VLAN Trunking and GVRP

Decided we'd give the Cisco 300 series switches a try and see
what we think about them compared to our Cisco Catalyst 2960 switches.
I'm already stumped on setting up VLAN trunking between 4 switches. Do I have to manually setup all the VLAN's on each switch? I set them up on the first switch and was expecting GVRP would propagate them to the others like VTP.
Denny

Similar Messages

How to configure a port channel with VLAN trunking (and make it work..)

We're trying to configure a port channel group with trunked ports to connect a NetApp HA pair. We want to create two data LIFs and connect them to the switch stack. We are trying to create 2 data lifs, one for cifs and one for nfs that are on different vlans.
We want the same ports to be able to allow multiple vlans to communicate. (trunked)
These data lifs should be able to fail over to different nodes in the HA pair and still be able to communicate on the network.
What this means is that we have to connect 4 ports each for each node in the NetApp HA Pair to the switches and create a port channel of some type that allows for trunked vlans. When we configure the ports, the configuration is as follows (below):
We are only able to configure an IP on one of the vlans.
When we configure an IP from another vlan for the data lif, it does not respond to a ping.
Does anyone have any idea what I'm doing wrong on the Cisco switch?
interface GigabitEthernet4/0/12
description Netapp2-e0a
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet4/0/13
description Netapp2-e0c
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet6/0/12
description Netapp2-e0b
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet6/0/13
description Netapp2-e0d
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface Port-channel20
description Netapp2-NFS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
spanning-tree portfast
spanning-tree bpduguard enable
end

Our problem was fixed by the storage people. They changed the server end to trunk, and the encapsulation / etherchannel.
I like all the suggestions, and they probably helped out with the configuration getting this to work.
Thanks!
interface Port-channel20
description Netapp2-NFS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
interface GigabitEthernet4/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet4/0/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet6/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet6/0/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active

Trunking and the management VLAN

I have gotten my 5010's up and can get to them from mgmt0. The ip address for mgmt0 resides in VLAN 2 for me. I am getting ready to trunk my 5010's back to my 6500's. Do I need to make sure that VLAN 2 cannot be seen through the trunk ports since it resides on mgmt0?

I don't think this is technically right- the MGMT and the data-path aren't actually connected. The MgmT 0 port doesn't have any concept that it's on "vlan 2"- it's just an access port.
Similarly, if VLAN 2 is on the trunk port, the IP address you assigned to MGMT0 isn't going to respond.
If you configured "feature interface vlan" and then put an IP address on VLAN 2, you could mange this box that way- on two separate IP addresses, via the two separate connections.
With the current lack of ability to wrap ACLs around the Interface VLANs, I'm more comfortable NOT using interface-vlan commands, and using a single uplink to mgmt0. Loss of the mgmt0 port is now only loss of the ability to manage the switch, not a data-path impacting event. (unless you need to configure the switch to correct an data-path issue, in which case you've got problems.)
The shift to out-of-band is a nice feature, but it's going to require a big shift in thinking from an implementation standpoint.

After Enabling trunking and two VLANs on switchports - clients don't receive IP Addresses

Hello all and thanks for your help and expertise. Here's my scenario:
I have approximately 35 Ruckus APs in a building which has multiple VLANs. The switches are Cisco 3560G. I want to segment the wireless traffic onto a dedicated wireless VLAN (218). I created two scopes in DHCP to service the APs and wireless clients. The APs should get their IP addresses on VLAN 1 (VLAN 1 scope in dhcp.) The clients should get their IP addresses on VLAN 218 (VLAN 218 scope in dhcp). I utilized the following commands to accomplish this goal, unsuccessfully.
Example: on port gi0/5
1 - switchport trunk encapsulation dot1q
2 - switchport mode trunk
3 - switchport mode access
4 - switchport trunk allowed vlan 1,218
Problems: 1) The APs are not getting an IP address on the default or native VLAN 1 unless I configure an IP Helper. Please note we have another building where a consultant set this configuration up (and it works) but I don't see an IP helper set when I check the config for VLAN 1.
2) The wireless clients do not get an IP address on VLAN 218, even if I set an IP helper address. In the other building - there is an IP helper set on VLAN 218 so I'm not sure what I missing or if something else is configured.
I would greatly, greatly appreciate if someone could tell me what I'm missing here. Is there something else I have to do to ensure clients on vlan 1 and 218 are able to obtain dhcp addresses in the config of the switch? Do I have to further configure vlan 1 or 218? I'm enabling the correct encapsulation, trunking the ports, and setting the vlans. What am I missing here relative to APs and clients getting dhcp addresses. Anyway your help is much apprecaited.

