Trunked port active in vlan

Maybe there's an obvious answer, but I have this strange thing;
Switchport config
interface GigabitEthernet0/2
 description Trunk to CORE02
 switchport mode trunk
 shutdown
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust cos
 auto qos voip trust
sh vlan brie
VLAN Name                             Status    Ports
1    default                          active    Gi0/2
Why is it that this port, which is configured as a trunk port, shows up as active in VLAN 1? Also, when I do a show interfaces trunk, this specific port is not listed as a trunked port. By the way, I had to shut down the port because it was causing issues. It's a redundant link; when enabled I would expect spanning tree to do its magic, but somehow it does not and instead causes half of our LAN to become unreachable. Not sure why.

On my switch I cannot delete it.
Switch Ports Model              SW Version            SW Image                 
*    1 52    WS-C2960S-48TS-L   12.2(58)SE2           C2960S-UNIVERSALK9-M     
interface GigabitEthernet1/0/41
 description 2960_24_POE_5_24
 switchport mode trunk
 spanning-tree portfast
_Cat_2960s_5_1#sh vla br
VLAN Name                             Status    Ports
1    default                          active    Gi1/0/41, 
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
 description 2960_24_POE_5_24
 switchport
 switchport access vlan 1
 switchport private-vlan trunk encapsulation dot1q
 switchport private-vlan trunk native vlan tag
 switchport mode trunk
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 switchport port-security maximum 1
 no switchport port-security
_Cat_2960s_5_1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
_Cat_2960s_5_1(config)#interface GigabitEthernet1/0/41
_Cat_2960s_5_1(config-if)#no switchport access vlan 1
_Cat_2960s_5_1(config-if)#^Z
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
 description 2960_24_POE_5_24
 switchport
 switchport access vlan 1
 switchport private-vlan trunk encapsulation dot1q
 switchport private-vlan trunk native vlan tag
 switchport mode trunk
Another trunk port with a native VLAN configured is not in VLAN 1.

Similar Messages

  • Trunk port changes assigned VLANs spontaneously

    Hello,
    I have problem with GE2 port VLAN membership in trunk mode.
    When I set GE2 port as a trunk for VLAN 11 tagged, VLAN 48 tagged
    and VLAN 666 untagged+PVID, it stays so only until reboot.
    After reboot there are 11, 48 and 666 tagged, while VLAN 1
    untagged+PVID. Everything works somehow, but there are warnings.
    Default VLAN 11. The other side is 2960G with no vtp on port
    and vtp is globally off.
    Thank you
    SF 200-24 24-Port 10/100 Smart Switch
    Model Description:  24-Port 10/100 Smart Switch  Firmware Version:  1.1.1.8 
    Serial Number:  DNI15330085  Firmware MD5 Checksum:  0b73c744e12a6f93c711867b1188736e 
    PID VID:  SLM224GT V01  Boot Version:  1.0.0.1 
      Boot MD5 Checksum:  81359f6e6c7e640b53df27c4f05b8d60 
      Locale:  en-US 
      Language Version:  1.1.1.6 
      Language MD5 Checksum:  N/A

    Hi Igor
    Just out of interest, I see no mention that you saved the configuration in your problem description.
    As the administrators guide says on page 30,  Configurations will be lost if not saved.
    Just in case you didn't save your configuration, here is a 6 minute video that shows, in the last minute, how to save the configuration of a 300 series switch, but it should be identical for a 200 series product.
    https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=MC&rID=56220782&rKey=5fc47a1c7b566b8c
    or try from the GUI
    Click Administration > File Management > Copy/Save Configuration
    Copy the running configuration to the startup configuration.
    If you have saved your configuration but still lose VLAN assignment, yes please follow the advice in the previous posting.
    regards Dave

  • Authenticating Trunk Ports - VLAN list

    I have a requirement to authenticate trunk ports to wireless access points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using the Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch).
    My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). Ideally we would not want to statically assign the VLANs on each port, as an AP could be on any port and we may wish to authenticate other trunk ports using different VLANs in the future. Below is the configuration used on the ports.
    cisp enable
    interface FastEthernet0/2
     description *** Client Device ***
     switchport access vlan 2
     switchport mode access
     no logging event link-status
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 3
     authentication event server alive action reinitialize
     authentication order mab dot1x webauth
     authentication priority mab dot1x webauth
     authentication port-control auto
     authentication fallback GUEST_FALLBACK
     mab eap
     dot1x pae authenticator
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 10
     dot1x max-reauth-req 1
     dot1x timeout auth-period 600
     no cdp enable
     spanning-tree portfast
    Any help will be greatly appreciated. 
    Thanks
    John

    Hello
    I would suggest the following:
    >> Arrange for some physical enclosure (locked) or any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What if someone just switches off your switches? DoS attack!! This could also be done by mistake, resulting in an unstructured threat.
    >> Enable monitoring for these switches (ICMP, SNMP) so that you are alerted when they are unplugged.
    >> Change the NATIVE VLAN from the default (VLAN 1)
    >> Disable Trunk negotiation (ON mode)
    Regards
    Farrukh

  • How to configure a port channel with VLAN trunking (and make it work..)

    We're trying to configure a port channel group with trunked ports to connect a NetApp HA pair. We want to create two data LIFs and connect them to the switch stack. We are trying to create 2 data LIFs, one for CIFS and one for NFS, that are on different VLANs.
    We want the same ports to be able to allow multiple vlans to communicate. (trunked)
    These data lifs should be able to fail over to different nodes in the HA pair and still be able to communicate on the network.
    What this means is that we have to connect 4 ports for each node in the NetApp HA pair to the switches and create a port channel of some type that allows for trunked VLANs. When we configure the ports, the configuration is as follows (below):
    We are only able to configure an IP on one of the vlans.
    When we configure an IP from another vlan for the data lif, it does not respond to a ping.
    Does anyone have any idea what I'm doing wrong on the Cisco switch?
    interface GigabitEthernet4/0/12
    description Netapp2-e0a
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet4/0/13
    description Netapp2-e0c
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet6/0/12
    description Netapp2-e0b
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet6/0/13
    description Netapp2-e0d
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface Port-channel20
    description Netapp2-NFS
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    spanning-tree portfast
    spanning-tree bpduguard enable
    end

    Our problem was fixed by the storage people.  They changed the server end to trunk, and the encapsulation / etherchannel.
    I like all the suggestions, and they probably helped out with the configuration getting this to work.
    Thanks!
    interface Port-channel20
    description Netapp2-NFS
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    interface GigabitEthernet4/0/12
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet4/0/13
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet6/0/12
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet6/0/13
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active

  • Unable to add allowed VLANs to TenGig trunk port

    Hi,
    I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
    I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doesn't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
    I've tried adding single VLANs and multiples, but no joy. Any ideas?
    Here's what I've done:
    SWITCH_1631(config)#default int t4/1
    Interface TenGigabitEthernet4/1 set to default configuration
    SWITCH_1631#sh ru int t4/12
    Building configuration...
    Current configuration : 65 bytes
    interface TenGigabitEthernet4/12
     no ip address
     shutdown
    end
    SWITCH_1631(config)#int t4/1
    SWITCH_1631(config-if)#switchport
    SWITCH_1631(config-if)#switchport mode trunk
    SWITCH_1631(config-if)#switchport trunk allowed vlan ?
      WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
      add     add VLANs to the current list
      all     all VLANs
      except  all VLANs except the following
      none    no VLANs
      remove  remove VLANs from the current list
    SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
    SWITCH_1631(config-if)#
    SWITCH_1631#sh vlan id 700
    VLAN Name                             Status    Ports
    700  VLAN_NAME                        active    <snip>
    SWITCH_1631#sh ru int t4/1
    Building configuration...
    Current configuration : 74 bytes
    interface TenGigabitEthernet4/1
     switchport
     switchport mode trunk
    end

    Steve,
    Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
    Port                Mode         Encapsulation  Status        Native vlan
    Gi3/39              on           802.1q         trunking      1
    Te4/1               on           802.1q         trunking      1
    Po1                 on           802.1q         trunking      50
    Po2                 on           802.1q         trunking      50
    Po3                 on           802.1q         trunking      50
    Po4                 on           802.1q         trunking      50
    Po5                 on           802.1q         trunking      50
    Port                Vlans allowed on trunk
    Gi3/39              15-16,20-23,30,401,608
    Te4/1               1-4094
    Po1                 10,13,20-21,25,30,50,52,61,70,600,700-701,950
    Po2                 10,20,30,50,52,61,70,600,700-701,950
    Po3                 10,20,30,50,61,70,600,700-701,950
    Po4                 10,20,30,50,61,70,600,700-701,950
    Po5                 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
    The problem was that I've always been advised that best practise is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
    Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
    Then I realised what the problem was: trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
    So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed!
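The behaviour Steve and the poster worked out above (on a fresh trunk every VLAN is already allowed, so `add 700` is a no-op while `remove 700` leaves `1-699,701-4094`) can be modelled offline. The following is an added example, not code from the thread or from Cisco; it implements the IOS `switchport trunk allowed vlan` list forms and the range notation `show interfaces trunk` prints, and replays the poster's command sequence.

```python
"""Model of Cisco IOS 'switchport trunk allowed vlan' list handling.

Added example, not from the thread: reproduces the 6509 behaviour where
adding VLAN 700 to a trunk that already allows 1-4094 changes nothing.
"""
import re
from typing import List, Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(text: str) -> Set[int]:
    """Parse an IOS VLAN list such as '10,20-23,700' into a set of IDs."""
    vlans: Set[int] = set()
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad VLAN list element: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans: Set[int]) -> str:
    """Render a set of VLAN IDs the way 'show interfaces trunk' prints it."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    runs: List[str] = []
    start = prev = ids[0]
    for v in ids[1:] + [None]:  # None is a sentinel that flushes the last run
        if v is not None and v == prev + 1:
            prev = v
            continue
        runs.append(str(start) if start == prev else f"{start}-{prev}")
        if v is not None:
            start = prev = v
    return ",".join(runs)


def apply_allowed_vlan(current: Set[int], args: str) -> Set[int]:
    """Apply one 'switchport trunk allowed vlan <args>' command.

    Forms: 'all', 'none', 'add <list>', 'remove <list>', 'except <list>',
    or a bare '<list>', which replaces the whole allowed set.
    """
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)


def replay(commands: List[str], start: Optional[Set[int]] = None) -> List[str]:
    """Run a command sequence on a trunk (default: fresh trunk, all VLANs
    allowed) and return the rendered allowed list after each command."""
    allowed = set(ALL_VLANS) if start is None else set(start)
    trail: List[str] = []
    for cmd in commands:
        allowed = apply_allowed_vlan(allowed, cmd)
        trail.append(format_vlan_list(allowed))
    return trail


if __name__ == "__main__":
    # The poster's sequence: 'add 700' on a fresh trunk changes nothing,
    # 'remove 700' punches a hole, a bare list replaces the set, and only
    # then does 'add 701' do what was expected.
    sequence = ["add 700", "remove 700", "700", "add 701"]
    for cmd, result in zip(sequence, replay(sequence)):
        print(f"switchport trunk allowed vlan {cmd:<12} -> {result}")
```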

  • Dedicated VLAN ID's on trunk ports

    I was reading the SAFE:Security Blueprint for Enterprise Networks. This document addresses in its "Switches are targets" section on Page 6 that "Always use a dedicated VLAN ID for all trunk ports"...
    I am trying to understand this concept fully.
    If I consider my trunk ports, most are physical fiber "links" that interconnect the switches. Some trunk links connect Distribution L to Access L; some Distribution to Core.
    Where do I put the VLAN ID on these? Should I translate this to mean that on Gig0/0 on SW.1 I place this interface in VLAN 23 and on the switch on the other end of the link I also place the Gig0/0 in VLAN 23 as well?
    Also I am not sure why this helps secure the switch. Can someone please assist. I am grateful.

    Hi,
    This is not actually VLAN pruning. This is just specifically allowing some VLANs on the trunk ports and removing other unwanted VLANs.
    Pruning works in a different way: it saves bandwidth on the trunk links by pruning unwanted broadcasts on the trunks for a particular VLAN if no host is active on that VLAN on a particular switch. I.e., if you don't have any active host on a VLAN on a particular switch, and there is a broadcast on that VLAN that would come over the trunk, that broadcast is pruned on the trunk to the switch where no host is active.
    HTH,
    -amit singh
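The SAFE advice quoted in the question above ("always use a dedicated VLAN ID for all trunk ports") is about the trunk's native VLAN: it should be neither VLAN 1 nor a VLAN that any access port on the switch belongs to, and Farrukh's earlier recommendations in this thread add disabling trunk negotiation. The following is an added audit example, not code from the thread or from Cisco; it parses an IOS-style running-config (the sample config is constructed) and reports trunks whose native VLAN is not dedicated, that still negotiate DTP, or that carry every VLAN.

```python
"""Audit trunk ports in an IOS running-config against the advice in the
thread: dedicated native VLAN, no DTP negotiation, explicit allowed list.

Added example, not from the thread. The sample config is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: one trunk that follows the advice, one that does not,
# and an access port that shares the second trunk's native VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink-to-core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink-to-access
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 23
 switchport mode trunk
!
interface GigabitEthernet0/5
 switchport access vlan 23
 switchport mode access
!
"""


@dataclass
class Interface:
    name: str
    lines: List[str] = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        """True if any sub-command of the interface starts with prefix."""
        return any(line.startswith(prefix) for line in self.lines)

    def value(self, prefix: str) -> Optional[str]:
        """Return the argument following prefix, or None if not configured."""
        for line in self.lines:
            if line.startswith(prefix):
                return line[len(prefix):].strip()
        return None


def parse_interfaces(config: str) -> List[Interface]:
    """Group each 'interface X' stanza with its indented sub-commands."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(" ", 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return interfaces


def audit_trunks(config: str) -> Dict[str, List[str]]:
    """Return {trunk interface name: [findings]} for every trunk port.

    An empty findings list means the trunk follows all three checks.
    """
    interfaces = parse_interfaces(config)
    trunks = [i for i in interfaces if i.has("switchport mode trunk")]
    # VLANs carrying end hosts; a trunk's native VLAN must not be one of them.
    access_vlans = {
        int(i.value("switchport access vlan"))
        for i in interfaces
        if not i.has("switchport mode trunk") and i.value("switchport access vlan")
    }
    report: Dict[str, List[str]] = {}
    for t in trunks:
        findings: List[str] = []
        native = int(t.value("switchport trunk native vlan") or 1)  # IOS default is 1
        if native == 1:
            findings.append("native VLAN is the default (1); use a dedicated VLAN")
        elif native in access_vlans:
            findings.append(f"native VLAN {native} is also used by access ports")
        if not t.has("switchport nonegotiate"):
            findings.append("DTP negotiation still enabled; add 'switchport nonegotiate'")
        if not t.has("switchport trunk allowed vlan"):
            findings.append("no allowed VLAN list; trunk carries all VLANs 1-4094")
        report[t.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_trunks(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```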

  • Dynamic Vlan-Trunk port

    Hi,
    Is it possible to configure a switchport as a dynamic VLAN port and at the same time as a trunk port?

    Hi,
    Static ports that are trunking cannot become dynamic ports. You must turn off trunking on the trunk port before changing it from static to dynamic.
    You can find more info here.
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2ec.html
    HTH,
    Sundar

  • Private VLAN Promiscuous Trunk Port - Switches which support this function

    Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

    4500x Yes
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
    Nexus 5k Yes
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
    3850s
    They don't support PVLANs at all yet
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

  • Wlc management port can't trunk other than native vlan

    Hello,
    I have installed my first WLC 5508 with this topology:
    WLC connected through a distribution SFP 1Gb port to a Core Switch port configured as a trunk port permitting 3 wireless VLANs:
    - Management WLC, Wireless Voice and Wireless Data VLAN (native VLAN is the management WLAN).
    - I have created 2 dynamic interfaces on the WLC for my wireless VLANs:
    10.7.1.0/24 : Default Management Virtual Interface when installing WLC +
    10.7.6.0/24 : Voice Virtual Interface and
    10.7.2.0/24 : Wireless Data Virtual Interface through the GUI.
    DHCP configured on each dynamic interface is the L3 VLAN interface for the same VLAN subnet on the CORE SWITCH containing the IP DHCP pool.
    WLC Management Interface IP address is: 10.7.1.10/24
    I have created 2 WLANs with SSIDs named Data (ID 1) and Voice (ID 2).
    I have created an AP Group named APGRP1 containing the APs registered on the WLC and using both SSID WLANs.
    Both APs are connected to switch access ports configured in the native management WLC VLAN.
    I have created 3 IP DHCP pools on the Core switch with related L3 interfaces for inter-VLAN routing.
    Problem: when I try to connect from a laptop to the Data SSID, I get an IP address from the management WLC VLAN, not the DATA VLAN.
    The same happens for a Wireless IP Phone configured with the Voice SSID.
    What can I modify to permit both devices to get an IP address from the correct VLAN?
    Thanks

    Hi Adil,
    Q1 >> Must the AP port on the switch be configured in access port mode or trunk mode?
    ANS - The LWAPP/CAPWAP APs connected to the switchport should be on an access port, not a trunk.
    Q2>> In the first case, will setting the port in the same VLAN as the WLC Management VLAN support the other WLAN VLANs (voice and data)?
    ANS - Yes, it does support that, since the traffic which involves the WLAN will be inside the LWAPP/CAPWAP logical tunnel.
    Q3>> I will verify the interface mapping between WLAN and Dynamic Interfaces and I will tell you.
    ANS - I will be waiting for your response!!
    Let me know if this answered your question.
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or helpful

  • Problems with vlan and dot1q trunking port

    Dear Folks,
    I have problems with my access point configuration.
    Even when I set the Catalyst port to trunk, I can only connect to VLAN 1 but not to VLAN 10.
    And if I change the port to static VLAN 10 I cannot connect to the AP, but it works...
    config below:
    User Access Verification
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname 1200_PP_1
    logging queue-limit 100
    enable secret xxxx
    clock timezone A 1
    ip subnet-zero
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid DEPACNGLW0HS
    vlan 10
    authentication shared
    infrastructure-ssid
    mobility network-id 10
    speed basic-1.0 2.0 5.5 11.0
    rts threshold 2312
    channel 2412
    antenna receive right
    antenna transmit right
    station-role root
    interface Dot11Radio0.1
    no ip route-cache
    interface Dot11Radio0.10
    encapsulation dot1Q 10 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 port-protected
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    speed 100
    full-duplex
    ntp broadcast client
    interface FastEthernet0.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    no bridge-group 254 source-learning
    bridge-group 254 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.2.2.222 255.255.255.0
    no ip route-cache
    ip default-gateway 10.2.2.2
    ip http server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100
    ip radius source-interface BVI1
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local
    line vty 5 15
    login
    end
    It would be fine if anyone could help me....

    You configure Layer 3 Mobility with WLSM. No trunking is required on the CAT switch. However, you need to set the switch port on the CAT switch as access port in VLAN 10.
    Please post the WLSM and SUP720 configuration. Also, which VLAN do you want to access the AP?
    The following URL may be useful for you to verify the configuration:
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00802a86a7.html

  • Access to trunk port clarification

    Hello-
    I am looking to clarify a point of confusion for myself regarding connecting an access port to a trunk port. Consider the following switchport config on switch1:
    Switch#1
    interface GigabitEthernet0/5
     switchport
     switchport access vlan 6
    ....and the corresponding config on its neighbor:
    Switch#2
    Interface GigabitEthernet10/8
    switchport
    switchport mode trunk
    switchport trunk allowed vlan 1,6,100
    My first question is: is this a valid configuration? Secondly, what would the expected results be? I am curious about what VLANs would be allowed to pass through.
    Thanks in advance-
    Brian

    This would work fine but is not recommended.
    Also, only native VLAN and VLAN 6 traffic would pass between the switches.
    SW1-----F0/1----------f0/1----SW2
    SW1#sh int trunk 
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       auto         n-802.1q       trunking      1
    Port        Vlans allowed on trunk
    Fa0/1       1-1005
    Port        Vlans allowed and active in management domain
    Fa0/1       1,6
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,6
    SW1#
    SW2
    SW2#sh int trunk 
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           802.1q         trunking      1
    Port        Vlans allowed on trunk
    Fa0/1       1,6,100
    Port        Vlans allowed and active in management domain
    Fa0/1       1,6,100
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,6,100
    SW2#
    2) Part of this config is that any VLANs which have been configured on SW1 would be allowed through that access port.
    ex:
    SW1#sh int trunk 
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       auto         n-802.1q       trunking      1
    Port        Vlans allowed on trunk
    Fa0/1       1-1005
    Port        Vlans allowed and active in management domain
    Fa0/1       1,6,10,20,30,40,50,60,70,80,90,100
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,6,10,20,30,40,50,60,70,80,90,100 >>>>>>>>>> all VLANs are allowed here.
    b)
    Whereas on Switch 2, if you create all these VLANs and don't allow them through the trunk interface you have configured, those VLANs would not be flowing through.
    eg;
    SW2#sh int tr
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           802.1q         trunking      1
    Port        Vlans allowed on trunk
    Fa0/1       1,6,100
    Port        Vlans allowed and active in management domain
    Fa0/1       1,6,100
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,6,100 >>>>>>>>>>>>>>> Only 3 VLANs would be flowing through because they are explicitly defined. But if you had allowed all, then all VLANs would be shown here.
    I created all the VLANs above on SW2, but you can see only 3 VLANs are allowed as you have explicitly defined it.
    Hope this clarifies your query.
    Regards
    Inayath
    *************Please don't forget to rate posts***********

  • Service instance and trunk ports

    Hi, I have the following configuration:
    interface Port-channel1
     description SHN-AX1-1-2-CNRY
     switchport trunk allowed vlan none
     switchport mode trunk
     load-interval 30
     no keepalive
     service instance 1 ethernet
      encapsulation untagged
      l2protocol peer lacp
      bridge-domain 1
     service instance 2 ethernet
      description IDP_VLAN_2
      encapsulation dot1q 2
      bridge-domain 3998
     service instance 3 ethernet
      description BBR_VLAN
      encapsulation dot1q 420
      bridge-domain 3998
     service instance 4 ethernet
      description MGMT_VLAN
      encapsulation dot1q 95
      bridge-domain 3998
     service instance 5 ethernet
      description STATIC_VLAN
      encapsulation dot1q 3641,3644,3777,3291
      bridge-domain 3998
     service instance 6 ethernet
      description SME_VLAN
      encapsulation dot1q 2098,2339
      bridge-domain 3998
    interface GigabitEthernet0/1
     switchport trunk allowed vlan none
     switchport mode trunk
     channel-group 1 mode on
    interface GigabitEthernet0/2
     switchport trunk allowed vlan none
     switchport mode trunk
     channel-group 1 mode on
    interface Port-channel12
     description SHN-AGG-BX1
     switchport trunk allowed vlan 34,50,76,3998
     switchport mode trunk
     mtu 9000
    interface GigabitEthernet0/23
     switchport trunk allowed vlan 34,3998
     switchport mode trunk
     mtu 9000
     channel-group 12 mode active
    interface GigabitEthernet0/24
     switchport trunk allowed vlan 34,3998
     switchport mode trunk
     mtu 9000
     channel-group 12 mode active
    The input interfaces are gigEth0/1 and gigEth0/2 and the output interfaces are gigEth0/23 and gigEth0/24.
    The ingress traffic at the input port has a single tag and the ingress traffic at the output port has two tags.
    Please explain to me where tags would be pushed/popped and why.
    Thank you.

    Hello.
    You might have confused service instance configuration and usual switchport mode trunk.
    Please refer figure 11-10 in the document http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/12-2_52_ey/configuration/guide/3800x3600xscg/swevc.html
    But there is a typo: per the description it should be "enc dot1q 20" under service instance (on the picture).
    Also under Figure 11-2 we have following example:
     QinQ is also supported when sending packets between an EFP and a switchport trunk, because the switchport trunk is implicitly defined as rewrite ingress tag pop 1 symmetric. The same external behavior as Method 1 can be achieved with this configuration:
    Switch (config)# interface gigabitethernet0/1 
    Switch (config-if)# service instance 1 Ethernet 
    Switch (config-if-srv)# encapsulation dot1q 1-100 
    Switch (config-if-srv)# bridge-domain 30
    Switch (config)# interface gigabitethernet0/2 
    Switch (config-if)# switchport mode trunk
    Again, service instance 1 on Gigabit Ethernet port 0/1 is configured with the VLAN encapsulations used by the customer: C-VLANs 1-100. These are forwarded on bridge-domain 30. The service provider facing port is configured as a trunk port. The trunk port implicitly pushes a tag matching the bridge-domain that the packet is forwarded on (in this case S-VLAN 30). 

  • Trunk port as a destination for SPAN session

    Can we make a trunk port a destination for a SPAN session? If yes, how?

    Of course you can. It will be configured the same as an access port:
    monitor session 1 destination int g0/24
    However be aware of the following:
    Destination Port
    Each local SPAN session destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source port.
    The destination port has these characteristics:
    •It must reside on the same switch as the source port (for a local SPAN session).
    •It can be any Ethernet physical port.
    •It cannot be a source port or a reflector port.
    •It cannot be an EtherChannel group or a VLAN.
    •It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.
    •The port does not transmit any traffic except that required for the SPAN session.
    •If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
    •It does not participate in spanning tree while the SPAN session is active.
    •When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP, or LACP).
    •No address learning occurs on the destination port.
    •A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it could become congested. This could affect traffic forwarding on one or more of the source ports.

  • Multiple trunk ports on switch

    How many ports on a 2950 can be configured as dot1q trunks? I need to place an intermediary switch in my network to pass trunk data between 10 other Cisco switches and therefore need to configure 10 ports as trunk ports. Is this possible or would a different switch work better for this purpose?

    Hi Scott,
    There's no limitation on the number of trunk ports you can configure. However, there is a switch-wide limitation of 64 instances of Spanning Tree. In other words, you can only have 64 active VLANs on the switch.
    See:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swstp.htm#1150172
    HTH,
    Bobby
    *Please rate helpful posts.

  • Enable BPDUGuard on Spanning-tree Portfast Trunk Port: Yes or No?

    Hello to all the Cisco Experts,
    I have been searching around to get a confirmed answer on my subject, but have yet to come to any conclusion that could help me.
    This all started when I configured the switchport configuration for my ESXi Server, which is a dot1q trunk port. The reference is the URL below:
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628
    The configuration of the switchport will be as below:
    interface GigabitEthernet1/0/1
     description ESXi
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 11,15
     switchport mode trunk
     spanning-tree portfast trunk
    end
    The catch is, I have bpduguard enabled at the global level on my switch (spanning-tree portfast bpduguard default).
    This enables bpduguard on the trunk port above because the switchport is in portfast (the command: spanning-tree portfast trunk).
    Some of the guys in this forum mentioned that it is not recommended to have bpduguard on a trunk port and some mentioned it is okay to have this.
    So, what do you all think on this? Any real life experience dealing with this kind of situation that can be shared with us over here?
    Thank you in advance.

    Hi Leo,
    First of all, I would never, ever, consider any comment of yours as being offensive so don't worry, none taken. :)
    Enabling portfast on a trunk is so "yesterday", in my opinion.  If a trunk port(s) or an etherchannel is configured correctly, there's a significant chance portfast is irrelevant.  The time to get the ports to go from down to passing traffic really boils down to one or two seconds.
    Perhaps this is at the core of our different views. To my best knowledge, without the PortFast, a trunk - be it a single port or an EtherChannel - will become forwarding 30 seconds after entering the up/up state, not less. This is valid for STP, RSTP, and MSTP. In addition, if a new VLAN is created or added to the list of enabled VLANs on the trunk, it may take additional 30 seconds for that VLAN to become operational (forwarding) on that trunk. There is nothing besides PortFast and Proposal/Agreement that can cut down this time: the STP must go over the Listening-Learning-Forwarding sequence, and RSTP/MSTP must go through the Discarding-Learning-Forwarding sequence. The "one or two seconds" you have mentioned is perhaps the combined delay incurred by autonegotiation, LACP/PAgP, and DTP, but STP will take its own time and will not be deterred by any of these mechanisms.
    I see no benefit but mischief when you enable BPDU Guard on an inter-switch link.   
    Absolutely agree. That is why it doesn't make any sense to put a BPDU Guard on an inter-switch link, and I have never suggested doing that. The original post, however, deals with enabling PortFast on a trunk link that does not go to another switch but rather connects to an ESXi server on which, obviously, different virtual machines are bridged onto different VLANs.
    So what is the reaction of the port if you do happen to enable portfast and BPDU guard on an inter-switch link?  Wouldn't the two be a "Jekyll & Hyde"?
    It would be just the same as enabling PortFast and BPDU Guard on an access port that happens to be connected to another switch. Upon link-up, the port would become forwarding immediately, and after receiving a BPDU, it would be shot down to err-disabled. The fact the port is an access port or a trunk port makes no difference here. Just as before, I stress that this kind of configuration simply isn't meant to be used on inter-switch links. However, on trunks connected directly to routers, servers, autonomous APs supporting several SSIDs mapped to different VLANs, even to IP phones (remember the mini-trunk config used on old switches on which the switchport voice vlan command only instructed CDP to advertise the voice VLAN but did not cause the port to accept tagged frames in the voice VLAN so it had to be configured as a trunk?) - in all these situations, the PortFast can be beneficial. The BPDU Guard is a natural protective companion to the PortFast - wherever PortFast is eligible to be configured, the BPDU Guard is a natural additional protection to be activated as well.
    But given the complexity of interconnection of different switches to various stuff going around, we're happy with leaving portfast on a trunk port disabled.
    No argument here - but again, this is about trunks between switches on which I would never suggest using the PortFast or the BPDU Guard. The original post is talking about trunks to end hosts (i.e. edge trunk ports if we extend the terminology a little).
    Best regards,
    Peter
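
    The distinction Peter draws (PortFast plus BPDU Guard is fine on an edge trunk to a server or AP, harmful on an inter-switch trunk) is easy to lose once `spanning-tree portfast bpduguard default` is set globally, because the guard is then inherited silently by every PortFast port. The script below, an added example that is not code from this thread or from Cisco, audits a running-config for exactly that: it works out the effective PortFast and BPDU Guard state of each trunk port and lists the ports an administrator should confirm face an end host rather than another switch. The sample config is constructed, and the parsing rules are assumptions drawn from the commands quoted in the thread: `interface` stanzas start at column 0 with indented sub-commands, the global default makes BPDU Guard effective wherever PortFast is active unless the port says `spanning-tree bpduguard disable`, and plain `spanning-tree portfast` (without the `trunk` keyword) has no effect on a trunk port.

```python
"""Audit a Cisco IOS running-config for PortFast / BPDU Guard on trunk ports.

Added example for the thread above (not code from the post or from Cisco).
Parsing rules are assumptions about IOS syntax, see the lead-in paragraph.
"""
import re
from dataclasses import dataclass

# Constructed sample running-config; not taken from any real switch.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description ESXi
 switchport trunk allowed vlan 11,15
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 description Trunk to CORE02
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description 2960_24_POE
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description user desk
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 description autonomous AP
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
end
"""


@dataclass
class Port:
    name: str
    mode: str = "access"        # assumption: no mode line means access port
    portfast: str = "none"      # "none", "plain" or "trunk"
    bpduguard: str = "default"  # "default", "enable" or "disable"


def parse_config(text):
    """Return (global_bpduguard_default, {interface name: Port})."""
    global_default = False
    ports = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith(" "):          # top-level command ends any stanza
            current = None
            if raw.strip() == "spanning-tree portfast bpduguard default":
                global_default = True
            m = re.match(r"interface (\S+)$", raw.strip())
            if m:
                current = Port(name=m.group(1))
                ports[current.name] = current
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd.startswith("switchport mode "):
            current.mode = cmd.split()[-1]
        elif cmd == "spanning-tree portfast trunk":
            current.portfast = "trunk"
        elif cmd == "spanning-tree portfast":
            current.portfast = "plain"
        elif cmd in ("spanning-tree bpduguard enable", "spanning-tree bpduguard disable"):
            current.bpduguard = cmd.split()[-1]
    return global_default, ports


def effective_state(port, global_default):
    """Return (portfast_active, bpduguard_active) for one port."""
    if port.mode == "trunk":
        portfast_active = port.portfast == "trunk"   # plain PortFast is ignored on trunks
    else:
        portfast_active = port.portfast != "none"
    if port.bpduguard == "enable":
        guard_active = True
    elif port.bpduguard == "disable":
        guard_active = False
    else:                                            # inherited from the global default
        guard_active = global_default and portfast_active
    return portfast_active, guard_active


def audit(text):
    """Map each interface to a list of finding codes (empty list = nothing to review)."""
    global_default, ports = parse_config(text)
    report = {}
    for port in ports.values():
        findings = []
        portfast_active, guard_active = effective_state(port, global_default)
        if port.mode == "trunk":
            if port.portfast == "plain":
                findings.append("portfast-without-trunk-keyword")   # silently inactive
            if guard_active:
                findings.append("bpduguard-on-trunk")   # confirm it faces a host, not a switch
            if portfast_active and not guard_active:
                findings.append("portfast-trunk-without-bpduguard")
        report[port.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name:24} {', '.join(findings) or 'ok'}")
```

    On the sample config the ESXi port is reported as `bpduguard-on-trunk` (the intended edge-trunk case, worth confirming), the core trunk is clean, the `spanning-tree portfast` line on Gi1/0/3 is flagged as ineffective on a trunk, and the AP port with the guard disabled is flagged as PortFast without its protective companion. Feeding it `show running-config` output from a switch with many trunks turns Peter's rule of thumb into a list of ports to verify before someone plugs a switch into an edge trunk and err-disables it.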
