VLAN Tagging ESW-540 and 3750g

s.haszard
Level 1
Hi everyone!

I'm a self-taught Cisco type person who really specialises in ASA rather than routers, but have fumbled my way through many a task with the help of this site and Google... However! I am currently tasked with setting up a network, pretty much from scratch, that requires some fairly hefty VLAN deployment.

My hardware on hand (already existed so can't change anything easily): 5x ESW-540-48 switches, 1x 3750G switch, 1x 2811 router.

I don't believe the router should be required as the 3750 is capable of inter-VLAN routing. So what I'm trying to achieve is as follows:

VLAN 1 - 172.16.8.0/22 (A)

VLAN 2 - 10.0.2.0/24     (B)

VLAN 3 - 10.0.3.0/24     (C)

VLAN 4 - 10.0.4.0/24     (D)

VLAN 5 - 10.0.5.0/24     (E)

VLAN 6 - 10.0.6.0/24     (F)

VLAN 7 - 10.0.7.0/24     (G)

VLAN 8 - 10.0.8.0/24     (H)

VLAN 9 - 10.0.9.0/24     (I)

Server Room - Servers connected to the 3750G

3750G connected to 5 ESW switches distributed around the building.

ESW-1 Will have VLAN(A) and VLAN(B) devices connected, specified at port level.

ESW-2 Will have VLAN(A) and (C) devices connected, specified at port level.

ESW-3 Will have VLAN(A), (D), (E) and (F) devices connected, specified at port level.

ESW-4 Will have VLAN(A), (G) devices connected specified at port level.

ESW-5 Will have VLAN(A), (H) and (I) devices connected, specified at port level.

Now at one point I actually had the VLANs *working* in that I could specify an IP address and could ping to and from it! However, DHCP wasn't passing despite numerous attempts with DHCP relay and IP-Helper configurations.

Also I was having issues with VLAN 1 as the native VLAN, the ESW switches don't allow you to do much with them, as they 'weren't created by the user'.  So tried switching that out to VLAN11 also but with very little success there (I had to change the native vlan on all trunks to VLAN 11)

All the 10.x.x.x addresses need to be able to communicate with each other

All the ESW switches need to be able to handle their respective VLANs as well as VLAN 1 (for printers and wireless access points distributed around the building).

Partly I'm doing this in the hope that maybe some helpful soul can make some sense of it, but also just the fact of writing it down MAY firm it up in my head somewhat.

Thanks in advance!

Simon

1 Accepted Solution

Not sure, if you have looked at the config guide of ESW.

http://www.cisco.com/en/US/docs/switches/lan/csbms/esw500/administration/guide/ESW_500_Administration_Guide.pdf

Let's do a cross check on ESW for the smartport roles and make sure they are configured as per config guide.

16 Replies

s.haszard
Level 1
Oh some IP addresses just for referencing when discussing!

3750G -   VLAN 1 - 172.17.8.253

               VLAN 2 - 10.0.2.254

               VLAN 3 - 10.0.3.254

               VLAN 4 - 10.0.4.254 through to VLAN 9 (you get the idea, I'm sure).

ESW1 172.17.8.101

ESW2 172.17.8.102

ESW3 172.17.8.103

ESW4 172.17.8.104

ESW5 172.17.8.105

We also have an ASA in there, which is currently the default gateway for everyone at 172.17.8.1 - for simplification I'm going to be moving the 3750G VLAN 1 to 172.17.8.1 and moving the ASA to 172.17.8.253, adding a default route on the 3750G for 0.0.0.0 0.0.0.0 --> 172.17.8.253.

Ok so this isn't SUPPOSED to be a blog, but here's an update - still not working but have worked SOMETHING out at least.

On the 3750, when I specify a port to be explicitly VLAN 2, and connect one of the ESW switches to that port, it WILL assign a DHCP address to a device connected to any port on the ESW from the alternate scope on my 2003 DHCP server. However, I need to be able to have numerous VLANs specified on the 3750 port, and then specify on the ESW 540 switch on the other side what VLAN a device will be a member of, have it pass that info down to the 3750, back to the DHCP server and assign the address according to which VLAN I have specified!

(Does any of that make sense???)

At the moment, if I have numerous VLANs specified on the 3750 port, then it only appears to take notice of VLAN 1 and assign an address from the default DHCP scope.
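How a relayed request ends up in one scope or another, as an added example that is not part of the original posts: a simplified Python model in which the relay on an SVI writes its own address into `giaddr` and the server picks the scope containing `giaddr`, or the scope of its own subnet when `giaddr` is zero. The networks and the server address are taken from addresses given in the thread; the MAC address, transaction ID and function names are constructed for the example.

```python
import ipaddress
import struct

# Scopes and server address follow the addressing in the thread; the rest of
# this block (MAC, xid, function names) is constructed for illustration.
SCOPES = [ipaddress.ip_network(n) for n in
          ("172.17.8.0/22", "10.0.2.0/24", "10.0.3.0/24")]
SERVER_IP = ipaddress.ip_address("172.17.10.229")

# Fixed BOOTP header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
GIADDR, HOPS = 10, 3  # field positions in the unpacked tuple


def build_discover(mac):
    """BOOTREQUEST header as a client broadcasts it: giaddr is all zeros."""
    zero = bytes(4)
    return struct.pack(BOOTP_FMT, 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                       zero, zero, zero, zero, mac.ljust(16, b"\0"),
                       bytes(64), bytes(128))


def relay(packet, svi_ip):
    """What 'ip helper-address' does on the SVI that received the broadcast:
    put that SVI's address in giaddr (if still zero) and increment hops."""
    fields = list(struct.unpack(BOOTP_FMT, packet))
    fields[HOPS] += 1
    if fields[GIADDR] == bytes(4):
        fields[GIADDR] = ipaddress.ip_address(svi_ip).packed
    return struct.pack(BOOTP_FMT, *fields)


def select_scope(packet):
    """Server side: scope containing giaddr, or the server's own subnet when
    giaddr is zero (the broadcast reached the server's segment directly)."""
    giaddr = ipaddress.ip_address(struct.unpack(BOOTP_FMT, packet)[GIADDR])
    key = SERVER_IP if int(giaddr) == 0 else giaddr
    return next((net for net in SCOPES if key in net), None)


def scope_for(arrival_svi):
    """Scope a client is offered. arrival_svi is the SVI of the VLAN its
    frames land in on the routing switch, or None when they land in the
    server's own VLAN and no relay is involved."""
    packet = build_discover(b"\x00\x11\x22\x33\x44\x55")
    if arrival_svi is not None:
        packet = relay(packet, arrival_svi)
    return select_scope(packet)
```

In this model the scope depends only on which VLAN the frame is in when it reaches the routing switch, so a client whose frames arrive untagged on a trunk is served from the native VLAN's scope whatever VLAN its access port was meant to be in.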

rocater
Level 3
Hello Simon,

I must admit first that my work with Catalyst series is limited, but I can tell you the ESW switches look to be set up correctly for your VLAN needs. I have found the following Cisco guide which may help you with what you are looking to do.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swdhcp82.html

Might I also recommend running a packet capture on the server to verify if the DHCP request is arriving. If the request is getting there and correct, then I would suggest looking at the reply the server gives.

I hope this information helps you with your network setup.

Ok so - I gave up at 2am this morning, and am going back to it with a fresh head! Here's the situation as it has unfolded...

I have configured up 4 of my VLANs for the purpose of testing, so you'll note there are a few missing.

I have moved the native to VLAN 11 because the ESWs were doing something weird, and wouldn't allow me to do anything with trunking... If anyone can see a MUCH easier way of doing this, please feel free to chime in!

Primarily my question though is - why isn't DHCP working? Do I need to configure DHCP relaying on the ESW switches? Or should the DHCP REQ be passed across the entire VLAN back to the 3750 regardless? And if I do need to configure relaying on the ESW - how?

  • In my server room I have a 3750 and a bunch of servers. 
  • One of these servers - 172.17.10.229 is a win 2k3 dhcp server (physical not virtualised)
  • On my dhcp server I have configured scopes for each vlan (not superscoped)
  • My servers are sitting on the first 16 ports of said 3750. 
    • I have set their ports to native vlan 11 and allow vlans 1-3 and 11.
  • My ESW switches are on ports 46, 47 and 48. 
    • Likewise, their native has been moved to vlan11 and allowed vlans 1-3 and 11.

My ESW switches have been moved to native vlan11 and trunked each of their port 48's to allow all vlans.

  • Test 1:  Unmodified port #10 on ESW1 (default vlan 11). 
    • Connect DHCP device. 
    • IP address assigned from vlan 11: 172.17.10.101. 
    • Can ping all VLAN interface addresses.

  • Test 2: Modified port #11 on ESW1 (VLAN 2). 
    • Connect DHCP device.
    • No IP address assigned. 
    • Set static IP address 10.0.2.55/24. 
    • Can ping all VLAN interfaces, DHCP server, entire network. 
      • Change IP address of test device to 172.17.10.102 for testing.
      • No ICMP responses from anywhere - this is good!

So as you can see I've done my homework - well, most of it obviously. Because it still isn't working.

Here's the config of the 3750. For the ESWs, of course, it's a bit harder to just post my config, but the general state is something like this...

ESW Switch 1

Native VLAN 11

IP Address:     172.17.8.101 255.255.252.0

Default Gateway:     172.17.8.253

Port 48 802.1q trunk - allowed VLAN's 1-3 (tagged), 11 (untagged)

ESW Switch 2

Native VLAN 11

IP Address:     172.17.8.102 255.255.252.0

Default Gateway:     172.17.8.253

Port 48 802.1q trunk - allowed VLAN's 1-3 (tagged), 11 (untagged)

ESW Switch 3

Native VLAN 11

IP Address:     172.17.8.103 255.255.252.0

Default Gateway:     172.17.8.253

Port 48 802.1q trunk - allowed VLAN's 1-3 (tagged), 11 (untagged)

hostname 3750switch
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
switch 2 provision ws-c3750g-48ts
system mtu routing 1500
udld aggressive
ip subnet-zero
ip routing
ip domain-name mydomain.com
ip name-server 172.17.10.216
ip name-server 172.17.10.229
!
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2  1
mls qos srr-queue input cos-map queue 1 threshold 3  0
mls qos srr-queue input cos-map queue 2 threshold 1  2
mls qos srr-queue input cos-map queue 2 threshold 2  4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3  3 5
mls qos srr-queue input dscp-map queue 1 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3  0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3  32
mls qos srr-queue input dscp-map queue 2 threshold 1  16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2  33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2  49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2  57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3  5
mls qos srr-queue output cos-map queue 2 threshold 3  3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3  2 4
mls qos srr-queue output cos-map queue 4 threshold 2  1
mls qos srr-queue output cos-map queue 4 threshold 3  0
mls qos srr-queue output dscp-map queue 1 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3  48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3  56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3  32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1  8
mls qos srr-queue output dscp-map queue 4 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3  0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
macro global description cisco-global
errdisable recovery cause link-flap
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/5
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/7
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/8
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/9
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
!
interface GigabitEthernet2/0/10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
!
interface GigabitEthernet2/0/12
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
!
interface GigabitEthernet2/0/13
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
!
interface GigabitEthernet2/0/14
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/15
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/16
 switchport access vlan dynamic
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
**************
snip
**************
!
interface GigabitEthernet2/0/47
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 1-3,11
 switchport mode trunk
!
interface GigabitEthernet2/0/49
!
interface GigabitEthernet2/0/50
!
interface GigabitEthernet2/0/51
!
interface GigabitEthernet2/0/52
!
interface Vlan1
 ip address 10.0.1.254 255.255.255.0
 ip helper-address 172.17.10.229
!
interface Vlan2
 ip address 10.0.2.254 255.255.255.0
 ip helper-address 172.17.10.229
!
interface Vlan3
 ip address 10.0.3.254 255.255.255.0
 ip helper-address 172.17.10.229
!
interface Vlan11
 ip address 172.17.8.253 255.255.252.0
!
ip default-gateway 172.17.8.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.8.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password xxxxxxxxxxxxxxxxxxxxx
 login
 length 0
line vty 5 15
 password xxxxxxxxxxxxxxxxxxxxx
 login
 length 0
!
end

3750switch#

Thanks Robert, I'll look at doing a packet capture - and see if I can figure out where the packets are disappearing to!

Cheers

Simon

Simon,

Let me verify the topology first:

ESW500 -----3750---DHCP server(172.17.10.229)

Lot of vlans defined on the ESW500. You need DHCP for the devices in the vlans on ESW. If this is correct, following is what you need:

1) How would 3750 route packets to 172.17.10.229? Where exactly on the 3750 switch is this server connected? I would advise to put it in a vlan, let's say vlan 17, create its SVI, let's say 172.17.10.1.

2) Vlans (L2) should be defined both on ESW & 3750 switch so that both can understand vlan tagging.

I would like to make sure by looking at "show vlan br" from 3750.

3) All the vlans should be forwarded on the trunk.

I would like to make sure by looking at "show int trunk" from 3750.

The answer to your question on whether you should define "helper-address" on ESW is NO, this isn't required. As long as the frames from different vlans can get to 3750 & hit their specific SVI, we should be good.

Please check if the above points help you or else share the outputs I mentioned above.

Let's make it work.

Regards,

Amit Aneja
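The cross-check of points 2 and 3 above, written out as an added Python example that is not part of the original posts: it reads `show vlan brief` and `show interfaces trunk` text and reports why frames for a given VLAN would not cross a given trunk. The two excerpts are constructed sample data in the format of those commands, and the function names are this example's own.

```python
import re

# Constructed excerpts in the format of the two 3750 outputs (sample data only).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------------
1    default                          active    Gi2/0/9, Gi2/0/11
2    Performance                      active
3    Design                           active
11   Servers                          active
1002 fddi-default                     act/unsup
"""
SHOW_INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi2/0/47    on           802.1q         trunking      11
Gi2/0/48    on           802.1q         trunking      11
Port        Vlans allowed on trunk
Gi2/0/47    1-3,11
Gi2/0/48    1-3,11
Port        Vlans in spanning tree forwarding state and not pruned
Gi2/0/47    1-3,11
Gi2/0/48    1-2,11
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-3,11' into a set of ints."""
    vlans = set()
    for part in re.findall(r"\d+(?:-\d+)?", spec):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def active_vlans(text):
    """VLAN IDs whose status column in 'show vlan brief' is exactly 'active'."""
    rows = (re.match(r"(\d+)\s+\S+\s+(\S+)", line) for line in text.splitlines())
    return {int(m.group(1)) for m in rows if m and m.group(2) == "active"}

def parse_trunks(text):
    """Return {port: {'native': int, 'allowed': set, 'forwarding': set}}."""
    trunks, section = {}, None
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        if fields[0] == "Port":  # a header line starts a new table
            section = next((k.lower() for k in
                            ("Native", "forwarding", "active", "allowed")
                            if k in fields), "other")
        elif section == "native":
            trunks.setdefault(fields[0], {})["native"] = int(fields[-1])
        else:
            trunks.setdefault(fields[0], {})[section] = expand_vlans(fields[-1])
    return trunks

def check_vlan_path(vlan, port, vlan_brief, int_trunk):
    """Reasons why frames tagged with `vlan` would not cross trunk `port`."""
    trunk = parse_trunks(int_trunk).get(port)
    if trunk is None:
        return [f"{port} is not trunking"]
    problems = []
    if vlan not in active_vlans(vlan_brief):
        problems.append(f"VLAN {vlan} is not active in the VLAN database")
    if vlan not in trunk.get("allowed", set()):
        problems.append(f"VLAN {vlan} is not allowed on {port}")
    elif vlan not in trunk.get("forwarding", set()):
        problems.append(f"VLAN {vlan} is allowed on {port} but not forwarding")
    if vlan == trunk.get("native"):
        problems.append(f"VLAN {vlan} is native on {port}: sent untagged")
    return problems
```

An empty list only says the 3750 side of the trunk is consistent for that VLAN; the tagging on the ESW side of the link has to be checked separately.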

Also, there is one more thing that I would like to test, i.e. if we create DHCP server on the 3750 itself, do the devices in different vlans get the DHCP or not.

Following is the config that you would need to configure the switch as DHCP server:

ip dhcp excluded-address 10.0.2.254 10.0.2.255
ip dhcp excluded-address 10.0.3.254 10.0.3.255
ip dhcp excluded-address 10.0.1.254 10.0.1.255
!
!
ip dhcp pool VLAN2
   network 10.0.2.0 255.255.255.0
   default-router 10.0.2.254
!
ip dhcp pool VLAN1
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.254
!
ip dhcp pool VLAN3
   network 10.0.3.0 255.255.255.0
   default-router 10.0.3.254

Regards,

Amit Aneja

Putting DHCP server on 3750 didn't work either - I'm wondering if it's some broadcast security feature on the ESW. Anyway, I'm working through the items you mentioned, and as a start, here's the show int trunk...

Oh, and the DHCP server exists on the native VLAN 11 along with all the other servers in the 172.17.8.0/22 network.

And yes the topology is correct.

Client ---- ESW ----3750 ----- DHCP

Port        Mode         Encapsulation  Status        Native vlan
Gi2/0/1     on           802.1q         trunking      11
Gi2/0/2     on           802.1q         trunking      11
Gi2/0/3     on           802.1q         trunking      11
Gi2/0/4     on           802.1q         trunking      11
Gi2/0/5     on           802.1q         trunking      11
Gi2/0/6     on           802.1q         trunking      11
Gi2/0/7     on           802.1q         trunking      11
Gi2/0/8     on           802.1q         trunking      11
Gi2/0/10    on           802.1q         trunking      11
Gi2/0/14    on           802.1q         trunking      11
Gi2/0/15    on           802.1q         trunking      11
Gi2/0/16    on           802.1q         trunking      11
Gi2/0/47    on           802.1q         trunking      11
Gi2/0/48    on           802.1q         trunking      11

Port        Vlans allowed on trunk
Gi2/0/1     1-3,11
Gi2/0/2     1-3,11
Gi2/0/3     1-3,11
Gi2/0/4     1-3,11
Gi2/0/5     1-3,11
Gi2/0/6     1-3,11

Port        Vlans allowed on trunk
Gi2/0/7     1-3,11
Gi2/0/8     1-3,11
Gi2/0/10    1-3,11
Gi2/0/14    1-3,11
Gi2/0/15    1-3,11
Gi2/0/16    1-3,11
Gi2/0/47    1-3,11
Gi2/0/48    1-3,11

Port        Vlans allowed and active in management domain
Gi2/0/1     1-3,11
Gi2/0/2     1-3,11
Gi2/0/3     1-3,11
Gi2/0/4     1-3,11
Gi2/0/5     1-3,11
Gi2/0/6     1-3,11
Gi2/0/7     1-3,11
Gi2/0/8     1-3,11
Gi2/0/10    1-3,11
Gi2/0/14    1-3,11
Gi2/0/15    1-3,11
Gi2/0/16    1-3,11

Port        Vlans allowed and active in management domain
Gi2/0/47    1-3,11
Gi2/0/48    1-3,11

Port        Vlans in spanning tree forwarding state and not pruned
Gi2/0/1     1-3,11
Gi2/0/2     1-3,11
Gi2/0/3     1-3,11
Gi2/0/4     1-3,11
Gi2/0/5     1-3,11
Gi2/0/6     1-3,11
Gi2/0/7     1-3,11
Gi2/0/8     1-3,11
Gi2/0/10    1-3,11
Gi2/0/14    1-3,11
Gi2/0/15    1-3,11
Gi2/0/16    1-3,11
Gi2/0/47    1-3,11

And here's the show vlan br:

VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------------
1    default                          active    Gi2/0/9, Gi2/0/11, Gi2/0/12
                                                Gi2/0/13, Gi2/0/17, Gi2/0/18
                                                Gi2/0/19, Gi2/0/20, Gi2/0/21
                                                Gi2/0/22, Gi2/0/23, Gi2/0/24
                                                Gi2/0/25, Gi2/0/26, Gi2/0/27
                                                Gi2/0/28, Gi2/0/29, Gi2/0/30
                                                Gi2/0/31, Gi2/0/32, Gi2/0/33
                                                Gi2/0/34, Gi2/0/35, Gi2/0/36
                                                Gi2/0/37, Gi2/0/38, Gi2/0/39
                                                Gi2/0/40, Gi2/0/41, Gi2/0/42
                                                Gi2/0/43, Gi2/0/44, Gi2/0/45
                                                Gi2/0/46, Gi2/0/49, Gi2/0/50
                                                Gi2/0/51, Gi2/0/52
2    Performance                      active
3    Design                           active
11   Servers                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Simon,

I missed noticing that VLAN 11 is /22. I have worked with this ESW switch just once, so I am not sure if there is a problem with trunking/native VLAN issue.

Guess the best way to rule out any issues with the 3750 switch is to put one of the clients directly on the 3750 in different VLANs & see if it gets an IP for all the VLANs one by one. If that's the case, it has to be a trunk issue b/w the 3750 & ESW or else the VLAN issue on ESW.

Regards,

Amit

Yep, it works fine when I specify a VLAN to a port on the 3750, will assign address happily. Likewise if I connect a dumb switch to the port on the 3750 all clients connected get a DHCP address. So beginning to look more and more like a trunking issue.

I would agree with you.

I read your posts again & you mentioned that at one point you were able to ping the SVI. So, you can ping the SVI of VLAN 3 on the 3750 if you assign a static IP address on one of the devices in VLAN 3 on ESW. Is that what you meant?

So, for now, we can concentrate on the ESW thing. Have you configured native VLAN as 11 on that as well?

How about the allowed VLANs on it? I am guessing that you are using smartport macros to define the config on that switch. How are access ports on ESW configured?

Not sure, if you have looked at the config guide of ESW.

http://www.cisco.com/en/US/docs/switches/lan/csbms/esw500/administration/guide/ESW_500_Administration_Guide.pdf

Let's do a cross check on ESW for the smartport roles and make sure they are configured as per config guide.

So I just went through the smart port config again now that the 3750's configured, and while the VLAN connectivity is still good, I still have no DHCP *sigh*!

Smart ports weren't very smart - tended to cause me more grief than not, so I stopped using them.

The ports are set up on the ESW for the clients as VLAN 2 untagged, all others Excluded, set up in access mode.

Yes, I can ping the SVIs from these ports if I specify an IP address on the machine.

The ESW is set native 11, but I have modified the PVID of the client ports to be VLAN 2.

The uplink port is configured as 11 untagged, everything else tagged.

Thanks again for all your help everyone, by the way. Hopefully I'll get it sorted today!