You need vlan 218 on all switches and allowed on all trunks that need to pass traffic for that vlan.
You don't have to add it explicitly to STP as it should be run anyway but if you manually set STP priorities for other vlans you should probably do if for this vlan as well.
Shouldn't stop it working though.
If you manually assign a vlan 218 IP to a client can it ping the SVI IP ie. it's default gateway and if so can it ping devices in other vlans ?
Jon

Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

I'm not sure if I'm missing something basic here however i though that I'd ask the question. I recieved a request from a client who is trying to seperate traffic out of a IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which than connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
1. Private vlan mapping on the SVI;
2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
3. All Vlans are trunked between switches
4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause to most of the issues I am having. Has any one else experienced this behaviour. Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration. Any help would be appreciated.

Hello Emcmanamy, Bruce,
Thanks for your feedback.
Just like you, I have been facing the same problematic last months with my customer.
Regarding PVLAN on FEX, and as concluded in Bruce’s previous posts I understand :
You can configure a host interface as an isolated or community access port only.
We can configure “isolated trunk port” as well on a host interface. Maybe this specific point could be updated in the documentation.
This ability is documented here =>
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
You cannot configure a host interface as a promiscuous port.
You cannot configure a host interface as a private VLAN trunk port.
Indeed a pvlan is not allowed on a trunk defined on a FEX host interface.
However since NxOS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated before => system private-vlan fex trunk . When entered a warning about the presence of ‘FEX isolated trunks’ is prompted.
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
All these conditions are not met on a N5K interface.
Best regards.
Karim

VLAN trunking from Cisco Catalyst 3750 to Cisco SF300-48P issue and related

Hello expert,
I'm having difficulties to configure VLAN trunking between Cisco Catalyst 3750 switch with Cisco SF300-48P switch and my workstation unable to get any DHCP IP from our DHCP server via Cisco SF300-48P switch. Below is the snippet of configuration on both switches:
[Cisco Catalyst 3750 Switch]
interface GigabitEthernet1/0/45
description NCC-CC-1stFlr
no switchport trunk encapsulation dot1q
no switchport trunk allowed vlan 101-103
spanning-tree portfast
[Cisco SF300-48P Switch]
interface fastethernet48
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 101-103
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
interface fastethernet29
switchport mode general
switchport general allowed vlan add 103 tagged
switchport general pvid 103
Are these are correct? Kindly advice!
Thank you very much!
Regards,
Alex

Hi Alex,
for the trunk port on Catalyst on port GE 1/0/45, we need to enable the trunk and for on encapsulation dot1q because this catalyst model is ISL capable also and the SF300 working only with Dot1q Encapsultion
The configuration on catalyst should :
#config terminal
#interface Gi 1/0/45
# switchport encapsulation
#switchport trunk encapsulation dot1q
#switchport mode trunk
#switchport trunk allowed vlan 101-103
#spanning-tree portfast
For SF300 the port trunk it looks fine but for the port where the PC should receive an IP address
#interface fastethernet29
#switchport mode access
#switchport ccess vlan 103
Please let me know after this configuration
Thanks
Mehdi
Please rate or mark as answered to help other Cisco Customers

Does the 8540 support VLAN Trunking

I would like to VLAN trunk four VLANs(8540 bridge-groups) from an 8540 switch router to a Cat 5000. I have not seen in Cisco's documentation anything that indicates that the 8540 supports VLAN trunking.

