Trunk port vs Access port speed
I am setting up a 4900M for a temporary training class, for 1Gb connected client PCs. I used a 10Gb interface with an X2-10G-SR which will connect via 62.5 micron fiber, to a 4948 10Gb interface with an SFP-10Gb-SR. As for the config, I have the 4900M te1/1 setup as an access port to the 4948. The connectivity is fine, as is the routing. But when we use the client PCs disk connectivity (connecting to 10Gb storage) we get great read speeds but when it tries writing it slows down and eventually errors out.
Question 1: Would it make a difference if the 4900M was connected via a trunk port to the 4948?
I believe the issue is the length of the 62.5 fiber, and the maximum transmit\receive length of the transceivers, but I want to rule out the switchport configuration.
Thanks. You were correct, as changing the port configuration from access to trunk produced the same R/W speeds. The issue was with the fiber run being too long for the SR trancievers.
Similar Messages
-
Access to trunk port clarification
Hello-
I am looking to clarify a point of confusion for myself regrading connecting an access port to a trunk port. Consider the following switchport config on switch1:
Switch#1
interface GigabitEthernet0/5
switchport
switchport access vlan 6
....and the corresponding config on it's neighbor:
Switch#2
Interface GigabitEthernet10/8
switchport
switchport mode trunk
switchport trunk allowed vlan 1,6,100
My first question is- Is this a valid configuration? Secondly, what would the expected results be? I am curious about what vlans would be allowed to pass through..
Thanks in advance-
BrianThis would work fine but not recommended.
Also the traffic between the switches would be only Native Vlan and vlan 6 will pass through.
SW1-----F0/1----------f0/1----SW2
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1,6
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6
SW1#
SW2
SW2#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1,6,100
Port Vlans allowed and active in management domain
Fa0/1 1,6,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6,100
SW2#
2) Part of this config is that any vlans which are been configured under the SW1 would be allowed through that access port.
ex:
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1,6,10,20,30,40,50,60,70,80,90,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6,10,20,30,40,50,60,70,80,90,100 ...>>>>>>>>>>all vlans are allowed here.
b)
Were as on Switch 2 if you create all these vlans and u dont allow that to go through the trunk interface which you have configured those vlans would nt be flowing through.
eg;
SW2#sh int tr
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1,6,100
Port Vlans allowed and active in management domain
Fa0/1 1,6,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,6,100>>>>>>>>>>>>>>>.Only 3 vlans would be flowing through due to explicit defined. but if you defined allowed all then all vlans would be shown here.
i created all the vlans above on sw2 but you can see only 3 vlans are allowd as you have explicitly defined it.
Hope this clarifies your query.
Regards
Inayath
*************Plz dont forget to rate posts*********** -
My N2K connected to N5K, why some ports can set the port speed, and some cann't set the port speed?
int eth102/1/25 !!!No speed command
(config-if)# ?
beacon Disable/enable the beacon for an interface
cdp Configure CDP interface parameters
channel-group Configure port channel parameters
description Enter description of maximum 80 characters
inherit Inherit a port-profile
ip Configure IP features
ipv6 Configure IPv6 features
lacp Configure LACP parameters
link Configure link
lldp Configure Interface LLDP parameters
logging Configure logging for interface
mvr-group MVR interface config
mvr-type MVR interface config
mvr-vlan Interface MVR Config
no Negate a command or set its defaults
rate-limit Set packet per second rate limit
service-policy Configure service policy for an interface
service-policy Policy Map
shutdown Enable/disable an interface
snmp Modify SNMP interface parameters
spanning-tree Spanning Tree Subsystem
switchport Configure switchport parameters
untagged Default to use for untagged packets on interface
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
(config-if)# int eth102/1/48 !!! include speed command
(config-if)# ?
