09-17-2023 07:14 AM
Hi,
I have a simple setup. One Fortigate 60D and one Switch Cisco 2960.
Both work well together when I use trunk ports on the switch ports. I mean, it works as I think it should. A NIC only gets an IP if it has the appropriate VLAN predefined.
If I use an access port I don't get an IP from the DHCP router (Fortigate). I always end up with "not identified network".
I tried many combinations, but I cannot get an IP in access mode with a predefined VLAN on a NIC.
Except for a NIC with no VLAN defined. Then the NIC gets an IP from the proposed port (switchport access VLAN, e.g. 2 or 10).
Is this the standard behavior? I'm an experienced IT engineer just coming across a network environment and the Cisco world in a bigger company. In this field I am a rookie.
I wonder if we should use only trunk ports or only access ports on the port side of a switch. What is the best practice when people are working at different locations?
Best, Werner
09-17-2023 07:26 AM
Hello @Kaeser49,
Access ports are used to connect end-user devices like computers, printers, or phones to the network.
The device connected to an access port should be configured to use the same VLAN ID that is set on the access port for proper communication and DHCP requests.
Trunk ports are typically used between switches or between a switch and a router to allow traffic from multiple VLANs to pass through a single interface.
Devices connected to trunk ports need to be configured to handle VLAN tagging (e.g., servers, other switches, routers, Firewall).
09-17-2023 10:13 AM
Can you post the trunk config connected to the Fortigate FW and also post the access port config?
What VLAN are you getting the IP address on for the device?
What access port config did you configure so that the PC does not get an IP address?
09-18-2023 10:52 AM
Switch-1#sh runn
Building configuration...
Current configuration : 3480 bytes
!
! Last configuration change at 01:45:23 UTC Wed Mar 30 2011
! NVRAM config last updated at 05:07:38 UTC Thu Mar 31 2011
!
version 15.2
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch-1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
!
!
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-483838080
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-483838080
revocation-check none
rsakeypair TP-self-signed-483838080
!
!
crypto pki certificate chain TP-self-signed-483838080
certificate self-signed 01
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/1
switchport trunk allowed vlan 2
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk allowed vlan 10
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk allowed vlan 2,10
switchport mode trunk
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/8
switchport trunk allowed vlan 2,10,88
switchport mode trunk
!
interface GigabitEthernet0/1
switchport trunk allowed vlan 2,10,88
switchport mode trunk
!
interface GigabitEthernet0/2
switchport trunk allowed vlan 2,10,88
switchport mode trunk
!
interface Vlan1
ip address dhcp
!
interface Vlan2
ip dhcp relay information trusted
ip address 192.168.2.2 255.255.255.0
ip helper-address 192.168.2.99
!
interface Vlan10
ip dhcp relay information trusted
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.10.99
!
interface Vlan88
ip dhcp relay information trusted
ip address dhcp
ip helper-address 192.168.88.99
!
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
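Added example (not part of the thread, and not Cisco or Fortinet code): a small Python model of the access/trunk behaviour discussed above, run over a constructed excerpt of the interface stanzas in the posted config. Function names are hypothetical; the model assumes the IOS defaults of VLAN 1 for the access and native VLAN, and treats a tagged frame on an access port as not forwarded.

```python
import re

# Constructed excerpt: three interface stanzas from the config posted above.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk allowed vlan 2
 switchport mode trunk
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/8
 switchport trunk allowed vlan 2,10,88
 switchport mode trunk
"""

def expand(spec):  # '2,10-12' -> {2, 10, 11, 12}
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_ports(config):
    ports, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            # IOS defaults: access/native VLAN 1, every VLAN allowed on a trunk.
            cur = ports[m.group(1)] = {"mode": None, "access": 1,
                                       "native": 1, "allowed": None}
        elif cur and (m := re.match(r"switchport mode (access|trunk)$", line)):
            cur["mode"] = m.group(1)
        elif cur and (m := re.match(r"switchport (access|trunk native) vlan (\d+)$", line)):
            cur[m.group(1).split()[-1]] = int(m.group(2))
        elif cur and (m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line)):
            cur["allowed"] = expand(m.group(1))
    return ports

def ingress_vlan(port, tag=None):
    """VLAN a host frame lands in (tag=None: untagged NIC); None if not forwarded."""
    if port["mode"] == "trunk":
        vid = port["native"] if tag is None else tag
        return vid if port["allowed"] is None or vid in port["allowed"] else None
    if port["mode"] == "access":
        # Assumption matching the thread: an access port does not forward tagged frames.
        return port["access"] if tag is None else None
    return None  # no explicit switchport mode: negotiation is not modelled

def report(config, tags=(None, 2, 10)):
    return {n: {t: ingress_vlan(p, t) for t in tags} for n, p in parse_ports(config).items()}
```

In the result, an untagged NIC only lands in a VLAN on the access port, while the trunk ports forward only frames tagged with an allowed VLAN, because the default native VLAN 1 is not in their allowed lists.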