Access mode port to access mode port with different VLAN each, possible to allow traffic??

Dear team, Good day. I have a question that puzzles me regarding my concern with our ISP. (Kindly refer to the attached network topology)

My distribution switch, 2960X, is connected to three different WAN (ISP) that we have.

port 1 is configured as access mode with vlan access 50 for "ISP #1" as our main internet line.

- directly connected to ISP #1 Cisco 3650 switch port 24

port 2 is configured as access mode with vlan access 51 for "ISP #2" my backup WAN (other provider).

- directly connected to ISP #2 modem

port 23 is configured as access mode with vlan access 52 for "ISP #3" charterer WAN (other provider)

- directly connected to ISP #3 modem

 

Now, I need to replace my 2960X with a new switch (other brand). Using the same approach, I prepared 3 ports on the new switch, with the same setup: access mode and access VLAN accordingly.

My ISP #2 and #3 work properly, but ISP #1 (connected to Cisco 3650 port 24) is not working; both ports are just blinking amber.

When I reconnect back to my old 2960X I get internet connection again.

 

So I informed my ISP #1 about my problem and also stated the whole scenario.

They replied: "Our Cisco 3650 port 24 is configured as access mode, vlan access 302.."

- how is this possible? Both my 2960X port 1 and their 3650 port 24 are configured as access ports, and with different VLANs?!

 

I asked them the same question and this is their reply:

"A Cisco “Access Port” tags the VLAN ID when a packet is received on the switchport but leaves it untagged in the outgoing direction, so two access ports can communicate even if they are in different VLANs. The packet flows without tagging between them." - can someone explain to me what our provider just said and how it relates to my question. Thank you.

 

Since it is working with my 2960X, with the configs given (I don't know how), let's go back to my main problem, the new switch.

So, the new switch is just blinking amber, but the port is set up like what I have in the 2960X, and in the 2960X it works.

 

I made another test, using a spare switch, configured ports access modes and vlan access accordingly, and directly connected my three WAN ISPs.

ISP #2 and #3 work! But the connection from the spare switch to ISP #1's 3650 port 24 is just blinking amber.

I told them my tests and they said:

"You see the switchport amber because it's never activated. This is an L2 problem and as per the logs everything points to a Spanning Tree issue. What the log is saying is that we receive a BPDU on a non-trunk port. This means that the Edge Switch or the D-Link port is sending a BPDU to our port. There are two reasons for this error: either of those switches is trying to negotiate a trunk or is using the wrong encapsulation (802.1q or ISL). Once these parameters are consistent, spanning tree automatically unblocks the interface. These ports are set to untagged, so that leaves us with the first option only."

Questions:

1. On my topology (attached) is there an STP issue? There is no redundant path, everything is just one direct line as it is.

2. They mentioned: "What the log is saying is that we receive a BPDU in a Non-Trunk port. This means that the Edge Switch (new) or the D-Link (spare) port is sending a BPDU to our port."

- yes, it is a non-trunk port, but why is their 3650 works on my 2960X which the port is also configured as a non-trunk port (access mode)?

3. They mentioned: "There are two reasons for this error: any of those switches are trying to negotiate a Trunk or are using a wrong encapsulation (802.1q or ISL)."

- why would my switches (new,spare) negotiate a trunk if both of them are access ports? And also, their port 24 in their 3650 is an access port as well.

4. They mentioned: "Once these parameters are consistent, spanning tree automatically unblocks the interface."

- correct me if I am wrong but I don't have a redundant path, I only have one direct line to their 3650, how would an STP take effect and block the port, but if I connect it to my new switch it blocks it?

 

Maybe I am just missing the picture here because of thinking too much; anyone's insight about this, especially on the small things I messed up, would be greatly appreciated!

 

Thank you so much.

Arturo

Network Engineer Net Pacific Philippines CCNA R&S CSCO12379161

Jaderson Pessoa
VIP Alumni

@Arturo Jr. Pacardo  hello,

 

Look it:

When you configure a port in access mode, you can specify which VLAN will carry the traffic for that interface. If you do not configure the VLAN for a port in access mode, or an access port, the interface carries traffic for the default VLAN (VLAN1).

You can change the access port membership in a VLAN by specifying the new VLAN. You must create the VLAN before you can assign it as an access VLAN for an access port. If you change the access VLAN on an access port to a VLAN that is not yet created, the system will shut that access port down.

If an access port receives a packet with an 802.1Q tag in the header other than the access VLAN value, that port drops the packet without learning its MAC source address.

 

1. On my topology (attached) is there an STP issue? There is no redundant path, everything is just one direct line as it is.

R: I looked at your attached file and your topology doesn't have an STP problem.

 

2. They mentioned: "What the log is saying is that we receive a BPDU in a Non-Trunk port. This means that the Edge Switch (new) or the D-Link (spare) port is sending a BPDU to our port."

R: If the port is in access mode, it can't negotiate a trunk, but you can also configure switchport nonegotiate on it.

 

- yes, it is a non-trunk port, but why is their 3650 works on my 2960X which the port is also configured as a non-trunk port (access mode)?

R: If the port is in access mode, it can't negotiate a trunk, but you can also configure switchport nonegotiate on it.

 

3. They mentioned: "There are two reasons for this error: any of those switches are trying to negotiate a Trunk or are using a wrong encapsulation (802.1q or ISL)."

 

- why would my switches (new,spare) negotiate a trunk if both of them are access ports? And also, their port 24 in their 3650 is an access port as well.

 

4. They mentioned: "Once these parameters are consistent, spanning tree automatically unblocks the interface."

- correct me if I am wrong but I don't have a redundant path, I only have one direct line to their 3650, how would an STP take effect and block the port, but if I connect it to my new switch it blocks it?

Let me ask some questions:

 

Is this VLAN already created, and is its status active?

Is spanning tree for this VLAN in the forwarding state?

 

Do you have access to their switch to check this information?

switchport mode access

switchport access vlan 302

 

Thanks in advance.

Jaderson Pessoa
*** Rate All Helpful Responses ***

@Jaderson Pessoa Hi!

 

Thank you for your prompt response!

 

Ok just to clarify.

In my network, I have lots of VLANs, and each VLAN is routed specifically to where it gets internet access.

- To answer your question, yes all of those VLANs are created in my network including VLANs 50,51 and 52 for my ISPs.

 

In the topology "Gemini Network Topology" everything is working accordingly.

All of my ISPs are working.

I recently learned that my 2960X port 1 has this config:

(interface GigabitEthernet1/0/1
description Connected -> MTN|Internet|Switch - P24
switchport access vlan 50
switchport mode access
ip device tracking maximum 10
end)

Which is directly connected to my ISPs 3650 port 24 with config (according to provider):

(interface FastEthernet0/24
description MRTG:OUTIN vLAN 302 - Corporate Internet
switchport access vlan 302
switchport mode access
end)

 

This is my first question. With the configuration given above, how was the internet traffic from the provider to my LAN possible, when my network doesn't even know about VLAN 302? Let alone the possibility of allowing traffic over a direct connection, switch port to switch port, both in access mode but each on a different VLAN? - Maybe there is a way, but I haven't encountered it yet.

 

You mentioned:

(R: If the port is in access mode, it can't negotiate a trunk, but you can also configure switchport nonegotiate on it.)

- neither of our ports (provider & mine) is configured with "switchport nonegotiate"

- so there is no way my switches (new/spare) are negotiating?

 

Your questions:

This vlan is already created and his status is active? - YES

Spanning-tree for this vlan is forwarding state? - YES

Do you have access on his switch to check this information? - NO

- I trust them of what they said that the config on their 3650 port 24 is:

(interface FastEthernet0/24
description MRTG:OUTIN vLAN 302 - Corporate Internet
switchport access vlan 302
switchport mode access
end)

 

Please let me know what you think about this; if you need more details, please tell me.

 

Thank you so much!


What is the new switch brand? 

It is okay to have different VLAN ID configured at your switch and their switch.  You have to make sure your switch is un-tagging frames outbound toward their ISP switch.

Example with brocade switch, see https://www.reddit.com/r/Brocade/comments/5icskb/tagged_vs_trunk/

@Arturo Jr. Pacardo hello,

This is my first question. With the configuration given above, how was the internet traffic from the provider to my LAN possible, when my network doesn't even know about VLAN 302? Let alone the possibility of allowing traffic over a direct connection, switch port to switch port, both in access mode but each on a different VLAN? - Maybe there is a way, but I haven't encountered it yet.

 

R: Yes, it is possible,

Let me try to explain how it works: SWITCH_2960X has VLAN 50 with some IP address (201.10.x.z, for example) and wants to communicate with address 201.10.x.y. Since the destination is in the same logical subnet there is no need for a gateway. This is a broadcast frame that is forwarded through every port in VLAN 50, including g1/0/1, and since it is an access port it is sent with no VLAN tag; it is a plain Ethernet frame.

 

So, SWITCH_ISP on g0/24 receives the frame generated by the 2960X and forwards it to every port on VLAN 50; now both switches have learned the MAC address and added it to their Layer 2 forwarding tables. At this point both the SWITCH_ISP and 2960X VLAN interfaces have participated in the ARP process and each has learned the MAC address of the other device.

- neither of our ports (provider & mine) is configured with "switchport nonegotiate"

- so there is no way my switches (new/spare) are negotiating? NO, in access mode the ports do not negotiate trunks.

 

Could you share the output of these commands here:

 

show interface gigabitethernet 1/0/1

show spanning-tree active

show vlan brief

 

Thanks in advance

Jaderson Pessoa

ghostinthenet
Level 7

Addressing point-by-point.

 

> 1. On my topology (attached) is there an STP issue? There is no redundant
> path, everything is just one direct line as it is.

 

There's no specific issue with your STP here, but your ISP is complaining because they don't want to see anyone else's STP processes interfering with theirs.

 

> 2. They mentioned: "What the log is saying is that we receive a BPDU in a
> Non-Trunk port. This means that the Edge Switch (new) or the D-Link (spare)
> port is sending a BPDU to our port."
> - yes, it is a non-trunk port, but why is their 3650 works on my 2960X which
> the port is also configured as a non-trunk port (access mode)?

 

By default, the switch isn't going to care about BPDUs, but it's a good practice to defend against STP interference by filtering/guarding against foreign STP influence. It sounds like your ISP has a BPDU guard set and is blocking the interface when BPDUs are received.

 

There are two solutions to this:

 

1. Put a BPDU filter on the ISP-facing interface. This will prevent the ISP from receiving BPDUs and complaining.

2. Disable STP for the ISP VLAN, which will disable BPDUs on all member interfaces.

 

> 3. They mentioned: "There are two reasons for this error: any of those switches are trying
> to negotiate a Trunk or are using a wrong encapsulation (802.1q or ISL)."
> - why would my switches (new,spare) negotiate a trunk if both of them are access ports?
> And also, their port 24 in their 3650 is an access port as well.

 

Trunk negotiation is on by default. You've manually set access mode, so trunk negotiation won't change the status of the port, but the negotiation will still occur. Wrong encapsulation isn't going to be an issue as the 2960X and 3650 only do 802.1q. ISL isn't supported on either switch. As has been mentioned earlier, "switchport nonegotiate" will turn that process off, but it looks like the STP interference is the real problem here.

 

> 4. They mentioned: "Once these parameters are consistent, spanning tree automatically
> unblocks the interface."
> - correct me if I am wrong but I don't have a redundant path, I only have one direct line to
> their 3650, how would an STP take effect and block the port, but if I connect it to my new
> switch it blocks it?

 

It's likely the BPDU guard on their interface. I suspect it's not actually STP that's unblocking their interface, but an error recovery timer that re-enables interfaces after a period of time. If no BPDUs are received after the interface comes up, it doesn't go down again.

 

> Maybe I am just missing a picture here because of thinking too much, anyone's insight about
> this, specially with the small things I messed would be greatly appreciate!

 

I would add a BPDU filter on the ISP-facing interface, give it a few minutes and see if forwarding starts again. It's one way to verify.
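The BPDU guard / errdisable recovery cycle described in this reply, modelled as an added example (this is not code from the thread, from the ISP or from Cisco). It builds a constructed 802.1D configuration BPDU, detects BPDUs the way a guard does (IEEE destination 01:80:c2:00:00:00 with LLC 42 42 03, or the Cisco PVST+ destination 01:00:0c:cc:cc:cd with SNAP PID 0x010b), and replays the sequence: the ISP-side port err-disables on the first BPDU, a recovery timer re-enables it, the next hello BPDU disables it again, and the link only stays up once the customer side stops sending BPDUs. The MAC addresses, port roles and the 2 s hello / 300 s recovery timers are assumptions for the demo (the two timer values happen to match the IOS defaults).

```python
"""BPDU guard, errdisable recovery and BPDU filter on a single edge link.

Added example for this thread, not code from the original posts or from Cisco.
MACs, timers and port roles are assumptions chosen for the demo.
"""
import struct

STP_MAC = "01:80:c2:00:00:00"    # IEEE 802.1D bridge group address (LLC 42 42 03)
PVST_MAC = "01:00:0c:cc:cc:cd"   # Cisco PVST+ per-VLAN BPDUs (SNAP, Cisco OUI, PID 0x010b)
LLC_STP = bytes([0x42, 0x42, 0x03])
SNAP_PVST = bytes.fromhex("aaaa03" "00000c" "010b")

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_config_bpdu(src_mac, bridge_id):
    """802.3 frame carrying an 802.1D configuration BPDU (35 bytes after the LLC header)."""
    bpdu = struct.pack("!HBBBQIQHHHHH",
                       0, 0, 0x00, 0,              # protocol id, version, type=config, flags
                       bridge_id, 0, bridge_id,    # root id, root path cost, bridge id
                       0x8001,                     # port id
                       0, 20 * 256, 2 * 256, 15 * 256)  # msg age, max age, hello, fwd delay (1/256 s)
    body = LLC_STP + bpdu
    return mac_bytes(STP_MAC) + mac_bytes(src_mac) + struct.pack("!H", len(body)) + body

def is_bpdu(raw):
    """True for IEEE STP/RSTP BPDUs and for Cisco PVST+ BPDUs."""
    dst = raw[0:6].hex(":")
    if dst == STP_MAC:
        return raw[14:17] == LLC_STP
    if dst == PVST_MAC:
        return raw[14:22] == SNAP_PVST
    return False

class EdgePort:
    """ISP-side access port with BPDU guard and errdisable recovery."""
    def __init__(self, bpduguard=True, recovery_interval=300):
        self.bpduguard = bpduguard
        self.recovery_interval = recovery_interval
        self.state = "up"
        self.errdisabled_at = None
        self.log = []                       # (time, event)

    def tick(self, now):
        """errdisable recovery: bring the port back once the interval has elapsed."""
        if self.state == "errdisabled" and now - self.errdisabled_at >= self.recovery_interval:
            self.state, self.errdisabled_at = "up", None
            self.log.append((now, "recovered"))

    def receive(self, raw, now):
        """True if the frame is forwarded; False if the port is down or was just disabled."""
        self.tick(now)
        if self.state != "up":
            return False                    # link stays down: the amber LED in the thread
        if self.bpduguard and is_bpdu(raw):
            self.state, self.errdisabled_at = "errdisabled", now
            self.log.append((now, "bpduguard"))
            return False
        return True

class CustomerPort:
    """Customer-side port; with bpdufilter on, BPDUs never leave toward the ISP."""
    def __init__(self, bpdufilter=False):
        self.bpdufilter = bpdufilter

    def transmit(self, raw):
        return None if self.bpdufilter and is_bpdu(raw) else raw

def simulate(bpdufilter, seconds=700, hello=2, recovery=300):
    """Customer sends one hello BPDU and one data frame every `hello` seconds."""
    isp = EdgePort(recovery_interval=recovery)
    cust = CustomerPort(bpdufilter)
    bpdu = build_config_bpdu("00:aa:bb:cc:dd:01", 0x800000AABBCCDD01)   # constructed
    data = (mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes("00:aa:bb:cc:dd:02")
            + struct.pack("!H", 0x0806) + b"constructed arp")           # constructed
    delivered = 0
    for now in range(0, seconds, hello):
        frame = cust.transmit(bpdu)
        if frame is not None:
            isp.receive(frame, now)
        if isp.receive(data, now):
            delivered += 1
    return {"state": isp.state,
            "delivered": delivered,
            "errdisables": sum(1 for _t, e in isp.log if e == "bpduguard"),
            "recoveries": sum(1 for _t, e in isp.log if e == "recovered")}

if __name__ == "__main__":
    print("no filter :", simulate(bpdufilter=False))   # errdisables 3, recoveries 2, delivered 0
    print("bpdufilter:", simulate(bpdufilter=True))    # state up, delivered 350
```

The IOS pieces this models are, on the ISP side, `spanning-tree portfast` plus `spanning-tree bpduguard enable` on the interface (or `spanning-tree portfast bpduguard default` globally) together with `errdisable recovery cause bpduguard` and `errdisable recovery interval 300`, which the ISP can confirm with `show interfaces status err-disabled` and `show errdisable recovery`; on the customer side, `spanning-tree bpdufilter enable` under the ISP-facing interface, which stops that port from sending or processing BPDUs, or `no spanning-tree vlan 50`. One caveat a practitioner should weigh: the interface-level filter switches STP off for that port, so a loop that later forms through that link would not be detected; that is acceptable here only because there is a single link to the ISP, and `no spanning-tree vlan 50` goes further by removing loop protection from every port in the VLAN, so the per-interface filter is the narrower change.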

mgreenlee1
Level 1

So with regards to the connection to switch not working, my first question would be whether it is just a basic MDIX issue, and that the switch you removed was auto sensing and the new switch was not.  Have you tried a crossover cable instead of straight through on that connection?  Cheaper switches don't always auto sense.  

 

For the VLAN bit, it sounds like you have some confusion with regards to how the tagging works.  Traffic going OUT an access port isn't assigned that dot1q tag in the header it is sent out untagged (assuming no QinQ or other 'multiple tagging' ).  Traffic IN on an access port has the VLAN tag added if it is exiting the switch on a trunk port.

 

So if I have a switch that has a port configured for VLAN 10, and the other end of that cable is a switch that is in VLAN 20, when my switch sends out that port, it sends it without the dot1q tag for 10, and you receive it untagged.  From your switch's perspective, it is inbound traffic on port 20, but at the time of ingress on your access port, it doesn't have a dot1q tag.  From your switch's perspective, it was received as traffic on VLAN 20.  Logically, if no trunks are involved, VLANs assigned are only locally significant to that switch.
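The untagged-on-the-wire behaviour that the ISP's reply, the Brocade link, Jaderson Pessoa's ARP walk-through and this post all describe, as an added example (not code from the thread or from any switch vendor): two minimal switch models face each other over one link, the ISP side with an access port in VLAN 302 and the customer side with an access port in VLAN 50, as in the configs quoted earlier. A broadcast tagged 302 inside the ISP leaves Fa0/24 untagged, is classified into VLAN 50 on the customer's Gi1/0/1, and is re-tagged 50 only on the customer's own trunk; the same frame delivered with its 302 tag still on it is refused by the access port without learning its source MAC, which is the documentation rule quoted in the first reply. The uplink port names, MAC addresses and payload are assumptions made for the demo.

```python
"""802.1Q handling by two access ports in different VLANs.

Added example for this thread, not code from the original posts or from any
vendor.  Uplink port names, MAC addresses and payloads are assumptions.
"""
import struct

ETHERTYPE_8021Q = 0x8100

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst, src, ethertype, payload, vid=None):
    """Raw Ethernet frame; an 802.1Q tag (TCI carrying only the VID) is inserted if vid is set."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(raw):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = raw[0:6].hex(":"), raw[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, off = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid, off = tci & 0x0FFF, 18
    return dst, src, vid, ethertype, raw[off:]

class Switch:
    """Minimal Layer 2 switch: access/trunk ports, per-VLAN MAC table, flooding."""
    def __init__(self):
        self.ports = {}        # port name -> config dict
        self.mac_table = {}    # (vlan, mac) -> port
        self.dropped = []      # (port, vid) of frames refused at ingress

    def access_port(self, port, vlan):
        self.ports[port] = {"mode": "access", "vlan": vlan}

    def trunk_port(self, port, native=1, allowed=None):
        self.ports[port] = {"mode": "trunk", "native": native, "allowed": allowed}

    @staticmethod
    def member(cfg, vlan):
        if cfg["mode"] == "access":
            return cfg["vlan"] == vlan
        return cfg["allowed"] is None or vlan in cfg["allowed"]

    def classify(self, port, vid):
        """VLAN a frame belongs to on ingress, or None if it must be dropped."""
        cfg = self.ports[port]
        if cfg["mode"] == "access":
            # Untagged frames land in the access VLAN whatever number the neighbour
            # used; a tag for another VLAN is dropped and its source MAC not learned.
            return cfg["vlan"] if vid in (None, cfg["vlan"]) else None
        if vid is None:
            return cfg["native"]
        return vid if self.member(cfg, vid) else None

    def egress(self, port, vlan, raw):
        """Access ports and a trunk's native VLAN send untagged; other trunk VLANs tagged."""
        dst, src, _vid, ethertype, payload = parse_frame(raw)
        cfg = self.ports[port]
        if cfg["mode"] == "access" or vlan == cfg["native"]:
            return build_frame(dst, src, ethertype, payload)
        return build_frame(dst, src, ethertype, payload, vid=vlan)

    def receive(self, port, raw):
        """Process one ingress frame; return [(egress_port, raw_bytes), ...]."""
        dst, src, vid, _et, _payload = parse_frame(raw)
        vlan = self.classify(port, vid)
        if vlan is None:
            self.dropped.append((port, vid))
            return []
        self.mac_table[(vlan, src)] = port
        known = self.mac_table.get((vlan, dst))
        if known is not None and known != port:
            targets = [known]
        else:  # unknown unicast or broadcast: flood within this VLAN only
            targets = [p for p, cfg in self.ports.items() if p != port and self.member(cfg, vlan)]
        return [(p, self.egress(p, vlan, raw)) for p in targets]

def demo():
    """Walk one broadcast (think ARP request) from the ISP core to the customer LAN."""
    isp = Switch()
    isp.trunk_port("Gi1/0/1")        # assumed uplink into the ISP core
    isp.access_port("Fa0/24", 302)   # the port facing the customer (config quoted in the thread)
    cust = Switch()
    cust.access_port("Gi1/0/1", 50)  # the port facing the ISP (config quoted in the thread)
    cust.trunk_port("Gi1/0/24")      # assumed uplink to the customer router
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",   # constructed MACs
                        0x0806, b"constructed arp payload", vid=302)
    to_customer = dict(isp.receive("Gi1/0/1", frame))["Fa0/24"]
    cust_out = dict(cust.receive("Gi1/0/1", to_customer))
    cust.receive("Gi1/0/1", frame)   # same frame still tagged 302: refused by the access port
    return {"isp_egress_vid": parse_frame(to_customer)[2],            # None: untagged on the wire
            "customer_vlan": next(v for v, _m in cust.mac_table),     # classified as VLAN 50
            "customer_egress_vid": parse_frame(cust_out["Gi1/0/24"])[2],  # re-tagged 50 on the trunk
            "foreign_tag_dropped": cust.dropped == [("Gi1/0/1", 302)]}

if __name__ == "__main__":
    print(demo())
```

The point to carry away from the model is that a VLAN ID is only a local label for an access port: nothing about "302" ever reaches the customer switch, so the ISP's and the customer's numbers never have to agree, and the only way a tag crosses that link is if one side is actually trunking. That is also why a tag-mismatch check at the access port is worth keeping: it is what stops a neighbour from injecting frames into a VLAN other than the one the port was assigned.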
