The syntax for setting up VLAN trunks on Cisco switches is straightforward, but a single typo can keep a trunk from working. Here are some simple troubleshooting steps to resolve trunking problems.
Trunking problems usually come down to one of two things: either the trunk as a whole does not come up correctly, or a single VLAN fails to communicate across a trunk that is otherwise working. A detailed explanation of setting up VLAN trunks is in the Configure VLAN trunks on Cisco Switches post further down this page.
Problem 1: The trunk will not come up correctly.
Step 1: Verify the native VLAN
When working with 802.1Q VLAN trunks, the most common error is a native VLAN that differs at the two ends of the trunk. Both switches log a CDP native VLAN mismatch message (%CDP-4-NATIVE_VLAN_MISMATCH) to the console. Compare the two configurations with the show run int gigabit 0/1 command.
Switch A
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10,15
Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
switchport trunk allowed vlan 5,10,15
Note that Switch A has a native VLAN of 5 and Switch B has a native VLAN of 15. The link itself still comes up as a trunk, but it does not work correctly: untagged frames that Switch A sends as VLAN 5 arrive in VLAN 15 on Switch B and vice versa, so the two VLANs are quietly bridged together, and PVST+ blocks the mismatched VLANs on the port until the mismatch is corrected. Another problem is created when the native VLAN is specified on one switch but not the other. The switch without a specified native VLAN defaults to VLAN 1 as its native VLAN and produces the same native VLAN mismatch error as above, but the cause is less obvious because no native vlan line appears in its configuration.
Switch A
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 5,10,15
No native VLAN is specified, so it defaults to VLAN 1
Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
switchport trunk allowed vlan 5,10,15
Another problem that keeps a trunk from establishing is a port left in access mode. An access port carries a single untagged VLAN and never forms a trunk, so no VLAN tags reach the next switch. Because switchport mode trunk and switchport mode access set the same attribute, whichever was entered last wins, and the running configuration of the misconfigured port looks something like this (the trunk-specific lines are kept but have no effect):
Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode access
switchport trunk native vlan 15
switchport trunk allowed vlan 5,10,15
Set the mode back to trunk to resolve the problem:
switchB(config)#int gigabit 0/1
switchB(config-if)#switchport mode trunk
Problem 2: The trunk establishes, but there is a problem with a single VLAN on the trunk.
Step 1: Verify that the VLAN is created properly on each switch.
Cisco switches will accept a VLAN in the allowed list of a trunk port, but will not pass traffic for it unless the VLAN also exists and is active on that switch. For example, if VLAN 15 is not working between the two switches, the show vlan command will show whether it is configured on each of them. The show interfaces trunk command is also useful here: it lists, per trunk, the VLANs allowed, the VLANs allowed and active, and the VLANs in forwarding state, and a VLAN that appears in the first list but not the second is the one to check.
SwitchA>show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2
switchB>show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2
15   Administration                   active    fa0/3
Note that VLAN 15 appears on Switch B, but not Switch A. Add the VLAN to Switch A to resolve the issue.
SwitchA(config)#vlan 15
SwitchA(config-vlan)#name Administration
Step 2: Verify that the VLANs are allowed on the trunk ports. Restricting the VLANs allowed on a trunk is good practice, but it means that every VLAN created later must be added to the allowed list on both ends. Look at the configuration for the trunk ports on Switch A and Switch B.
switchA
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10
Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10,15
VLAN 15 is allowed on the trunk port of Switch B, but not on Switch A. Add the VLAN to the allowed list on Switch A (note the add keyword; without it the command replaces the whole list):
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk allowed vlan add 15
Private VLANs only govern Layer 2 communication. They do not force traffic through a router or firewall. Two hosts on the same subnet but separated by private VLANs cannot communicate unless the port types permit it. Traffic between the two is either enabled or disabled; it cannot be filtered the way a firewall would filter it. To extend a private VLAN across switches, the primary and secondary VLANs must be carried on the trunk between them. I started to create detailed instructions, but found it well documented elsewhere on the net.
Here are few notes about Private VLANs
Enables sticky ARP on the VLAN interface, so an ARP entry cannot be overwritten by a different MAC address claiming the same IP address
Every port on that VLAN must be configured for Private VLANs
Ports come in three types
- Isolated - can communicate only with promiscuous ports, never with other isolated or community ports
- Community - can communicate with other ports in the same community and with promiscuous ports
- Promiscuous - can communicate with any port in the private VLAN (typically the router or firewall port)
For more info see the PVLAN article from internetworkexperts.com and Private VLAN trunk configuration at Cisco
Some switches do not fully support private VLANs, but support a similar protected ports option which is simpler to configure. Packetlife has a complete description of protected ports.
Configure VLAN trunks on Cisco Switches
VLAN trunks allow multiple networks to pass over a single physical connection. A trunk can run between two switches, or between a switch and a router or server that understands VLAN tags. Before VLANs, each network required its own physical connection, so VLAN trunks reduce networking costs by reducing the number of physical links and conserving ports on switches and servers.
Configuring VLAN trunks on Cisco switches and routers only takes a few steps. For an in-depth look at working with vlans, look at Understanding VLANs on Cisco Switches.
First verify that the VLANs are created on both switches that are to be connected. Verify VLANs are created with the show vlan command.
Step 1: Verify VLANS
switchA>show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2
switchB>show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2
In the output above, VLANs 5 and 10 are configured on both switches and assigned to ports. A VLAN trunk between the two switches will let the devices on port 1 of each switch communicate with each other, and likewise the devices on port 2. A router (or Layer 3 switch) is still needed for devices in different VLANs to talk to each other.
Step 2: Configure the trunk interfaces
For this example, the gigabit interfaces are used for the trunk links.
Switch A
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport mode trunk
Switch B
switchB(config)#interface gigabit 0/1
switchB(config-if)#switchport mode trunk
At this point, the two networks should start communicating across the switches once the gigabit interfaces are connected, but it is good practice to set a few parameters explicitly rather than leaving them to negotiation; this improves the stability and reliability of the trunk connection.
Switch A
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk encapsulation dot1q
This command fixes the tagging protocol the two switches use to carry VLAN information in the transferred frames, rather than leaving it to negotiation. Two Cisco switches that both support it will negotiate ISL (Inter-Switch Link), a Cisco-proprietary encapsulation, rather than 802.1Q, the IEEE standard that almost all switches, routers, and servers understand. On switches that support ISL, the encapsulation must be set before switchport mode trunk is accepted; on switches that only support 802.1Q the command does not exist and can be skipped.
switchA(config-if)#switchport trunk native vlan 5
The native vlan command specifies the VLAN whose frames are transmitted without a VLAN tag. It does not matter which VLAN is used, but both ends must agree for the link to operate properly. If no native VLAN is specified, the switches use VLAN 1 by default. Using VLAN 1 can cause problems because it is the default for so much else in a switch network (management traffic, CDP, VTP); a dedicated VLAN with no access ports assigned to it is the safer choice.
switchA(config-if)#switchport trunk allowed vlan 5,10
The allowed vlan command restricts which VLANs may cross the trunk link. Otherwise every VLAN on the switch is carried, and broadcast and unknown-unicast traffic from VLANs that have no business on the other switch crosses the link.
Switch B
switchB(config)#interface gigabit 0/1
switchB(config-if)#switchport trunk encapsulation dot1q
switchB(config-if)#switchport trunk native vlan 5
switchB(config-if)#switchport trunk allowed vlan 5,10
Adding or removing a VLAN
If VLAN 15 was configured on the switches, then it would need to be added to the trunk port on each switch.
Switch A
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk allowed vlan add 15
Switch B
switchB(config)#interface gigabit 0/1
switchB(config-if)#switchport trunk allowed vlan add 15
A VLAN can be removed with a similar command:
Switch A
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk allowed vlan remove 15
Switch B
switchB(config)#interface gigabit 0/1
switchB(config-if)#switchport trunk allowed vlan remove 15
Be Careful
Verify that you used the add or remove keyword in the command. On its own, switchport trunk allowed vlan 15 replaces the entire allowed list with VLAN 15, and communication between the other VLANs across the trunk will be broken.
For more detailed information, visit Cisco’s technical article on configuring VLAN trunks.
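The checks in the troubleshooting post above (native VLAN mismatch, a port left in access mode, a VLAN allowed on only one side, a VLAN allowed but missing from show vlan) and the parameters set in this post can be verified mechanically over the two running-config excerpts. The following is an added example in Python, not code from the original posts: it parses interface stanzas in the form shown above plus the VLAN IDs from show vlan, and reports the problems. It also flags DTP being left enabled (no switchport nonegotiate) and a native VLAN left at the default of 1, two hardening points that go beyond what the posts cover. The sample configs are constructed from the examples above, with Switch B deliberately still in access mode; the function and field names are my own.

```python
"""Consistency checker for the two ends of a Cisco 802.1Q trunk (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample input, based on the excerpts in the posts above.
SWITCH_A_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan 5,10
 switchport mode trunk
"""
SWITCH_B_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 15
 switchport trunk allowed vlan 5,10,15
 switchport mode access
"""
SWITCH_A_VLANS = {5, 10}       # VLAN IDs listed by 'show vlan' on Switch A
SWITCH_B_VLANS = {5, 10, 15}   # ... and on Switch B


@dataclass
class TrunkPort:
    name: str
    mode: str = "dynamic"                # IOS default when no 'switchport mode' is set
    encapsulation: str = "negotiate"
    native_vlan: int = 1                 # IOS default native VLAN
    allowed: Optional[Set[int]] = None   # None = no 'allowed vlan' list (all VLANs)
    nonegotiate: bool = False            # True once 'switchport nonegotiate' is present


def parse_vlan_list(spec: str) -> Optional[Set[int]]:
    """Expand an IOS VLAN list such as '5,10-12,15'; 'all' returns None."""
    spec = spec.strip().lower()
    if spec == "all":
        return None
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interface(config: str) -> TrunkPort:
    """Parse the first 'interface' stanza of a running-config excerpt."""
    port: Optional[TrunkPort] = None
    patterns = {
        "mode": re.compile(r"switchport mode (\S+)"),
        "encapsulation": re.compile(r"switchport trunk encapsulation (\S+)"),
        "native_vlan": re.compile(r"switchport trunk native vlan (\d+)"),
        "allowed": re.compile(r"switchport trunk allowed vlan (.+)"),
    }
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            port = TrunkPort(name=line.split(None, 1)[1])
            continue
        if port is None or not line:
            continue
        if line == "switchport nonegotiate":
            port.nonegotiate = True
            continue
        for attr, pat in patterns.items():
            m = pat.fullmatch(line)
            if not m:
                continue
            if attr == "native_vlan":
                port.native_vlan = int(m.group(1))
            elif attr == "allowed":
                port.allowed = parse_vlan_list(m.group(1))
            else:
                setattr(port, attr, m.group(1))  # last 'switchport mode' wins, as on the switch
    if port is None:
        raise ValueError("no interface stanza found")
    return port


def check_trunk(a: TrunkPort, b: TrunkPort,
                a_vlans: Set[int], b_vlans: Set[int]) -> List[str]:
    """Return human-readable problems for the trunk between Switch A and Switch B."""
    problems: List[str] = []
    for label, port in (("A", a), ("B", b)):
        if port.mode != "trunk":
            problems.append(f"Switch {label} {port.name}: mode is '{port.mode}', not trunk")
        if port.native_vlan == 1:
            problems.append(f"Switch {label} {port.name}: native VLAN left at default 1")
        if not port.nonegotiate:
            problems.append(f"Switch {label} {port.name}: DTP still enabled (no 'switchport nonegotiate')")
    if a.native_vlan != b.native_vlan:
        problems.append(f"Native VLAN mismatch: A={a.native_vlan}, B={b.native_vlan}")
    if a.encapsulation != b.encapsulation:
        problems.append(f"Encapsulation mismatch: A={a.encapsulation}, B={b.encapsulation}")
    # With no 'allowed vlan' list, a trunk carries every VLAN the switch has defined.
    a_allowed = a.allowed if a.allowed is not None else a_vlans
    b_allowed = b.allowed if b.allowed is not None else b_vlans
    for vlan in sorted(a_allowed ^ b_allowed):
        side = "A" if vlan in a_allowed else "B"
        problems.append(f"VLAN {vlan} is allowed only on Switch {side}")
    for vlan in sorted(a_allowed & b_allowed):
        missing = [lbl for lbl, defined in (("A", a_vlans), ("B", b_vlans)) if vlan not in defined]
        if missing:
            problems.append(f"VLAN {vlan} is allowed on the trunk but not defined on Switch {', '.join(missing)}")
    return problems


def check_sample() -> List[str]:
    """Run the checker over the constructed sample configs."""
    return check_trunk(parse_interface(SWITCH_A_CONFIG), parse_interface(SWITCH_B_CONFIG),
                       SWITCH_A_VLANS, SWITCH_B_VLANS)


if __name__ == "__main__":
    for problem in check_sample() or ["trunk configuration is consistent"]:
        print(problem)
```

Paste the output of show run int for each end into the two config strings and the VLAN IDs from show vlan into the two sets; an empty result means the two ends agree on mode, encapsulation, native VLAN and allowed VLANs, and every allowed VLAN exists on both switches.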
The little flash devices are the modern day floppy disk and are handy, but they are also easy to forget about and leave on a table at a cafe or attached to a borrowed computer somewhere. Most people carry enough information on their thumb drives in the form of saved e-mails, spreadsheets, word processing documents and photos for their identities to be stolen.
Encrypting the files with free software before the drive is lost protects your privacy.
What is encryption and why is it so important?
Encryption scrambles the data so that it cannot be read without a key, derived from a password, to unscramble it. With a sound cipher such as AES it is not practical for another computer to unscramble the data without the password, so in practice identity thieves and hackers attack the password instead: they use automated programs that try every word in a dictionary and common variations of them. Choose a password that is long, hard to guess, and not a dictionary word. Microsoft offers a free online password strength tester and notes about creating passwords that cannot be easily guessed.
Encrypting your thumb drive in Mac OS X 10.5
OS X has encrypted disk images built in, so no extra software is needed. Insert the flash drive into the Mac so that it mounts on the desktop, then open Disk Utility, which is located in the Applications/Utilities folder. Click File > New > Blank Disk Image. A dialog box appears with several options. Specify the name of the file in the Save As box. Whatever you type in Volume Name is the name the disk image will show on the desktop when it is mounted. For Volume Size, choose about 80 percent of the flash drive size; for instance, for a 1 GB flash drive you would choose an 800 MB volume. Leave Volume Format at the default, Mac OS Extended (Journaled). Under Encryption, choose 128-bit AES. 256-bit AES is stronger, but an image created with it cannot be opened on a Mac that is still running 10.3 or 10.4.
Leave Partitions to the default of Single partition - Apple Partition Map. Under Image Format, choose sparse disk image. This will allow the disk image to grow as you add files. That means you can upgrade to a larger thumb drive later without having to recreate the disk image.
Encrypting your thumb drive in Mac OS X 10.4
Mac OS X 10.4 does not have as many options for disk image creation as 10.5. You only need to specify the size, the encryption, and the format. Choose 128-bit AES for encryption and sparse image for format.
Don’t give away your password
Click save and another window will ask you for your password. De-select the Remember password in my keychain option or that computer can access the disk image without a password.
Next, simply copy the disk image to the thumb drive.
Using the the disk image on another Mac
Just insert the flash drive, double-click the disk image, and it will ask for the password. Do not select the Remember password in my keychain option, or you will be handing your password to that computer permanently. The disk image then shows up on the Mac like another hard drive or flash drive where you can open and save files. If you open the flash drive itself, only the disk image file should be visible.
Encrypting your thumb drive in Windows
Windows does not have the same built-in encryption capabilities that Mac OS X does, but TrueCrypt, a free encryption program for Windows and Linux, can create an encrypted file much like a disk image in Mac OS X. TrueCrypt calls the file a container file, since other files are stored inside it. By default, TrueCrypt must be installed on every computer where you want to access the container file. With some tweaking, TrueCrypt can be set up in what is called traveler mode, where the program that decrypts the files runs directly from the flash drive and no software has to be installed, but knowledge of registry editing is required.
Truecrypt has an excellent beginner’s tutorial on their website that describes how to create and use encrypted container files. They also have a guide to setting Truecrypt up in traveler mode.
Disk images are one of the great things that Mac OS X supports natively. They can be used for many things, such as storing important data securely with the built-in encryption. Encrypted disk images can be taken anywhere and opened on any Mac.
All of this can be done through Disk Utility, but if you do it repeatedly, a little script can save time. For example, in Terminal:
hdiutil create -encryption -stdinpass -srcfolder private encryptedfolder.dmg
With a real folder, it would look something like this:
hdiutil create -encryption -stdinpass -srcfolder /Users/Myaccount/Documents encryptedfolder.dmg
Note that the command is entered in the terminal as one line followed by a return. This encrypts the folder into a disk image called encryptedfolder.dmg and prompts you for a password. If you want to supply the password from the script instead, try this:
echo -n "password" | hdiutil create -encryption -stdinpass -srcfolder private encrypted.dmg
This creates the disk image with the password "password" without an interactive prompt (the -n matters: a trailing newline would become part of the password). Be warned that anyone with access to the computer may be able to read the script and see your password, so this is only acceptable if the script stays on that computer and never travels with the disk image.
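A way to keep the scripted version without writing the password into the script is to ask for it with echo turned off and hand it to hdiutil over standard input, which is what -stdinpass is for. The following is an added example in Python, not from the original post; it assumes macOS with hdiutil on the PATH, and the helper names are my own. Only the argument-building part runs anywhere; the actual image creation needs a Mac.

```python
"""Create an AES-encrypted disk image with hdiutil without exposing the passphrase."""
import getpass
import subprocess
from typing import List


def build_hdiutil_command(src_folder: str, image_path: str, bits: int = 128) -> List[str]:
    """Return the hdiutil argument list for an encrypted image built from src_folder.

    -stdinpass makes hdiutil read the passphrase from standard input, so it never
    appears on the command line, in the shell history, or in the process list.
    hdiutil accepts AES-128 (the default) or AES-256 as the encryption method.
    """
    if bits not in (128, 256):
        raise ValueError("AES key size must be 128 or 256")
    return [
        "hdiutil", "create",
        "-encryption", f"AES-{bits}",
        "-stdinpass",
        "-srcfolder", src_folder,
        image_path,
    ]


def create_encrypted_image(src_folder: str, image_path: str, bits: int = 128) -> int:
    """Prompt for the passphrase with echo off, confirm it, and run hdiutil.

    Returns hdiutil's exit status (0 on success). Assumes macOS; hdiutil does
    not exist elsewhere.
    """
    passphrase = getpass.getpass("Passphrase for disk image: ")
    if passphrase != getpass.getpass("Confirm passphrase: "):
        raise SystemExit("passphrases do not match")
    if not passphrase:
        raise SystemExit("empty passphrase refused")
    # No trailing newline: hdiutil would otherwise treat it as part of the passphrase,
    # which is the same reason the shell version above uses 'echo -n'.
    result = subprocess.run(
        build_hdiutil_command(src_folder, image_path, bits),
        input=passphrase.encode(),
        check=False,
    )
    return result.returncode


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        raise SystemExit("usage: make_dmg.py SOURCE_FOLDER IMAGE.dmg")
    raise SystemExit(create_encrypted_image(sys.argv[1], sys.argv[2]))
```

Because the passphrase reaches hdiutil only through the pipe, the script can be left on the computer and in version control without leaking the password the way the echo "password" one-liner does.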
Disk images make the perfect backup file. Without any extra software or cost, Mac OS X will compress and encrypt the data into a single file that can be copied anywhere.
While most backup programs need to be installed on a computer in order to be able to decrypt and read the backup, encrypted disk images can be opened on any Macintosh.
Creating the disk image with Disk Utility.
Disk Utility is located in the Applications/Utilities folder on the hard drive. Most people only use Disk Utility to repair disks and permissions, but it can also be used as a backup program.
Go under the File menu and select New. A pop-up menu appears with two options: Blank Disk Image and Disk Image from Folder. Choose Disk Image from Folder, and a dialog box asks you to select the folder that you wish to back up. After selecting the folder, another dialog box asks you to name the disk image and specify its type. For backups, select compressed for Image Format and 128-bit AES for Encryption. Mac OS X 10.5 Leopard adds the option of 256-bit AES, which is stronger but takes longer to create and open. Next a box asks you to enter a password for the encrypted disk image. Choose a strong password, because the disk image can be opened by anyone who guesses it. Microsoft offers a free online password strength tester and notes about creating passwords that cannot be easily guessed.
Selecting the Save Password in Keychain option stores the password to the disk image in your account's keychain on that Mac; the image can still be opened elsewhere by entering the password manually. If you are the only user of that computer, this option can save time. However, if you share the computer with other people and do not have separate user accounts, then they can open the backup file too.
Now that the file is created, the image can be moved to another computer or flash drive in case the primary hard drive fails.

