VLANs across switches without trunking

Assuming that you only have one VLAN, is it possible to have that single VLAN reach across multiple switches without trunk ports? I've inherited a network of a handful of Cat 6506s and Cat 4006s, which have one big flat /22 in a single VLAN. I'd like to break it up into smaller chunks and separate VLANs, but I'm rather surprised that it appears to be working with one VLAN but without trunks.

Actually you can run separate access port links per VLAN, chewing up a separate physical port per VLAN on each switch. There was a 2900 series switch I had a long time ago that supported VLANs but not trunks.
It had a feature called multi vlan that you could add to a port, but this was a way of letting one port talk to all VLANs and was messy.
But you could run a separate cable for each VLAN. If you have 5 VLANs then 5 cables between switch A and switch B: port 1 vlan 1, port 2 vlan 2, port 3 vlan 3, etc.

Similar Messages

  • Span VLANs across switches

    VLANs are new to me so please forgive me -
    We have 5 Cisco sg500x switches. We need to create two vlans across some or all of the switches.
    I have been successful in creating vlan1 on one switch and excluding and including ports to segregate traffic. My problem is I can’t get the other switches to see vlan1 that was created on the original switch. I have enabled gvrp on all switches and ports assigned to the vlan but no luck in getting vlan1 devices to communicate across switches. How do I make this work? I think my main problem is creating uplink ports between the switches to carry the vlan across.
    How do I go about spanning vlans across the switches?
    Many thanks

    Thanks Robert, I think that has got me a bit further in that I'm not getting the VLAN MISMATCH error any more. I believe it was because the trunk ports were marked as untagged. I still don't feel I understand the NATIVE VLAN concept or how to set it. If I have the default VLAN (1) and I have the VLAN I am trying to span across two switches (VLAN2), do I then need a 3rd VLAN to be the native for either end of the trunk between the two switches? Anyway, this is what I've done in more detail -
    On Switch 1
    Create VLAN 2: VLAN ID 2
    Set port 2 as follows: Default VLAN1 = forbidden, VLAN2 = trunk, tagged
    Set port 3 as follows: Default VLAN1 = forbidden, VLAN2 = access, untagged
    On Switch 2
    Create VLAN 2: VLAN ID 2
    Set port 2 as follows: Default VLAN1 = forbidden, VLAN2 = trunk, tagged
    Set port 3 as follows: Default VLAN1 = forbidden, VLAN2 = access, untagged
    With rj45 connect port 2 on both switches to each other. Clients connected to port 3 on both switches cannot ping each other across the trunk.
    Seeing this in the logs:
    Warning: %STP-W-PORTSTATUS:gi1/1/2: STP status Forwarding
    IP info:
    Default VLAN1 on 172.16.1.0/21
    VLAN2 on 172.16.40.0/21
    Any suggestions or areas to investigate would be helpful however obvious they may seem to anyone as this is my first effort with a Cisco. Thanks

  • Private vlan across switches in NX-OS

    Hi,
    I'm trying to make a scenario to span private vlan across multiple switches but I couldn't get this to work in NX-OS N7K.
    My topology is similar to the one in the picture attached.
    I tried to ping from isolated host vlan 201 in switch A to isolated host vlan 202 in switch B. Promiscuous trunk port has been configured to upstream router in Switch A. From switch a to switch b is a normal trunk port.
    But still, I can't establish any connectivity from host vlan 201 to host vlan 202.
    Any suggestion?
    thanks

    Jerry -
    Any idea why? This breaks the ability to use moderately complex ACLs. For example - how would you configure scavenger class traffic to ignore some traffic, and mark other?
    Carole

  • Wireless AP native vlan and switch trunk

    Hi,
    I am unable to ping my AP. I think it is due to the multiple VLAN issues. Can you provide some advice? My config for the AP and switch is below.
    AP Config
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname hostname
    logging rate-limit console 9
    enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
    no aaa new-model
    ip cef
    dot11 syslog
    dot11 ssid Personal
       vlan 2
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 070E26451F5A17113741595D
    crypto pki token default removal timeout 0
    username Cisco password 7 1531021F0725
    bridge irb
    interface Dot11Radio0
    no ip address
    encryption vlan 2 mode ciphers aes-ccm tkip
    ssid Personal
    antenna gain 0
    stbc
    beamform ofdm
    station-role root
    no dot11 extension aironet
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio0.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio1
    no ip address
    encryption vlan 2 mode ciphers aes-ccm tkip
    ssid Personal
    antenna gain 0
    no dfs band block
    stbc
    beamform ofdm
    channel dfs
    station-role root
    interface Dot11Radio1.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio1.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 spanning-disabled
    no bridge-group 2 source-learning
    interface GigabitEthernet0.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    interface BVI1
    ip address 192.168.1.100 255.255.255.0
    ip default-gateway 192.168.1.1
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    password 7 01181101521F
    login
    transport input all
    end
    Switch Port config
    interface FastEthernet1/0/10
    switchport trunk native vlan 100
    switchport mode trunk

    I will re-check the routing again but could it be some bridging issues ?
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed auto
    **** unable to put up this command on the giga port
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    I try to put this command on the gigaethernet port but it does not allow me, could this be the bridging  issue ?

  • Creating multiple vlans across multiple switches

    Hi All,
    How should I create multiple vlans across multiple switches?
    For instance, I have two (primary/redundant) layer 3 (core) switches and four layer 2 access switches (Cisco 2960) for the hosts, and given these are the VLANs/subnets to be created. Should I do it in the core switches only and it would just propagate through the access via VTP? Just trying to practice and learn. Any help will be greatly appreciated :)
    VLAN 100: [DHCP-workstations]
    172.26.4.0/24
    172.26.5.0/24
    VLAN 200: [Servers]
    172.16.1.0/24
    172.16.2.0/24
    VLAN 300: [Printers]
    192.168.129.0/24
    192.168.130.0/24
    VLAN 800: [Management for switches/routers]
    10.160.1.0/24

    Hi
    You will have the SVI on the core. Set a VTP domain, make one of the cores as VTP server and rest of the switches as VTP clients. Once you do this, you won't have to login into each switch and create a vlan locally. The vlans will be automatically advertised from the VTP server to all the VTP clients.
    Thanks
    Ankur
    "Please rate the post if found useful"

  • Spanning vlans across access switches in distribution block.... please help

    Hi All
    Can someone please explain why Cisco states that in a Campus Hierarchical model, if VLANs are spanned across Access switches in a distribution block, then the Distribution to distribution link should be Layer 2? Is this really necessary or just a recommendation, and if so why? Can't this link be a L3 link when spanning VLANs across Access switches in a distribution block, as I understand the benefit of having a L3 distribution to distribution link is so that SPT is avoided.
    Please help

    Hello,
    The Cisco recommended design is L3 links, but this is only possible if you have no VLANs you need to span over the whole network.
    It depends on your topology or what you want to achieve.
    If you need one or more VLANs spanned across the LAN, you need to use a layer 2 connection between all switches and between distribution too.
    In my company we have for example a few VLANs for restricted areas, like device management or else, so we can't use L3 links in the distribution area because these VLANs are terminated at the firewall. I think this is a good thing.
    I would recommend, if you don't have to span one or more VLANs across the network, that you use L3 links, especially in the case of redundant paths. Then you need no spanning tree, but need to use other protocols like GLBP or else. They work faster and are not so confusing (for some people) as STP.
    best regards,
    Sebastian

  • Configure VLANs across multiple switches

    Hi.
    I'm trying to configure a segregated network using a VLAN. There are 5 switches on the site (all SG200). A router with 2 interfaces - one for the normal network and for the segregated network - is connected and located at switch 1. The network which needs to be segregated and the PCs on it are connected to a port on switch 5. Switch 1 is connected to switch 2, 2 to 3, 3 to 4 and 4 to 5.
    I have created a VLAN but can't get the network to talk to the first switch over the link. I have created a VLAN ID 10 on each switch. Do the switches have to be linked together logically in some way to get this to work.
    Thanks.

    Hi,
    Try to create the VLAN 5 in all switches. I have assumed that the Management VLAN for all switches is VLAN 1. Kindly configure a trunk between switch 1 to S2, S2 to S3, S3 to S4, S4 to S5, S5 to S1. Allow the VLANs 1U,10T.
    regards
    Moorthy

  • Switch Port Trunk allowed Vlan

    Hi Guys
    Request your help on my query :
    I have a distribution switch  and access switch and port channel between them.
    Dist switch is the VTP server
    Let's assume I have 25 VLANs
    when I do show vlan brief on the access switch I can see all 25 VLANs listed now
    Now when I configure switchport trunk allowed vlan (ex: permitting 10 VLANs) on the link connecting to the access switch at the Dist switch
    Dist switch po1 -- connecting to - po Access switch
    Dist switch #
    int po1
    switchport trunk allowed vlan x,x,x,x,x,x,x,x,x,
    After permitting 10 VLANs through trunk allowed vlan, and then when I do show vlan brief on the access switch, I should see only the 10 VLANs which I have permitted, right?
    Thanks in advance  

    Hi,
    John is absolutely correct - even if you do not permit a VLAN on a trunk, it can still provide communication among local ports on a switch that are all assigned to the same VLAN.
    I have a feeling that your original question was focused on a different aspect, though: You probably expected that if you exclude some VLANs from trunks, these VLANs will not be propagated via VTP to surrounding switches. Sadly, this is not the case. The switchport trunk allowed vlan command only affects data traffic in individual VLANs but it has no impact on the operation of the VTP protocol. VTP still advertises all VLANs, regardless of which VLANs are allowed on a trunk. To put it plainly, in a VTP domain, all server/client switches will know about all VLANs. There is no legal possibility of having a single VTP domain consisting of server/client switches and yet have the switches differ in their VLAN database contents. It's as easy as that: one VTP domain = one big common VLAN database.
    Best regards,
    Peter
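The split Peter describes between what VTP makes known and what a trunk carries, as an added example that is not part of the original thread: it expands `switchport trunk allowed vlan` lists (including `add`/`remove` lines) from both ends of a link and compares the result with the VTP VLAN set. The configs, the interface name and the 25-VLAN database are constructed sample data, and the helper names are hypothetical.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))  # IOS trunk default: every VLAN 1-4094 allowed

def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '10,20,30-35' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_allowed(config, interface):
    """Effective allowed-VLAN set for one trunk interface in an IOS-style config."""
    allowed, in_stanza, is_trunk = set(ALL_VLANS), False, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level line starts or ends a stanza
            in_stanza = line.lower() == f"interface {interface}".lower()
            continue
        if not in_stanza:
            continue
        if line == "switchport mode trunk":
            is_trunk = True
        m = re.fullmatch(r"switchport trunk allowed vlan (add |remove )?([\d,\- ]+)", line)
        if m:
            vlans = parse_vlan_list(m.group(2))
            if m.group(1) == "add ":
                allowed |= vlans
            elif m.group(1) == "remove ":
                allowed -= vlans
            else:
                allowed = vlans
    if not is_trunk:
        raise ValueError(f"{interface} is not configured as a trunk")
    return allowed

def link_report(vtp_vlans, side_a, side_b):
    """Compare what VTP makes known with what the link actually carries."""
    known = set(vtp_vlans)
    carried = known & side_a & side_b  # a VLAN must be allowed on both ends
    return {
        "known_on_both_switches": sorted(known),
        "carried_on_link": sorted(carried),
        "known_but_not_carried": sorted(known - carried),
    }

# Constructed sample: 25 VLANs in the VTP domain, 10 permitted on the distribution side.
VTP_VLANS = range(1, 26)
DIST_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 1-5,10
 switchport trunk allowed vlan add 20-23
"""
ACCESS_CONFIG = """\
interface Port-channel1
 switchport mode trunk
"""

def demo():
    return link_report(VTP_VLANS,
                       trunk_allowed(DIST_CONFIG, "Port-channel1"),
                       trunk_allowed(ACCESS_CONFIG, "Port-channel1"))

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The access switch still lists all 25 VLANs, but only the 10 allowed on the distribution side pass traffic over the port channel.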

  • Distinguishing Vlans without Trunking ?

    Hi,
    How does a switch distinguish one Vlan from another if trunking is not involved ?
    For Example: Switch A is connected to Switch B via a X-over cable. I place two ports at either end of the X-over cable into VLAN 2. I place one PC on switch A in VLAN 2 and one PC in switch B in VLAN 2. The result is that they can communicate. If I place one of the PC's into VLAN 1 then they cannot communicate. Is there a tagging mechanism involved here even though trunking isn't being used ?
    Has anyone got an example of the frame format for Ethernet for this scenario ?
    Cheers,
    Phil.

    Devices connected to an access port (versus a trunk port) do not receive VLAN information.
    For example, if you connected port 1 from switch A (which happens to be in VLAN 100) via crossover to another switch port 1 (which happens to be in VLAN 200), neither switch would know anything about the VLANs on the other switch.
    Tags are added on the ingress to an access port, and stripped at the egress from an access port.
    Traffic going from one port to another in the same VLAN (on the same switch) is not tagged (I believe).
    If you connected a "dumb" (unmanaged) switch into a port that is associated with a VLAN on the host switch, then all of the extended ports will also appear in the VLAN of the host switch's outbound trunk.
    The short version is that VLANs do not come into play for things plugged into an access port.
    Good Luck
    Scott
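The frame format Phil asks about, as an added example that is not part of the original thread: it builds and parses the bytes seen on an access link, on an 802.1Q trunk and on a trunk's native VLAN, then shows which VLAN the receiving port assigns. It goes slightly beyond the question by also parsing stacked (QinQ) tags; the MAC addresses and payload are constructed, and dropping tagged frames on an access port is a simplifying assumption (platforms differ).

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag (outer tag in QinQ)

def build_frame(dst, src, ethertype, payload, tags=()):
    """Serialize an Ethernet frame. tags: (tpid, pcp, dei, vid) tuples, outermost first."""
    frame = dst + src
    for tpid, pcp, dei, vid in tags:
        if not 0 <= vid <= 0x0FFF:
            raise ValueError("VID is a 12-bit field")
        frame += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Split a frame into addresses, VLAN tags (outermost first), EtherType, payload."""
    tags, offset = [], 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_CTAG, TPID_STAG):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": etype, "payload": frame[offset + 2:]}

def egress(dst, src, ethertype, payload, vlan, mode, native_vlan=1):
    """Bytes a switch puts on the wire for a frame it holds internally in `vlan`."""
    if mode == "access" or vlan == native_vlan:
        return build_frame(dst, src, ethertype, payload)  # leaves untagged
    return build_frame(dst, src, ethertype, payload, [(TPID_CTAG, 0, 0, vlan)])

def ingress_vlan(frame, mode, access_vlan=1, native_vlan=1):
    """VLAN the receiving port assigns to the frame, or None if it is dropped."""
    tags = parse_frame(frame)["tags"]
    if mode == "access":
        return access_vlan if not tags else None  # assumption: tagged frames dropped
    return tags[0]["vid"] if tags else native_vlan

# Constructed sample addresses and payload.
PC_A = bytes.fromhex("020000000a01")
PC_B = bytes.fromhex("020000000b01")
PAYLOAD = bytes(46)

def demo():
    access = egress(PC_B, PC_A, 0x0800, PAYLOAD, vlan=2, mode="access")
    trunk = egress(PC_B, PC_A, 0x0800, PAYLOAD, vlan=2, mode="trunk", native_vlan=1)
    native = egress(PC_B, PC_A, 0x0800, PAYLOAD, vlan=100, mode="trunk", native_vlan=100)
    return {
        "access_tags": parse_frame(access)["tags"],             # nothing on the wire
        "far_end_vlan_200": ingress_vlan(access, "access", access_vlan=200),
        "trunk_vid": parse_frame(trunk)["tags"][0]["vid"],
        "tag_overhead": len(trunk) - len(access),
        "native_mismatch": ingress_vlan(native, "trunk", native_vlan=1),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `native_mismatch` result shows why both ends of a trunk need the same native VLAN: an untagged frame sent from VLAN 100 is placed in VLAN 1 by a peer whose native VLAN is 1.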

  • How to span vlans across core layer in core/distribution/access campus design?

    Hi,
    I studied Cisco Borderless Campus Design Guide 1.0 (http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.html) last week because we plan to redesign our campus backbone to a three tier Core/Distribution/Access Design.
    Today we use a collapsed backbone where a lot of vlans are spanned across the backbone because they are needed in different buildings.
    Could anybody give me a hint how Cisco recommends to deal with that kind of vlans in the multi-tier design?
    In my eyes between core and distribution layer there is only routing functionality and no l2 transport of vlans.
    So using the same vlan in different buildings seems not to be supported?
    Best Regards,
    Thorsten

    Thorsten
    Just to add to Joseph's post.
    It is quite common for a vlan to be spanned when it doesn't actually need to be ie. the network has evolved that way.
    Most things do not need L2 adjacency, they can happily use L3. Servers sometimes do but in the campus design your servers are usually located in one site so you don't need to extend vlans to other sites in your campus.
    Not suggesting this is the case for you but it may be worth checking whether you really do. (apologies if you already have)
    As Joseph mentioned you really want to avoid it if at all possible ie. ideally all connections to the core switches are L3 ie. no need for vlans at all in the core.
    If you need to extend a few vlans then you can do this but still route for all other vlans ie. you would configure your distribution to core connections as trunks and then allow the vlans you need to extend plus one other vlan, unique per distribution pair, to route all other vlans. So per site your distribution switches route all vlans except the extended vlans and if they need to route to a vlan in another site they use that unique vlan.
    But this is not ideal because you then need to extend certain vlans across the core and because you are using L2 connections STP could come into it although that does depend on your core switch selection eg. 4500/6500 VSS etc. would alleviate this.
    There are ways to extend vlans across a L3 network but the solutions available are very much dependent on the kit you use and their capabilities so if you do need multiple vlans in multiple sites but still want to keep a L3 core you may want to investigate some of those before purchasing kit (unless of course you have already purchased it).
    What you do really depends on just how many vlans you actually need to extend between sites.
    Jon

  • Extending VLANs across routed interfaces

    Hello;
    I'm trying to create a L3 core network. The core equipment will be Cisco 3750 enhanced. My idea is make each link between core 3750 a routed interface, with /30 IP addresses.
    The problem is the customer needs some VLANs extended across the full enterprise. Is there any way to encapsulate the VLAN inside routed interface?
    Thanks in advance.

    I realize this thread is 5+ years old, but I feel like commenting anyway.
    If you want to encapsulate the vlan across that link, you won't be able to use routed interfaces.  You will need to use a layer 2 trunk(dot1q).  Therefore, I wouldn't bother with the /30 addresses unless you want to monitor that specific link by IP.  In that case, use a special VLAN just for those two interfaces and put your /30 addresses on the vlan interfaces.
    If you want fast fail over on a layer 2 link, well then, use Rapid STP.  The goal should be to get rid of those flat VLANs that span the core and switch to your original plan of routed interfaces using EIGRP or OSPF.

  • Significance of native vlan in switching environment

    Folks,
    Can someone please tell me the significance of native vlan in a switched environment? I mean, why do we need it, and why does it not get tagged by the switches when it is going over a trunk?
    Thanks

    Thanks for the response, I will make sure that I grade this post. In continuation of our discussion:
    Why did dot1q give a concept like native vlan? What was the purpose behind it? Why did they think of sending vlan information from one switch to the other without tagging it?
    Also, in a layer 2 switch, let's say that I have vlan 1 in shutdown mode, and all ports are in vlan 100, and I create an int vlan 100. Does this vlan automatically become the management vlan, since it has an IP address?
    Thanks

  • VLANs across EoMPLS

    Hi there
    I wonder if it is possible to transport QinQ across an EoMPLS connection, so the EoMPLS is transparent to the QinQ (i.e. transport a trunk of VLANs across the EoMPLS connection)?

    Hi there,
    It is possible to transport QinQ across EoMPLS.
    EoMPLS can operate in two modes: port-tunneling mode and VLAN-tunneling mode. Port-tunneling is also referred to as port-to-port transport, which supports QinQ.
    Here are some more details. This type of transport defines one of the Metro Ethernet Services called Ethernet Wire Service (EWS).
    EWS is a non-multiplexed point-to-point service. It is P2P as it resembles a PVC. It is a wire service as a port does not have multiplexing. A customer port connects to a single remote customer port. This is similar to a leased line.
    The EWS counterpart is Ethernet Relay Service (ERS), which is a VLAN multiplexed P2P service. In the ERS service, multiplexing is available based on VLAN, such that different customer VLANs within a customer port can connect to different sites. This is similar to a Frame Relay port.
    EWS, being a transparent service, uses QinQ facing the customer to provide "VLAN bundling" in a port-based service and achieve transparency for customer bridge protocol data units (BPDUs).
    An example of QinQ transport over EoMPLS would be Switch to Switch Port-based EoMPLS transport.
    Hope it helps.
    Cheers
    Zeshan

  • Catalyst 6500 Block Switching Between Trunk Ports

    Hello all,
    I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between each other. The remaining three ports would only be able to switch to the primary trunk port.
    For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
    Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
    Does anyone have any ideas on how to accomplish this?

    I'm really not all that savvy on private VLANs but I did look at them as an option. Would they be effective on trunk ports? Most config examples I have seen have shown them applied on access ports.
    Can't see switchport protected:
    6509(config-if)#switchport protected
                                              ^
    % Invalid input detected at '^' marker.

