05-21-2021 05:39 PM
Hello
I am running Gibraltar 16.12.2 on a pair of 9500-16x and was able to create 2 different port-channels successfully as well as an interface-vlan with an IP address. However, under the port-channel configs I set the switchport trunk and then allow all VLANs. I am unable to ping even myself and it still says the vlan and protocol are down even though I did a "no shut" to the interface VLAN. It is in the default VRF, I believe, there is a MGMT-VRF as well, but I should be able to ping the IP of the VLAN. The other thing is the "switchport trunk allowed vlan all" does not show up under the port-channel config.
Thank you for your assistance.
05-21-2021 07:12 PM - edited 05-21-2021 07:16 PM
For a Switched Virtual Interface (SVI) to be up, two conditions need to be met:
1. There is a corresponding VLAN on the switch.
2. At least one interface (trunk or access interface) belongs to this VLAN.
Please check the VLAN database (show vlan brief) to see whether there is a corresponding VLAN ID.
"switchport trunk allowed vlan all" is a default configuration and will not be displayed in "show running-config".
05-22-2021 04:32 PM
DRF312cisco9500#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Te1/0/1, Te1/0/2, Te1/0/3, Te1/0/4, Te1/0/5, Te1/0/9, Te1/0/10, Te1/0/11, Te1/0/12, Te1/0/13, Te2/0/1, Te2/0/2, Te2/0/3, Te2/0/4, Te2/0/5, Te2/0/9
                                                Te2/0/10, Te2/0/11, Te2/0/12, Te2/0/13
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
3003 VLAN3003                         active
DRF312cisco9500#
Surprised that the VLAN 3003 does not show up under the Ports since I allowed it on both port channels
DRF312cisco9500#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG
Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
10     Po10(SD)        LACP      Te1/0/2(s)      Te2/0/2(s)
20     Po20(SD)        LACP      Te1/0/10(s)     Te2/0/10(s)
DRF312cisco9500#
05-22-2021 05:39 PM
From "show etherchannel summary", the status of the two port-channel interfaces is down for both:
-----
DRF312cisco9500#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG
Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
10     Po10(SD)        LACP      Te1/0/2(s)      Te2/0/2(s)
20     Po20(SD)        LACP      Te1/0/10(s)     Te2/0/10(s)
-----
Port-channel negotiation is abnormal. Is the etherchannel configuration of the device connected to the opposite end of the 9500 switch port-channel10 and port-channel20 correct? At the same time, it is necessary to confirm the existence of vlan3003 on the peer device.
05-22-2021 05:56 PM
Ahhh - yes. Since I do not have control of the Firewall - I can just do a test and place any other 9500-16x port into that VLAN, then the VLAN should come up. Let me try that and I can report back. Thank you.
05-22-2021 06:14 PM
I put ten 1/0/1 into VLAN 3003 - although it is not connected to anything, should I not at least be able to ping myself 192.168.100.1?
DRF312cisco9500#show vlan br
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Te1/0/2, Te1/0/3, Te1/0/4, Te1/0/5, Te1/0/9, Te1/0/10, Te1/0/11, Te1/0/12, Te1/0/13, Te2/0/1, Te2/0/2, Te2/0/3, Te2/0/4, Te2/0/5, Te2/0/9, Te2/0/10, Te2/0/11, Te2/0/12, Te2/0/13
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
3003 VLAN3003                         active    Te1/0/1
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#
DRF312cisco9500#show ip int vlan 3003
Vlan3003 is up, line protocol is down
Internet address is 192.168.100.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing Common access list is not set
Outgoing access list is not set
Inbound Common access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP Null turbo vector
Associated unicast routing topologies:
Topology "base", operation state is UP
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
DRF312cisco9500#
05-22-2021 06:32 PM
No, the physical interface needs to be in an up state; that is to say, there needs to be a device connected to this interface.
"At least one interface (trunk or access interface) belongs to this vlan" refers to an interface that needs to have an up state.
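The two SVI conditions discussed in this thread, applied to the posted CLI output. This is an added example, not part of any post: the function names are hypothetical, the sample text is constructed from the thread's output, and `link_up` is an assumed input (for instance taken from show interface status).

```python
import re
# Constructed sample, adapted from the CLI output posted in this thread.
ETHERCHANNEL = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------
10     Po10(SD)        LACP      Te1/0/2(s)      Te2/0/2(s)
20     Po20(SD)        LACP      Te1/0/10(s)     Te2/0/10(s)
"""
VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
1    default                          active    Te1/0/2, Te1/0/3
3003 VLAN3003                         active    Te1/0/1
"""

def parse_etherchannel(text):
    """Map each port-channel to its flags and per-member flags."""
    channels = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(Po\d+)\((\w+)\)\s+\S+\s+(.*)", line)
        if m:
            members = dict(re.findall(r"(\S+)\((\w+)\)", m.group(3)))
            channels[m.group(1)] = {"flags": m.group(2), "members": members}
    return channels

def parse_vlan_brief(text):
    """Map VLAN id -> (status, access ports listed for that VLAN)."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+\S+\s+(\S+)\s*(.*)", line)
        if m:
            ports = [p.strip() for p in m.group(3).split(",") if p.strip()]
            vlans[int(m.group(1))] = (m.group(2), ports)
    return vlans

def svi_blockers(vlan, vlans, channels, link_up):
    """Reasons the SVI stays down. link_up: assumed set of ports with link."""
    if vlan not in vlans or vlans[vlan][0] != "active":
        return [f"VLAN {vlan} is missing or not active in the VLAN database"]
    reasons = []
    for port in vlans[vlan][1]:
        if port in link_up:
            return []  # an up access port in the VLAN is enough
        reasons.append(f"{port}: in VLAN {vlan} but has no link")
    for name, ch in channels.items():
        if "U" in ch["flags"]:
            return []  # bundle in use; assumes the trunk allows the VLAN
        reasons.append(f"{name}: flags {ch['flags']}, members {ch['members']}")
    return reasons
```

With no ports up, `svi_blockers(3003, ...)` lists the unconnected access port and both down port-channels; once any member port has link it returns an empty list.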
05-22-2021 07:15 PM
Thank you!
05-22-2021 02:15 AM
First make sure you have the VLAN created on the respective switches.
You can verify with show vlan, show spanning summary.
I would advise posting the configuration here:
show run
show ip interface brief
show etherchannel summary
The other thing is the "switchport trunk allowed vlan all" does not show up under the port-channel config.
show run all - show the information.
05-22-2021 12:56 PM
In addition to the other commands that have been suggested it might be helpful to see the output of show interface trunk and verify what vlans are active on the port channels. And make sure that the vlan interface you have configured is for one of the active vlans. If the suggestions so far do not identify the issue then posting the running config might be the next step.
05-22-2021 02:44 PM
Thank you everyone. I've been working on nothing but Ruckus & Extreme network switches the past 4 years. Greatly appreciate all your assistance. Here is the show run. I deleted the SVI. Then created the VLAN, then the SVI, then added the trunk vlan all command. Still cannot ping myself 192.168.100.1. I have attached the show run below. I have 2 port channels 10 & 20 that I am trying to allow VLAN 3003. I figured I'd be able to ping myself at least.
05-22-2021 03:08 PM
Thanks for posting the configuration. I do not have much experience with 9500 and might have missed something, but the config seems to me to be straightforward. The vlan is created, port channels are defined, interfaces are configured as trunk and assigned to the port channels. Seems like it ought to work. But it is not so we need to look further.
- my first question is can we verify that connections are working? Does show cdp neighbor show neighbors? Perhaps the output of show interface status might be helpful.
- my next question is can we verify that the trunks are working? the output of show interface trunk should help answer that.
- the output of show ip interface brief would help to verify the state of the SVI
05-22-2021 04:12 PM
I'm hearing you Richard - I came from a Nexus 7K,5K,2K house. This IOS-XE SVL technology is new to me as well. But thanks for looking and here are some outputs of what I am seeing. One would think that I should at least be able to ping myself. Currently I only have the MGMT port connected (mgmt VRF) for remote telnet access and the PortChannels are hooked to a Checkpoint Firewall, but currently they are down.
Maybe I just need to add an access port? But I thought that "switchport trunk allowed vlan all" would take care of that.
Mahalo
05-22-2021 04:27 PM
05-22-2021 11:07 PM
As I see, this was marked as resolved before I read the full history?