bandwidth Set bandwidth informational parameter
beacon Disable/enable the beacon for an interface
cdp Configure CDP interface parameters
channel-group Configure port channel parameters
default Set a command to its defaults
delay Specify interface throughput delay
description Enter description of maximum 80 characters
duplex Enter the port duplex mode
fex Configure FEX fabric
flowcontrol Configure interface flowcontrol
hardware FEX Card type
inherit Inherit a port-profile
ip Configure IP features
ipv6 Configure IPv6 features
lacp Configure LACP parameters
link Configure link
lldp Configure Interface LLDP parameters
load-interval Specify interval for load calculation for an interface
logging Configure logging for interface
mac MAC
mac-address Configure interface mac address
mvr-group MVR interface config
mvr-type MVR interface config
mvr-vlan Interface MVR Config
negotiate Configure link negotiation parameters
no Negate a command or set its defaults
priority-flow-control Enable/Disable PFC
rate-limit Set packet per second rate limit
service-policy Configure service policy for an interface
service-policy Policy Map
shutdown Enable/disable an interface
snmp Modify SNMP interface parameters
spanning-tree Spanning Tree Subsystem
speed Enter the port speed
storm-control Configure Interface storm control
switchport Configure switchport parameters
untagged Default to use for untagged packets on interface
vpc Virtual Port Channel configuration
vtp Enable VTP on this interface
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
1,N5K version:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2013, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
BIOS: version 3.6.0
loader: version N/A
kickstart: version 6.0(2)N1(2)
system: version 6.0(2)N1(2)
Power Sequencer Firmware:
Module 1: version v5.0
Microcontroller Firmware: version v1.0.0.2
SFP uC: Module 1: v1.1.0.0
QSFP uC: Module not detected
BIOS compile time: 05/09/2012
kickstart image file is: bootflash:///n5000-uk9-kickstart.6.0.2.N1.2.bin
kickstart compile time: 3/14/2013 1:00:00 [03/14/2013 16:53:55]
system image file is: bootflash:///n5000-uk9.6.0.2.N1.2.bin
system compile time: 3/14/2013 1:00:00 [03/14/2013 19:28:50]
Hardware
cisco Nexus 5596 Chassis ("O2 48X10GE/Modular Supervisor")
Intel(R) Xeon(R) CPU with 8262944 kB of memory.
2,N5K port
Eth102/1/1 -- connected 101 full 1000 --
Eth102/1/2 -- connected 101 full 1000 --
Eth102/1/3 -- connected 101 full 1000 --
Eth102/1/4 -- connected 101 full 1000 --
Eth102/1/5 -- connected 101 full 1000 --
Eth102/1/6 -- connected 101 full 1000 --
Eth102/1/7 -- connected 101 full 1000 --
Eth102/1/8 -- connected 101 full 1000 --
Eth102/1/9 -- connected 101 full 1000 --
Eth102/1/10 -- connected 101 full 1000 --
Eth102/1/11 -- connected 101 full 1000 --
Eth102/1/12 -- connected 101 full 1000 --
Eth102/1/13 -- connected 101 full 1000 --
Eth102/1/14 -- connected 101 full 1000 --
Eth102/1/15 -- connected 104 full 1000 --
Eth102/1/16 -- connected 104 full 1000 --
Eth102/1/17 -- connected 104 full 1000 --
Eth102/1/18 -- connected 104 full 1000 --
Eth102/1/19 -- connected 104 full 1000 --
Eth102/1/20 -- connected 104 full 1000 --
Eth102/1/21 -- connected 104 full 1000 --
Eth102/1/22 -- connected 104 full 1000 --
Eth102/1/23 -- connected 104 full 1000 --
Eth102/1/24 -- connected 104 full 1000 --
Eth102/1/25 -- notconnec 102 auto auto --
Eth102/1/26 -- notconnec 102 auto auto --
Eth102/1/27 -- connected 106 full 1000 --
Eth102/1/28 -- connected 106 full 1000 --
Eth102/1/29 -- connected 104 full 1000 --
Eth102/1/30 -- connected 104 full 1000 --
Eth102/1/31 -- connected 104 full 1000 --
Eth102/1/32 -- connected 104 full 1000 --
Eth102/1/33 -- connected 104 full 1000 --
Eth102/1/34 -- connected 104 full 1000 --
Eth102/1/35 -- connected 104 full 1000 --
Eth102/1/36 -- connected 104 full 1000 --
Eth102/1/37 -- connected 104 full 1000 --
Eth102/1/38 -- connected 104 full 1000 --
Eth102/1/39 -- notconnec 1 auto auto --
Eth102/1/40 -- notconnec 1 auto auto --
