Switch trunking ports

Hello,
If I have switch A that has 3 vlans with ip addresses in other words 3 switch virtual interfaces and I configure one  port as a switchport trunk that has the following commands switchport trunk mode and encapulasation dot1q.   Now if I want connect to another switch B to allow those same vlans to go accross and then put 5 ports in those 3 vlans. The port from switch B that connects to switch A I would configure with the following commands  switchport mode trunk and  encapulasation dot1 my question is do I just configure on both switch ports switchport trunk allowed vlan all for devices from both switches in the same vlans to talk to each other or do I still need to add more commands to both switches like add the same svi from switch A to Switch B?

Hi Horacio
It sounds like you are pretty much there from reading your original post.
Using the following commands creates a trunk port between the switches:
#switchport trunk encapsulation dot1q
#switchport mode trunk
If you use these commands on both the switches you are connecting together, you should get a trunk port form and by default this allows all vlans to pass traffic across it.
If you want to restrict the trunk so that it only passes traffic for specific vlans, this can be achieved using the following command:
#switchport trunk allowed vlan [X]
Replace the [X] with the vlans you want to allow. Make sure you do this both sides otherwise you may find one side sending traffic which is dropped by the other side.
Make sure the Layer 2 Vlans exist on both switches. The SVI you mentioned with be the default gateway for hosts in that Vlan and only needs to exist on the switch which is performing the intervlan routing, you do not need an SVI on each switch for every Vlan.
Hope this helps

Similar Messages

  • How can I encrypt my data links between switch uplink ports ? I'm unable to use "cts Manual" command in C3560X switch.suggest me

    How can I encrypt my data uplinks between switch trunk ports ? I'm unable to use "cts Manual" command in C3560X switch.suggest me as I want to encrypt my switch-to-switch link with Cisco TrustSec.

    Hi 
    Login to switch & go to interface..
    There you can give tags.. (ISL & DONT1Q)
    Command switch-port mode trunk
    Switch-port trunk encapsulation ssl or dot1Q

  • Can I use straight cable to connect trunk ports between 2 switches?

    Hi,
    Am I able to use straight instead of cross cable to connect trunk ports between 2 switches??
    thanks!

    Hi Devang,
    When a 10/100 Fast Ethernet interface is enabled, one end of the link must perform media dependent interface (MDI) crossover (MDIX), so that the transmitter on one end of the data link is connected to the receiver on the other end of the data link (a crossover cable is typically used).
    The Auto-MDIX feature eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase.
    HTH, if yes please rate the post.
    Ankur

  • How to check trunk port on 3548 xl switch

    Hi all,
    i have 3548 xl switch  i know on other switches i can use command
    sh int trunk  but on this switch it  does not work.
    do anyone knows which command we can use  to check trunk ports other then this
    sh int fa switchport???????????
    thanks
    mahesh

    Hi all,
    i have 3548 xl switch  i know on other switches i can use command
    sh int trunk  but on this switch it  does not work.
    do anyone knows which command we can use  to check trunk ports other then this
    sh int fa switchport???????????
    thanks
    mahesh
    Hi Mahesh,
    What error it shows when you issue show interface trunk on switches ..
    Ganesh.H

  • Multiple trunk ports on switch

    How many ports on a 2950 can be configured as dot1q trunks? I need to place an intermediary switch in my network to pass trunk data beween 10 other Cisco switches and therefore need to configure 10 ports as trunk ports. Is this possible or would a different switch work better for this purpose?

    Hi Scott,
    There's no limitation on the number of trunk ports you can configure. However, there is a switch-wide limitation of 64 instances of Spanning Tree. In other words, you can only have 64 active VLANs on the switch.
    See:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swstp.htm#1150172
    HTH,
    Bobby
    *Please rate helpful posts.

  • Private VLAN Promiscuous Trunk Port - Switches which support this function

    Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

    4500x Yes
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
    Nexus 5k Yes
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
    3850s
    They dont support pvs at all yet
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

  • Configure trunk port between 2 SG500 switches

    Hi all,
    I'm trying to do what seems to be a simple task but cannot get it to work.  I've very familiar with the Cisco commands on 2900 all the way up to 6500 series switches.  The SG500 has me stumped.  I have 3 switches, sw1, sw2, sw3.  sw1 and sw2 are stacked.  sw3 is standalone and in a different part of the building, maybe 25ft away.  All I want to do is set up a trunk port between the stack and the standalone.  In going by past experience, I would set the port as :
    - switchport mode trunk
    - switchport trunk allowed vlan 2,3,4
    The SG makes me specify tagged or untagged - which is fine.  So any vlan I want to move across the trunk i tag, obviously.  I do everything as I've done for years and it doesn't work.  VLAN1 is untagged, all VLANs I want to flow are allowed and tagged. 
    I'm quickly realizing I should have bucked up and just bought what I'm used to but I didn't have a choice in the matter.
    Any help would be great!
    Shawn

