03-09-2012 01:37 PM - edited 03-07-2019 05:28 AM
With Matt Blanshard
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to ask your toughest layer 2 questions to two of the technical leaders of the San Jose LAN Switching team, Matt Blanshard. Learn more about Spanning Tree, VTP, Trunking, Resilient Ethernet Protocol, IGMP Snooping, Private VLANS, Q-in-Q Tunneling, QoS, various switching platforms including all desktop switches, Metro Ethernet switches, 4500 and 6500 switches, Blade Center switches, and Nexus 7000 switches.
Matt Blanshard began his Cisco career as an intern in 2007. He is now a technical leader at the Cisco Technical Assistance Center on the LAN Switching team. He holds a bachelor's degree from the University of Phoenix in computer science, and has CCNA certification.
Remember to use the rating system to let Matt know if you have received an adequate response.
Matt might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through March 23rd, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
03-20-2012 09:54 AM
I have a problem where I'm trying to add a switch at a remote location that I am connecting to over a VPN Tunnel to my main site's VTP domain. I have it configured correctly, but it won't join. Any ideas?
Main Site
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 192
Maximum VLANs supported locally : 1005
Number of existing VLANs : 88
VTP Operating Mode : Server
VTP Domain Name : vtp-ebiz
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xA8 0x13 0xA8 0x55 0x70 0xF0 0x96 0xAD
Configuration last modified by 10.1.1.2 at 3-13-12 16:47:09
Local updater ID is 10.1.1.2 on interface Vl1 (lowest numbered VLAN interface found)
Remote Site
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
VTP Operating Mode : Client
VTP Domain Name : vtp-ebiz
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x8B 0xF5 0xD1 0x3C 0x6C 0x3D 0x38 0x33
Configuration last modified by 10.5.1.2 at 3-1-93 04:37:54
03-20-2012 10:01 AM
VTP advertisements only go out across trunk links. Are these sites connected at layer 2?
-Matt
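A pre-join check over the two `show vtp status` outputs quoted in the question, added here as an example and not part of the thread: it parses the fields and flags what a practitioner verifies before trunking a switch into an existing VTP domain, in particular a joiner whose configuration revision is higher than the server's, since that switch's VLAN database would replace the domain's. Field names follow the output above; the function names are my own.

```python
# Constructed input: the two "show vtp status" outputs quoted in the question,
# trimmed to the fields the check reads.
MAIN_SITE = """\
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 192
VTP Operating Mode : Server
VTP Domain Name : vtp-ebiz
VTP V2 Mode : Disabled
MD5 digest : 0xA8 0x13 0xA8 0x55 0x70 0xF0 0x96 0xAD
"""
REMOTE_SITE = """\
VTP Version : 2
Configuration Revision : 0
VTP Operating Mode : Client
VTP Domain Name : vtp-ebiz
VTP V2 Mode : Disabled
MD5 digest : 0x8B 0xF5 0xD1 0x3C 0x6C 0x3D 0x38 0x33
"""

def parse_vtp_status(text):
    """Turn the 'Field : value' lines of show vtp status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def vtp_join_check(server, joiner):
    """Findings to clear before `joiner` is trunked into `server`'s domain."""
    findings = []
    if server["VTP Domain Name"] != joiner["VTP Domain Name"]:
        findings.append("domain name differs: the joiner will ignore advertisements")
    if server["VTP V2 Mode"] != joiner["VTP V2 Mode"]:
        findings.append("VTP V2 mode differs: all switches in a domain must agree")
    srv_rev = int(server["Configuration Revision"])
    join_rev = int(joiner["Configuration Revision"])
    if join_rev > srv_rev:
        findings.append(f"joiner revision {join_rev} > server revision {srv_rev}: "
                        "its VLAN database would replace the domain's; reset it first")
    if server["MD5 digest"] != joiner["MD5 digest"]:
        findings.append("MD5 digest differs: expected while revisions differ (it covers the "
                        "VLAN database and the VTP password); if it persists after sync, "
                        "check the VTP password")
    return findings

if __name__ == "__main__":
    for f in vtp_join_check(parse_vtp_status(MAIN_SITE), parse_vtp_status(REMOTE_SITE)):
        print(f)
```

For the outputs in the question only the digest finding fires, which is the expected state for a freshly reset client; the trunk requirement Matt raises is something the output cannot show.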
03-20-2012 10:33 AM
Hey Matt...
I would like to ask you a general question about Trunking which everyone has a different answer for. The question is about how you configure the native vlan in a trunk port. Here are some of the answers:
>> Do not configure native vlan. By the default, the switch uses Vlan1 for untagged packets even when Vlan1 is shutdown for many other different reasons
>> Configure the native vlan using your data vlan so all untagged traffic goes through it
>> Configure the native vlan using a vlan that is not used anywhere else. In other words, configure a dumb vlan and use it as the native vlan
Thanks RG-
03-20-2012 10:55 AM
Hello RG,
This is another of those questions where everyone has an opinion. In my opinion there are two ways you can set up the native vlan. You either use it for your management vlan, or you use it for nothing and let it be a dead vlan. Either method is acceptable, but I wouldn't use it as a regular data vlan.
-Matt
03-20-2012 10:51 AM
Matt,
Thanks for the reply, these sites are connected via a layer 3 tunnel. Is there any way to make it work in that environment?
Thanks
03-20-2012 10:53 AM
You would have to set up something like L2TPv3 to tunnel the L2 over the L3. What kind of device is handling the tunnel?
-Matt
03-20-2012 12:43 PM
Matt, the tunnel is between two Juniper SRX firewalls. Do you know of a configuration guide for the L2TPv3 setup?
Thanks
03-20-2012 02:39 PM
Matt,
Since the firewalls don't have an L2TPv3 or similar configuration option, is it possible to set up the L2TPv3 tunnel between the switches on either side of the tunnel?
03-20-2012 07:15 PM
I am sorry, but the switches don't support that feature. You would have to put a router in between if you wanted to implement that.
-Matt
03-21-2012 07:50 AM
Hello!
If I enable "spanning-tree portfast default", do I have to disable it on the trunk ports with the command "spanning-tree portfast disable" ?
And if that is the case, if I use the command "spanning-tree portfast bpduguard default", do I have to disable that on the trunk ports as well?
03-21-2012 09:10 AM
Hello Henrick,
Spanning-tree portfast default takes effect only on access ports. Spanning-tree portfast bpduguard default only takes effect on ports which are in portfast mode. So by enabling these two it won't do anything to your trunk ports.
-Matt
03-21-2012 09:50 AM
Thank you for the reply.
I know I have read this in the CCNA, but when you enable "spanning-tree portfast default" it shows a message like: "portfast enabled on all ports, disable it on ports connected to switches, hubs..."
Again, thank you
03-21-2012 06:57 PM
It should say "portfast enabled on all non-trunk ports"
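The two answers above give the rules for how the global defaults land on individual ports: "portfast default" reaches only non-trunk ports, and "bpduguard default" reaches only ports where portfast is in effect. The following added example (my own code, not from the thread) resolves those rules over a constructed running-config and reports the two states worth catching, a trunk that ends up with portfast and an edge port left without BPDU guard; the interface names and the per-port commands "spanning-tree portfast trunk" and "spanning-tree bpduguard enable/disable" are assumptions chosen to exercise the logic.

```python
# Constructed sample running-config (not from the thread) exercising the
# portfast / BPDU guard defaults discussed above.
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast disable
interface GigabitEthernet1/0/23
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def effective_stp_state(config):
    """Per-port portfast/bpduguard as the switch applies it: 'portfast default' is
    non-trunk only, 'bpduguard default' needs portfast in effect, explicit wins."""
    lines = config.splitlines()
    pf_default = "spanning-tree portfast default" in lines
    bg_default = "spanning-tree portfast bpduguard default" in lines
    ports, cur = {}, None
    for line in lines:
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ports[cur] = {"trunk": False, "pf": None, "bg": None}
        elif cur and line.startswith(" "):
            cmd = line.strip()
            if cmd == "switchport mode trunk":
                ports[cur]["trunk"] = True
            elif cmd.startswith("spanning-tree portfast"):
                ports[cur]["pf"] = cmd[len("spanning-tree portfast"):].strip()
            elif cmd.startswith("spanning-tree bpduguard"):
                ports[cur]["bg"] = cmd.endswith("enable")
        else:
            cur = None
    for st in ports.values():
        pf, bg = st.pop("pf"), st.pop("bg")
        wants_pf = pf_default if pf is None else pf == ""  # '' = plain 'portfast'
        st["portfast"] = pf == "trunk" or (wants_pf and not st["trunk"])  # plain portfast is ignored on trunks
        st["bpduguard"] = bg if bg is not None else (bg_default and st["portfast"])
    return ports

def audit_stp(config):
    """Flag trunks with portfast in effect and edge ports left without BPDU guard."""
    return [f"{n}: {'portfast in effect on a trunk' if s['trunk'] else 'edge port without BPDU guard'}"
            for n, s in effective_stp_state(config).items()
            if (s["trunk"] and s["portfast"]) or (not s["trunk"] and not s["bpduguard"])]
```

On the sample, Gi1/0/24 shows the point of the answer: the global defaults leave the plain trunk untouched, while Gi1/0/2 and Gi1/0/23 are the two per-port overrides that do need attention.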
03-21-2012 04:51 PM
On the 3750/X and 3560/X switching platforms, VLAN-based QoS requires an SVI to apply service policies to. In addition, functions such as NTP broadcast require this as well. I take it that if you have layer 2 only VLANs with an SVI that is created but shut down, then functions like NTP broadcasting will not work. I'm curious if there is a list (internal or otherwise) of the functions that still operate on an SVI regardless of its administrative shutdown state.
Are VLAN-based QoS service policies still applied? I would think they are, even if the SVI is shut down? I could lab all of the possibilities, but I would hate to do this if Cisco has it documented. This would be very useful for design and security concerns.
Thanks
03-21-2012 10:34 PM
Hello Matthew,
I know the NTP broadcast won't work with the SVI shut down. VACLs will work with the SVI shut down, but I honestly have no idea if the QoS policy is applied. I would think it should be, but I am going to lab it up and test it out since I don't know.
-Matt