Eth102/1/41 -- notconnec 1 auto auto --
Eth102/1/42 -- notconnec 1 auto auto --
Eth102/1/43 -- notconnec 1 auto auto --
Eth102/1/44 -- notconnec 1 auto auto --
Eth102/1/45 -- notconnec 1 auto auto --
Eth102/1/46 -- notconnec 1 auto auto --
Eth102/1/47 -- notconnec 1 auto auto --
Eth102/1/48 ZTC-Switch-48 connected 105 full 100 --
3,Fex
show fex 102 det
FEX: 102 Description: AO4-N2K-FEX102 state: Online
FEX version: 6.0(2)N1(2) [Switch version: 6.0(2)N1(2)]
FEX Interim version: 6.0(2)N1(2)
Switch Interim version: 6.0(2)N1(2)
Extender Serial: FOX1742G09B
Extender Model: N2K-C2248TP-E-1GE, Part No: 73-13671-02
Card Id: 149, Mac Addr: 64:e9:50:16:08:02, Num Macs: 64
Module Sw Gen: 21 [Switch Sw Gen: 21]
post level: complete
Pinning-mode: static Max-links: 1
Fabric port for control traffic: Eth1/3
FCoE Admin: false
FCoE Oper: true
FCoE FEX AA Configured: false
Fabric interface state:
Po102 - Interface Up. State: Active
Eth1/1 - Interface Up. State: Active
Eth1/2 - Interface Up. State: Active
Eth1/3 - Interface Up. State: Active
Eth1/4 - Interface Up. State: Active
Fex Port State Fabric Port
Eth102/1/1 Up Po102
Eth102/1/2 Up Po102
Eth102/1/3 Up Po102
Eth102/1/4 Up Po102
Eth102/1/5 Up Po102
Eth102/1/6 Up Po102
Eth102/1/7 Up Po102
Eth102/1/8 Up Po102
Eth102/1/9 Up Po102
Eth102/1/10 Up Po102
Eth102/1/11 Up Po102
Eth102/1/12 Up Po102
Eth102/1/13 Up Po102
Eth102/1/14 Up Po102
Eth102/1/15 Up Po102
Eth102/1/16 Up Po102show run int eth102/1/25 all
!Command: show running-config interface Ethernet102/1/25 all
!Time: Tue Apr 14 14:33:38 2009
version 6.0(2)N1(2)
interface Ethernet102/1/25
no description
lacp port-priority 32768
lacp rate normal
priority-flow-control mode auto
lldp transmit
lldp receive
no switchport block unicast
no switchport block multicast
no hardware multicast hw-hash
no hardware vethernet mac filtering per-vlan
cdp enable
switchport
switchport mode access
no switchport dot1q ethertype
no switchport priority extend
switchport access vlan 102
spanning-tree port-priority 128
spanning-tree cost auto
spanning-tree link-type auto
spanning-tree port type edge
spanning-tree bpduguard enable
no spanning-tree bpdufilter
speed auto
duplex auto
flowcontrol receive off
flowcontrol send on
no link debounce
no beacon
delay 1
snmp trap link-status
logging event port link-status default
logging event port trunk-status default
mdix auto
storm-control broadcast level 100.00
storm-control multicast level 100.00
storm-control unicast level 100.00
no shutdown lan
load-interval counter 1 30
load-interval counter 2 300
no load-interval counter 3
medium broadcast
channel-group 2025 mode active
no shutdown
show run int eth102/1/48 all
!Command: show running-config interface Ethernet102/1/48 all
!Time: Tue Apr 14 14:35:08 2009
version 6.0(2)N1(2)
interface Ethernet102/1/48
description ZTC-Switch-48
lacp port-priority 32768
lacp rate normal
priority-flow-control mode auto
lldp transmit
lldp receive
no switchport block unicast
no switchport block multicast
no hardware multicast hw-hash
no hardware vethernet mac filtering per-vlan
cdp enable
switchport
switchport mode access
no switchport dot1q ethertype
no switchport priority extend
switchport access vlan 105
spanning-tree port-priority 128
spanning-tree cost auto
spanning-tree link-type auto
spanning-tree port type edge
spanning-tree bpduguard enable
no spanning-tree bpdufilter
speed auto
duplex auto
flowcontrol receive off
flowcontrol send on
no link debounce
no beacon
delay 1
snmp trap link-status
logging event port link-status default
logging event port trunk-status default
mdix auto
storm-control broadcast level 100.00
storm-control multicast level 100.00
storm-control unicast level 100.00
no shutdown lan
load-interval counter 1 30
load-interval counter 2 300
no load-interval counter 3
medium broadcast
no shutdown
Ports are connected, there is no relationship with the speed option, such as port 102/1/1 is connected, but no speed option, port 102/1/47 is notconnected, there speed options.