8540 supports both ISL and 802.1q VLAN trunking
http://www.cisco.com/univercd/cc/td/doc/product/atm/c8540/12_1/pereg_1/quick_cg/layer3.htm#39775

SGE2010 switches, VLAN's and a blocked port in spanning-tree

Folks,
I have 2 switch groups.
2 SGE2010's with VLAN's defined as 10,20 and 30
Vlan 10 is the management VLAN, and it uplinks to our border router.
Vlan 20 is the workstation VLAN, and all workstations point to the switch as their default GW
Vlan 30 is the ip phone VLAN, and all phones use this as their gateway.
I would like to put a LAG between said switches, we have some servers on the ip phone switch that need to be accessed by the workstation clients, and the single 100mb link through the router is probably not going to be enough.
As I understand it, because the switches have different networks on them, a simple lag will not work. I did create a lag, and assign ip addresses to each side, however in that mode, it doesn't appear I can block vlan 10 from transiting the LAG, and with out that block I will end up with a logical loop, and spanning-tree will block one of the uplinks, or the LAG itself.
I have attached an image with a diagram of our current set up.
Any help/advice would be much appreciated.

Tom,
I remember our conversation a few weeks ago. I did not get a chance to have a go at MSTP, mainly because I have no expierence with it, and looking at the configuration properities, it looks a little daunting.
It has also been a very busy few weeks with the deployment of 200+ phones across several sites, and the system is functioning great with out the LAG trunk, I am just trying to plan for the future.
I made a few postings a few weeks ago, one here and one on the Cisco forums on reddit, and a user there gave me some advice I have been unable to make work (I think it's just wrong), but I would love to go this route if it is in fact possible.
Here is the thread : http://www.reddit.com/r/Cisco/comments/x91tc/vlan_trunks_spanning_tree_and_a_port_blocked/c5kskch
This user implies it's possible to block a VLAN across the LAG which would end the logical loop problems.
It looks like his advice is to make the LAG into a trunk, and then block specific VLAN's from transiting it, but in trunk mode, I can't assign it an IP, so I am sorta wondering how exactly you transport packets across it.
Can you confirm that his advice is in fact incorrect?
If MSTP is my only route, then I suppose it's time to dig into the docs and see If I cant get it up and running.

Encrypting vlan-trunk traffic between switches

Hi,
Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches. The switchces will be connected with fiber and use dot-1q tagging. And I wan't to encrypt all of the trunked traffic.
I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
Thanks for any input,
Regards,
Oyvind Mathiesen
mnemonic
Norway

Hi,
Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the ammount of MAC addresses broadcasted on the "wire". But let me first give you an understanding of the task:
We have two sites, connected via fibre and we want to create a VLAN trunk across and order to expand the broadcast domains to te other site.
The IDIOT carrier, has a limitation on the number of MAC addresses they allow on the fibre service, 100.
We also need to encrypt the datatraversing this connectivity.
MACsec wuold work 100% exept the source and dstination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M9hoTDHxY22WGz2h7yB7YRLyPvRUbGS8TICzvEMlG92xqbhy6RWFugmnj&sig=AHIEtbTfu0LQIJejdYidE6yzq4lpPifxjQ
And that would cause me to eat into the 100 MAC limit.
Ridiculous I know, but we are looking for an out-of-the-norm plan...
Thanks

Dynamic VLAN assignment and Layer 3 switching on 300 series

I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right?
I'm new to VLAN configuration and layer 3 switching so I wanted to check my understanding. Doesn't this limitation significantly reduce the usefulness of the DVA feature?
I may well be confused and missing something regarding how this is typically used..

