Archive for September, 2008

Troubleshoot VLAN trunks

Cisco Routers/Switches, How-to, IOS Fundamentals

The syntax for setting up VLAN trunks on Cisco switches is straightforward, but a simple typo can keep them from working. Here are some simple troubleshooting steps to resolve trunking problems.

Trunking problems usually come down to one of two things: either the entire trunk will not establish, or a single VLAN will not communicate across the trunk. A detailed explanation of setting up VLAN trunks can be found here.


Problem 1: The trunk will not establish.

Step 1: Verify the native VLAN
When working with 802.1q VLAN trunks, the most common error is that the native VLAN is different on each end of the trunk. Both switches will log a native VLAN mismatch error at the console. Look at the difference in the configuration with the show run int gigabit 0/1 command.

Switch A
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10,15

Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
switchport trunk allowed vlan 5,10,15

Note that Switch A has a native VLAN of 5 and Switch B has a native VLAN of 15. This will prevent the trunk from establishing. Another problem is created when the native VLAN is specified on one switch but not the other. The switch without a specified native VLAN defaults to VLAN 1 as its native VLAN and creates the same native VLAN mismatch error as above, but the cause is less obvious because the mismatched value never appears in that switch's configuration.

Switch A
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 5,10,15
! No native VLAN is specified, so it defaults to VLAN 1

Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
switchport trunk allowed vlan 5,10,15

Another problem that can keep the trunk from establishing is a port left in access mode. Access mode prevents the port from transmitting the proper VLAN information to the next switch. The improper configuration will look something like this:

Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport mode access
switchport trunk native vlan 15
switchport trunk allowed vlan 5,10,15

Remove the access mode to resolve the problem. Because switchport mode is a single setting, re-applying switchport mode trunk has the same effect.

switchB(config)#int gigabit 0/1
switchB(config-if)#no switchport mode access


Problem 2: The trunk establishes, but there is a problem with a single VLAN on the trunk.

Step 1: Verify that the VLAN is created properly on each switch.
Cisco switches will allow a VLAN to be added to a trunk port, but will not pass traffic for it unless the VLAN is also configured on the switch. For example, if VLAN 15 is not working between the two switches, the show vlan command will show whether it is configured on each.

SwitchA>show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2

switchB>show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2
15   Administration                   active    fa0/3

Note that VLAN 15 appears on Switch B, but not Switch A. Add the VLAN to Switch A to resolve the issue.

SwitchA(config)#vlan 15
SwitchA(config-vlan)#name Administration

Step 2: Verify that the VLANs are allowed on the trunk ports. It is a good idea to restrict the VLANs that are allowed on the trunk, but that means every VLAN created later must also be added to the allowed list. Look at the configuration for the trunk ports on Switches A and B.

Switch A
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10

Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10,15

VLAN 15 is configured on the trunk for Switch B, but not for Switch A. Add the VLAN to switch A.

switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk allowed vlan add 15
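The checks in Problem 1 and Problem 2 above can be run mechanically against the two ends of a trunk before anyone logs in to compare configurations by eye. The following is an added example written for this post, not code from the original article or from Cisco: it parses the trunk stanza from each switch's running configuration and the VLAN IDs from each switch's show vlan output, then reports a native VLAN mismatch (calling out the end that never set one and so defaulted to VLAN 1), a port whose last switchport mode command left it in access mode, a VLAN allowed on one end but not the other, and a VLAN allowed on the trunk but never created. The sample configurations and show vlan text are constructed to mirror the snippets above; the default port mode of "dynamic auto" is an assumption, since it varies by platform.

```python
"""Audit a pair of Cisco IOS trunk configurations for the mistakes in the post:
a native VLAN mismatch (including one end that silently defaults to VLAN 1), a
port left in access mode, a VLAN allowed on one end but not the other, and a
VLAN allowed on the trunk but never created on the switch.  Added example; the
sample configurations and 'show vlan' output below are constructed."""

import re

# Constructed sample input, modelled on the Switch A / Switch B snippets above.
SWITCH_A_CONFIG = """\
interface gigabit 0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 5,10
"""

SWITCH_B_CONFIG = """\
interface gigabit 0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport mode access
 switchport trunk native vlan 15
 switchport trunk allowed vlan 5,10,15
"""

SWITCH_A_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------
5    Accounting                       active    Fa0/1
10   Marketing                        active    Fa0/2
"""

SWITCH_B_SHOW_VLAN = SWITCH_A_SHOW_VLAN + "15   Administration                   active    Fa0/3\n"


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '5,10,20-22' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(config):
    """Extract trunk settings from one interface stanza, following IOS semantics:
    'switchport mode' is a single setting, so the last one entered wins; an
    unspecified native VLAN is 1; an unspecified allowed list means all VLANs
    (None here).  The default mode 'dynamic auto' is an assumption (it varies
    by platform).  Only comma/range allowed lists and the 'add' form are parsed."""
    trunk = {"mode": "dynamic auto", "native": 1, "native_explicit": False, "allowed": None}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"switchport mode (.+)", line)
        if m:
            trunk["mode"] = m.group(1)
            continue
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            trunk["native"] = int(m.group(1))
            trunk["native_explicit"] = True
            continue
        m = re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,\-]+)", line)
        if m:
            ids = expand_vlan_list(m.group(2))
            if m.group(1) and trunk["allowed"] is not None:
                trunk["allowed"] |= ids      # 'add' extends an existing list
            elif not m.group(1):
                trunk["allowed"] = ids       # plain form replaces the list
            # 'add' to an unrestricted (all-VLAN) trunk changes nothing
    return trunk


def parse_show_vlan(output):
    """Return the VLAN IDs present in 'show vlan' output (rows start with an ID)."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)\s", output, re.MULTILINE)}


def audit_trunk(config_a, config_b, show_vlan_a, show_vlan_b):
    """Return human-readable findings for the trunk between Switch A and Switch B."""
    ends = {"A": (parse_trunk(config_a), parse_show_vlan(show_vlan_a)),
            "B": (parse_trunk(config_b), parse_show_vlan(show_vlan_b))}
    findings = []
    # Problem 1: a port not in trunk mode, or native VLANs that differ.
    for name, (trunk, _) in ends.items():
        if trunk["mode"] != "trunk":
            findings.append(f"Switch {name}: port mode is '{trunk['mode']}', not trunk")
    if ends["A"][0]["native"] != ends["B"][0]["native"]:
        parts = []
        for name, (trunk, _) in ends.items():
            note = "" if trunk["native_explicit"] else " (unspecified, defaulted)"
            parts.append(f"Switch {name} uses {trunk['native']}{note}")
        findings.append("native VLAN mismatch: " + ", ".join(parts))
    # Problem 2: every VLAN either end explicitly allows must be allowed and created on both.
    wanted = set()
    for trunk, _ in ends.values():
        wanted |= trunk["allowed"] or set()
    for vlan in sorted(wanted):
        for name, (trunk, defined) in ends.items():
            if trunk["allowed"] is not None and vlan not in trunk["allowed"]:
                findings.append(f"VLAN {vlan}: not in the allowed list on Switch {name}")
            if vlan not in defined:
                findings.append(f"VLAN {vlan}: not created on Switch {name} (see 'show vlan')")
    return findings


if __name__ == "__main__":
    for finding in audit_trunk(SWITCH_A_CONFIG, SWITCH_B_CONFIG,
                               SWITCH_A_SHOW_VLAN, SWITCH_B_SHOW_VLAN):
        print(finding)
```

Run against the constructed sample, the audit reports four findings: Switch B's port ends up in access mode, the native VLANs differ (1 by default on A, 15 on B), and VLAN 15 is neither allowed nor created on Switch A. Feed it the corrected configurations from the steps above and the list comes back empty, which is the state to confirm after each fix.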

Configure Private VLANs

Cisco Routers/Switches, How-to

Private VLANs only govern Layer 2 communication. They do not force traffic through the router or firewall. Two hosts on the same subnet but separated by Private VLANs cannot communicate unless permitted. Traffic between the two is either enabled or disabled; it cannot be filtered like a firewall. Private VLANs must be trunked between switches in order for Private VLAN communication to work across switches. I started to create detailed instructions, but found it well documented elsewhere on the net.

Here are a few notes about Private VLANs:

  • Private VLANs enable Sticky ARP
  • Every port on that VLAN must be configured for Private VLANs
  • Ports come in three types:
      • Isolated - can only communicate off-VLAN (through a promiscuous port)
      • Community - can communicate with other ports in the same community VLAN
      • Promiscuous - can communicate with any port

For more info, see the PVLAN article from internetworkexperts.com and the Private VLAN trunk configuration guide at Cisco.

Some switches do not fully support private VLANs, but support a similar protected ports option which is simpler to configure. Packetlife has a complete description of protected ports.