show int eth102/1/1
Ethernet102/1/1 is up
Belongs to Po2001
Hardware: 100/1000 Ethernet, address: 64e9.5016.0802 (bia 64e9.5016.0802)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA
Port mode is access
full-duplex, 1000 Mb/s
Beacon is turned off
Input flow-control is off, output flow-control is on
Switchport monitor is off
EtherType is 0x8100
Last link flapped 1d02h
int eth102/1/1
(config-if)# ?
beacon Disable/enable the beacon for an interface
cdp Configure CDP interface parameters
channel-group Configure port channel parameters
description Enter description of maximum 80 characters
inherit Inherit a port-profile
ip Configure IP features
ipv6 Configure IPv6 features
lacp Configure LACP parameters
link Configure link
lldp Configure Interface LLDP parameters
logging Configure logging for interface
mvr-group MVR interface config
mvr-type MVR interface config
mvr-vlan Interface MVR Config
no Negate a command or set its defaults
rate-limit Set packet per second rate limit
service-policy Configure service policy for an interface
service-policy Policy Map
shutdown Enable/disable an interface
snmp Modify SNMP interface parameters
spanning-tree Spanning Tree Subsystem
switchport Configure switchport parameters
untagged Default to use for untagged packets on interface
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
show int eth102/1/47
Ethernet102/1/47 is down (Link not connected)
Hardware: 100/1000 Ethernet, address: 64e9.5016.0830 (bia 64e9.5016.0830)
MTU 1500 bytes, BW 0 Kbit, DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA
Port mode is access
auto-duplex, auto-speed
Beacon is turned off
Input flow-control is off, output flow-control is on
Switchport monitor is off
EtherType is 0x8100
int eth102/1/47
(config-if)# ?
bandwidth Set bandwidth informational parameter
beacon Disable/enable the beacon for an interface
cdp Configure CDP interface parameters
channel-group Configure port channel parameters
default Set a command to its defaults
delay Specify interface throughput delay
description Enter description of maximum 80 characters
duplex Enter the port duplex mode
fex Configure FEX fabric
flowcontrol Configure interface flowcontrol
hardware FEX Card type
inherit Inherit a port-profile
ip Configure IP features
ipv6 Configure IPv6 features
lacp Configure LACP parameters
link Configure link
lldp Configure Interface LLDP parameters
load-interval Specify interval for load calculation for an interface
logging Configure logging for interface
mac MAC
mac-address Configure interface mac address
mvr-group MVR interface config
mvr-type MVR interface config
mvr-vlan Interface MVR Config
negotiate Configure link negotiation parameters
no Negate a command or set its defaults
priority-flow-control Enable/Disable PFC
rate-limit Set packet per second rate limit
service-policy Configure service policy for an interface
service-policy Policy Map
shutdown Enable/disable an interface
snmp Modify SNMP interface parameters
spanning-tree Spanning Tree Subsystem
speed Enter the port speed
storm-control Configure Interface storm control
switchport Configure switchport parameters
untagged Default to use for untagged packets on interface
vpc Virtual Port Channel configuration
vtp Enable VTP on this interface
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in -
Enable BPDUGuard on Spanning-tree Portfast Trunk Port: Yes or No?
Hello to all the Cisco Experts,
I have been searching around to get a confirmed answer as per my subject, but yet unable to come into any conclusion that could help me.
