar with the Cisco commands on 2900 all the way up to 6500 series switches. The SG500 has me stumped. I have 3 switches, sw1, sw2, sw3. sw1 and sw2 are stacked. sw3 is standalone and in a different part of the building, maybe 25 ft away. All I want to do is set up a trunk port between the stack and the standalone. Going by past experience, I would set the port as:
- switchport mode trunk
- switchport trunk allowed vlan 2,3,4
The SG makes me specify tagged or untagged - which is fine. So any vlan I want to move across the trunk i tag, obviously. I do everything as I've done for years and it doesn't work. VLAN1 is untagged, all VLANs I want to flow are allowed and tagged.
I'm quickly realizing I should have bucked up and just bought what I'm used to but I didn't have a choice in the matter.
Any help would be great!
Shawn
Hi Shawn, something is the matter if the switch is asking you for tagged or untagged. The only reason it should be requesting a tag or untag statement is from a general port mode.
The command syntax for the function is exactly the same as an IOS switch
switchport mode trunk
switchport trunk allowed vlan add 2,3,4
Just like a Catalyst, if you use switchport trunk allowed vlan x,x,x it won't take the command (insufficient privilege or whatever error it gives); suffice it to say it doesn't really do anything without the add (or remove).
-Tom
Please mark answered for helpful posts -
Catalyst 6500 Block Switching Between Trunk Ports
Hello all,
I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4-port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between each other. The remaining three ports would only be able to switch to the primary trunk port.
For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
Does anyone have any ideas on how to accomplish this?
I'm really not all that savvy on private VLANs but I did look at them as an option. Would they be effective on trunk ports? Most config examples I have seen have shown them applied on access ports.
Can't see switchport protected:
6509(config-if)#switchport protected
^
% Invalid input detected at '^' marker. -
Catalyst 6500 Block Switching Between Trunk Port
Hello all,
I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between eachother. The remaining three ports would only be able to switch to the primary trunk port.
For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
Does anyone have any ideas on how to accomplish this?
Duplicate posts.
Go here: https://supportforums.cisco.com/thread/2261414 -
ACL not working on 3750 Switch Stack on a trunk port
I cannot figure out why the ACL is not working on a 3750 running 12.2 (55)SE on a trunk port. For testing, there is 1 x IP (10.101.15.13) that should be denied to all VLANs on the trunk. I have tried standard and extended list, but neither seem to work.
What am I doing wrong?
Access-List:
Standard IP access list 10
10 deny 10.101.15.13 log
20 permit any log
Access-List Interface:
interface GigabitEthernet7/0/10
description ESX Trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,60-63
switchport mode trunk
ip access-group 10 in
Mac-Address on the Switch Port:
63 0050.569a.6d9f DYNAMIC Gi7/0/10
Windows Machine MAC:
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
Windows Connection (which should be denied):
TCP 10.20.63.4:3389 10.101.15.13:21289 ESTABLISHED
InHost
PACLs only apply to an L2 interface. On an L2 interface the only direction that can be applied is inbound. On an L3 interface, inbound or outbound can be specified.
In any case, I have worked around the issue by applying VACLs. Marking this as resolved. -
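There is a second reason the posted ACL could never hit, beyond the inbound-only restriction the answer mentions: a standard ACL matches the source address only, and the only packets that enter the switch on Gi7/0/10 are the ones the VMs send, so "deny 10.101.15.13" is compared against a source of 10.20.63.4 and falls through to "permit any". The packets from 10.101.15.13 leave the port, where a PACL cannot be applied. The small model below is an added example, not part of the original thread and not Cisco code; it reproduces ACL 10 and the RDP session from the netstat line above, applies the list the way a port ACL is applied, and contrasts it with an extended list (mine) that would drop the VM's replies to that host.

```python
"""Why a standard ACL applied inbound on the ESX trunk port never matched.

Added example, not part of the original thread. Port ACLs are applied only to
packets entering the switch on the port, i.e. the packets sent by the hosts
behind it; this model does the same. Address and port values come from the
thread, the extended ACL at the bottom is mine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: str               # "any" or "host A.B.C.D"
    dst: str = "any"       # standard ACLs have no destination field
    proto: str = "ip"      # "ip" matches every protocol


def _addr_matches(spec, addr):
    return spec == "any" or spec == f"host {addr}"


def evaluate(acl, pkt):
    """First matching entry wins, with the implicit deny at the end as on IOS."""
    for ace in acl:
        if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
            continue
        if ace.proto not in ("ip", pkt.proto):
            continue
        return ace.action
    return "deny"


def port_acl_inbound(acl, packets, hosts_behind_port):
    """Apply a port ACL: inbound only, so only packets sourced behind the port are checked."""
    verdicts = {}
    for pkt in packets:
        if pkt.src in hosts_behind_port:
            verdicts[pkt] = evaluate(acl, pkt)
        else:
            verdicts[pkt] = "not filtered (leaves the port; PACLs have no outbound direction)"
    return verdicts


# Posted ACL 10, a standard list: source address only
STANDARD_ACL_10 = [Ace("deny", "host 10.101.15.13"), Ace("permit", "any")]
# Extended alternative (mine): deny traffic to that host from anything behind the port
EXTENDED_ACL = [Ace("deny", "any", "host 10.101.15.13"), Ace("permit", "any", "any")]

HOSTS_BEHIND_GI7_0_10 = {"10.20.63.4"}               # VM 0050.569a.6d9f from the MAC table above
CLIENT_TO_VM = Packet("10.101.15.13", "10.20.63.4")   # RDP client -> VM, exits the port
VM_TO_CLIENT = Packet("10.20.63.4", "10.101.15.13")   # VM reply, enters the port
SESSION = [CLIENT_TO_VM, VM_TO_CLIENT]

if __name__ == "__main__":
    for name, acl in (("standard ACL 10", STANDARD_ACL_10), ("extended ACL", EXTENDED_ACL)):
        for pkt, verdict in port_acl_inbound(acl, SESSION, HOSTS_BEHIND_GI7_0_10).items():
            print(f"{name}: {pkt.src} -> {pkt.dst}: {verdict}")
```

With the standard list the VM's reply is permitted and the client's packets are never filtered, so the session stays ESTABLISHED exactly as the netstat line shows; with the extended list the VM's reply is dropped, which is what was wanted. Note that the extended list only blocks the return half of the flow; the client's SYN still reaches the VM, so a VACL on the VLAN (the workaround the poster used) is the cleaner place to block both directions.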
Access to trunk port clarification
Hello-
I am looking to clarify a point of confusion for myself regarding connecting an access port to a trunk port. Consider the following switchport config on switch1:
Switch#1
interface GigabitEthernet0/5
switchport
switchport access vlan 6
....and the corresponding config on its neighbor:
Switch#2
Interface GigabitEthernet10/8
switchport
switchport mode trunk
switchport trunk allowed vlan 1,6,100
My first question is- Is this a valid configuration? Secondly, what would the expected results be? I am curious about what vlans would be allowed to pass through..
Thanks in advance-
Brian
This would work fine but is not recommended.
Also, only native VLAN and VLAN 6 traffic would pass between the switches.
SW1-----F0/1----------f0/1----SW2
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1,6
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6
SW1#
SW2
SW2#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1,6,100
Port Vlans allowed and active in management domain
Fa0/1 1,6,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6,100
SW2#
2) Part of this config is that any VLANs which have been configured on SW1 would be allowed through that access port.
ex:
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1,6,10,20,30,40,50,60,70,80,90,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6,10,20,30,40,50,60,70,80,90,100 ...>>>>>>>>>>all vlans are allowed here.
b)
Whereas on Switch 2, if you create all these VLANs and you don't allow them through the trunk interface you have configured, those VLANs would not flow through.
eg;
SW2#sh int tr
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1,6,100
Port Vlans allowed and active in management domain
Fa0/1 1,6,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6,100 >>>>>>>>>>>>>> Only 3 VLANs would flow through because they are explicitly defined, but if you allowed all then all VLANs would be shown here.
I created all the VLANs above on SW2, but you can see only 3 VLANs are allowed, as you have explicitly defined them.
Hope this clarifies your query.
Regards
Inayath
*************Plz dont forget to rate posts*********** -
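The outputs Inayath pasted also show something the question did not ask about: SW1's port was configured only with "switchport access vlan 6", yet its Mode column reads "auto" and its Status "trunking", so the port was negotiated into a trunk by DTP rather than by configuration. The script below is an added example, not part of the original thread and not Cisco's; it parses the two "show interfaces trunk" outputs from the answer above (copied here as constructed input), works out which VLANs can really cross the link (allowed, active, and STP forwarding on both sides), and flags a trunk that exists only because of DTP negotiation.

```python
"""Work out which VLANs a trunk actually carries from 'show interfaces trunk'.

Added example, not part of the original thread. The two outputs below are the
ones pasted in the answer above (SW1 with the access-port config, SW2 with the
explicit allowed list); the parser, the checks and their wording are mine.
"""

SW1_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,6

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,6
"""

SW2_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1,6,100

Port        Vlans allowed and active in management domain
Fa0/1       1,6,100

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,6,100
"""

TABLES = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def expand_vlans(spec):
    """'1,6,100-102' -> {1, 6, 100, 101, 102}; 'none' -> empty set."""
    ids = set()
    for part in spec.split(","):
        if part in ("", "none"):
            continue
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_show_trunk(text):
    """Return {port: {mode, encap, status, native, allowed, active, forwarding}}."""
    ports, table = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":                       # a header line starts a new table
            table = "summary" if fields[1] == "Mode" else " ".join(fields[1:])
        elif table == "summary" and len(fields) == 5:
            ports[fields[0]] = {"mode": fields[1], "encap": fields[2],
                                "status": fields[3], "native": int(fields[4])}
        elif table in TABLES and len(fields) == 2:
            ports.setdefault(fields[0], {})[TABLES[table]] = expand_vlans(fields[1])
    return ports


def effective_vlans(port):
    """VLANs this side can really carry: allowed, defined/active, and STP forwarding."""
    return port["allowed"] & port["active"] & port["forwarding"]


def check_trunk(side_a, side_b):
    """Return (VLANs carried end to end, VLANs usable on one side only, warnings)."""
    warnings = []
    if side_a["native"] != side_b["native"]:
        warnings.append(f"native VLAN mismatch: {side_a['native']} vs {side_b['native']}")
    for label, side in (("A", side_a), ("B", side_b)):
        if side["mode"] in ("auto", "desirable"):     # administrative mode is dynamic: DTP formed this trunk
            warnings.append(f"{label}: mode '{side['mode']}' means the trunk was negotiated by DTP; "
                            "a port meant for a host should be 'switchport mode access' plus "
                            "'switchport nonegotiate' so a neighbour cannot negotiate a trunk")
    a, b = effective_vlans(side_a), effective_vlans(side_b)
    return a & b, a ^ b, warnings


if __name__ == "__main__":
    sw1 = parse_show_trunk(SW1_OUTPUT)["Fa0/1"]
    sw2 = parse_show_trunk(SW2_OUTPUT)["Fa0/1"]
    carried, one_side, warnings = check_trunk(sw1, sw2)
    print("carried end to end:", sorted(carried))
    print("usable on one side only:", sorted(one_side))
    for warning in warnings:
        print("warning:", warning)
```

For the two outputs above this reports VLANs 1 and 6 carried end to end, VLAN 100 usable on SW2's side only, and a DTP warning for SW1. The security point is the warning: whatever is plugged into a port left in dynamic mode can negotiate a trunk and then tag frames into any VLAN that is active on the switch, which is why host-facing ports should be forced to access mode with negotiation disabled.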
Best practices for configure Rogue Detector AP and trunk port?
I'm using a 2504 controller. I dont have WCS.
My questions are about the best way to configure a Rogue Detector AP.
In my lab environment I setup the WLC with 2 APs. One AP was in local mode, and I put the other in Rogue Detector mode.
The Rogue Detector AP was connected to a trunk port on my switch. But the AP needed to get its IP address from the DHCP server running on the WLC. So I set the native vlan of the trunk port to be the vlan on which the WLC management interface resides. If the trunk port was not configured with a native vlan, the AP couldn't get an address through DHCP, nor could the AP communicate with the WLC. This makes sense because untagged traffic on the trunk port will be delivered to the native vlan. So I take it that the AP doesn't know how to tag frames.
Everything looked like it was working ok.
So I connected an autonomous AP (to be used as the rogue), and associated a wireless client to it. Sure enough it showed up on the WLC as a rogue AP, but it didn't say that it was connected on the wire. From the rogue client I was able to successfully ping the management interface of the WLC.
But the WLC never actually reported the rogue AP as being connected to the wired network.
So my questions are:
1. What is the correct configuration for the trunk port? Should it not be configured with a native vlan? If not, then I'm assuming the rogue detector AP will have to have a static IP address defined, and it would have to be told which vlan it's supposed to use to communicate with the WLC.
2. Assuming there is a rogue client associated with the rogue AP, how long should it reasonably take before it is determined that the rogue AP is connected to the wired network? I know this depends on if the rogue client is actually generating traffic, but in my lab environment I had the rogue client pinging the management interface of the WLC and still wasn't being picked up as an on-the-wire rogue.
Thanks for any input!!
# What's the autonomous AP's (as rogue AP) wired and wireless MAC address?
It has to be a +1 or -1 difference. If the wired MAC is x.x.x.x.x.05 then the wireless MAC should be x.x.x.x.x.04 or 06. It is not going to detect it if the difference is more than +1 or -1.
# Does the switch see the rogue AP's wired MAC in its MAC table?
The rogue detector listens to ARPs to get all the wired MAC info and forwards it to the WLC. It compares this with the wireless MAC; if there is a +1 or -1 difference then it will be flagged as a rogue on wire, and the client that connected to it is also marked as found on wire.
Regarding trunking, only the native VLAN matters per trunk link; just configure the right VLAN as native and we're done.
It is not mandatory to keep the rogue detector on the management VLAN of the WLC. It can also be on an L3 VLAN, as long as it can join the WLC to forward the learnt wired MACs.
So if we don't have a +1/-1 difference on rogues then you have to use RLDP, which will work with your existing setup to find rogues on wire. There's a performance hit when we use this feature on local mode APs.
Note: for AP join, the AP can't understand a trunk, meaning if the AP is connected to a trunk it'll only talk on its native VLAN irrespective of AP mode; however the rogue detector listens on the trunk port to learn MACs via ARPs from different VLANs and forwards them to the WLC using the native VLAN. -
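The +1/-1 rule the answer describes is easy to get wrong at an octet boundary, because the wired MAC and the BSSID can differ by one across a carry (…:44:ff on the wire, …:45:00 on the air) and a last-octet comparison misses that. The function below is an added example, not part of the original thread and not Cisco's detection code; it implements the heuristic as stated, comparing whole 48-bit values, over a constructed list of wired MACs (as the rogue detector would learn them from ARP) and rogue BSSIDs. Equal MACs are also treated as a match.

```python
"""Flag rogue APs as 'on the wire' by the +/-1 MAC rule described above.

Added example, not from the original thread or from Cisco. The heuristic is
the one the answer describes: a BSSID within +1/-1 of a MAC learnt on the wire
marks that rogue as connected to the wired network. All MAC lists below are
constructed for illustration.
"""


def mac_to_int(mac):
    """Accept 00:50:56:9a:6d:9f, 00-50-56-9A-6D-9F or 0050.569a.6d9f."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value):
    """Format a 48-bit integer as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def rogues_on_wire(wired_macs, rogue_bssids, tolerance=1):
    """Map each rogue BSSID to the wired MAC it is within +/-tolerance of.

    The comparison is done on the whole 48-bit value, so a difference of one
    that carries across an octet boundary is still a match.
    """
    wired = {mac_to_int(m): m for m in wired_macs}
    found = {}
    for bssid in rogue_bssids:
        value = mac_to_int(bssid)
        for delta in range(-tolerance, tolerance + 1):
            if value + delta in wired:
                found[bssid] = wired[value + delta]
                break
    return found


# Constructed input: MACs the rogue detector learnt from ARP on the trunk ...
WIRED_MACS = ["001a.2b3c.4d05", "0011.2233.44ff", "0050.569a.6d9f"]
# ... and BSSIDs the WLC currently lists as rogue APs
ROGUE_BSSIDS = [
    "00:1a:2b:3c:4d:06",   # wired MAC + 1 -> on wire
    "00:1a:2b:3c:4d:04",   # wired MAC - 1 -> on wire
    "00:1a:2b:3c:4d:08",   # +3: not flagged, would need RLDP
    "00:11:22:33:45:00",   # +1 across an octet carry -> on wire
    "aa:bb:cc:dd:ee:ff",   # unrelated
]

if __name__ == "__main__":
    for bssid, wired in rogues_on_wire(WIRED_MACS, ROGUE_BSSIDS).items():
        print(f"rogue {bssid} is on the wire as {wired} ({int_to_mac(mac_to_int(wired))})")
```

The BSSID that is three addresses away is deliberately left unflagged: as the answer says, rogues whose radio MAC is further from their wired MAC than one are not found by this comparison and need RLDP instead.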
I have a router to a 3550 switch feeding, in a star topology, one 2950 off each port. I have port protected on the ports of each of the 2950s. The question is, can I do port protected on all my trunk ports except the uplink port on the 3550? I am wanting to stop any user on the network from seeing another. My other option is to do a VLAN per switch, but I would prefer not to bring down the network as it is already live and in heavy usage.
Thank you for your help in advance.
Yes, you can enable protected mode on trunk ports.
Configuring Protected Ports
Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
Protected ports have these features:
•A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
•Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
•Protected ports are supported on 802.1Q trunks.
link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_20_ea2/configuration/guide/swtrafc.html#wp1158863
HTH -
Service instance and trunk ports
Hi, I have the following configuration:
interface Port-channel1
description SHN-AX1-1-2-CNRY
switchport trunk allowed vlan none
switchport mode trunk
load-interval 30
no keepalive
service instance 1 ethernet
encapsulation untagged
l2protocol peer lacp
bridge-domain 1
service instance 2 ethernet
description IDP_VLAN_2
encapsulation dot1q 2
bridge-domain 3998
service instance 3 ethernet
description BBR_VLAN
encapsulation dot1q 420
bridge-domain 3998
service instance 4 ethernet
description MGMT_VLAN
encapsulation dot1q 95
bridge-domain 3998
service instance 5 ethernet
description STATIC_VLAN
encapsulation dot1q 3641,3644,3777,3291
bridge-domain 3998
service instance 6 ethernet
description SME_VLAN
encapsulation dot1q 2098,2339
bridge-domain 3998
interface GigabitEthernet0/1
switchport trunk allowed vlan none
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/2
switchport trunk allowed vlan none
switchport mode trunk
channel-group 1 mode on
interface Port-channel12
description SHN-AGG-BX1
switchport trunk allowed vlan 34,50,76,3998
switchport mode trunk
mtu 9000
interface GigabitEthernet0/23
switchport trunk allowed vlan 34,3998
switchport mode trunk
mtu 9000
channel-group 12 mode active
interface GigabitEthernet0/24
switchport trunk allowed vlan 34,3998
switchport mode trunk
mtu 9000
channel-group 12 mode active
The input interfaces are GigabitEthernet0/1 and GigabitEthernet0/2, and the output interfaces are GigabitEthernet0/23 and GigabitEthernet0/24.
The ingress traffic at the input port has a single tag, and the ingress traffic at the output port has two tags.
Please explain to me where the tags would be pushed/popped and why.
Thank you.
Hello.
You might have confused service instance configuration and usual switchport mode trunk.
Please refer figure 11-10 in the document http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/12-2_52_ey/configuration/guide/3800x3600xscg/swevc.html
>But there is a typo: per the description it should be "encapsulation dot1q 20" under the service instance (on the picture).
Also under Figure 11-2 we have following example:
QinQ is also supported when sending packets between an EFP and a switchport trunk, because the switchport trunk is implicitly defined as rewrite ingress tag pop 1 symmetric. The same external behavior as Method 1 can be achieved with this configuration:
Switch (config)# interface gigabitethernet0/1
Switch (config-if)# service instance 1 Ethernet
Switch (config-if-srv)# encapsulation dot1q 1-100
Switch (config-if-srv)# bridge-domain 30
Switch (config)# interface gigabitethernet0/2
Switch (config-if)# switchport mode trunk
Again, service instance 1 on Gigabit Ethernet port 0/1 is configured with the VLAN encapsulations used by the customer: C-VLANs 1-100. These are forwarded on bridge-domain 30. The service provider facing port is configured as a trunk port. The trunk port implicitly pushes a tag matching the bridge-domain that the packet is forwarded on (in this case S-VLAN 30). -
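Applied to the configuration posted in the question, that rule gives the answer directly: the service instances on Port-channel1 have no "rewrite" command, so a frame that arrives with C-tag 420 keeps it and is placed in bridge-domain 3998; Port-channel12 is a switchport trunk, which behaves as "rewrite ingress tag pop 1 symmetric", so on the way out it pushes 3998 as the outer tag (two tags), and on the way back it pops 3998 to select the bridge domain and hands the single-tagged frame to the EFP whose encapsulation matches. The model below is an added example, not part of the original thread and not Cisco code; it encodes the posted Port-channel1 and Port-channel12 configuration and traces the tag stack in both directions. MAC learning is not modelled: on egress from Port-channel1 the frame is sent via the EFP in the bridge domain whose encapsulation matches its outer tag, and untagged frames arriving on the trunk (native VLAN) are ignored.

```python
"""Where tags are pushed and popped between an EFP port and a switchport trunk.

Added example, not from the original thread or from Cisco documentation. It
models the posted configuration: Port-channel1 carries service instances with
no 'rewrite' command (the customer tag is kept), Port-channel12 is a switchport
trunk, which behaves as 'rewrite ingress tag pop 1 symmetric' (pop the outer
tag on ingress, push the bridge-domain VLAN on egress). Tag lists are outer
tag first. MAC learning is not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Efp:
    description: str
    vlans: tuple          # 'encapsulation dot1q ...'; empty tuple = 'encapsulation untagged'
    bridge_domain: int

    def matches(self, outer):
        return outer is None if not self.vlans else outer in self.vlans


@dataclass(frozen=True)
class EfpPort:
    name: str
    efps: tuple           # service instances, in configuration order


@dataclass(frozen=True)
class Trunk:
    name: str
    allowed: frozenset    # 'switchport trunk allowed vlan'


def ingress(port, tags):
    """Classify an arriving frame: (bridge_domain, remaining tags), or None if dropped."""
    outer = tags[0] if tags else None
    if isinstance(port, Trunk):
        if outer not in port.allowed:          # untagged frames (native VLAN) are not modelled
            return None
        return outer, tags[1:]                 # implicit pop 1: the S-tag selects the bridge domain
    for efp in port.efps:
        if efp.matches(outer):
            return efp.bridge_domain, list(tags)   # no rewrite configured: tags left untouched
    return None


def egress(port, bridge_domain, tags):
    """Send a frame out of a port from a bridge domain: tags on the wire, or None if dropped."""
    if isinstance(port, Trunk):
        if bridge_domain not in port.allowed:
            return None
        return [bridge_domain] + tags          # symmetric push: the bridge-domain VLAN becomes the outer tag
    outer = tags[0] if tags else None
    for efp in port.efps:
        if efp.bridge_domain == bridge_domain and efp.matches(outer):
            return list(tags)                  # no rewrite configured: nothing pushed back
    return None


def forward(in_port, out_port, tags):
    """Tags seen on the wire at out_port for a frame received on in_port with 'tags'."""
    classified = ingress(in_port, tags)
    if classified is None:
        return None
    bridge_domain, inner = classified
    return egress(out_port, bridge_domain, inner)


# The posted configuration
PO1 = EfpPort("Port-channel1", (
    Efp("untagged / lacp peer", (), 1),
    Efp("IDP_VLAN_2", (2,), 3998),
    Efp("BBR_VLAN", (420,), 3998),
    Efp("MGMT_VLAN", (95,), 3998),
    Efp("STATIC_VLAN", (3641, 3644, 3777, 3291), 3998),
    Efp("SME_VLAN", (2098, 2339), 3998),
))
PO12 = Trunk("Port-channel12", frozenset({34, 50, 76, 3998}))

if __name__ == "__main__":
    for in_port, out_port, tags in ((PO1, PO12, [420]), (PO12, PO1, [3998, 420]),
                                    (PO1, PO12, [34]), (PO12, PO1, [34])):
        print(f"{in_port.name} {tags} -> {out_port.name}: {forward(in_port, out_port, tags)}")
```

The trace shows the single tag 420 entering Port-channel1 leaving Port-channel12 as [3998, 420], the reverse path popping 3998 and delivering [420] to the BBR_VLAN service instance, and a frame tagged 34 being dropped in both directions because no service instance on Port-channel1 classifies it and no bridge domain 34 has an EFP there. The untagged LACP frames land in bridge-domain 1, which Port-channel12 does not allow, so they never cross either.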
I'm setting up two 3750E switches on a bench prior to installing them, with a ten gig trunk port between them. I am running PVST and have a pretty standard switch configuration. Show span indicates that all my VLANs are forwarding between the ports, but the packet rate keeps increasing as if it's in a loop. It must be something obvious but I can't find it. Is there anything special you have to do to those ten gig modules to get them to work?
# interface ten gig 1/0/2
# sw trunk enc dot1q
# sw mode trunk
# sw nonegotiate
Pardon me. I thought you were saying that packets are dropping, but you are talking about an STP loop.
As mentioned in the other post, check whether this link is creating an STP loop because of UDLD. Maybe one of your cables is not working, or there is some other reason.
Though with LR you don't need an attenuator, check the power levels at both sides. Are they within receiver sensitivity? As you must be connecting back to back just with patch cables.