The syntax for setting up VLAN trunks on Cisco switches is straightforward, but a simple typo can keep them from working. Here are some simple troubleshooting steps to resolve trunking problems.
Trunking problems usually come down to one of two things: Either the entire trunk will not establish or there is a problem with a single VLAN communicating across the trunk. A detailed explanation of setting up VLAN trunks can be found here.
Problem 1: The trunk will not establish.
Step 1: Verify the native VLAN
When working with 802.1q VLAN trunks, the most common error is that the native VLAN is different on each end of the trunk. Both switches will log a native VLAN mismatch error at the console. Look at the difference in the configuration with the show run int gigabit 0/1 command.
Switch A
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10,15
Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
switchport trunk allowed vlan 5,10,15
Note that Switch A has a native VLAN of 5 and Switch B has a native VLAN of 15. This will prevent the trunk from establishing. Another problem is created when the native VLAN is specified on one switch but not the other. The switch without a specified native VLAN defaults to VLAN 1 as its native VLAN and produces the same native VLAN mismatch error as above, but the cause is not as obvious because the mismatched value never appears in that switch's configuration.
Switch A
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 5,10,15
! No native VLAN is specified, so it defaults to VLAN 1
Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
switchport trunk allowed vlan 5,10,15
Another problem that can keep the trunk from establishing is when the port is left in access mode. Access mode prevents the port from sending VLAN tags to the next switch. The improper configuration will look something like this:
Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport mode access
switchport trunk native vlan 15
switchport trunk allowed vlan 5,10,15
Remove the access mode setting to resolve the problem:
switchB(config)#int gigabit 0/1
switchB(config-if)#no switchport mode access
Problem 2: The trunk establishes, but there is a problem with a single VLAN on the trunk.
Step 1: Verify that the VLAN is created properly on each switch.
Cisco switches will allow a VLAN to be added to a trunk port, but will not pass traffic for it unless the VLAN is also configured on the switch. For example, if VLAN 15 is not working between the two switches, the show vlan command will show whether it is configured on each one.
switchA>show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2
switchB>show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2
15   Administration                   active    fa0/3
Note that VLAN 15 appears on Switch B, but not Switch A. Add the VLAN to Switch A to resolve the issue.
switchA(config)#vlan 15
switchA(config-vlan)#name Administration
Step 2: Verify that the VLANs are allowed on the trunk ports. It is a good idea to specify the VLANs that are allowed on the trunk, but that means any VLAN created later must also be added to the trunk's allowed list. Look at the configuration for the trunk ports on Switch A and Switch B.
Switch A
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10
Switch B
interface gigabit 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10,15
VLAN 15 is allowed on the trunk for Switch B, but not for Switch A. Add the VLAN to the allowed list on Switch A.
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk allowed vlan add 15
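The checks above can be automated against pasted running-config text. The following script is an added example (not code from the original post): it reads one interface stanza from each switch, applies the implicit defaults the post describes (no native VLAN line means VLAN 1, and a port with no mode line is not a trunk), and reports a native VLAN mismatch, a port left in access mode, a VLAN allowed on only one side, and a VLAN allowed on the trunk but not created on the switch. The configuration text and VLAN tables in the block are constructed for the example.

```python
"""Trunk-consistency checker for a pair of Cisco-style interface stanzas.

Added example, not code from the original post. Input is the text of one
'interface' stanza per switch as shown by 'show running-config', plus the
set of VLAN ids each switch lists in 'show vlan'. The sample data below is
constructed: Switch A has no native VLAN line and has not created VLAN 15.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '5,10,15-17' into a set of ids."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


@dataclass
class TrunkPort:
    mode: str = "dynamic"            # IOS default when no 'switchport mode' is set
    native_vlan: int = 1             # implicit default the post warns about
    allowed: set[int] | None = None  # None means no restriction (all VLANs)


def parse_interface(text: str) -> TrunkPort:
    """Pick the switchport settings out of one interface stanza.

    Only the running-config form is handled ('allowed vlan 5,10,15'); the
    typed 'add'/'remove' forms never appear in show running-config output.
    """
    port = TrunkPort()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("switchport mode "):
            port.mode = line.split()[2]  # last mode line wins, as on the switch
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port.native_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line):
            port.allowed = parse_vlan_list(m.group(1))
    return port


def check_trunk(a: TrunkPort, b: TrunkPort,
                vlans_on_a: set[int], vlans_on_b: set[int]) -> list[str]:
    """Return human-readable problems; an empty list means the trunk is consistent."""
    problems: list[str] = []
    for name, port in (("A", a), ("B", b)):
        if port.mode != "trunk":
            problems.append(f"switch {name}: port is in '{port.mode}' mode, not trunk")
    if a.native_vlan != b.native_vlan:
        problems.append(f"native VLAN mismatch: A={a.native_vlan} B={b.native_vlan}")
    # A side with no allowed-list restriction carries whatever the other side allows.
    allowed_a = a.allowed if a.allowed is not None else (b.allowed or set())
    allowed_b = b.allowed if b.allowed is not None else (a.allowed or set())
    for vid in sorted(allowed_a - allowed_b):
        problems.append(f"VLAN {vid} allowed on switch A but not on switch B")
    for vid in sorted(allowed_b - allowed_a):
        problems.append(f"VLAN {vid} allowed on switch B but not on switch A")
    for name, allowed, created in (("A", allowed_a, vlans_on_a), ("B", allowed_b, vlans_on_b)):
        for vid in sorted(allowed - created):
            problems.append(f"VLAN {vid} allowed on the trunk but not created on switch {name}")
    return problems


# Constructed sample configs and 'show vlan' results.
SWITCH_A = """
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 5,10,15
"""
SWITCH_B = """
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 15
 switchport trunk allowed vlan 5,10,15
"""
VLANS_ON_A = {1, 5, 10}
VLANS_ON_B = {1, 5, 10, 15}


def audit(cfg_a: str, cfg_b: str, vlans_a: set[int], vlans_b: set[int]) -> list[str]:
    """Parse both stanzas and run every check."""
    return check_trunk(parse_interface(cfg_a), parse_interface(cfg_b), vlans_a, vlans_b)


if __name__ == "__main__":
    for problem in audit(SWITCH_A, SWITCH_B, VLANS_ON_A, VLANS_ON_B):
        print("PROBLEM:", problem)
```

Running it on the sample reports the two faults from the post (native VLAN 1 against 15, and VLAN 15 allowed but never created on Switch A); adding the native VLAN line and creating the VLAN on Switch A empties the list.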
Configure VLAN trunks on Cisco Switches
VLAN trunks allow multiple networks to pass over a single physical connection. The trunk connection can run between two switches or between a switch and a computer. Before VLANs, each network required its own physical connection, so using VLAN trunks reduces networking costs by reducing the need for expensive physical connections and conserving the number of ports used on switches and servers.
Configuring VLAN trunks on Cisco switches and routers only takes a few steps. For an in-depth look at working with VLANs, see Understanding VLANs on Cisco Switches.
First verify that the VLANs are created on both switches that are to be connected. Verify VLANs are created with the show vlan command.
Step 1: Verify VLANS
switchA>show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2
switchB>show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
5    Accounting                       active    fa0/1
10   Marketing                        active    fa0/2
In the output above, we see that VLANs 5 and 10 are configured on both switches and assigned to ports. A VLAN trunk between the two switches will allow the devices on port 1 of each switch to communicate with each other, and likewise the devices on port 2. A router is still needed for devices in different VLANs to talk to each other.
Step 2: Configure the trunk interfaces
For this example, the gigabit interfaces are used for the trunk links.
Switch A
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport mode trunk
Switch B
switchB(config)#interface gigabit 0/1
switchB(config-if)#switchport mode trunk
At this point, the two networks should start communicating across switches once the gigabit interfaces are connected, but it is a good practice to manually configure a few parameters to improve the stability and reliability of the trunk connection.
Switch A
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk encapsulation dot1q
This command specifies the protocol the two switches will use to carry VLAN information in the transferred frames, rather than leaving it to auto-negotiate. Two Cisco switches will negotiate ISL (Inter-Switch Link), a Cisco-proprietary protocol, rather than 802.1Q, a recognized standard that is compatible with almost all switches and servers.
switchA(config-if)#switchport trunk native vlan 5
The native vlan command specifies the VLAN whose frames are transmitted without a VLAN tag. It does not matter which VLAN is used, but both switches must agree for the link to operate properly. If a native VLAN is not specified, the switches use VLAN 1 by default. Using VLAN 1 can cause problems because it is the default for so many other things in a switch network.
switchA(config-if)#switchport trunk allowed vlan 5,10
The allowed vlan command specifies which VLANs may communicate over the trunk link. Otherwise, unnecessary traffic from every VLAN may go over the link.
Switch B
switchB(config)#interface gigabit 0/1
switchB(config-if)#switchport trunk encapsulation dot1q
switchB(config-if)#switchport trunk native vlan 5
switchB(config-if)#switchport trunk allowed vlan 5,10
Adding or removing a VLAN
If VLAN 15 was configured on the switches, then it would need to be added to the trunk port on each switch.
Switch A
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk allowed vlan add 15
Switch B
switchB(config)#interface gigabit 0/1
switchB(config-if)#switchport trunk allowed vlan add 15
A VLAN can be removed with a similar command:
Switch A
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk allowed vlan remove 15
Switch B
switchB(config)#interface gigabit 0/1
switchB(config-if)#switchport trunk allowed vlan remove 15
Be careful
Verify that you used the add or remove option in the command. Without it, the command overwrites the allowed VLAN list with only the VLAN that was to be added, and communication between the other VLANs will be broken.
For more detailed information, visit Cisco’s technical article on configuring VLAN trunks.
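The difference between the bare command and the add/remove forms is easy to get wrong under pressure, so it helps to preview what a change will do before typing it. The block below is an added example, not code from the original post or from Cisco: it models how the allowed list on a trunk changes for each form of switchport trunk allowed vlan (the bare list, add, remove, except, all and none are the keywords IOS accepts) and reports which VLANs a change would silently drop. The starting list and the command lines are constructed.

```python
"""Model of how 'switchport trunk allowed vlan' edits a trunk's allowed list.

Added example, not from the original post. apply_command() takes the current
allowed set and one command line and returns the resulting set; preview()
additionally reports which VLANs the change would remove from the trunk,
which is exactly the mistake the 'Be careful' note describes.
"""
from __future__ import annotations

ALL_VLANS = frozenset(range(1, 4095))        # valid 802.1Q ids on a trunk
PREFIX = ("switchport", "trunk", "allowed", "vlan")


def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '5,10,15-17' into a set of ids."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def apply_command(allowed: set[int], command: str) -> set[int]:
    """Return the allowed list after one 'switchport trunk allowed vlan ...' line."""
    words = command.split()
    if tuple(words[:4]) != PREFIX or len(words) < 5:
        raise ValueError(f"not an allowed-vlan command: {command!r}")
    keyword = words[4]
    arg = words[5] if len(words) > 5 else ""
    if keyword == "add":
        return allowed | parse_vlan_list(arg)
    if keyword == "remove":
        return allowed - parse_vlan_list(arg)
    if keyword == "except":
        return set(ALL_VLANS - parse_vlan_list(arg))
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    # Bare list: replaces the whole allowed list, which is the trap.
    return parse_vlan_list(keyword)


def preview(allowed: set[int], command: str) -> tuple[set[int], list[int]]:
    """Return (new allowed list, VLANs that would stop crossing the trunk)."""
    new = apply_command(allowed, command)
    return new, sorted(allowed - new)


if __name__ == "__main__":
    start = {5, 10}                        # constructed current allowed list
    for cmd in ("switchport trunk allowed vlan 15",
                "switchport trunk allowed vlan add 15"):
        new, lost = preview(start, cmd)
        print(f"{cmd!r}: allowed={sorted(new)} lost={lost}")
```

For the constructed starting list {5, 10}, the bare form leaves only VLAN 15 on the trunk and reports 5 and 10 as lost, while the add form yields {5, 10, 15} and loses nothing; that "lost" list is the value worth checking in a change review.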
Route-maps allow you to handle traffic on your router by policy rather than by the traditional destination-based lookup.
In this example, we will route traffic by source address, or who is sending the traffic, rather than by destination, or where the traffic is going. Typically routers just look at where traffic is headed, compare that destination to their routing table and send the packets on their way. To override basic routing on a Cisco router, a route-map configuration is required.
What are route-maps?
Essentially, route-maps are like a scripting language for routers. They define traffic and then process it according to a defined list of statements, almost like a miniature computer program.
Why would you want to route by source address?
Perhaps you have internet connections from two internet service providers along with IP addresses provided by both, and you want to send traffic from the IP addresses that belong to each ISP out the matching internet connection. Another application of route-maps would be to migrate traffic from one firewall to another in steps rather than all at once.
Understanding the Route-Map structure
Route-maps inherit their structure from if-then statements in programming. Each step (sequence 10 and 20 in this example) matches a criterion and then performs an action; steps are evaluated in sequence order and the first step that matches decides what happens to the traffic.
route-map route-map-name permit 10
 match criteria-1
 set perform-action-1
route-map route-map-name permit 20
 match criteria-2
 set perform-action-2
Configuring the Route-Map for routing traffic by source
Step 1: Define the traffic with an access list
RouterA(config)#access-list 25 permit 10.10.25.0 0.0.0.255
Step 2: Create a Route-Map with an action
RouterA(config)#route-map Traffic_to_ISP_A permit 10
RouterA(config-route-map)#match ip address 25
RouterA(config-route-map)#set ip next-hop 10.15.15.1
Step 3: Apply the Route-Map to the router interface that the traffic enters into
RouterA(config)#interface gig0/1
RouterA(config-if)#ip policy route-map Traffic_to_ISP_A
Now all traffic from the 10.10.25.0 network that enters gig0/1 will be forwarded to the router at 10.15.15.1 instead of being routed by the routing table.
Now that the traffic is routed correctly by policy, perhaps you find one server within the 10.10.25.0 network that needs to be routed normally rather than being forced to a new network by the route-map. To have the server 10.10.25.10 bypass, just create a new route-map step.
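The evaluation order of route-map sequences is what makes the exemption work, and it is easy to model. The block below is an added example, not Cisco code and not from the original post: it implements wildcard-mask matching for a standard access list, evaluates route-map sequences in numeric order with first-match-wins semantics, applies set ip next-hop on a permit sequence, and falls back to normal routing when a deny sequence matches or nothing matches at all. The deny sequence for the server 10.10.25.10 (and the access list number 26 it matches on) is an assumption about how the exemption the post ends on would be written, not text from the post; the other addresses are the post's own.

```python
"""Policy-based routing simulator for the route-map in the post (added example).

Not Cisco code. Models: standard ACL with wildcard masks, route-map sequences
evaluated in order, first match wins, 'set ip next-hop' on permit, and normal
routing on a matching deny sequence or when no sequence matches.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

NORMAL_ROUTING = "routing-table"


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    network: str
    wildcard: str = "0.0.0.0"    # default wildcard matches a single host


def acl_permits(entries: tuple[AclEntry, ...], address: str) -> bool:
    """First matching entry wins; every access list ends with an implicit deny."""
    for entry in entries:
        if wildcard_match(address, entry.network, entry.wildcard):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class Sequence:
    number: int
    action: str                                    # "permit" or "deny"
    match_acl: tuple[AclEntry, ...] | None = None  # None matches all traffic
    next_hop: str | None = None                    # 'set ip next-hop' value


def policy_route(route_map: tuple[Sequence, ...], source: str) -> str:
    """Return the next hop chosen for a packet from 'source', or NORMAL_ROUTING."""
    for seq in sorted(route_map, key=lambda s: s.number):
        if seq.match_acl is None or acl_permits(seq.match_acl, source):
            if seq.action == "permit" and seq.next_hop:
                return seq.next_hop
            return NORMAL_ROUTING   # deny sequence, or permit without a set clause
    return NORMAL_ROUTING           # nothing matched: traffic is routed normally


# access-list 25 permit 10.10.25.0 0.0.0.255   (from the post)
ACL_25 = (AclEntry("permit", "10.10.25.0", "0.0.0.255"),)
# Assumed host list used by the exemption step; not from the post.
ACL_26 = (AclEntry("permit", "10.10.25.10"),)

# Route-map as in the post, plus an assumed deny sequence evaluated first so
# that 10.10.25.10 is routed normally while the rest of the subnet goes to ISP A.
TRAFFIC_TO_ISP_A = (
    Sequence(5, "deny", ACL_26),
    Sequence(10, "permit", ACL_25, next_hop="10.15.15.1"),
)

# The same route-map without the exemption, for comparison.
WITHOUT_EXEMPTION = (Sequence(10, "permit", ACL_25, next_hop="10.15.15.1"),)


if __name__ == "__main__":
    for src in ("10.10.25.50", "10.10.25.10", "10.10.30.7"):
        print(f"{src:>12} -> {policy_route(TRAFFIC_TO_ISP_A, src)}")
```

With the exemption sequence in place, 10.10.25.50 is forced to 10.15.15.1, 10.10.25.10 falls through to the routing table, and an address outside the subnet is never touched by the policy; remove sequence 5 and the server is policy-routed like its neighbours.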
Historically, creating multiple networks required multiple switches, but VLANs (Virtual Local Area Networks) changed all of that. Now, more than one network can be created on a single switch.
If the switch has 24 ports, then it can have 24 separate networks on it. In most cases, Cisco switches support 1024 or more created VLANs per switch. Cisco's command structure for creating multiple networks and assigning them to ports is simple and straightforward.
What are VLANs anyway?
VLANs are simply a way of separating traffic logically rather than physically. Each data packet that the switch receives is labeled with a VLAN id that tells the switch which network the packet belongs to. Sometimes the process is called "tagging" because of the VLAN id tag that is added to the data packet. The switchport access vlan command shown below tells the switch to remove the VLAN id before the data packet is forwarded to the computer connected to that switch port.
First, create the VLANs.
switchA>en
switchA#configure terminal
switchA(config)#vlan 5
switchA(config-vlan)#name Accounting
switchA(config-vlan)#exit
switchA(config)#vlan 10
switchA(config-vlan)#name Marketing
This defines two separate networks on the switch that can be used for ports. VLAN 5 could be used for the Accounting department and VLAN 10 could be used for the Marketing department. After the ports are assigned to the correct VLAN, computers in the Accounting department will not be able to see the Marketing department. It will be as if each department had its own switch.
Configure the ports
switchA(config)#int fa0/1
switchA(config-if)#description Acctg-1
switchA(config-if)#switchport mode access
switchA(config-if)#switchport access vlan 5
switchA(config-if)#int fa0/2
switchA(config-if)#description Markg-1
switchA(config-if)#switchport mode access
switchA(config-if)#switchport access vlan 10
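What "tagging" means on the wire is worth seeing in bytes, because it is also the mechanism behind the native VLAN rules from the trunking posts. The block below is an added example, not code from the original post: it inserts and strips an 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN id) after the source MAC, models an access port that tags on ingress and untags on egress, and a trunk port that keeps the tag except for its native VLAN, which is sent untagged. It goes one step beyond the post by showing why two trunk ends with different native VLANs silently move untagged traffic into the wrong VLAN. The frames and port settings are constructed.

```python
"""Byte-level model of 802.1Q tagging on access and trunk ports (added example).

Not code from the original post. Ports are plain dicts: an access port has
'vlan'; a trunk port has 'native' and an optional 'allowed' set (None = all).
"""
from __future__ import annotations

import struct

TPID = 0x8100  # EtherType that announces an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet frame: 6-byte dst, 6-byte src, 2-byte type, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def vlan_of(frame: bytes) -> int | None:
    """VLAN id carried by the tag, or None when the frame is untagged."""
    if frame[12:14] == struct.pack("!H", TPID):
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def tag_frame(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte tag after the source MAC (bytes 0..11 stay in place)."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"invalid VLAN id {vlan}")
    if vlan_of(frame) is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | vlan       # 3-bit priority, 1-bit DEI (0), 12-bit VLAN id
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag if present; untagged frames are returned unchanged."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


def ingress(frame: bytes, port: dict) -> bytes:
    """Classify a received frame into a VLAN, the way the switch does internally."""
    if port["mode"] == "access":
        # Simplification: any tag arriving on an access port is ignored.
        return tag_frame(untag_frame(frame), port["vlan"])
    # Trunk: tagged frames keep their id; untagged ones belong to the native VLAN.
    return frame if vlan_of(frame) is not None else tag_frame(frame, port["native"])


def egress(frame: bytes, port: dict) -> bytes | None:
    """Frame as sent out of a port, or None when the port does not carry that VLAN."""
    vid = vlan_of(frame)
    if port["mode"] == "access":
        return untag_frame(frame) if vid == port["vlan"] else None
    if port["allowed"] is not None and vid not in port["allowed"]:
        return None
    return untag_frame(frame) if vid == port["native"] else frame


# Constructed sample frame: broadcast from a made-up source MAC, IPv4 payload.
SAMPLE = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800, b"constructed")


def vlan_after_trunk(native_a: int, native_b: int, source_vlan: int) -> int | None:
    """VLAN that switch B assigns to a frame switch A sends from source_vlan."""
    trunk_a = {"mode": "trunk", "native": native_a, "allowed": None}
    trunk_b = {"mode": "trunk", "native": native_b, "allowed": None}
    on_wire = egress(tag_frame(SAMPLE, source_vlan), trunk_a)
    return None if on_wire is None else vlan_of(ingress(on_wire, trunk_b))


if __name__ == "__main__":
    print("matching native VLANs, VLAN 5 :", vlan_after_trunk(5, 5, 5))
    print("mismatched natives, VLAN 5    :", vlan_after_trunk(5, 15, 5))
    print("mismatched natives, VLAN 10   :", vlan_after_trunk(5, 15, 10))
```

The last two lines of output are the point: tagged VLAN 10 traffic crosses a mismatched trunk unharmed, but VLAN 5 traffic, sent untagged because it is A's native VLAN, is classified as VLAN 15 on arrival at B. That is why the mismatch is worth a console error and why the trunking posts insist both ends agree.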
Troubleshoot CPU spikes on Cisco switches and routers
CPU spikes on switches and routers can cause hard-to-explain problems in the network because traffic flowing through the network gear can be discarded or paused. Applications like SolarWinds that track network utilization only show the average processor usage rather than the spikes that occur periodically. Network problems can still occur when the processor spikes close to 100 percent even for a few seconds.
Thankfully, Cisco has included a new command that can track cpu spikes. You must be at the enable prompt in order to issue this command.
routerA#show process cpu history
This command shows CPU usage charts for the past 60 seconds, 60 minutes and 72 hours. The charts are drawn in text and show average CPU usage with the # sign and maximum CPU with * symbols. Note that the charts are not retained after the router or switch reboots. For the most part, anything above 80 percent is a concern. If the maximum CPU reaches above that point, the network device probably caused some sort of network disruption because there weren't enough CPU cycles left over to process the traffic. The symptoms are unusual, unexplainable and intermittent network problems, almost as if ghosts or gremlins were causing havoc in the network.
Isolating what is causing the CPU spikes
Unfortunately, most of the detective work comes after diagnosing the CPU spike. The simplest way is to watch the device and enter the following command during the processor spike.
RouterA#show process cpu sorted
The process occupying the most processor time will be at the top. That should isolate what type of traffic is causing the spike. Notice that this command shows CPU utilization for the last five seconds, one minute and five minutes.
Cisco gear is designed to process typical traffic in its special hardware rather than in the CPU, so a CPU spike is a sign that something atypical is occurring on the network. The exact cause can be almost anything. For example, some types of traffic, such as AppleTalk and IPX (older protocols that have been replaced by TCP/IP), are handled by the processor rather than in hardware on newer Cisco equipment. An overly complicated configuration with too many access control lists can cause problems too. Perhaps the device is under a denial of service attack, or the network utilization is beyond the device's capacity and an upgrade is needed.
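Catching the spike by hand is the hard part, so the show process cpu sorted output is a natural thing to poll and parse. The block below is an added example, not code from the original post or from Cisco: it parses the header line, which on IOS reads "CPU utilization for five seconds: X%/Y%; ..." where X is total CPU and Y the share spent at interrupt level (traffic the CPU is switching itself), splits out the per-process rows, and raises an alert against the post's 80 percent threshold together with the top process. The command output in the block is constructed.

```python
"""Parser and threshold check for 'show processes cpu sorted' (added example).

Not from the original post. parse_show_processes_cpu() returns the header
figures and per-process rows; assess() applies a threshold (80% by default,
the post's rule of thumb) and names the process at the top of the list.
"""
from __future__ import annotations

import re

HEADER = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
# PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process (name may contain spaces)
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")


def parse_show_processes_cpu(output: str) -> dict:
    """Turn the command output into a dict of totals and per-process rows."""
    head = HEADER.search(output)
    if head is None:
        raise ValueError("CPU utilization header line not found")
    five_sec, interrupt, one_min, five_min = map(int, head.groups())
    processes = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            processes.append({
                "pid": int(m.group(1)),
                "five_sec": float(m.group(5)),
                "one_min": float(m.group(6)),
                "five_min": float(m.group(7)),
                "process": m.group(9),
            })
    return {
        "five_sec_total": five_sec,
        "five_sec_interrupt": interrupt,          # CPU spent switching packets
        "five_sec_process": five_sec - interrupt,  # CPU spent in IOS processes
        "one_min": one_min,
        "five_min": five_min,
        "processes": processes,
    }


def assess(output: str, threshold: int = 80) -> dict:
    """Flag a five-second reading above the threshold and name the busiest process."""
    stats = parse_show_processes_cpu(output)
    ranked = sorted(stats["processes"], key=lambda p: p["five_sec"], reverse=True)
    return {
        "alert": stats["five_sec_total"] > threshold,
        "top_process": ranked[0]["process"] if ranked else None,
        "stats": stats,
    }


# Constructed sample output; the figures are invented for the example.
SAMPLE = """\
CPU utilization for five seconds: 91%/12%; one minute: 45%; five minutes: 30%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 181      123456       98765       1250 61.20% 22.10%  9.00%   0 IP Input
   3        9876        4321        210 12.50%  8.00%  6.10%   0 ARP Input
  42         300          50        600  0.80%  0.50%  0.40%   0 Exec
"""


if __name__ == "__main__":
    result = assess(SAMPLE)
    s = result["stats"]
    print(f"5s total {s['five_sec_total']}% (interrupt {s['five_sec_interrupt']}%,"
          f" process {s['five_sec_process']}%) alert={result['alert']}"
          f" top={result['top_process']}")
```

A high process-level figure with IP Input at the top, as in the sample, points at traffic the hardware could not handle and handed to the CPU, which is the "something atypical" the post describes; a high interrupt-level figure with a quiet process list points more at sheer volume. Polling this every few seconds during the problem window and logging only readings that trip the alert gives the evidence the post says is otherwise hard to collect.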
Port Channels are a quick way to get more bandwidth by aggregating multiple connections in one virtual pipe. For instance, tie four gigabit ports together into a channel and it becomes a four gigabit connection.
Channels can also offer redundancy fault tolerance for physical connections. If one of the links involved in a channel loses connection, the channel will continue on with the existing ports and three quarters of the bandwidth.
Ports involved in a channel must be on the same blade in a modular switch like a Catalyst 4500 or 6500.
Configuring port channels has become much easier in recent IOS versions. First, designate the desired ports into a channel group.
My_Switch(config)#interface GigabitEthernet2/1
My_Switch(config-if)#description Core Connection
My_Switch(config-if)#channel-group 2 mode desirable
My_Switch(config)#interface GigabitEthernet2/2
My_Switch(config-if)#description Core Connection
My_Switch(config-if)#channel-group 2 mode desirable

