Solved: allowing only vlans needed on uplink trunks (two links bundled in a PO) disconnects me from the node...

m-abooali · ‎10-20-2018

Hello,

I have this Cisco 3750 stack of 3 switches. two trunks going to a distribution stack (same Switch type) but when I allow only three vlans that I need instead of allowed all, I lose connectivity altogether!?

is it related to vlan 1? Native VLAN?

I am trying to limit broadcast and ARP chats.

any input and assistance will be greatly appreciated.

Best Regards,

Masood

Alex Pfeil · ‎10-20-2018

Please do show vlan | in active
Show int “interface” trunk
Show up interface brief

What VLAN is management of switch in? If it is out of band management or one of those three VLANs, you would not have to include the native VLAN.

The native VLAN is not required to be allowed to cross a trunk. It would only be required if you are using it.

Please rate helpful posts.

View solution in original post

m-abooali · ‎10-20-2018

example of phone interface:

interface GigabitEthernet1/0/17
switchport access vlan 212
switchport mode access
mls qos trust cos
spanning-tree portfast

I will change vlan to voice vlan as it had bad mask in the FW that I do not manage. after fixing I will change to vlan 195 and will add

switchport voice vlan 195

too.

Best Regards,

Masood

@Alex Pfeil wrote:
I was also going to say that you were probably experiencing a spanning-tree issue.

If the switch supports auto QoS, you would do auto QoS srnd4
Interface range gig or fa 1-48
Auto QoS trust dscp.

Make sure that the phones are automatically marking the packets as dacp46.

Thank you!

View solution in original post

Alex Pfeil · ‎10-24-2018

Auto QoS should be on the trunks as well. It has to be on every switch in the path as well. If you have older equipment that does not support auto qos, my recommendation would be to upgrade. On some port-channels, you have to add the auto qos on the physical port and not the port channel.

Please rate helpful posts.

View solution in original post

m-abooali · ‎10-20-2018

the moment I applied the following to the second trunk, i lost connectivity.

2a70-accs-sw01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
2a70-accs-sw01(config)#int gi3/0/25
2a70-accs-sw01(config-if)# switchport trunk allowed vlan 224,212,195
2a70-accs-sw01(config-if)#
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Session stopped
- Press <return> to exit tab
- Press R to restart session
- Press S to save terminal output to file

Network error: Software caused connection abort

m-abooali · ‎10-20-2018

hello,

I hate to reply to myself. but the stack came back up with only vlans needed under the trunk. I am not sure if native vlan must be allowed or not tho!?

Best regards,

Masood

Alex Pfeil · ‎10-20-2018

Please do show vlan | in active
Show int “interface” trunk
Show up interface brief

What VLAN is management of switch in? If it is out of band management or one of those three VLANs, you would not have to include the native VLAN.

The native VLAN is not required to be allowed to cross a trunk. It would only be required if you are using it.

Please rate helpful posts.

m-abooali · ‎10-20-2018

now that only three vlans that are needed are allowed across the trunk, I need ot see how Fuze phone react. I have no experience with Fuze phones.

I added mls qos trust cos under interfaces.

I may need to turn on Auto QoS of Cisco Switches tho!?

Best Regards,

Masood

Alex Pfeil · ‎10-20-2018

I was also going to say that you were probably experiencing a spanning-tree issue.

If the switch supports auto QoS, you would do auto QoS srnd4
Interface range gig or fa 1-48
Auto QoS trust dscp.

Make sure that the phones are automatically marking the packets as dacp46.

Thank you!

m-abooali · ‎10-20-2018

I check spanning-tree and no blocked ports.

I am not sure what Fuze phones support but I will try as your recommendations. will see how they behave.

Cisco 3750G, not sure if they support Auto QoS tho!?

Best Regards,

Masood

m-abooali · ‎10-20-2018

auto QoS is supported and I turned it on but no INterface commands were available after:

2a70-accs-sw01(config)#Auto ?
qos Configure AutoQoS global

2a70-accs-sw01(config)#Auto qos ?
srnd4 QoS configurations based on solution reference network design 4.0

2a70-accs-sw01(config)#Auto qos srnd4 ?
<cr>

2a70-accs-sw01(config)#Auto qos srnd4
2a70-accs-sw01(config)#

so, should i go under interfaces to add auto QoS as well?

m-abooali · ‎10-20-2018

example of phone interface:

interface GigabitEthernet1/0/17
switchport access vlan 212
switchport mode access
mls qos trust cos
spanning-tree portfast

I will change vlan to voice vlan as it had bad mask in the FW that I do not manage. after fixing I will change to vlan 195 and will add

switchport voice vlan 195

too.

Best Regards,

Masood

@Alex Pfeil wrote:
I was also going to say that you were probably experiencing a spanning-tree issue.

If the switch supports auto QoS, you would do auto QoS srnd4
Interface range gig or fa 1-48
Auto QoS trust dscp.

Make sure that the phones are automatically marking the packets as dacp46.

Thank you!

m-abooali · ‎10-24-2018

Hi,

well, I did turn on auto QoS and thing look better however we still have serious issues. should I turn on QoS under the trunk links as well (upinks to distribution Switch stack)? - I understand that switches with phones (access Switches) must have that QoS but not sure on the trunks because of portfast spanning-tree!?

I decided to allow voice vlan to go directly to the Sonicwall firewall as we don;t have proper Core switch(s) for now.

of course vlan voice had some issues and we are using a dfferent vlan for voie ad data using TCP of course. do I need to crate class-map and ACL to allow vice vlan subnet over udp higher ports?

NOT Applied yet:

!
policy-map PHONE+PC
class PHONE-VOICE
    police 128000 8000 exceed-action drop
   set dscp ef
class PHONE-SIGNAL
    police 32000 8000 exceed-action drop
   set dscp cs3
class class-default
   set dscp default

ip access-list extended PHONE-SIGNAL
permit udp 10.x.x.0 0.0.127.255 any range 2000 2002
permit udp 10.x.x.0 0.0.127.255 any range 2000 2002
ip access-list extended PHONE-VOICE
permit udp 10.x.127.0 0.0.127.255 any range 16384 32767
permit udp 10.x.127.0 0.0.127.255 any range 16384 32767

Any input will be greatly appreciated.

Best Regards,

Masood

Alex Pfeil · ‎10-24-2018

Auto QoS should be on the trunks as well. It has to be on every switch in the path as well. If you have older equipment that does not support auto qos, my recommendation would be to upgrade. On some port-channels, you have to add the auto qos on the physical port and not the port channel.

Please rate helpful posts.

m-abooali · ‎10-24-2018

Thank you.

Best Regards,

masood

m-abooali · ‎10-24-2018

Hi,

I have two trunks on a stack of 3 Cisco 3750 switches but cannot add auto QoS under the trunks? switch doesn't allow QoS under trunks bundled to PO!?

any solutions?

Please advsie,

Best Regards,

Masood

Alex Pfeil · ‎10-24-2018

If you can’t apply it to the port channel, apply it to each physical port.

Please mark helpful posts.

m-abooali · ‎10-24-2018

I think these Fuze phone need to have a class-map and making vlan 195 to use udp instead of TCP.!?

Please advsie if possible

Regards,

masood

allowing only vlans needed on uplink trunks (two links bundled in a PO) disconnects me from the node/closet Switch- Cisco 3750G