
VLAN on 2960 and 3560 switches

Hi

We had a new building that's gone up and is complete now, and we're trying to get an IP phone working down that end of the school on a VLAN. We seem to be having trouble with the VLAN going through on the 2960 switch, but it works fine on our core 3560 switch.

There looks to be a slight variation in the config of the switches: the 3560 switch supports the "switchport trunk encapsulation dot1q" command on the interface, whereas the 2960 doesn't support "switchport trunk encapsulation dot1q". Is this why the VLAN is working on the 3560 and not the 2960, or is it something else?

Both switches are using the 12.2 IOS

Here's the trunk port configured on the 3560 going down to the new building and connecting into the 2960 with a 1 Gbit fiber link

interface GigabitEthernet1/2
description 3560X Port UpLink as Trunk Mode
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
storm-control broadcast level 60.00
spanning-tree guard root

Here's the trunk port configured on the 3560 going to a Linksys switch, which then connects to the DHCP server (the other end of the 3560 is also configured as trunk)

interface GigabitEthernet0/6
description Edge Switch port for clients
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast

Here's the working VLAN port on the 3560; the IP phone is able to get an IP and ring all other phones etc.

interface GigabitEthernet0/7
description Edge Switch port for clients
switchport access vlan 2
switchport mode access
spanning-tree portfast


OK, now here's the config for the 2960

Here's the trunk port configured on the 2960 going back up to the 3560 switch

interface GigabitEthernet1/0/25
description Port UpLink as Trunk Mode
switchport mode trunk
udld port
storm-control broadcast level 60.00

Here's the access port configured on the 2960 which isn't passing on VLAN information. Is there another command I need to use to enable encapsulation as dot1q?

interface GigabitEthernet1/0/19
description Edge Switch port for clients
switchport access vlan 2
switchport mode access
spanning-tree portfast


Edison Ortiz

The command is not available on the 2960 as it only supports one form of encapsulation (ISL support has been removed).

The 3560 supports both forms of encapsulation hence the option is there.

You can verify the encapsulation method that is used with the command 'show interface trunk' (actually, can you paste the output here?).

Did you configure the switches as VTP Server/Client or Transparent?

Does Vlan2 exist on both switches' Vlan DB?

Hi Edison

Thanks for your quick reply

I'll be back at work in a few hours and I'll report my findings and verify that the encapsulation is set to dot1q. We currently don't have a VTP domain set up, but I can do that later on today when I'm back in. Yep, I have manually created the VLANs on the switches (without using VTP).

OK, so by having a layer 3 switch and setting the trunk port with switchport trunk encapsulation dot1q, the 2960 shouldn't have to be configured with any encapsulation because the default is already set to dot1q?

Correct.

The 'show interface trunk' command will tell you if Vlan2 is forwarding and active in both switches.

I have a question for you, are you running the phones on the same Vlan as the Data Vlan? That's not best practice.

Phones should run on their own Vlan.

Yep, I only stepped into this school 2 months ago and this was the way it was set up.

At the moment the school only has 2 VLANs. These are the only 2 subnets which have been allocated to us by the state school department. All the public schools in the state are on a big WAN using a class A addressing scheme.

Vlan 1 = /22 for all teachers and students

Vlan 2 = /24 for admin + phones

I'd also like to point out we have a 2811 router which is solely managed by the ISP; we don't have access to it and we don't know the username / password. It's a shame because I would really love to see what settings are in effect there at the moment.

This basically means we can't create new VLANs, right, because we can't subnet down the IP blocks we are given?

You can break the subnets at the 3560 switch but again you have to deal with whoever manages your call manager/dhcp server for ip assignment.

Here's the output of the show interface trunk:


Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/25    on               802.1q         trunking      1
Po2         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/25    1-4094
Po2         1-4094

Port        Vlans allowed and active in management domain
Gi1/0/25    1-2
Po2         1-2

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/25    1-2

Still having trouble with the VLANs on the 2960.

Here are the 3560 VLANs; I've now set up VTP and the 3560 is the VTP server.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/8, Gi0/9, Gi0/10
                                                Gi0/11, Gi0/12, Gi0/13, Gi0/14
                                                Gi0/15, Gi0/16, Gi0/17, Gi0/18
                                                Gi0/19, Gi0/20, Gi0/21, Gi0/22
                                                Gi0/23, Gi0/24, Gi1/2, Gi1/3
                                                Gi1/4
2    admin                            active    Gi0/7   <-- VLAN works fine here

Here's the VLAN output from the 2950

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/9, Gi1/0/10
                                                Gi1/0/11, Gi1/0/12, Gi1/0/13
                                                Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/17, Gi1/0/18, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi1/0/26, Gi1/0/27, Gi1/0/28
2    admin                            active    Gi1/0/19, Gi1/0/20   <-- Doesn't work here

I thought I'd also post the config file for the switches. I've removed password and certificate info.

3560


version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname 0040_3560_01
!
boot-start-marker
boot-end-marker
!

no aaa new-model
clock timezone UTC 10
clock summer-time EDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name services.education.vic.gov.au
ip name-server 10.135.204.21
ip igmp snooping querier
!
!

!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree vlan 1 priority 0
!
!
!
port-channel load-balance src-dst-ip
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1
description Edge Switch port for WAN/VicSmart router
switchport mode access
!
interface GigabitEthernet0/2
description Edge Switch port for NAS Device
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/5
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/6
description Edge Switch port for clients
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/7
description Edge Switch port for clients
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/8
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/9
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/10
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/11
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/12
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/13
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/14
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/15
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/16
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/17
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/18
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/19
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/20
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/21
description Existing switch or hub connection as Access mode
switchport mode access
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface GigabitEthernet0/22
description Existing switch or hub connection as Trunk Mode
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface GigabitEthernet0/23
description Existing switch or hub connection as Access mode
switchport mode access
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface GigabitEthernet0/24
description Existing switch or hub connection as Trunk Mode
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface GigabitEthernet1/1
description 3560X Port UpLink as Access Mode
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface GigabitEthernet1/2
description 3560X Port UpLink as Trunk Mode
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface GigabitEthernet1/3
description 3560X Port UpLink as Access Mode
switchport mode access
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface GigabitEthernet1/4
description 3560X Port UpLink as Trunk Mode
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface TenGigabitEthernet1/1
description 3560X Port UpLink as Access Mode
switchport mode access
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface TenGigabitEthernet1/2
description 3560X Port UpLink as Trunk Mode
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
storm-control broadcast level 60.00
spanning-tree guard root
!
interface Vlan1
description Cirric/Management VLAN
ip address 10.135.204.2 255.255.252.0
!
interface Vlan2
description admin
ip address 10.161.105.1 255.255.255.0
!
ip default-gateway 10.135.204.1
ip classless
no ip http server
ip http authentication local
ip http secure-server
!
ip access-list standard SNMP_LMS_ACCESS
permit 10.10.22.0 0.0.0.255

!
line con 0
login local
line vty 0 4
exec-timeout 15 0
login local
length 0
transport input ssh
line vty 5 15
exec-timeout 15 0
login local
length 0
transport input ssh
!
ntp clock-period 36028000
ntp server 10.10.20.69
end

2960

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname 0040_2960_01
!
boot-start-marker
boot-end-marker
!
!

!
no aaa new-model
clock timezone UTC 10
clock summer-time EDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
switch 1 provision ws-c2960s-24ps-l
authentication mac-move permit
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name services.education.vic.gov.au
ip name-server 10.135.204.21
!

spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
!
errdisable recovery interval 30
port-channel load-balance src-dst-ip
!
vlan internal allocation policy ascending
!
!
!
interface Port-channel2
description Port-Channel for WLC-5508 Port Aggregation
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
storm-control broadcast level 60.00
ip dhcp snooping trust
!
interface FastEthernet0
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/0/1
description Edge Switch port for clients or for WAN/VicSmart router
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description Edge Switch port for eduSTAR Branch Server Port 1
switchport mode access
ip arp inspection trust
spanning-tree portfast
ip dhcp snooping trust
!
interface GigabitEthernet1/0/3
description Edge Switch port for eduSTAR Branch Server Port 2
switchport mode access
ip arp inspection trust
spanning-tree portfast
ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
description Edge Switch port for eduSTAR Branch Server Lights-Out Card
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
description ** Link WLC Port 1 **
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
mls qos trust cos
storm-control broadcast level 60.00
no cdp enable
spanning-tree portfast trunk
channel-group 2 mode on
ip dhcp snooping trust
!
interface GigabitEthernet1/0/6
description ** Link WLC Port 2 **
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
mls qos trust cos
storm-control broadcast level 60.00
no cdp enable
spanning-tree portfast trunk
channel-group 2 mode on
ip dhcp snooping trust
!
interface GigabitEthernet1/0/7
description ** Link WLC Port 3 **
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
mls qos trust cos
storm-control broadcast level 60.00
no cdp enable
spanning-tree portfast trunk
channel-group 2 mode on
ip dhcp snooping trust
!
interface GigabitEthernet1/0/8
description ** Link WLC Port 4 **
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
mls qos trust cos
storm-control broadcast level 60.00
no cdp enable
spanning-tree portfast trunk
channel-group 2 mode on
ip dhcp snooping trust
!
interface GigabitEthernet1/0/9
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
description Edge Switch port for clients
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
description Edge Switch port for clients
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/21
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/22
description Edge Switch port for clients
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
description Existing switch or hub connection as Access mode
switchport mode access
udld port
storm-control broadcast level 60.00
!
interface GigabitEthernet1/0/24
description Existing switch or hub connection as Trunk Mode
switchport mode trunk
udld port
storm-control broadcast level 60.00
!
interface GigabitEthernet1/0/25
description 3560X Port UpLink as Access Mode
switchport mode trunk
udld port
storm-control broadcast level 60.00
!
interface GigabitEthernet1/0/26
description 3560X Port UpLink as Trunk Mode
switchport mode trunk
udld port
storm-control broadcast level 60.00
!
interface GigabitEthernet1/0/27
description 3560X Port UpLink as Access Mode
switchport mode access
udld port
storm-control broadcast level 60.00
!
interface GigabitEthernet1/0/28
description 3560X Port UpLink as Trunk Mode
switchport mode trunk
udld port
storm-control broadcast level 60.00
!
interface Vlan1
description Cirric/Management VLAN
ip address 10.135.204.6 255.255.252.0
!
interface Vlan2
description admin
ip address 10.161.105.1 255.255.255.0
!
ip default-gateway 10.135.204.1
no ip http server
ip http authentication local
ip http secure-server
!

!
line con 0
login local
line vty 0 4
exec-timeout 15 0
login local
length 0
transport input ssh
line vty 5 15
exec-timeout 15 0
login local
length 0
transport input ssh
!
ntp clock-period 22518725
ntp server 10.10.20.69

You have the same IP address under interface Vlan2 on both switches.

Remove the Vlan2 interface from the 2960 switch as you can manage it with the interface Vlan1 IP address.

Thanks Edison, we picked up on that after spending hours trying to work out what was going on. We have now removed the VLAN 2 IP on the 2960. But we also had to remove something else on the 3560.

3560 switch

interface GigabitEthernet1/1
description 3560X Port UpLink as Trunk Mode
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
storm-control broadcast level 60.00
spanning-tree guard root

Turns out we needed to remove spanning-tree guard root also. How does this command affect switching and VLANs?

If the 2960 was the root for Vlan2, the traffic via that port will be blocked.

The command guidelines provide more detailed info:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/command/reference/cli3.html#wp1945808
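
Added example (not part of the thread, and not Cisco tooling): both faults found above, the Vlan2 address configured on both switches and root guard on a trunk whose VLAN 2 root was never pinned, can be checked offline from saved running-configs. The config excerpts are constructed from the configs posted in the thread; the function names and the "no explicit priority line" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed excerpts mirroring the posted configs (flat, "!"-separated).
CFG_3560 = """
spanning-tree vlan 1 priority 0
!
interface GigabitEthernet1/1
switchport mode trunk
spanning-tree guard root
!
interface Vlan1
ip address 10.135.204.2 255.255.252.0
!
interface Vlan2
ip address 10.161.105.1 255.255.255.0
"""
CFG_2960 = """
interface GigabitEthernet1/0/25
switchport mode trunk
!
interface Vlan2
ip address 10.161.105.1 255.255.255.0
"""

def parse(cfg):
    """Split a config into global lines and per-interface command lists."""
    glob, ifaces, cur = [], {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "!":
            cur = None  # "!" closes the current interface block
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line:
            (glob if cur is None else cur).append(line)
    return glob, ifaces

def duplicate_svi_ips(configs):
    """Return SVI addresses configured on more than one switch."""
    owners = defaultdict(set)
    for host, cfg in configs.items():
        for name, cmds in parse(cfg)[1].items():
            for m in filter(None, (re.match(r"ip address (\S+) ", c) for c in cmds)):
                if name.lower().startswith("vlan"):
                    owners[m.group(1)].add(host)
    return {ip: sorted(h) for ip, h in owners.items() if len(h) > 1}

def root_guard_risks(cfg, active_vlans):
    """Root-guard trunks mapped to active VLANs with no pinned STP priority."""
    glob, ifaces = parse(cfg)
    pinned = set()
    for m in filter(None, (re.match(r"spanning-tree vlan (\S+) priority \d+$", g) for g in glob)):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            pinned.update(range(int(lo), int(hi or lo) + 1))
    unpinned = sorted(set(active_vlans) - pinned)
    return {n: unpinned for n, c in ifaces.items() if unpinned
            and "switchport mode trunk" in c and "spanning-tree guard root" in c}
```

A VLAN flagged by `root_guard_risks` is one where root election falls back to the lowest bridge MAC, so the downstream switch can win and the guarded port then blocks that VLAN; pass the active VLAN list from `show interface trunk` (1-2 in this thread).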