This is all started when I configured the switchport configuration for my ESXi Server which is a dot1q trunk port. The reference will be as below URL:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628
The configuration of the switchport will be as below:
interface GigabitEthernet1/0/1
description ESXi
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11,15
switchport mode trunk
spanning-tree portfast trunk
end
The catch is, I had the bpduguard enabled on the global level in my switch = spanning-tree portfast bpduguard default.
This will enable the bpduguard on the trunk port above due to the switchport is in portfast (the command: spanning-tree portfast trunk).
Some of the guys in this forum mentioned that it is not recommended to have bpduguard on trunk port and some mentioned it is okay to have this.
So, what do you all think on this? Any real life experience dealing with this kind of situtation that can be shared to us over here?
Thank you in advance.Hi Leo,
First of all, I would never, ever, consider any comment of yours as being offensive so don't worry, none taken. :)
Enabling portfast on a trunk is so "yesterday", in my opinion. If a trunk port(s) or an etherchannel is configured correctly, there's a significant chance portfast is irrelevant. The speed to get the ports to go from down to passing traffic is really boils down to one or two seconds.
Perhaps this is at the core of our different views. To my best knowledge, without the PortFast, a trunk - be it a single port or an EtherChannel - will become forwarding 30 seconds after entering the up/up state, not less. This is valid for STP, RSTP, and MSTP. In addition, if a new VLAN is created or added to the list of enabled VLANs on the trunk, it may take additional 30 seconds for that VLAN to become operational (forwarding) on that trunk. There is nothing besides PortFast and Proposal/Agreement that can cut down this time: the STP must go over the Listening-Learning-Forwarding sequence, and RSTP/MSTP must go through the Discarding-Learning-Forwarding sequence. The "one or two seconds" you have mentioned is perhaps the combined delay incurred by autonegotiation, LACP/PAgP, and DTP, but STP will take its own time and will not be deterred by any of these mechanisms.
I see no benefit but mischief when you enable BPDU Guard on an inter-switch link.
Absolutely agree. That is why it doesn't make any sense to put a BPDU Guard on an inter-switch link, and I have never suggested doing that. The original post, however, deals with enabling PortFast on a trunk link that does not go to another switch but rather connects to an ESXi server on which, obviously, different virtual machines are bridged onto different VLANs.
So what is the reaction of the port if you do happen to enable portfast and BPDU guard on an inter-switch link? Wouldn't the two be a "Jekyll & Hyde", wouldn't it?
It would be just the same as enabling PortFast and BPDU Guard on an access port that happens to be connected to another switch. Upon link-up, the port would become forwarding immediately, and after receiving a BPDU, it would be shot down to err-disabled. The fact the port is an access port or a trunk port makes no difference here. Just as before, I stress that this kind of configuration simply isn't meant to be used on inter-switch links. However, on trunks connected directly to routers, servers, autonomous APs supporting several SSIDs mapped to different VLANs, even to IP phones (remember the mini-trunk config used on old switches on which the switchport voice vlan command only instructed CDP to advertise the voice VLAN but did not cause the port to accept tagged frames in the voice VLAN so it had to be configured as a trunk?) - in all these situations, the PortFast can be beneficial. The BPDU Guard is a natural protective companion to the PortFast - wherever PortFast is eligible to be configured, the BPDU Guard is a natural additional protection to be activated as well.
But given the complexity of interconnection of different switches to various stuff going around, we're happy with leaving portfast on a trunk port disabled.
No argument here - but again, this is about trunks between switches on which I would never suggest using the PortFast or the BPDU Guard. The original post is talking about trunks to end hosts (i.e. edge trunk ports if we extend the terminology a little).
Best regards,
Peter -
New Trunking port Error Disabled on Nexus 5000
I configured my Nexus 5000 ports as so
Int Eth1000/1/48
switchport mode trunk
switchport trunk allowed vlan 8
speed 1000
channel-group 7 mode active
int Po7
switchport mode trunk
switchport trunk allowed vlan 8
vpc7
speed 1000
I configured my 3650 as so:
int Gig0/23
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 8
switchport mode trunk
speed 1000
channel-group 1 mode active
Port channel 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 8
switchport mode trunk
speed 1000
Both of these ports are connected Int Eth1000/1/48 and int Gig0/23. Int Eth1000/1/48 shut down and when I checked the logs on the N5K it said for the port ErrorDisabled REASON BPDUguard. I did not configure bpdufilter or bpduguard on either side. What is causing it?