Hello Glenn,
Your concept about packet forwarding is correct. With a layer 2 switch, there must be something directing traffic with multiple subnets for intervlan communication or something that provides an IP route to give the request a path back for the request.
The usefulness for the DVA feature, is not particularly limited to the switch as the switch will correctly assign the VLAN for you, as VS the L3 switch mode, you're dealing with IP addresses. In any scenario, you're going to require a router to get to the internet since the switch does not support NAT.
Additionally, if you're router does not support VLAN, the L3 switch feature would still be the solution since you should be able to make a static route pointing back to the switch to allow any subnet to traverse the single media. It would still beg the question, how to assign VLAN dynamically.
The answer, although (in my opinion is terrible) would be GVRP. But, this application would require ALL of your network cards to be GVRP Enable / Capable which most likely is not the scenario for you (or most anyone else for that matter).

Vlans, voice and data

I am implementing voip, we want to plug the pc into the phone and make both see the network but yet they are on different vlans, how does the port know which data is for voice and what data is for the pc ? do you enable the port to see both vlans by the swithport mode command, or does the port only go into 1 vlan ? At the moment we have vlan 200 and vlan 1, We have just plugged the phones in vlan 200 and pc's in vlan 1 but at the moment they are in seperate ports, I want to know what we will have to to when we plug both phone and pc into one port ?
thanks
Carlos
thanks

Hi Carl,
Nops not at all this is not the normal way to configure ip phone and pc together to a switchport. Infact on switches with current code and mostaly all the switches you cannot configure 2 dats vlan on same port like you are doing now.
If you give switchport voice vlan 200 and switch port access vlan 1 then they are 2 different kind of vlans and will work on same port.
Now when you give switchport access vlan 1 means there will be no tag and it is justa frame without any tagging and saying it belongs to vlan 1 as as it reaches the switchport it gets pvid of vlan 1.
When you configure switchport voice vlan 200 it will be a tagged vlan. Because ip phones are switches itlsef as soon as you give voice vlan command it will form an internal trunk and start sending voice data on tagged with vlan 200 and switchport will understand that tagged traffic and will come to know it is for vlan 200 and voice traffic,
HTH
Ankur

Cisco VLAN Trunking Protocol Vulnerability

I have got a cisco 2821 model router with a c2800nm-advipservicesk9-mz.151-2.T4 IOS, and was reported with 'Cisco VLAN Trunking Protocol Vulnerability'.
Though the device is in server mode, I do not have any domain name or trunk port configured.
Is my device really vulnerable? If yes, whats next?

Hi Alex,
for the trunk port on Catalyst on port GE 1/0/45, we need to enable the trunk and for on encapsulation dot1q because this catalyst model is ISL capable also and the SF300 working only with Dot1q Encapsultion
The configuration on catalyst should :
#config terminal
#interface Gi 1/0/45
# switchport encapsulation
#switchport trunk encapsulation dot1q
#switchport mode trunk
#switchport trunk allowed vlan 101-103
#spanning-tree portfast
For SF300 the port trunk it looks fine but for the port where the PC should receive an IP address
#interface fastethernet29
#switchport mode access
#switchport ccess vlan 103
Please let me know after this configuration
Thanks
Mehdi
Please rate or mark as answered to help other Cisco Customers

VLAN trunking

I have a 2950T-48-SI, a 3508G-XL, and a 3548-XL.
The 2950T and the 3508 are connected via Gig0/1 on the 2950 and Gig0/7 on the 3508.
The 3548 and the 3508 are connected via Gig0/1 on the 3548 and Gig0/1 on the 3508.
I have been using only the default VLAN for all of my devices. I now want to add a new VLAN (#10) and I want to be able to move each workstation port to a specific VLAN as needed.
Devices on the 2 VLANS do NOT need to communicate with each other and each VLAN has its own router.
Ive created the new VLAN on all switches. The VLAN10 router is connected to the 2950, as is a port in my office. When I assign that port in my office to VLAN10, I get a DHCP address from my VLAN10 router and I get out to the world correctly (through the VLAN10 router and not the VLAN1 router). So I know that the basic VLAN10 is working properly, getting to the correct router, etc.
The problem comes when I try to reconfigure the remote switches (the 3508 and the 3548) to use the new VLAN (in addition to the default VLAN). I can get the 3548 to talk to the 3508 correctly on VLAN10, but I cant get the 3508 to talk to the 2950 on VLAN10.
The options for Administrative Mode and Administrative Encapsulation on the Gigabit ports are different on the 2950 switch than they are on the 3500XL series, and I guess I dont know how to set them up correctly.
On the 2950, the only Administrative Encapsulation choice is 802.1Q. The Administrative Mode choices are:
Static Access
Dynamic Access
Dynamic Desirable
Dynamic Auto
802.1Q Trunk
802.1Q Trunk NonNegotiate
On the 3508 and 3548, the only Administrative Encapsulation choice is ISL. The Administrative Mode choices are:
Static Access
Multi-VLAN
Dynamic Access
ISL Trunk
802.1Q Trunk
It seems like the Encapsulation settings should match on both ends, but that doesnt seem to be possible on these switches
Can someone help educate me ?
Thanks, Susan