    Hi Shawn, something is the matter if the switch is asking you for tagged or untagged. The only reason it should be requesting a tag or untag statement is from a general port mode.
    The command syntax for the function is exactly the same as an IOS switch
    switchport mode trunk
    switchport trunk allowed vlan add 2,3,4
    Just like a Catalyst, if you use switchport trunk allowed vlan x,x,x it won't take the command as insufficient privilege or whatever the error it gives, suffice it say it doesn't really do anything without the add(or remove).
    -Tom
    Please mark answered for helpful posts

  • Catalyst 6500 Block Switching Between Trunk Ports

    Hello all,
    I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between eachother. The remaining three ports would only be able to switch to the primary trunk port.
    For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
    Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
    Does anyone have any ideas on how to accomplish this?

    I'm really not all that savvy on private VLANs but I did look at them as an option. Would they be affective on trunk ports? Most config examples I have seen have shown them applied on access ports.
    Can't see switchport protected:
    6509(config-if)#switchport protected
                                              ^
    % Invalid input detected at '^' marker.

  • Catalyst 6500 Block Switching Between Trunk Port

    Hello all,
    I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between eachother. The remaining three ports would only be able to switch to the primary trunk port.
    For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
    Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
    Does anyone have any ideas on how to accomplish this?

    Duplicate posts. 
    Go here:  https://supportforums.cisco.com/thread/2261414

  • ACL not working on 3750 Switch Stack on a trunk port

    I cannot figure out why the ACL is not working on a 3750 running 12.2 (55)SE on a trunk port.  For testing, there is 1 x IP (10.101.15.13) that should be denied to all VLANs on the trunk.  I have tried standard and extended list, but neither seem to work.
    What am I doing wrong?
    Access-List:
    Standard IP access list 10
        10 deny   10.101.15.13 log
        20 permit any log
    Access-List Interface:
    interface GigabitEthernet7/0/10
     description ESX Trunk
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,2,60-63
     switchport mode trunk
     ip access-group 10 in
    Mac-Address on the Switch Port:
    63    0050.569a.6d9f    DYNAMIC     Gi7/0/10
    Windows Machine MAC:
    Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
    Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
    Windows Connection (which should be denied):
     TCP    10.20.63.4:3389        10.101.15.13:21289     ESTABLISHED     InHost

    PACL only apply to an L2 interface.  On an L2 interface the only direction that can be applied is INBOUND.  On an L3 interface INBOUND or OUTBOUND can be specified.
    In any case, I have worked around the issue by applying VACLs. Marking this as resolved.

  • Access to trunk port clarification

    Hello-
    I am looking to clarify a point of confusion for myself regrading connecting an access port to a trunk port. Consider the following switchport config on switch1:
    Switch#1
    interface GigabitEthernet0/5
     switchport
     switchport access vlan 6
    ....and the corresponding config on it's neighbor:
    Switch#2
    Interface GigabitEthernet10/8
    switchport
    switchport mode trunk
    switchport trunk allowed vlan 1,6,100
    My first question is- Is this a valid configuration? Secondly, what would the expected results be? I am curious about what vlans would be allowed to pass through..
    Thanks in advance-
    Brian

    This would work fine but not recommended.
    Also the traffic between the switches would be only Native Vlan and vlan 6 will pass through.
    SW1-----F0/1----------f0/1----SW2
    SW1#sh int trunk 
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       auto         n-802.1q       trunking      1
    Port        Vlans allowed on trunk
    Fa0/1       1-1005
    Port        Vlans allowed and active in management domain
    Fa0/1       1,6
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,6
    SW1#
    SW2
    SW2#sh int trunk 
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           802.1q         trunking      1
    Port        Vlans allowed on trunk
    Fa0/1       1,6,100
    Port        Vlans allowed and active in management domain
    Fa0/1       1,6,100
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,6,100
    SW2#
    2) Part of this config is that any vlans which are been configured under the SW1 would be allowed through that access port.
    ex:
    SW1#sh int trunk 
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       auto         n-802.1q       trunking      1
    Port        Vlans allowed on trunk
    Fa0/1       1-1005
    Port        Vlans allowed and active in management domain
    Fa0/1       1,6,10,20,30,40,50,60,70,80,90,100
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,6,10,20,30,40,50,60,70,80,90,100 ...>>>>>>>>>>all vlans are allowed here.
    b)
    Were as on Switch 2 if you create all these vlans and u dont allow that to go through the trunk interface which you have configured those vlans would nt be flowing through.
    eg;
    SW2#sh int tr
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           802.1q         trunking      1
    Port        Vlans allowed on trunk
    Fa0/1       1,6,100
    Port        Vlans allowed and active in management domain
    Fa0/1       1,6,100
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,6,100>>>>>>>>>>>>>>>.Only 3 vlans would be flowing through due to explicit defined. but if you defined allowed all then all vlans would be shown here.
    i created all the vlans above on sw2 but you can see only 3 vlans are allowd as you have explicitly defined it.
    Hope this clarifies your query.
    Regards
    Inayath
    *************Plz dont forget to rate posts***********

  • Best practices for configure Rogue Detector AP and trunk port?