I found 3 other ports the have bpdufilter on them would that be it?
Since the 3560 is an older switch how can I also ensure it get demoted to not be root bridge or secondary root bridge?Hi,
1- You tried to bundle GE and E interfaces with LACP on both switch but you did not mention the other bundle members, however, it looks the etherchannel did not comes up and interfaces work separately.
As a result, STP has prevented bridging loop and put one of them in errdisable state. I think you must check your etherchannel configuration.
2- you can use "spanning-tree vlan <> priority 61400" on 3560 switch to make sure it won't be a root bridge.
HTH
Houtan -
Hi
Is it possible to make a report that list my trunk ports and what switch / interface its on ?
I have a large network. I know i have lot of switches where trunk interface is in fastethernet ports. I would like to change that and make that all trunk is on gigabit ports. So would be nice to have a list with that.
I have tried the report Wired Detailed Device Inventory. Under trunk it says false/true.. But the interface the report says true to is not always true its a trunk port, and vice versa. So cant use that one.
If its not possible to run a report that do this is it then possible to make a job with cli commands my self ?
Im thinking that the: sh int status cli command could work. There i can see wich ports are access and trunks. And then a cli command to give me hostname or IP of switch as well.. if i could get that exported to a csv file i could import that to excel and clean it up my self and sort it so i only had trunk ports on fastethernet interfaces.
Thanks :)
/ CarstenThis is Part2 (strange results of recursive with clause)
from wrong result of 11gR2 Recursive with clause part3
SQL> with tmp(day1) as(select date '2009-06-01' from dual),
2 rec(day1) as(
3 select day1 from tmp
4 union all
5 select add_months(day1,1)
6 from rec
7 where add_months(day1,1) < date '2010-05-05')
8 select * from rec;
select add_months(day1,1)
ERROR at line 5:
ORA-01790: expression must have same datatype as corresponding expression
SQL> with rec(dayc,LV) as(
2 select cast(date '2010-04-15' as date),1 from dual
3 union all
4 select cast(dayc+1 as date),LV+1
5 from rec
6 where LV<= 3)
7 select * from rec;
DAYC LV
10-04-15 1
10-04-14 2
10-04-13 3
10-04-12 4 -
Hi,
I'm trying to configure a Cisco Catalyst 6500 switch to not allow traffic from our traffic generators to go over the trunk link to the rest of the network. Currently I have multiple VLANs that correspond to different lab setups, each having traffic generators on them. The trunk port is used to connect VMs to each of the setups (on different VLANs) but I'm seeing that the traffic generators sometimes flood the trunk link and cause management be unusable.
I want to configure a port-based ACL to block traffic from the traffic generators from going over the trunk port but I don't see the "ip access-group" command available on this interface.
Here's the config for my trunk interface:
CATALYST2#show run int gi1/1
Building configuration...
Current configuration : 124 bytes
interface GigabitEthernet1/1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
end
When I go into config mode and try to tie an ACL to the interface, the command isn't available:
CATALYST2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CATALYST2(config)#int gi1/1
CATALYST2(config-if)#ip access-group ?
% Unrecognized command
Any idea why? I need a way to block this traffic (either via IP or MAC ACLs). My understanding is that trunk ports are able to have port-based ACLs applied to them that will act on all VLANs but I can't seem to do it.
Thanks for your help in advance!After some more research, I noticed that to configure a PACL on a trunk port, you must first configure port prefer mode. The command to put a trunk port in port prefer mode is "access-group mode prefer port" on the interface. Unfortunately that command isn't available in my CLI either... Still stuck.
-
OVM 3:Monitor a trunk port/create a dedicated NIC
Hi,
I need to monitor a trunk port from within a guest. Does OVM offer the ability to tie a network card directly to a guest? I don't want other guests to have access to the same nic at the same time.Understood.
