VTP/ISL Issue - Spanning VLANs over two switches

TALLCHRIS (Level 1)

Hi All

We're trying to span multiple VLANs over two Catalyst 3524s. We've used VTP to mirror the VLAN setup/database on both switches and connected the switches using an ISL trunk. The VLANs work, but the problem arises when data travels over the ISL trunk.

I require packets from VLAN1 on Switch A to be delivered to VLAN1 on Switch B; instead, the traffic is currently able to leave VLAN1 on Switch A and then travel to any VLAN on Switch B.

Any ideas?

Thanks

15 Replies

smif101 (Level 4)

The first thing I would do is not run anything on VLAN 1, use VLAN 2 and 3 for your configuration. The next thing I would do is run dot1q encapsulation on the trunk instead of ISL. Try that and if that doesn't work, post the relevant configs of the switches.

aashish.c (Level 4)

Hi,

Do you mean that data from VLAN 1 is going to any other VLAN, like VLAN 2 or 3?

Please post the sh run from the 2 switches.

Regards

aashish C

Kevin Dorrell (Level 10)

Could you also post the output of "show vtp status" on the two switches, please.

Kevin Dorrell

Luxembourg

Hi

Below is the show run for both switches, and at the bottom is the show vtp status as well.

Current configuration:
!
! Last configuration change at 09:59:11 UTC Thu Sep 9 2004
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SRT_SW_C6_RW
!
enable secret ***************************
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
 switchport access vlan 65
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 65
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 66
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 66
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 67
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 67
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 68
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 68
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 69
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 69
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 70
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 70
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 71
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 71
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 72
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 72
 spanning-tree portfast
!
interface FastEthernet0/17
 spanning-tree portfast
!
interface FastEthernet0/18
 spanning-tree portfast
!
interface FastEthernet0/19
 spanning-tree portfast
!
interface FastEthernet0/20
 spanning-tree portfast
!
interface FastEthernet0/21
 spanning-tree portfast
!
interface FastEthernet0/22
 spanning-tree portfast
!
interface FastEthernet0/23
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
 ip address X.X.X.X 255.255.252.0
 no ip redirects
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 standby 1 priority 254 preempt
 standby 1 name StartekUK_standby
 standby 1 ip X.X.X.X
!
ip default-gateway X.X.X.X
snmp-server engineID local 00000009020000049B532280
snmp-server community private RW
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 transport input none
 stopbits 1
line vty 0 4
 password *********
 login
line vty 5 15
 password *********
 login
!
end

VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 254
Number of existing VLANs : 13
VTP Operating Mode : Client
VTP Domain Name : startekuk
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x3C 0x2D 0x49 0x53 0xD8 0x94 0x1F 0xEC
Configuration last modified by X.X.X.X at 9-7-04 15:38:47

Cheers

Well I see that you have both switches setup as client. I would first set one to be a server and the other one a client or set them both to be transparent with the command.

switch(config)#vtp mode transparent

The next thing is I don't see where you have the trunk setup between the switches. Configure your gig E interfaces as such.

Switch1(config)#interface gigabitethernet 0/1

Switch1(config-if)#switchport trunk encapsulation dot1q

Switch1(config-if)#switchport mode trunk

Switch2(config)#interface gigabitethernet 0/1

Switch2(config-if)#switchport trunk encapsulation dot1q

Switch2(config-if)#switchport mode trunk

See if that fixes your problems.

Jason Smith

www.smif101.com

I assumed he was using F0/24 as his trunk. Can you confirm that, tallchris? If so, then you don't have any other switches connected via trunks, so Jason is right, you do need one of the switches to be a VTP server. It is also interesting that both of your switches are configuration version 1, which implies VTP is not working. However, I don't yet see why this should cause the VLAN hopping you are describing.

Kevin Dorrell

Luxembourg

Sorry, I've pasted the same config twice... the other config for the switch is below. With regards to the trunk, we are using port 24 as the trunk, using a crossover cable between the switches. This is just while the project is on the test bench; when it goes live we're going to use one of the Gigabit ports for the trunk. From what I've seen, VTP does seem to be propagating the settings from the server to the client.

Current configuration:
!
! Last configuration change at 09:49:00 UTC Thu Sep 9 2004
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SRT_SW_C9_RW
!
enable secret xxxxx
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
 switchport access vlan 65
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 65
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 66
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 66
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 67
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 67
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 68
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 68
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 69
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 69
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 70
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 70
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 71
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 71
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 72
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 72
 spanning-tree portfast
!
interface FastEthernet0/17
 spanning-tree portfast
!
interface FastEthernet0/18
 spanning-tree portfast
!
interface FastEthernet0/19
 spanning-tree portfast
!
interface FastEthernet0/20
 spanning-tree portfast
!
interface FastEthernet0/21
 spanning-tree portfast
!
interface FastEthernet0/22
 spanning-tree portfast
!
interface FastEthernet0/23
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
 ip address X.X.X.X 255.255.252.0
 no ip redirects
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 standby 1 priority 255 preempt
 standby 1 name StartekUK_standby
 standby 1 ip X.X.X.X
!
ip default-gateway X.X.X.X
snmp-server engineID local xxxxx
snmp-server community private RW
snmp-server community public RO
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password **********
 login
line vty 5 15
 password **********
 login
!
end

VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 254
Number of existing VLANs : 13
VTP Operating Mode : Server
VTP Domain Name : startekuk
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x3C 0x2D 0x49 0x53 0xD8 0x94 0x1F 0xEC
Configuration last modified by 10.50.22.2 at 9-7-04 15:38:47
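As an added example (not posted in the thread), a small Python audit of a "show run" in the style of the two configs above, run over a constructed, abbreviated config with made-up addresses. It assumes the one-space indentation IOS prints for sub-commands (the pasted copies above lost theirs) and flags the items the replies go on to question: portfast on the trunk port, no explicit trunk encapsulation, the "ip nat outside" and HSRP "standby" lines under VLAN1, and the default SNMP communities with RO/RW access.

```python
import re

# Constructed, abbreviated "show run" in the style of the posted configs.
# Addresses are made up; the thread masks its own.
SAMPLE_CONFIG = """\
hostname SRT_SW_C6_RW
no service password-encryption
interface FastEthernet0/24
 switchport mode trunk
 spanning-tree portfast
interface VLAN1
 ip address 10.0.0.2 255.255.252.0
 ip nat outside
 standby 1 priority 254 preempt
 standby 1 ip 10.0.0.1
snmp-server community private RW
snmp-server community public RO
"""

def parse_interfaces(config):
    """Group each interface's indented sub-commands under the interface name."""
    sections = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None          # any other top-level command ends the section
    return sections

def audit(config):
    """One finding per item the thread raised, plus two classic config hygiene checks."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in cmds
        if trunk and "spanning-tree portfast" in cmds:
            findings.append(f"{name}: portfast on a trunk port")
        if trunk and not any(c.startswith("switchport trunk encapsulation") for c in cmds):
            findings.append(f"{name}: trunk encapsulation left at platform default")
        if "ip nat outside" in cmds:
            findings.append(f"{name}: 'ip nat outside' present")
        if any(c.startswith("standby ") for c in cmds):
            findings.append(f"{name}: HSRP 'standby' configured")
    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)\b", config, re.M):
        if m.group(1).lower() in ("public", "private"):
            findings.append(f"snmp: default community '{m.group(1)}' with {m.group(2)} access")
    if re.search(r"^no service password-encryption", config, re.M):
        findings.append("global: service password-encryption disabled")
    return findings
```

Feeding it the real outputs would need the indentation restored first, since the copies pasted above have it stripped.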

First let's see if VTP is working correctly. I see both of your VTP configurations are version 1. Try adding a VLAN on the VTP server switch. The configuration version will go up to 2. If the configuration version on the VTP client switch also goes up to 2, and the client switch inherits the new VLAN, then VTP is working correctly.

If VTP is working correctly, then the trunk must be working correctly.

I can concur with someone's earlier comment though, that you might consider using 802.1Q encapsulation rather than ISL. ISL is an older proprietary trunking protocol, and has a larger overhead. Some recent Cisco equipment does not support it. 802.1Q, on the other hand, is an open standard.

Kevin Dorrell

Luxembourg

I've tried what you have suggested with regards to VTP over ISL and also Dot1Q. Both work, as the client inherits any new VLAN(s) that I create on the server.

It looks as though any VLAN can go to any other VLAN on another switch after passing over the trunk. Could this potentially be an ACL issue? Could ACLs be used to resolve the issue?

One other thing to be aware of is that each of the 8 VLANs that we have configured is going to handle a different subnet.

That's good. The trunk and the VTP are working correctly.

No, it's not an ACL issue. If you have to use ACLs to fix it, then it's a kludge. VLANs simply shouldn't leak so easily, otherwise Cisco would be very red-faced.

"The 8 VLANs will be configured with different subnets." Good also. That's exactly as I would expect it to be.

I'm starting to clutch at straws here, but I love a challenge, so here goes:

I wonder what your test setup looks like? What is your evidence that the VLANs are leaking? Perhaps there is some other unexpected effect going on.

I see you are using HSRP. Is it working correctly? You show addresses as x.x.x.x for security reasons. Could you give us some clues please? Make up the addresses, but so that we can see the relationship between them.

The "ip nat outside" does not seem to fit in with anything else. Try removing it for a moment. Shouldn't make any difference though.

I suppose you don't have any other router attached to the test network? Just thought I'd ask.

If two machines on different VLANs can talk to each other, then what do they have in their ARP cache for each other? Is it their own MAC addresses, or something else? Do the two machines' netmasks include each other's addresses?

That's all I can think of for the moment. Good luck.

Kevin Dorrell

Luxembourg

Thanks for the info... I think it's about time we supplied you with the full picture. We're trying to load balance two Checkpoint NG FP3 firewalls using a package called RainWall. RainWall simply load balances each subnet on a virtual IP.

The diagram currently shows the gigabit port as the Trunk, at the moment this is Ethernet Port 24 for the purpose of testing.

Evidence of VLAN leakage is apparent from the fact that machines on separate VLANs can see each other even when the firewall(s) is denying access (according to the logs, the packets don't go near the firewall), and this is proved by disconnecting the trunk, which stops the machines accessing each other.

HSRP? We didn't intend to use this and weren't aware that it was turned on. Also, the "ip nat outside": again, we have not intentionally turned this on... how can this be disabled?

You're correct with the assumption of the lack of router... there are only switches on the test network and it is currently not connected to the outside world using the top set of routers and switches shown in the attached diagram.

I'll get back to you with regards to the ARP Cache etc... just thought the diagram may help you to understand what we're trying to achieve.

"Evidence of VLAN leakage is apparent from the fact that machines on separate VLANs can see each other even when the firewall(s) is denying access (according to the logs, the packets don't go near the firewall), and this is proved by disconnecting the trunk, which stops the machines accessing each other."

Are the DL380g3 plugged in, and can they do routing? (I suppose they can, like most firewalls). When you disconnect the trunk, it stops the traffic between the test machines. But this could still be the fault of the DL380g3. Here is the scenario:

If a machine A on VLAN A on the left switch tries to talk to a machine B on VLAN B on the right switch, what does it do? It goes to its default router, which I suppose is an interface of the (left) DL380g3. Machine A won't have an ARP cache entry for machine B, it will have an entry for its default gateway.

So, what does the left-hand DL380 do? Well, it has a route to VLAN B, so it ARPs for machine B on VLAN B. That goes back into a VLAN B port on the left switch. The ARP travels across (note across) the trunk to the right switch and finds machine B.

The path from machine A to machine B is up into the DL380 on VLAN A, back into the same switch on VLAN B, then along the trunk.

On the other hand I could be totally wrong.

Kevin Dorrell

Luxembourg

P.S. To get rid of the NAT, conf t into the interface and do "no ip nat outside". We'll think about the HSRP later, but it revolves around those "standby" commands.
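To make Kevin's scenario concrete, here is an added Python model (constructed for this page, not the thread's own) with made-up addresses: host A on VLAN 65 on the left switch, host B on VLAN 66 on the right switch, and a firewall attached to the left switch with an interface in each VLAN. It shows that A's next hop for B is its gateway (so A's ARP cache holds the gateway, not B), that the path runs up into the firewall and back onto the same switch in VLAN 66 before crossing the trunk, and that no frame ever changes VLAN on a switch, yet pulling the trunk still breaks the connection. Firewall policy is not modelled.

```python
import ipaddress

# Constructed model of the scenario described above: two switches joined by one
# trunk, a firewall (the DL380) on the left switch with an interface in each VLAN,
# and one test host per VLAN. Addresses are made up; the thread masks its own.
HOSTS = {
    "A": {"switch": "left",  "vlan": 65, "ip": "10.65.0.10/24", "gw": "10.65.0.1"},
    "B": {"switch": "right", "vlan": 66, "ip": "10.66.0.10/24", "gw": "10.66.0.1"},
}
FIREWALL = {"switch": "left", "ifaces": {65: "10.65.0.1", 66: "10.66.0.1"}}

def next_hop(host, dst_ip):
    """A host ARPs for the destination itself only inside its own subnet; otherwise
    its ARP cache holds the gateway, which is the check Kevin asks for."""
    net = ipaddress.ip_interface(HOSTS[host]["ip"]).network
    return "direct" if ipaddress.ip_address(dst_ip) in net else HOSTS[host]["gw"]

def l2_hops(src_switch, dst_switch, vlan, trunk_up):
    """Layer-2 hops inside ONE VLAN: same switch, or across the trunk when it is up.
    Returns None when the frame cannot get there without leaving the VLAN."""
    if dst_switch == src_switch:
        return [f"{src_switch}:vlan{vlan}"]
    if not trunk_up:
        return None
    return [f"{src_switch}:vlan{vlan}", "trunk", f"{dst_switch}:vlan{vlan}"]

def path(src, dst, trunk_up=True):
    """Hops a packet from src to dst takes; an empty list means it is not delivered."""
    s, d = HOSTS[src], HOSTS[dst]
    hop = next_hop(src, d["ip"].split("/")[0])
    if hop == "direct":
        if d["vlan"] != s["vlan"]:
            return []                  # same subnet, different VLAN: the ARP never arrives
        hops = l2_hops(s["switch"], d["switch"], s["vlan"], trunk_up)
        return [src, *hops, dst] if hops else []
    if FIREWALL["ifaces"].get(s["vlan"]) != hop:
        return []                      # gateway has no interface in the source VLAN
    # The firewall routes the packet out of its interface in the destination VLAN,
    # back into the switch it sits on; only then does the frame cross the trunk,
    # tagged with the destination VLAN. No switch ever moves a frame between VLANs.
    to_fw = l2_hops(s["switch"], FIREWALL["switch"], s["vlan"], trunk_up)
    from_fw = l2_hops(FIREWALL["switch"], d["switch"], d["vlan"], trunk_up)
    if to_fw is None or from_fw is None:
        return []
    return [src, *to_fw, "firewall", *from_fw, dst]
```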

To disable HSRP use commands

no standby group-no

Also, for the problem, I agree with you that the DL380 may act as a router, so all VLANs can talk; we can test with only switches and trunks.