    I'm using a 2504 controller.  I dont have WCS.
    My questions are about the best way to configure a Rogue Detector AP.
    In my lab environment I setup the WLC with 2 APs.  One AP was in local mode, and I put the other in Rogue Detector mode.
    The Rogue Detector AP was connected to a trunk port on my switch.  But the AP needed to get its IP address from the DHCP server running on the WLC.  So I set the native vlan of the trunk port to be the vlan on which the WLC management interface resides.  If the trunk port was not configured with a native vlan, the AP couldn't get an address through DHCP, nor could the AP communicate with the WLC.  This makes sense because untagged traffic on the trunk port will be delivered to the native vlan.  So I take it that the AP doesn't know how to tag frames.
    Everything looked like it was working ok.
    So I connected an autonomous AP (to be used as the rogue), and associated a wireless client to it.  Sure enough it showed up on the WLC as a rogue AP, but it didn't say that it was connected on the wire.  From the rogue client I was able to successfully ping the management interface of the WLC.
    But the WLC never actually reported the rogue AP as being connected to the wired network.
    So my questions are:
    1. What is the correct configuration for the trunk port?  Should it not be configured with a native vlan?  If not, then I'm assuming the rogue detector AP will have to have a static IP address defined, and it would have to be told which vlan it's supposed to use to communicate with the WLC.
    2.  Assuming there is a rogue client associated with the rogue AP, how long should it reasonably take before it is determined that the rogue AP is connected to the wired network?  I know this depends on if the rogue client is actually generating traffic, but in my lab environment I had the rogue client pinging the management interface of the WLC and still wasn't being picked up as an on-the-wire rogue.
    Thanks for any input!!

    #what's the autonomous AP's(as Rogue AP) Wired and Wireless MAC address?
    it has to be +1 or -1 difference. If Wired MAC is x.x.x.x.x.05 and the wireless mac should be x.x.x.x.x.04 or 06. It is not going to detect if the difference is more than + 1 or - 1.
    #Does the switch sees the Rogue AP's wired MAC on its MAC table.
    Rogue Detector listens to ARPs to get all the Wired MAC info and forwards to WLC, It compares with Wireless MAC, if there is a +1 or -1 difference then it will be flagged as Rogue on wire. And the client that connected to it is also marked as found on wire.
    Regards to Trunking, Only Native vlan matters per trunk link, just configure the right vlan as native and we're done.
    It is not mandatory to keep the Rogue detector on Management vlan of wlc. It can also be on L3 vlan also as long as it can join the WLC to forward the learnt wired MACs.
    So if we don't have +1, -1 difference on Rogues then you've to use RLDP which will work with your existing setup to find Rogue on wire. there's a performance hit when we use this feature on local mode APs.
    Note: For AP join - AP can't understand Trunk, meaning if AP connected to Trunk it'll only talk to its native vlan irrespective of AP mode, however rogue detector listens to the Trunk port to learn MACs via ARPs from different VLANs and forwards to WLC using native vlan.

  • Port protected on trunk ports

    I have a router to a 3550 switch feeding in a star toplogy one 2950 off each port.  I have port protprected on the ports of each of the 2950s.  The question is can I do port protected on all my trunk ports except the uplink port on the 3550?  I am wanting to stop any user on the network from seeing another.  My other option is to do a vlan per switch but would perfer not to bring down the network as it is already live and in heavy usage.
    Thank you for your help in advance. 