I have now setup a simple network with bonds/ports only and attached that to the NIC that is connected to the SPAN port on my Cisco switch. This SPAN port mirrors a trunk port and thus carries of course all the VLANs.
Next, I have setup a guest running ntop and that has a vnic attached to it, that is connected to the new network. Now, when I run tcpdump against that port I am only seeing broadcast and multicast traffic. Is there a way to capture the whole network traffic that is mirrored to the SPAN port?
I have also taken a look at the network with ports and vans, but that doesn't seem to fit either. -
Hi Guys,
I have tried connecting 2 switch using a trunk port in able for VLAN to run on 2950 switch, 2950 and 2960G, but the problem is, it keeps going up and down when I check the logs. The client experienced intermittent network connection by this problem. What seems to be the problem here? I already replaced the cables.
Here is the config:
They are connected via cross-cable
2950:
Int f0/24 --> 100mbps port
switchport mode trunk
2960G:
Int G0/1 --> 1Gbps port
switchport mode trunk
*I believe they will auto negotiate their current speed and duplex.
Thanks in advance.
Cheers!Yes, they have the same settings.
Here it is:
int g0/2
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:23, output 00:00:00, output hang never
Last clearing of "show interface" counters 5d18h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 21000 bits/sec, 21 packets/sec
5 minute output rate 495000 bits/sec, 180 packets/sec
5180581 packets input, 1243581478 bytes, 0 no buffer
Received 62493 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 30119 multicast, 0 pause input
0 input packets with dribble condition detected
179416978 packets output, 2694243274 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
int f0/24
MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 100BaseTX
input flow-control is unsupported output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 5d18h
Input queue: 2/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 504000 bits/sec, 180 packets/sec
5 minute output rate 22000 bits/sec, 22 packets/sec
179389710 packets input, 2690183405 bytes, 0 no buffer
Received 26481884 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
4510 input errors, 3566 CRC, 243 frame, 0 overrun, 0 ignored
0 watchdog, 17984825 multicast, 0 pause input
0 input packets with dribble condition detected
5180070 packets output, 1243477217 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out -
Prime Infrastructure 2.2 - Wired Clients and Trunk Ports
We have our VMWare ESX hosts connected to our server access switches via trunk ports. Prime doesn't seem to track clients on trunk ports (to avoid showing clients on uplink ports between switches, I'm sure). Since these are not switch-to-switch connections, is there a way to enable Prime to track wired clients on these specific trunk ports so we have MAC/IP client info in Prime for our virtual environment?
Hi,
PI discards all the MAC table entries that are on trunk ports for a switch. This enhancement was added from PI 2.1 & later.
- Ashok
Please rate the useful post or mark as correct answer as it will help others looking for similar information -
Trunk port as a destination for SPAN session
Can we make a trunk port as a destination for SPAN session? If yes, how
Of course you can. It will be configured the same as an access port:
monitor session 1 destination int g0/24
However be aware of the following:
Destination Port
Each local SPAN session destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source port.
The destination port has these characteristics:
•It must reside on the same switch as the source port (for a local SPAN session).
•It can be any Ethernet physical port.
•It cannot be a source port or a reflector port.
•It cannot be an EtherChannel group or a VLAN.
•It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.
•The port does not transmit any traffic except that required for the SPAN session.
•If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
•It does not participate in spanning tree while the SPAN session is active.
•When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP, or LACP).
•No address learning occurs on the destination port.
•A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it could become congested. This could affect traffic forwarding on one or more of the source ports. -
Authenticating Trunk Ports - VLAN list
I have a requirement to authenticate trunk ports to wireless access-points on our Cisco switch, By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using Cisco-av-pair attribute in ACS (cisco-av-pair = deivce-traffic-class=switch)
My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). ideally we would not want to statically assign the VLAN's on each port as an AP could be on any port and may wish to authenticate other trunk ports using different VLAN's in the future. Below is the configuration used on the ports.
cisp enable
interface FastEthernet0/2
description *** Client Device ***
switchport access vlan 2
switchport mode access
no logging event link-status
authentication event fail action next-method
authentication event server dead action reinitialize vlan 3
authentication event server alive action reinitialize
authentication order mab dot1x webauth
authentication priority mab dot1x webauth
authentication port-control auto
authentication fallback GUEST_FALLBACK
mab eap
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 10
dot1x max-reauth-req 1
dot1x timeout auth-period 600
no cdp enable
spanning-tree portfast
Any help will be greatly appreciated.
