Unable to add allowed VLANs to TenGig trunk port

Hi,
I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doesn't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
I've tried adding single VLANs and multiples, but no joy. Any ideas?
Here's what I've done:
SWITCH_1631(config)#default int t4/1
Interface TenGigabitEthernet4/1 set to default configuration
SWITCH_1631#sh ru int t4/12
Building configuration...
Current configuration : 65 bytes
interface TenGigabitEthernet4/12
 no ip address
 shutdown
end
SWITCH_1631(config)#int t4/1
SWITCH_1631(config-if)#switchport
SWITCH_1631(config-if)#switchport mode trunk
SWITCH_1631(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
SWITCH_1631(config-if)#
SWITCH_1631#sh vlan id 700
VLAN Name                             Status    Ports
700  VLAN_NAME                        active    <snip>
SWITCH_1631#sh ru int t4/1
Building configuration...
Current configuration : 74 bytes
interface TenGigabitEthernet4/1
 switchport
 switchport mode trunk
end

Steve,
Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
Port                Mode         Encapsulation  Status        Native vlan
Gi3/39              on           802.1q         trunking      1
Te4/1               on           802.1q         trunking      1
Po1                 on           802.1q         trunking      50
Po2                 on           802.1q         trunking      50
Po3                 on           802.1q         trunking      50
Po4                 on           802.1q         trunking      50
Po5                 on           802.1q         trunking      50
Port                Vlans allowed on trunk
Gi3/39              15-16,20-23,30,401,608
Te4/1               1-4094
Po1                 10,13,20-21,25,30,50,52,61,70,600,700-701,950
Po2                 10,20,30,50,52,61,70,600,700-701,950
Po3                 10,20,30,50,61,70,600,700-701,950
Po4                 10,20,30,50,61,70,600,700-701,950
Po5                 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
The problem was that I've always been advised that best practise is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
Then I realised what the problem was: trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed!
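The behaviour worked out in this thread, modelled as an added example (not part of the original posts and not Cisco code): a trunk starts with 1-4094 allowed, so `add` changes nothing until the list has been replaced. The function names and the sample configuration are constructed for illustration; `audit_trunks` replays each trunk's allowed-VLAN lines and reports the effective list, which makes trunks still carrying every VLAN easy to spot.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))  # 1-4094: what a trunk allows by default
ALLOWED_RE = re.compile(r"switchport trunk allowed vlan (.+)")

# Constructed sample in running-config style (not taken from the thread).
SAMPLE_CONFIG = """\
interface TenGigabitEthernet4/1
 switchport
 switchport mode trunk
!
interface Port-channel1
 switchport
 switchport trunk native vlan 50
 switchport trunk allowed vlan 10,20,30,50
 switchport trunk allowed vlan add 600,700-701
 switchport mode trunk
!
interface GigabitEthernet3/1
 switchport
 switchport mode access
"""

def parse_vlan_list(text):
    """Expand a list such as '10,20-23' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        low, _, high = part.strip().partition("-")
        first, last = int(low), int(high or low)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans

def format_vlan_list(vlans):
    """Collapse a set of VLAN IDs into ranges, e.g. '1-699,701-4094'."""
    if not vlans:
        return "none"
    ordered = sorted(vlans)
    runs, start, prev = [], ordered[0], ordered[0]
    for vid in ordered[1:]:
        if vid != prev + 1:
            runs.append((start, prev))
            start = vid
        prev = vid
    runs.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)

def apply_allowed(current, args):
    """Return the allowed set after 'switchport trunk allowed vlan <args>'."""
    words = args.split()
    keyword = words[0]
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":          # union: a no-op while the list is still 1-4094
        return set(current) | parse_vlan_list(words[1])
    if keyword == "remove":
        return set(current) - parse_vlan_list(words[1])
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(words[1])
    return parse_vlan_list(keyword)  # bare list: replaces whatever was there

def audit_trunks(config_text):
    """Map each 'switchport mode trunk' interface to its effective allowed list."""
    results = {}
    name, is_trunk, allowed = None, False, set(ALL_VLANS)
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name and is_trunk:
                results[name] = format_vlan_list(allowed)
            name, is_trunk, allowed = line.split(None, 1)[1], False, set(ALL_VLANS)
            continue
        match = ALLOWED_RE.fullmatch(line)
        if name and line == "switchport mode trunk":
            is_trunk = True
        elif name and match:
            allowed = apply_allowed(allowed, match.group(1))
    if name and is_trunk:
        results[name] = format_vlan_list(allowed)
    return results

def unrestricted_trunks(config_text):
    """Trunks that still carry every VLAN and are candidates for an explicit list."""
    return [n for n, v in audit_trunks(config_text).items() if v == "1-4094"]

if __name__ == "__main__":
    for port, vlans in audit_trunks(SAMPLE_CONFIG).items():
        print(f"{port}: {vlans}")
    print("unrestricted:", unrestricted_trunks(SAMPLE_CONFIG))
```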

Similar Messages

  • 897VAW: Cannot add Allowed vlans to Trunk on WLAN-GigabitEthernet interface

    Hi,
    I am trying to configure the Access Point module on my Cisco Router (897AVW), however I am unable to route / ping between the router and the AP.
    In a few examples I've seen, the wlan-GigabitEthernet interface has the command:
    switchport trunk allowed vlan 1-3,1002-1005
    or
    switchport trunk native vlan 2
    I have tried both and although the router doesn't error, show-ing the config, neither commands have taken.
    Is there something I am doing wrong or is this a bug in the IOS?
    To save making this post long, my latest running configs are on my blog:
    Router: http://www.thingsgeeky.walker.uk.com/?p=3781
    AP: http://www.thingsgeeky.walker.uk.com/?p=3781
    Many Thanks
    W.

  • Manipulating allowed VLAN list on trunks

    I am in the process of restricting some of my VLANs so that they can be accessed only on the switches that actually need them. I have a VTP domain, so I am doing it by manipulating the "allowed" lists on the trunks. I have a mixed environment of IOS 4500, CatOS 4000, CatOS 5500, and IOS 29xx.
    So, I have a number of questions and observations:
    1. There are some special default VLANs, 1002-1005, which are designated fddi-default, token-ring-default etc. In an Ethernet-only environment, is there any harm if I clear these from all the trunks?
    2. I do not use the extended VLAN range 1025-4095. Is there any harm if I clear these from all trunks?
    3. Just out of academic interest, what ever happened to VLANs 1006 to 1024? They do not appear in any of the default "allowed" lists. Are they reserved for something?
    4. Suppose my native VLAN for my trunks is not 1, let us say 99. And my management is on yet another VLAN, say 98. What happens if I try and clear the native VLAN 99 from the trunks? (Yes, I know I should try this in a lab, but does anyone know the answer to save me the effort of setting it up?)
    5. Suppose I have a VLAN, say 50, that is only needed in two switches, so I clear it from all trunks except the one between those two switches. But all the switches know about it cos it is in the VTP list. I notice that in the IOS switches, the PVST+ instance for that VLAN get shut down. In the CatOS switches, the STP seems to continue to run, but the root bridge is designated as 00-00-00-00-00-00. Are these two behaviors consistent, i.e. what is actually going on in the CatOS case? (AAMOF, in the IOS switches, it is enough that none of the ports has an "up" presence in the VLAN, and the PVST+ instance shuts down, even if there are "down" ports configured to use it.)
    6. Is there any way to set a global default "allowed" list in a switch, so that any new trunks only allow those VLANs, regardless of what is in the VTP list? (That is, apart from setting it to "transparent", which have other unwanted side effects such as not being aware of the creation of new VLANs.)
    That's a lot of questions. The new edition of the Clarke/Hamilton book is well overdue!
    Kevin Dorrell
    Luxembourg

    Glen,
    Thanks for the responses.
    1. I shall clear them out immediately.
    2. I shall clear them out immediately.
    3. It's a mystery. Anyone?
    4. It was 99 because that VLAN was created specifically to accommodate the trunks. Unfortunately, in that particular network, VLAN 1 was still in use as an access VLAN. It is recommended not to have any access ports on the VLAN that is used as the native on the trunks, to prevent VLAN-hopping. Most NetAdmins do this by putting all the access ports anywhere but VLAN 1, and keeping VLAN 1 for trunk natives and/or management. This network did it the other way round, by shifting the native of the trunks off onto an unused VLAN. But I don't know what would happen if I cleared the native VLAN off the trunk.
    5. I think here we need to distinguish between VTP and STP, and between allowed lists and pruning. I am not pruning here, I am actually clearing the VLANs from the trunks. In the case of pruning, the VTP declines to send the broadcasts down the trunk if they are not useful at the access layer switch, but the Spanning Tree topology is not affected. In the case of clearing, the Spanning Tree topology of the VLAN is actually modified, as if the trunk did not exist for that VLAN. OTOH, the VTP VLAN list is propagated to all switches, regardless of whether they have any presence on each VLAN. So according to the VTP server and all clients, there is a load of VLANs active in the domain. But if you have an allowed list on all the trunks, it could well be that the access switch knows about a VLAN, but does not have any presence on it. That is when the IOS shuts down the PVST+ STP for that VLAN, and a CatOS switch registers the root bridge as 00-00-00-00-00-00. As opposed to the case where the VTP domain does not have a VLAN in its database, so the CatOS has no STP instance for it.
    6. Anyone else?
    Thanks for the responses.
    Kevin Dorrell
    Luxembourg

  • Unable to add allowed url

    Whenever I try to add a url to my list of allowable sites, it does not show up on the list of urls that have been entered. I also have a problem when I try to add a new allowed http rule, when I click on new url the screen just blinks and nothing is added. I am able to add to the my deny url lists, but not add to my allowed list. I can also add a new ftp rule and seems to work correctly. Can anyone think of what I might be doing wrong or if I have some settings wrong on the server?
    It is running on NW65 sp 6 with bm 3.9 with the newest n2h2 category server acl.
    Thanks in advance.

  • Problems with vlan and dot1q trunking port

    Dear Folks,
    I have problems with my AccessPoint configuration.
    Even when I set the Catalyst Port to trunk, I can only connect to VLAN 1 but not to VLAN 10.
    and if I change the port to static vlan 10 I can not connect to the ap but it works...
    config below:
    User Access Verification
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname 1200_PP_1
    logging queue-limit 100
    enable secret xxxx
    clock timezone A 1
    ip subnet-zero
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     ssid DEPACNGLW0HS
      vlan 10
      authentication shared
      infrastructure-ssid
      mobility network-id 10
     speed basic-1.0 2.0 5.5 11.0
     rts threshold 2312
     channel 2412
     antenna receive right
     antenna transmit right
     station-role root
    interface Dot11Radio0.1
     no ip route-cache
    interface Dot11Radio0.10
     encapsulation dot1Q 10 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 port-protected
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     speed 100
     full-duplex
     ntp broadcast client
    interface FastEthernet0.1
     encapsulation dot1Q 1
     no ip route-cache
     bridge-group 254
     no bridge-group 254 source-learning
     bridge-group 254 spanning-disabled
    interface FastEthernet0.10
     encapsulation dot1Q 10 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface BVI1
     ip address 10.2.2.222 255.255.255.0
     no ip route-cache
    ip default-gateway 10.2.2.2
    ip http server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100
    ip radius source-interface BVI1
    bridge 1 route ip
    line con 0
    line vty 0 4
     login local
    line vty 5 15
     login
    end
    it would be fine if anyone could help me....

    You configure Layer 3 Mobility with WLSM. No trunking is required on the CAT switch. However, you need to set the switch port on the CAT switch as access port in VLAN 10.
    Please post the WLSM and SUP720 configuration. Also, which VLAN do you want to access the AP?
    The following URL may be useful for you to verify the configuration:
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00802a86a7.html

  • Dedicated VLAN ID's on trunk ports

    I was reading the SAFE:Security Blueprint for Enterprise Networks. This document addresses in its "Switches are targets" section on Page 6 that "Always use a dedicated VLAN ID for all trunk ports"...
    I am trying to understand this concept fully.
    If I consider my trunk ports, most are physical fiber "links" that interconnect the switches. Some trunk links connect Distribution L to Access L; some Distribution to Core.
    Where do I put the VLAN ID on these? Should I translate this to mean that on Gig0/0 on SW.1 I place this interface in VLAN 23 and on the switch on the other end of the link I also place the Gig0/0 in VLAN 23 as well?
    Also I am not sure why this helps secure the switch. Can someone pls assist. I am grateful.

    Hi,
    This is not actually the VLAN pruning. This is just specifically allowing some vlans on the trunk ports and removing other unwanted vlans.
    Pruning works in a different way and it will save the bandwidth on the trunk links by pruning the unwanted broadcast on the trunks for a particular vlan if no host is active on that vlan on a particular switch. I.e. if you don't have any active host on a vlan on a particular switch and if there is a broadcast on that vlan which will come over the trunk so if no host is active that broadcast is pruned on the trunk where no host is active on the switch.
    HTH,
    -amit singh

  • SRW2048 - trunk port

    Hi,
    I have a question regarding trunk port behavior.
    I need to connect Cisco Linksys to a Catalyst switch. On the Catalyst I have set up the port to trunk mode.
    I have also put the SRW2048 port to trunk mode. But the switches are not able to communicate to each other.
    Is there any possibility to set up on the SRW2048 to accept all tagged vlans on the trunk port. Because it looks like
    to be a bit different behavior from cisco switches where are all vlans available on the trunk mode port.
    I am talking about encapsulation dot1q (tagged Vlans)
    The switch has the newest firmware: v1.2.2d
    Thank you for your response.
    Juraj

    Unlike the Catalyst, the SRW does not automatically add all VLANs on the switch to a trunk port. Instead you have to make all your VLANs member of the trunk mode port.

  • Best practices for configure Rogue Detector AP and trunk port?

    I'm using a 2504 controller.  I don't have WCS.
    My questions are about the best way to configure a Rogue Detector AP.
    In my lab environment I setup the WLC with 2 APs.  One AP was in local mode, and I put the other in Rogue Detector mode.
    The Rogue Detector AP was connected to a trunk port on my switch.  But the AP needed to get its IP address from the DHCP server running on the WLC.  So I set the native vlan of the trunk port to be the vlan on which the WLC management interface resides.  If the trunk port was not configured with a native vlan, the AP couldn't get an address through DHCP, nor could the AP communicate with the WLC.  This makes sense because untagged traffic on the trunk port will be delivered to the native vlan.  So I take it that the AP doesn't know how to tag frames.
    Everything looked like it was working ok.
    So I connected an autonomous AP (to be used as the rogue), and associated a wireless client to it.  Sure enough it showed up on the WLC as a rogue AP, but it didn't say that it was connected on the wire.  From the rogue client I was able to successfully ping the management interface of the WLC.
    But the WLC never actually reported the rogue AP as being connected to the wired network.
    So my questions are:
    1. What is the correct configuration for the trunk port?  Should it not be configured with a native vlan?  If not, then I'm assuming the rogue detector AP will have to have a static IP address defined, and it would have to be told which vlan it's supposed to use to communicate with the WLC.
    2.  Assuming there is a rogue client associated with the rogue AP, how long should it reasonably take before it is determined that the rogue AP is connected to the wired network?  I know this depends on if the rogue client is actually generating traffic, but in my lab environment I had the rogue client pinging the management interface of the WLC and still wasn't being picked up as an on-the-wire rogue.
    Thanks for any input!!

    #what's the autonomous AP's(as Rogue AP) Wired and Wireless MAC address?
    it has to be +1 or -1 difference. If Wired MAC is x.x.x.x.x.05 and the wireless mac should be x.x.x.x.x.04 or 06. It is not going to detect if the difference is more than + 1 or - 1.
    #Does the switch see the Rogue AP's wired MAC in its MAC table?
    Rogue Detector listens to ARPs to get all the Wired MAC info and forwards to WLC, It compares with Wireless MAC, if there is a +1 or -1 difference then it will be flagged as Rogue on wire. And the client that connected to it is also marked as found on wire.
    Regards to Trunking, Only Native vlan matters per trunk link, just configure the right vlan as native and we're done.
    It is not mandatory to keep the Rogue detector on Management vlan of wlc. It can also be on L3 vlan also as long as it can join the WLC to forward the learnt wired MACs.
    So if we don't have +1, -1 difference on Rogues then you've to use RLDP which will work with your existing setup to find Rogue on wire. there's a performance hit when we use this feature on local mode APs.
    Note: For AP join - AP can't understand Trunk, meaning if AP connected to Trunk it'll only talk to its native vlan irrespective of AP mode, however rogue detector listens to the Trunk port to learn MACs via ARPs from different VLANs and forwards to WLC using native vlan.
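The +1/-1 comparison described in the reply above, as an added example that is not from the original thread and not the WLC's own code: wired MACs learned from ARP on the trunk are matched against the radio MACs of known rogues. The MAC addresses, VLAN numbers and function names are constructed for illustration.

```python
import re

# Constructed sample data: radio MACs of rogues reported over the air, and
# (vlan, mac) pairs learned from ARP on the detector's trunk port.
ROGUE_RADIOS = ["02:00:5e:10:00:06", "02:00:5e:10:00:50"]
WIRED_ARP = [
    (10, "0200.5e10.0005"),     # dotted notation as shown by IOS
    (20, "02-00-5E-10-00-40"),  # hyphen notation
    (30, "02:00:5e:aa:bb:cc"),
]

def mac_to_int(mac):
    """Normalise colon, hyphen or dotted notation to a 48-bit integer."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def int_to_mac(value):
    """Render a 48-bit integer as a lower-case colon-separated MAC."""
    text = f"{value:012x}"
    return ":".join(text[i:i + 2] for i in range(0, 12, 2))

def rogues_on_wire(rogue_radio_macs, wired_arp_entries):
    """Return (radio_mac, wired_mac, vlan) for every rogue whose radio MAC is
    exactly one above or one below a MAC seen on the wire."""
    wired = {mac_to_int(mac): vlan for vlan, mac in wired_arp_entries}
    findings = []
    for radio in rogue_radio_macs:
        radio_value = mac_to_int(radio)
        for delta in (-1, 1):
            candidate = radio_value + delta
            if candidate in wired:
                findings.append(
                    (int_to_mac(radio_value), int_to_mac(candidate), wired[candidate])
                )
    return findings

if __name__ == "__main__":
    for radio, wired_mac, vlan in rogues_on_wire(ROGUE_RADIOS, WIRED_ARP):
        print(f"rogue {radio} is on the wire as {wired_mac} in VLAN {vlan}")
```

A rogue whose wired and radio MACs differ by more than one, like the second entry in the sample, produces no match, which is the case the reply says needs RLDP instead.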

  • Does it need add the native vlan to allowed vlan list ?

    If I configured the port like this "
    switchport trunk native vlan 10
    switchport trunk allowed vlan 11,12"
    does the vlan 10 allowed passing ? or it still need add vlan 10 to the allowed vlan list like "
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,11,12"
    Thanks

    Yes you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
    The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
    But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shuts down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
    Kevin Dorrell
    Luxembourg

  • CSCur53506 - broadcast flood when allowed vlan add/remove on protected port

    Does not this Bug occur in IOS 15.XX ?

    Thanks for the reply - yes I did save it.  All the other ports have the command.  But when the phone boots up - it ends up disappearing after the above occurs:
    When the phone boots up - it seems to encounter a broadcast storm (???) the port goes from this:
    interface gigabitethernet36
    switchport trunk allowed vlan add 10
    to this:
    interface gigabitethernet36
    storm-control broadcast enable
    storm-control broadcast level 10
    storm-control include-multicast
    port security max 10
    port security mode max-addresses
    port security discard trap 60
    spanning-tree portfast
    switchport trunk allowed vlan add 10
    macro description ip_phone
    !next command is internal.
    macro auto smartport dynamic_type ip_phone
    Then in a minute or two I'm no longer able to ping the voicelan - and when I do a show run - gi36 isn't even visible.  However, the PC that is also on gi36 works fine.
    If I then reissue the 'switchport trunk allowed vlan add 10' to gi36 - the phone is pingable - and works continuously until the phone is rebooted.
    So I'm not really sure what happens during the bootup that causes this to happen, or a way to try and prevent it from occurring.

  • Switch Port Trunk allowed Vlan

    Hi Guys
    Request your help on my query :
    I have a distribution switch  and access switch and port channel between them.
    Dist switch is the VTP server
    let's assume I have 25 vlan
    when I do show vlan brief on the access switch I can see all 25 vlans listed now
    now when I configure switchport trunk allowed vlan (ex : permitting 10 vlans) on the link connecting to access switch at Dist switch
    Dist switch po1 -- connecting to - po Access switch
    Dist switch #
    int po1
    switchport trunk allowed vlan x,x,x,x,x,x,x,x,x,
    After permitting 10 vlan through trunk allowed vlan and then when I do show vlan brief on the access switch , I should see only the 10 vlan which I have permitted right ?
    Thanks in advance  

    Hi,
    John is absolutely correct - even if you do not permit a VLAN on a trunk, it can still provide communication among local ports on a switch that are all assigned to the same VLAN.
    I have a feeling that your original question was focused on a different aspect, though: You probably expected that if you exclude some VLANs from trunks, these VLANs will not be propagated via VTP to surrounding switches. Sadly, this is not the case. The switchport trunk allowed vlan command only affects data traffic in individual VLANs but it has no impact on the operation of VTP protocol. The VTP still advertises all VLANs, regardless of which VLANs are allowed on a trunk. To put it plainly, in a VTP domain, all server/client switches will know about all VLANs. There is no legal possibility of having a single VTP domain consisting of server/client switch and yet have the switches differ in their VLAN database contents. It's as easy as that: one VTP domain = one big common VLAN database.
    Best regards,
    Peter

  • How to add VLAN to trunk port on Cisco SF200-24

    Hello All,
    I have a question I want to ask:
    I have a Cisco SF200-24 switch and I want to configure VLANs as below:
    Port 1 to 10 = Vlan 100
    Port 11 to 21 = Vlan 200
    Port 22 to 24 = Vlan 300
    Port GE1 = Trunking (Primary)
    Port GE2 = Trunking (Secondary)
    How to add all VLAN 100, 200, 300 go through Trunking Primary and Secondary?
    Which port can I connect for management switch?
    Thanks 

    > How to add all VLAN 100, 200, 300 go through Trunking Primary and Secondary?
    Firstly set those ports as trunks via "VLAN Management" -> "Interface settings" - click on corresponding port, click on "edit.." button and select "Trunk" from list.
    Once those ports (GE1 and GE2) are as trunks, you can now assign them all desired VLANs via "VLAN Management" -> "Port VLAN Membership". Select first port (GE1), click "join VLAN" and select all desired VLANs from left list and put them to right list.
    and you are done.
    > Which port can I connect for management switch?
    By default, switch management IP is a part of default VLAN1. If you wanted to keep access to your switch, assign "VLAN1" to one of access ports, or change management VLAN to different number than 1 - but in this case don't forget to apply correct IP settings in order to meet subnet assigned in new VLAN.

  • Missing Allowed vlans on trunk on Standby ACE.

    Guys,
    I would like to know if allowing vlans under portchannel will replicate on standby unit. Somehow I see all configuration is sync except switchport trunk allowed vlan under Portchannel.
    Thanks
    Ajay

    Hi Siva,
    I remove 3rd port from port channel but still vlans are not getting sync.
    ACE1/Admin# sh vlan
    Vlans configured on physical port(s)
    vlan3001  vlan3060  vlan3200-3201  vlan3208  vlan3260-3262  vlan3264-3265  vlan3270-3272  vlan3274-3275  vlan3280  vlan3300-3302  vlan3650-3652  vlan3661-3663  vlan3668-3669  vlan4090
    ACE1/Admin#
    ACE2/Admin# sh vlan
    Vlans configured on physical port(s)
    vlan3001  vlan3200-3201  vlan3208  vlan3260-3262  vlan3264-3265  vlan3270-3272  vlan3274-3275  vlan3300-3302  vlan3650-3652  vlan3661  vlan3668-3669  vlan4090
    ACE2/Admin#
    ACE1/Admin# sh ft group status
    FT Group                     : 1
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    Peer State                   : FSM_FT_STATE_STANDBY_HOT
    Peer Id                      : 1
    No. of Contexts              : 1
    Running cfg sync status      : Running configuration sync has completed
    Startup cfg sync status      : Startup configuration sync has completed
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 4090
      query-interface vlan 3001
    ft group 1
      peer 1
      no preempt
      priority 150
      associate-context Admin
      inservice
    any suggestion/ next steps to troubleshoot ?
    Thanks
    Ajay

  • VTP Pruning vs Allowing VLANs on Trunk ports

    We would like to know best approach to reduce VLAN traffic on our network. We are currently trunking all fiber ports 802.1q.
    We have about 73 VLANs across the network. We have done a lot of research and there seem to be a lot of theoretical answers but no one who uses it in practice.
    Here are our current configs for fiber ports between closets:
    Cisco WMH6509
    interface GigabitEthernet2/8
     description Fiber To STB Lab 3850
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
     no ip address
     no snmp trap link-status
    end
    Cisco STB Lab 3850
    interface GigabitEthernet1/1/1
     description Fiber To WMH6509
     switchport mode trunk
    end
    We are considering:
    VTP Pruning Enable
               or
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 26,99,109,188
     switchport mode trunk
    Thanks,
    Tom

    As I have some years (cough - decades) software development experience, I lean toward automation solutions, so, for example, I often prefer dynamic routing over static routing, and so likewise, I prefer VTP over manual configuration on multiple devices.
    However, VTP does have some "quirks".  For example, this year I ran into an issue where an edge switch had a new VLAN defined to a port which wasn't in use on a transit switch, so VTP auto pruning, pruned it off the transit's uplink trunk.  (It was a bit of a pain to find the cause as VTP doesn't prune right away - edge worked for a bit and then it stopped working.  One fix would have been to stop using VTP auto-pruning, across the whole VTP domain, but instead, configured VTP to not auto-prune the needed VLAN across the needed trunk.)
    So, as Paul notes, VTP auto pruning might be easier to get going, but be prepared for unexpected incidents (again, not saying you'll have any, just be prepared).  So, if you're prepared, I would go with VTP auto pruning, but if you want to "play safe", go with Paul's recommendation.

  • Unable to add vrf to Vlan interface

    Running 3750 in stack Version 15.0(2)SE2
    I am getting error when trying to add vrf vlan int
    switch(config)#interface Vlan101
    switch(config-if)#ip vrf forwarding dummy
    % CEF table 0x6 does not exist (Vlan101).
    switch(config-if)#^Z
    Please help

    Yes Cef is by default on the switch i believe
    switch#sh ip cef
    Prefix               Next Hop             Interface
    0.0.0.0/0            10.34.68.1           FastEthernet0
    0.0.0.0/8            drop
    0.0.0.0/32           receive
    10.34.68.0/24        attached             FastEthernet0
    10.34.68.0/32        receive              FastEthernet0
    10.34.68.1/32        attached             FastEthernet0
    10.34.68.2/32        attached             FastEthernet0
    10.34.68.11/32       attached             FastEthernet0
    10.34.68.13/32       attached             FastEthernet0
    10.34.68.14/32       attached             FastEthernet0
    10.34.68.15/32       receive              FastEthernet0
    10.34.68.255/32      receive              FastEthernet0
    10.145.172.0/32      receive              Virtual3
    127.0.0.0/8          drop
    224.0.0.0/4          drop
    224.0.0.0/24         receive
    240.0.0.0/4          drop
    255.255.255.255/32   receive
