Ask the Expert: LAN Switching

ciscomoderator
Community Manager
With Matt Blanshard

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to ask your toughest layer 2 questions to two of the technical leaders of the San Jose LAN Switching team, Matt Blanshard. Learn more about Spanning Tree, VTP, Trunking, Resilient Ethernet Protocol, IGMP Snooping, Private VLANS, Q-in-Q Tunneling, QoS, various switching platforms including all desktop switches, Metro Ethernet switches, 4500 and 6500 switches, Blade Center switches, and Nexus 7000 switches. 

Matt Blanshard began his Cisco career as an intern in 2007.  He is now a technical leader at the Cisco Technical Assistance Center on the LAN Switching team. He holds a bachelor's degree from the University of Phoenix in computer science, and has CCNA certification. 

Remember to use the rating system to let Matt know if you have received an adequate response. 

Matt might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through March 23rd, 2012. Visit this forum often to view responses to your questions and the questions of other community members. 

mpugina63
Level 1

I have a problem where I'm trying to add a switch at a remote location that I am connecting to over a VPN Tunnel to my main site's VTP domain. I have it configured correctly, but it won't join. Any ideas?

Main Site

VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 192
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 88
VTP Operating Mode              : Server
VTP Domain Name                 : vtp-ebiz
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xA8 0x13 0xA8 0x55 0x70 0xF0 0x96 0xAD
Configuration last modified by 10.1.1.2 at 3-13-12 16:47:09
Local updater ID is 10.1.1.2 on interface Vl1 (lowest numbered VLAN interface found)

Remote Site

VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 16
VTP Operating Mode              : Client
VTP Domain Name                 : vtp-ebiz
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x8B 0xF5 0xD1 0x3C 0x6C 0x3D 0x38 0x33
Configuration last modified by 10.5.1.2 at 3-1-93 04:37:54

VTP advertisements only go out across trunk links.  Are these sites connected at layer 2?

-Matt

Hey Matt...

  I would like to ask you a general question about Trunking which everyone has a different answer for. The question is about how you configure the native vlan in a trunk port. Here are some of the answers:

  >> Do not configure native vlan. By default, the switch uses Vlan1 for untagged packets even when Vlan1 is shutdown for many other different reasons

  >> Configure the native vlan using your data vlan so all untagged traffic goes thru it

  >> Configure the native vlan using a vlan that is not used anywhere else. In other words, configure a dumb vlan and use it as the native vlan

  Thanks RG-

Hello RG,

This is another of those questions where everyone has an opinion. In my opinion there are two ways you can set up the native vlan.  You either use it for your management vlan, or you use it for nothing and let it be a dead vlan.  Either method is acceptable, but I wouldn't use it as a regular data vlan.

-Matt
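
The rule in the answer above (native VLAN is either the management VLAN or a dead VLAN, never a regular data VLAN) can be checked against a saved switch configuration. This is an added example, not part of the original thread: the sample config, interface names, VLAN IDs and the `audit_native_vlans` helper are constructed for illustration, and only ports with an explicit `switchport mode trunk` or `switchport mode access` are considered.

```python
# Constructed sample running-config; interface names and VLAN IDs are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
interface GigabitEthernet0/3
 switchport mode trunk
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return interfaces

def vlan_arg(cmds, prefix, default=1):
    """VLAN ID following `prefix`; IOS uses VLAN 1 when the command is absent."""
    for cmd in cmds:
        if cmd.startswith(prefix + " ") and cmd[len(prefix) + 1:].isdigit():
            return int(cmd[len(prefix) + 1:])
    return default

def audit_native_vlans(config, mgmt_vlans=frozenset()):
    """Label each trunk's native VLAN 'data', 'management' or 'dead'."""
    ifs = parse_interfaces(config)
    # A VLAN counts as a data VLAN if any access port is assigned to it.
    data = {vlan_arg(c, "switchport access vlan")
            for c in ifs.values() if "switchport mode access" in c}
    result = {}
    for name, cmds in ifs.items():
        if "switchport mode trunk" in cmds:
            native = vlan_arg(cmds, "switchport trunk native vlan")
            result[name] = (native, "data" if native in data else
                            "management" if native in mgmt_vlans else "dead")
    return result

if __name__ == "__main__":
    for port, (vlan, kind) in audit_native_vlans(SAMPLE_CONFIG, {1}).items():
        print(f"{port}: native VLAN {vlan} -> {kind}")
```

Any trunk reported as `data` is one where untagged frames share a VLAN with access ports, which is the case the answer advises against.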

Matt,

Thanks for the reply, these sites are connected via layer 3 tunnel. Is there any way to make it work in that environment?

Thanks

You would have to set up something like L2TPv3 to tunnel the L2 over the L3.  What kind of device is handling the tunnel?

-Matt

Matt, the tunnel is between two Juniper SRX firewalls. Do you know of a configuration guide for the L2TPv3 setup?

Thanks

Matt,

Since the firewalls don't have an L2TPv3 or like configuration option, is it possible to set up the L2TPv3 tunnel between the switch on either side of the tunnel?

I am sorry, but the switches don't support that feature.  You would have to put a router in between if you wanted to implement that.

-Matt

Hello!

If I enable "spanning-tree portfast default", do I have to disable it on the trunk ports with the command "spanning-tree portfast disable" ?

And if that is the case, if I use the command "spanning-tree portfast bpduguard default" do I have to disable that on the trunk ports as well?

Hello Henrick,

Spanning-tree portfast default takes effect only on access ports.  Spanning-tree portfast bpduguard default only takes effect on ports which are in portfast mode.  So by enabling these two it won't do anything to your trunk ports. 

-Matt

Thank you for the reply.

I know I have read this in the CCNA but when you enable "spanning-tree portfast default" it shows a message like: "portfast enabled on all port, disable it on ports connected to switches, hubs..."

Again, thank you

It should say "portfast enabled on all non-trunk ports"

Matthew Hall
Level 4

On the 3750/x and 3560/x switching platforms vlan based qos requires an SVI to apply service policies to.  In addition, functions such as NTP broadcast require this as well.  I take it that if you have layer 2 only vlans with an SVI that is created but shutdown, then functions like NTP broadcasting will not work.  I'm curious if there is a list (internal or otherwise) of the functions that still operate on an SVI regardless of its administrative shutdown state.

Are vlan based qos service policies still applied? I would think they are, even if the SVI is shutdown?  I could lab all of the possibilities, but I would hate to do this if Cisco has it documented.  This would be very useful for design and security concerns.

Thanks

Hello Matthew,

I know the NTP broadcast won't work with the SVI shutdown.  VACLs will work with the SVI shutdown, but I honestly have no idea if the qos policy is applied.  I would think it should be, but I am going to lab it up and test it out since I don't know.

-Matt
