
How can I pass another complete network over my network

dajohnso (Level 1)

I have a network that connects two buildings with switch A and switch B. These two switches are connected with a pair of trunks using 1G dishes. I have about 10 VLANs configured in my environment and everything works fine for my equipment and networks. I have a need to connect a third party's network (switch C and D) over my network, but I don't want to intermix the two networks. I have verified they have Cisco switches as well and none of the VLANs overlap (except we both have native VLAN 1; I know, I'm already considering changing to a different native VLAN). How can I bridge their switches using my link? I tried turning off LLDP and connecting their trunk to my switch on an unused VLAN, and that didn't work. I changed my ports to trunks and only allowed VLANs 1,400,600,1002-1005, and I was able to ping from C to D (over A & B) with different IP blocks than I use in my network, but when I added a VLAN to switch C it did not show up on switch D in VTP, even though it does when they are directly connected. So, in short: how can I connect C & D over my A & B so that C & D do not show up as CDP neighbors in my environment, C & D do not show my switches as CDP neighbors, and all traffic and admin of C can reach D? I don't need to (or want to) be able to access anything on C or D, and I certainly do not want C & D to see anything in my network. I can make any changes to my environment that are needed, but I can only make suggestions for changes on the vendor network. Would it help if I moved everything in VLAN 1 to VLAN 2 and made it my native/management VLAN? I want the connection between C & D to be as transparent as possible, almost like they are directly connected. (I would rather NOT put them on one set of dishes and me on the other; I like having the redundant pair of dishes even though I do not need 2 Gbps throughput. They are in a port-channel group for load balancing and redundancy.)

[Diagram attached: dajohnso_1-1745769954962.png]


115 Replies

Jens Albrecht (Spotlight)

@dajohnso You were asking regarding differences of the default settings between the platforms.

So here is the config of interface Gi1/0/1 of switch A using the "show run all" command:

interface GigabitEthernet1/0/1
 mvrp timer leave-all 1000
 mvrp timer leave 60
 mvrp timer join 20
 no mvrp timer periodic
 no mvrp
 switchport
 switchport access vlan 100
 switchport trunk allowed vlan all
 no switchport autostate exclude
 switchport private-vlan trunk encapsulation dot1q
 switchport private-vlan trunk native vlan tag
 switchport mode dot1q-tunnel
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 no switchport vepa enabled
 no switchport app-interface
 no switchport port-security mac-address sticky
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 logging event link-status
 load-interval 300
 carrier-delay 2
 no shutdown
 power inline port priority low
 power inline auto max 30000
 power inline static
 power inline never
 power inline police
 no medium p2p
 no cdp enable
 cdp log mismatch duplex
 ipv6 mld snooping tcn flood
 no macsec replay-protection
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 l2protocol-tunnel lldp
 no mka pre-shared-key
 mka default-policy
 bfd enable
 arp arpa
 arp timeout 14400
 lldp transmit
 lldp receive
 lldp tlv-select power-management
 lldp tlv-select 4-wire-power-management
 lldp med-tlv-select network-policy
 lldp med-tlv-select power-management
 lldp med-tlv-select location
 lldp med-tlv-select inventory-management
 channel-group auto
 spanning-tree port-priority 128
 spanning-tree cost 0
 hold-queue 2000 in
 hold-queue 40 out
 ip igmp snooping tcn flood
 no bgp-policy accounting input
 no bgp-policy accounting output
 no bgp-policy accounting input source
 no bgp-policy accounting output source
 no bgp-policy source ip-prec-map
 no bgp-policy source ip-qos-map
 no bgp-policy destination ip-prec-map
 no bgp-policy destination ip-qos-map
!

 

I also attach the complete output as a ZIP-file for your reference, in case you also want to compare the global settings.

Jens Albrecht (Spotlight)

Just completed the swap test to see how the 3560s perform as ISP Core switches. To make things a bit easier, I left the vlans as they were and "only" reconfigured the connection between the 9200 and 3560 switches as well as setting a trunk between the 3560s.

Result:
The 3560s do a perfect job and everything is working as it should.
So the 9200 Customer side switches have full connectivity in vlans 1, 100 and 300 but no connectivity with the 3560s in vlan 1.

Config of the dot1-q tunnel interfaces:

interface GigabitEthernet0/1
 switchport access vlan 200
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel lldp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable

Same interface with all defaults using the "show run all" command:

interface GigabitEthernet0/1
 switchport
 switchport access vlan 200
 switchport trunk encapsulation negotiate
 switchport private-vlan trunk encapsulation dot1q
 switchport private-vlan trunk native vlan tag
 switchport mode dot1q-tunnel
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 switchport port-security maximum 1
 switchport port-security violation shutdown
 no switchport port-security mac-address sticky
 switchport port-security aging time 0
 switchport port-security aging type absolute
 no switchport port-security aging static
 no switchport port-security
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 load-interval 300
 mls qos cos 0
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 no cdp enable
 cdp tlv server-location
 arp arpa
 arp timeout 14400
 spanning-tree port-priority 128
 spanning-tree cost 0
 hold-queue 75 in
 hold-queue 0 out
 ip igmp snooping tcn flood
 no bgp-policy accounting input
 no bgp-policy accounting output
 no bgp-policy accounting input source
 no bgp-policy accounting output source
 no bgp-policy source ip-prec-map
 no bgp-policy source ip-qos-map
 no bgp-policy destination ip-prec-map
 no bgp-policy destination ip-qos-map

So the problems seem to be platform- or IOS-version-specific and not related to the configuration.

HTH!

THANK YOU. This proves the issue, and now I will have to deal with the issues as best as I can with the hardware I have. I will see if the vendor can add an IP to another VLAN for SSH/management, or I could change my (2) core switches. Since the 4948 is 15.0 and the 4948E is 15.2, do we think that if I change out the cores with 4948Es it would fix it, or is it a 4500 IOS issue? I only had one 4948E in the lab, so I ordered another 4948E to test it out.


Did you mention which IOS versions you had on your switches?

You are welcome! Always glad if I can help. I trust that it's worth checking whether your 4948E can do the job.

Yes, I did mention the IOS version when I posted the full lab setup using the 9200s for the ISP Core.

Cisco IOS Software, C3560-IPSERVICESK9-M, Version 15.0(2)SE11

Ah yes, same as what I am using on the 4948. When my 4948E arrives we'll find out if it was a "feature" of 15.0 that was fixed in 15.2.

Just curious, did you ever try changing C&D trunks native VLAN to something unused?  (This to get VLAN 1 frames tagged.)

I only had one 4948E in the lab

BTW, I suspect you could test the 4948 and 4948E individually, i.e. just use one core switch with two .1Q interfaces. I think it less likely that the possible issue is on the trunk ports between A & B.

I can try that with the 4948E, but my original lab test had three 4948s, and when I had issues I went and grabbed the 4948E to see if it was an issue with everything on one switch. So with the 4948 I could not pass traffic on VLAN 1 from C to D either. I'll try again with the 4948E and see what happens.

OK, so I did the test with a single 4948E as the "core", configuring ports gi1/1 and gi1/2 as the dot1q tunnel and... switches C & D CAN ping each other on VLAN 1. Whatever the issue is, it was fixed in the 4500E release and is working on IOS 15.2.

So, I think I will upgrade the two core switches to 4948Es just to reduce the chances of an issue and make my dish link "more transparent" to my customer "vendor network". I couldn't find what the newest release supported by the older 4948 is; it's only showing the 4948E (4500E) IOS version. Does anyone happen to know what the last release for the 4500 was (not the 4500E)?

 

Thank you all, for all the help and input. I have learned so much in the last week.

OK, now I need to add another level of complexity here... In my diagram I had a "vendor network"; well, I actually have two vendors that need to pass over my link. In the last test that worked I had the dot1q trunks set to use "switchport access vlan 22". I assume that I can then set another interface to "switchport access vlan 23" and create a "different" tunnel for the second vendor?

Thank you too for letting us know it was the 4948 platform not working as expected.

If you ever have the spare time, in your "lab" setup, with 3 switches, using your 4948 as the "core", I'm still curious to know whether tagging VLAN 1 would have allowed it to work correctly.

As to the latest version of IOS for the 4948, mostly what I found in public release notes is something like 12.2(54)SG1. However, on these forums there's mention of moving to 15.0.2-SG10. So your 15.0.2-SG11 would appear to be the subsequent release; possibly pretty close to a final, if not the final, release. The latest for the 4500 Sup V may have also been the 15.0(2)SG# series (or 15.1(2)SG#).

BTW, I recall on the 3560/3750 series, the 15.0 versions were not nearly as stable as the previous 12.2 series.

Jens Albrecht (Spotlight)

@dajohnso  ok, now I need to add another level of complexity here...I

Actually it is pretty easy to add more vendors/customers to your network. I used the following setup for further testing:

[Diagram attached: JensAlbrecht_0-1746305166266.png]

In order to test the isolation of the customer networks I configured both to use Vlan 1 as their native vlan and both also use Vlan 222 in addition to their unique Vlans.
The ISP Core switches use "switchport access vlan 10" towards customer 1 and "switchport access vlan 30" towards customer 2 on the dot1q-tunnel interfaces. Otherwise the config is the same as in the previous setups.

Results:
Everything works as expected with clear separation between the networks of customer 1 and 2.
Customer 1 has connectivity between switches C and D in Vlans 1, 20, 40 and 222.
Customer 2 has connectivity between switches X and Y in Vlans 1, 50, 60 and 222.
No connectivity between customer 1 and 2 in Vlans 1 and 222 so tagged and untagged traffic is separated as expected.
No connectivity from customers 1 and 2 to the ISP Core in Vlan 1.
CDP, LLDP, STP and VTP work as expected between switches C and D as well as between switches X and Y.

In summary everything looks fine and you should be ready to go with your 4948Es.

@Joseph W. Doherty I also had a chance to test this setup in CML and results are identical to the physical setup.
For this lab I used 2 x cat9000v-q200 and 4 x IOSvL2 switches. The cat9000v are still labeled BETA but nevertheless doing a good job here.

HTH!
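The two lab write-ups above (the dot1q-tunnel interface config with `l2protocol-tunnel`, and the two-customer test with overlapping VLAN 1 and VLAN 222) describe what the edge ports and the A/B trunk do to a customer frame without showing the frames themselves. The following is an added example, not code from the thread or from any of the posters: a byte-level model of a dot1q-tunnel edge port, the provider trunk between A and B, and the L2PT rewrite of CDP. Port names and VLAN numbers follow Jens's lab (C/D = customer 1 on provider VLAN 10, X/Y = customer 2 on VLAN 30); the MAC addresses, the `CDP_TYPE` ethertype standing in for CDP's SNAP encapsulation, and the payloads are constructed test data. It also shows the documented Q-in-Q caveat that is not part of the thread's lab: if a tunnel port's access VLAN equals the provider trunk's native VLAN and native frames go untagged, a customer's C-tag becomes the only tag on the trunk and the frame lands in the provider's VLAN of that number.

```python
"""Model of 802.1Q-in-802.1Q ("dot1q-tunnel") edge ports plus a provider trunk.
Added example; all addresses and payloads are constructed, not captured."""
import struct

ETH_P_8021Q = 0x8100
CDP_MAC = bytes.fromhex("01000ccccccc")   # destination MAC of CDP/VTP/DTP frames
L2PT_MAC = bytes.fromhex("01000ccdcdd0")  # Cisco L2PT rewrite address used in transit
CDP_TYPE = 0x2000                         # constructed stand-in for CDP's SNAP PID
ARP_TYPE = 0x0806
BCAST = b"\xff" * 6
SRC = bytes.fromhex("0200c0ffee01")       # constructed customer source MAC

def eth_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame with an optional single 802.1Q tag (the customer C-tag)."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def vlan_tags(frame):
    """VLAN IDs of all 802.1Q tags on the frame, outermost first."""
    tags, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags

def push_tag(frame, vlan):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan) + frame[12:]

def pop_tag(frame):
    return frame[:12] + frame[16:]

def tunnel_ingress(frame, access_vlan):
    """Edge port receive ('switchport mode dot1q-tunnel' + 'l2protocol-tunnel cdp'):
    push the provider S-tag on top of whatever the customer sent, tagged or not,
    and hide customer CDP behind the L2PT MAC so provider switches ignore it."""
    if frame[:6] == CDP_MAC:
        frame = L2PT_MAC + frame[6:]
    return push_tag(frame, access_vlan)

def trunk_crossing(frame, native_vlan, tag_native):
    """Carry a frame over the A<->B trunk. The sender strips the outer tag when it
    equals the trunk native VLAN and 'vlan dot1q tag native' is off; the receiver
    classifies an untagged frame into its native VLAN, otherwise into the
    outermost tag present. Returns (provider_vlan, frame_as_received)."""
    if vlan_tags(frame)[0] == native_vlan and not tag_native:
        frame = pop_tag(frame)
    tags = vlan_tags(frame)
    return (tags[0] if tags else native_vlan), frame

def tunnel_egress(frame, provider_vlan):
    """Edge port transmit: pop the S-tag if it is still present and restore the
    CDP destination so the customer switch receives an ordinary CDP frame."""
    tags = vlan_tags(frame)
    if tags and tags[0] == provider_vlan:
        frame = pop_tag(frame)
    if frame[:6] == L2PT_MAC:
        frame = CDP_MAC + frame[6:]
    return frame

def forward(frame, ingress, ports, native_vlan=1, tag_native=True):
    """Deliver one frame from tunnel port `ingress` (switch A) to the tunnel ports
    behind the trunk (every other entry of `ports`, a {name: access_vlan} map).
    A frame classified into a VLAN that has no tunnel port floods inside the
    provider's own VLAN; that case is reported under a 'provider-vlan-N' key."""
    frame = tunnel_ingress(frame, ports[ingress])
    pvlan, frame = trunk_crossing(frame, native_vlan, tag_native)
    out = {n: tunnel_egress(frame, pvlan) for n, v in ports.items()
           if n != ingress and v == pvlan}
    if not out:
        out["provider-vlan-%d" % pvlan] = frame
    return out

PORTS = {"C": 10, "D": 10, "X": 30, "Y": 30}   # customer 1 = C/D, customer 2 = X/Y

def scenarios():
    """Run the thread's test cases plus the native-VLAN misconfiguration."""
    untagged = eth_frame(BCAST, SRC, ARP_TYPE, b"arp-on-customer-native-vlan-1")
    tagged222 = eth_frame(BCAST, SRC, ARP_TYPE, b"arp-on-vlan-222", vlan=222)
    cdp = eth_frame(CDP_MAC, SRC, CDP_TYPE, b"cdp-hello")
    in_transit = trunk_crossing(tunnel_ingress(cdp, PORTS["C"]), 1, True)[1]
    return {
        # customer native VLAN 1 rides inside S-tag 10, never in provider VLAN 1
        "c1_untagged": forward(untagged, "C", PORTS),
        "c1_transit_tags": vlan_tags(tunnel_ingress(untagged, PORTS["C"])),
        # both customers use C-VLAN 222, yet only the S-tag decides delivery
        "c1_vlan222": forward(tagged222, "C", PORTS),
        "c2_vlan222": forward(tagged222, "X", PORTS),
        # CDP is rewritten to the L2PT MAC on the A/B trunk and restored at D
        "cdp_transit_dst": in_transit[:6],
        "cdp_delivered": forward(cdp, "C", PORTS),
        # tunnel access VLAN == trunk native VLAN with untagged native: C-tag hops
        "hop_bad": forward(tagged222, "C", PORTS, native_vlan=10, tag_native=False),
        "hop_fixed": forward(tagged222, "C", PORTS, native_vlan=10, tag_native=True),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result if not isinstance(result, dict) else list(result))
```

The model reproduces the results Jens reports (separation of the two customers' VLAN 222, no customer traffic in the provider's VLAN 1, CDP passing end to end) and shows why the tunnel ports' access VLANs (10 and 30) must stay away from the trunk's native VLAN, or `vlan dot1q tag native` must be set globally. It does not model the platform-specific VLAN 1 behaviour seen on the 4948; that is a hardware/IOS matter the thread resolves by testing, not a property of the encapsulation.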


@Jens Albrecht, just curious: as I mentioned, my PC just didn't have the resources to spin up a 9k. What CML version (a 2.8 version?) are you using, and what resources are provided to it (RAM, number of CPUs)?

I use CML version 2.8.1 with 8 CPUs and 40 GB of RAM assigned to this VM.
That's good enough for 2 x C9Kv plus some IOSv devices and for more complex labs I still use hardware.

The basic dot1q-tunnel lab runs fine but after adding some more switches to answer the latest questions, I face some issues. IP connectivity still works but the L2-control traffic does not behave as expected any longer. So going to lab this up in hardware once I have the time to do this.

dajohnso (Level 1)

Thanks for the detailed post. That is what I expected for adding a second vendor.