Thanks
JohnHello
I would suggest the following:
>> Arrange for some physical enclosure (locked) or any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What is someone just switches of your switches? DOS attack!! This could also be done by mistake, resulting in an unstructred threat.
>> Enable monitoring for these switches (ICMP,SNMP) so that you are alerted when they are unplugged.
>> Change the NATIVE VLAN from the default (VLAN 1)
>> Disable Trunk negotiation (ON mode)
Regards
Farrukh -
Catalyst 6500 Block Switching Between Trunk Ports
Hello all,
I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between eachother. The remaining three ports would only be able to switch to the primary trunk port.
For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
Does anyone have any ideas on how to accomplish this?I'm really not all that savvy on private VLANs but I did look at them as an option. Would they be affective on trunk ports? Most config examples I have seen have shown them applied on access ports.
Can't see switchport protected:
6509(config-if)#switchport protected
^
% Invalid input detected at '^' marker. -
Catalyst 6500 Block Switching Between Trunk Port
Hello all,
I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between eachother. The remaining three ports would only be able to switch to the primary trunk port.
For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
Does anyone have any ideas on how to accomplish this?Duplicate posts.
Go here: https://supportforums.cisco.com/thread/2261414 -
Maybe there's an obvious answer, but I have this strange thing;
Switchport config
interface GigabitEthernet0/2
description Trunk to CORE02
switchport mode trunk
shutdown
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
sh vlan brie
VLAN Name Status Ports
1 default active Gi0/2
Why is it that this port, which is configured as a trunk port, shows up as active in vlan1? Also when I do a show interfaces trunk, this specific port is not listed as a trunked port. By the way I had to shutdown the port because it was causing issues. It's a redundant link, when enabled I would expect spanning tree to do it's magic, but somehow it does not and instead causes half of our lan to become unreachable. Not sure why.in my switch I can not delete it
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48TS-L 12.2(58)SE2 C2960S-UNIVERSALK9-M
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport mode trunk
spanning-tree portfast
_Cat_2960s_5_1#sh vla br
VLAN Name Status Ports
1 default active Gi1/0/41,
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode trunk
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 1
no switchport port-security
_Cat_2960s_5_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
_Cat_2960s_5_1(config)#interface GigabitEthernet1/0/41
_Cat_2960s_5_1(config-if)#no switchport access vlan 1
_Cat_2960s_5_1(config-if)#^Z
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode trunk
another trunk port with native vlan configured is not in vlan 1
Maybe you are looking for
-
Issue with running PL/SQL function returning Sql query
hi, I am trying to create a report region by using the option of PL/SQL function returning sql query. I notice that it's very slow for the report region page to show up. In my PL/SQL function body, there are only 3 steps, first update all the 10 rows
-
Should Display PDF in Browser be able to be checked & unchecked in Preferences
I no longer can download Safari documents, like credit card statements, as PDF files. I went into Preferences/Internet and found that the "Display PDF in Browser" is not an option that can be check or unchecked. Is that the problem?
-
My First MP3 player and already the disgust
Just picked up a black 5gig Zen Micro and I still haven't opened it of what I've read so far. I was originally searching for the difference in retail boxes since I chose the smaller box over the bigger box because the cashier said the smaller box are
-
Hi I want to create production order with reference to sales order. If iam using requirement type KSL/KSV error is coming "Sales order has no co object" IF iam using requirement type KE it is working.. I tried strategies: 20 & 40 Thanks in advance Re
-
EDI for cross docking process (pull and push)
We need to send in the EDI process, the allocation by store information to the vendor using pull and push process. When we have pull process, we can do some enchacement in ORDERS IDOC, by the push process, somebody knows what IDOC we can use to send