Hi Susan,
The encapsulation settings need not be same through out the network and it should be same on 2 oints connected to each other.
Yes 2950 only supports dot1q
So when you connect 2950T and the 3508 via Gig0/1 on the 2950 and Gig0/7 on the 3508 you can use dot1q encapslation and just issue a command
switchport mode trunk
When you connect 3548 and the 3508 via Gig0/1 on the 3548 and Gig0/1 on the 3508 you can also use dot1q trunk or ISL trunk your wish but better to use dot1q.
config t
interface interface_id
switchport mode trunk
switchport trunk encapsulation dot1q
If you issue this config on all the switches connected to each other it should definetely form a trunk.
Only thing is when you put this commands on 2950 switch need not put dot1q as it only supports dot1q
config t
interface interface_id
switchport mode trunk
HTH, if yes please rate the post.
Ankur

Lost Packets in certain customer VLANs Trunked over ME

I work for a service provider that configures CPE networks for our customers. We have one customer that we are setting up a Disaster Recovery site over Metro Ethernet. The customers servers need L2 connectivity to the data center for redundancy. The customer wants their VLANs on their 4510 mirrored on a 3750 at the DR site. A gigabit ME VLAN was setup through our ME network between the 2 sites. The 3750 and 4510 were staged at the customer site and tested before the 3750 was moved to the remote DR site and connected by ME.
The 3750 and 4510 were directly connected on a dot1q trunk between the two switches. About 18 vlans are trunked between the 2 switches, about 15 of which have L3 Vlan interfaces configured.
The issue we are having is that packets are getting dropped, on certain customer vlans, but not others. All Vlans worked properly when the 3750 was directly connected to the 4510 at the datacenter.
Our network engineers in charge of the ME noticed MAC-Flap errors on ME switches at the Data Center and the DR site. It see the Mac Address of Interface Vlan 101 and Interface Vlan 318 of the 3750 switch on both the customer access port on both ME 3400 switches (uni) and the ME trunk ports (nni). No other vlans are having issues with lost packets, or connectivity.
On ME 3400 switch uni tunnel port is vlan 459. Native vlan is 540 on 3400 and is the switch mgt vlan.
Has anyone run into this before?

I think commonsense101 means the "Customer Agreement" and the following passage in particular.
"Where and How Does Verizon Wireless Service Work?
Wireless devices use radio transmissions, so unfortunately you can't get Service if your device isn't in range of a transmission signal. And please be aware that even within your Coverage Area, many things can affect the availability and quality of your Service, including network capacity, your device, terrain, buildings, foliage and weather."

How many VLANs supported via MACsec VLAN-trunk link?

Hi,
Any one know how many VLANs maximum allowed across a MACsec link between two C6500 with Sup2Ts or between two N7K respectively?
As far as I know, C3750X has limitation of 8 VLANs, according to
•Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/trustsec.html
Thanks,
Cedar

Hi,
Any one know how many VLANs maximum allowed across a MACsec link between two C6500 with Sup2Ts or between two N7K respectively?
As far as I know, C3750X has limitation of 8 VLANs, according to
•Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/trustsec.html
Thanks,
Cedar

VLAN Trunking and GVRP

Similar Messages

Maybe you are looking for