    Yes, you can enable protected mode on trunk ports
    Configuring Protected Ports
    Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
    Protected ports have these features:
    •A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
    •Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
    •Protected ports are supported on 802.1Q trunks.
    link:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_20_ea2/configuration/guide/swtrafc.html#wp1158863
    HTH

  • Service instance and trunk ports

    hi I have the following configuration:
    interface Port-channel1
     description SHN-AX1-1-2-CNRY
     switchport trunk allowed vlan none
     switchport mode trunk
     load-interval 30
     no keepalive
     service instance 1 ethernet
      encapsulation untagged
      l2protocol peer lacp
      bridge-domain 1
     service instance 2 ethernet
      description IDP_VLAN_2
      encapsulation dot1q 2
      bridge-domain 3998
     service instance 3 ethernet
      description BBR_VLAN
      encapsulation dot1q 420
      bridge-domain 3998
     service instance 4 ethernet
      description MGMT_VLAN
      encapsulation dot1q 95
      bridge-domain 3998
     service instance 5 ethernet
      description STATIC_VLAN
      encapsulation dot1q 3641,3644,3777,3291
      bridge-domain 3998
     service instance 6 ethernet
      description SME_VLAN
      encapsulation dot1q 2098,2339
      bridge-domain 3998
    interface Port-channel1
     description SHN-AX1-1-2-CNRY
     switchport trunk allowed vlan none
     switchport mode trunk
     load-interval 30
     no keepalive
     service instance 1 ethernet
      encapsulation untagged
      l2protocol peer lacp
      bridge-domain 1
     service instance 2 ethernet
      description IDP_VLAN_2
      encapsulation dot1q 2
      bridge-domain 3998
     service instance 3 ethernet
      description BBR_VLAN
      encapsulation dot1q 420
      bridge-domain 3998
     service instance 4 ethernet
      description MGMT_VLAN
      encapsulation dot1q 95
      bridge-domain 3998
     service instance 5 ethernet
      description STATIC_VLAN
      encapsulation dot1q 3641,3644,3777,3291
      bridge-domain 3998
     service instance 6 ethernet
      description SME_VLAN
      encapsulation dot1q 2098,2339
      bridge-domain 3998
    interface GigabitEthernet0/1
     switchport trunk allowed vlan none
     switchport mode trunk
     channel-group 1 mode on
    interface GigabitEthernet0/2
     switchport trunk allowed vlan none
     switchport mode trunk
     channel-group 1 mode on
    interface Port-channel12
     description SHN-AGG-BX1
     switchport trunk allowed vlan 34,50,76,3998
     switchport mode trunk
     mtu 9000
    interface GigabitEthernet0/23
     switchport trunk allowed vlan 34,3998
     switchport mode trunk
     mtu 9000
     channel-group 12 mode active
    interface GigabitEthernet0/24
     switchport trunk allowed vlan 34,3998
     switchport mode trunk
     mtu 9000
     channel-group 12 mode active
    the input interfaces are gigEth0/1 and gigEth0/2 and the output interfaces are gigEth0/23 and gigEth0/24.
    the ingress traffic at the input port has a single tag and the ingress traffic at the output port has two tags.
    please explain me, where tags would be pushed/popped and why??
    thank you.

    Hello.
    You might have confused service instance configuration and usual switchport mode trunk.
    Please refer figure 11-10 in the document http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/12-2_52_ey/configuration/guide/3800x3600xscg/swevc.html
    >But there is a typo - per description it should be "enc doat1q 20" under service instance 9on the picture).
    Also under Figure 11-2 we have following example:
     QinQ is also supported when sending packets between an EFP and a switchport trunk, because the switchport trunk is implicitly defined as rewrite ingress tag pop 1 symmetric. The same external behavior as Method 1 can be achieved with this configuration:
    Switch (config)# interface gigabitethernet0/1 
    Switch (config-if)# service instance 1 Ethernet 
    Switch (config-if-srv)# encapsulation dot1q 1-100 
    Switch (config-if-srv)# bridge-domain 30
    Switch (config)# interface gigabitethernet0/2 
    Switch (config-if)# switchport mode trunk
    Again, service instance 1 on Gigabit Ethernet port 0/1 is configured with the VLAN encapsulations used by the customer: C-VLANs 1-100. These are forwarded on bridge-domain 30. The service provider facing port is configured as a trunk port. The trunk port implicitly pushes a tag matching the bridge-domain that the packet is forwarded on (in this case S-VLAN 30). 

  • 10 Gig Trunk Port

    I'm setting up two 3750E switches on a bench prior to installing them  - with a ten Gig port trunk port between them. I am running PVST and have pretty standard switch configuration.   Show span indicates that all my vlans are forwarding between the ports but the packet rate keeps increasing as if its in a loop.  Must be something obvious but can't find it - is there anything special you have to do to those ten GIG Modules to get them to work.
    # interface ten gig 1/0/2
    # sw trunk enc dot1q
    # sw mode trunk
    # sw nonegotiate

    pardon me. I thought you are saying that packets are dropping but you are talking about STP loop.
    As mentioned in other post, check  if this link creating STP loop because of UDLD ?  Maybe one of your cable not working or some other reason.
    Though in LR you dont need an attenuator but check the power levels at both sides.Are they within receiver sensitivity? as you must be  connecting back to back just with patch cables.

Maybe you are looking for