Basic Cisco Catalyst 4900m Interface Configuration Question

Hello Everyone,

I am simply trying to get my Cisco switch to allow traffic on 3 TenGigabitEthernet ports under one vlan in layer 2 mode.  I have the servers connected to the switch ports now and I have pretty much done the bare bones switch configuration so far in accordance to the get me started guide located here on the CD they sent me.

At this point I cannot ping across the switches.  When I do a show ip interface brief

TenGigabitEthernet1/1  unassigned   YES   unset  up      up
TenGigabitEthernet1/2  unassigned   YES   unset  up      up
TenGigabitEthernet1/4  unassigned   YES   unset  up      up

The ports seem to be up.  I was thinking maybe I need to configure access control so I then created an IP access-list to permit all TCP and applied it to all the ports both outgoing and incoming.  I even started to configure a mac access-group to allow all mac addresses.  And I did do a no shutdown command on the ports also.

So basically I am just confused as to what I need to do to allow traffic to go through the interfaces.  I honestly would think pretty much just plugging in the cables it should work.

Any help/comments/suggestions would be appreciated,

Thanks,

Dan


Peter Paluch
Cisco Employee

Hello Dan,

Can you post the output of the following commands?

show running-config

show vlan brief

show spanning-tree

Thank you!

Best regards,

Peter

Hey Peter,

Thanks for your attention and help.  I have posted the output below.  Thanks again.

show running config

bswitch#show running-config
Building configuration...

Current configuration : 1735 bytes
!
! Last configuration change at 13:05:02 UTC Mon Jan 7 2013
! NVRAM config last updated at 11:53:49 UTC Mon Jan 7 2013
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname labswitch
!
boot-start-marker
boot system flash bootflash:cat4500e-ipbase-mz.122-53.SG5.bin
boot-end-marker
!
####enable secret 5
enable password ###############3
!
username test privilege 15 password 0 hackme4fun
no aaa new-model
ip subnet-zero
ip domain-name cyber
!
!
ip vrf mgmtVrf
!
vtp mode transparent
!
power redundancy-mode redundant
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address 192.168.1.29 255.255.255.0
 speed auto
 duplex auto
!
interface TenGigabitEthernet1/1
 ip access-group ip-acl in
 ip access-group ip-acl out
 mac access-group mac-acl in
!
interface TenGigabitEthernet1/2
 ip access-group ip-acl in
 ip access-group ip-acl out
!
interface TenGigabitEthernet1/3
!
interface TenGigabitEthernet1/4
 ip access-group ip-acl in
 ip access-group ip-acl out
!
interface TenGigabitEthernet1/5
!
interface TenGigabitEthernet1/6
!
interface TenGigabitEthernet1/7
!
interface TenGigabitEthernet1/8
!
interface Vlan1
 ip address 192.168.1.30 255.255.255.0
!
ip http server
ip http authentication local
ip http timeout-policy idle 180 life 360 requests 25
!
ip access-list extended ip-acl
 permit tcp any any
!
!
banner motd ^Comans Cyber Lab
Cyber Lab^C
!
line con 0
 stopbits 1
line vty 0 4
 password terminal-password
 login
line vty 5 15
 password terminal-password
 login
!
end

show spanning-tree

bswitch#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     d48c.b5d0.b2c0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     d48c.b5d0.b2c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te1/1               Desg FWD 2         128.1    P2p
Te1/2               Desg FWD 2         128.2    P2p
Te1/4               Desg FWD 2         128.4    P2p

labswitch#

show vlan brief

labswitch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Te1/1, Te1/2, Te1/3, Te1/4
                                                Te1/5, Te1/6, Te1/7, Te1/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Hello Dan,

Thank you for posting the information. Okay. This looks fairly nice - let me suggest a few things here:

  1. Remove the ACLs from your ports. Not only are they unnecessary, they are actually harmful at this point (note that for example, pings are ICMP, not TCP, so in trying to permit the connectivity, you have prohibited the pings from ever working).
  2. Try to configure the ports as follows:

interface Ten1/1 - 8
 switchport mode access
 switchport access vlan 1 ! This command is for completeness, it is already present though invisible
 spanning-tree portfast

This way, we will force the ports to act as access ports in VLAN1 and to become unblocked in STP immediately as they are connected. Once again, please remove the ACLs from the ports.

Best regards,

Peter
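
Added example, not part of Peter's post: the ACL removal he asks for, written against the interface and ACL names shown in Dan's running-config. The comments spell out why the single-entry list dropped pings; the `permit icmp any any` line mentioned there is an illustration of what a filter would have needed, not something the thread recommends configuring.

```cisco
! ip-acl as posted holds one entry. Every IOS access list ends in an
! implicit deny, so traffic that matches no entry is dropped:
!
!   ip access-list extended ip-acl
!    permit tcp any any          <- TCP passes
!    (implicit deny ip any any)  <- ICMP echo / echo-reply and UDP stop here
!
! A list meant to pass pings would need its own entry for them
! (for example "permit icmp any any") ahead of that implicit deny.
! For plain layer 2 forwarding in one VLAN no list is needed at all,
! so the bindings are simply removed from the three ports that carry them.
!
configure terminal
!
interface TenGigabitEthernet1/1
 no ip access-group ip-acl in
 no ip access-group ip-acl out
 no mac access-group mac-acl in
!
interface range TenGigabitEthernet1/2 , TenGigabitEthernet1/4
 no ip access-group ip-acl in
 no ip access-group ip-acl out
!
end
!
! Confirm that no port still references an access list
! (the command should return nothing):
show running-config | include access-group
```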

Thanks for your help Peter,

You were pretty much spot on.  I had to add the range command in the code that you gave.  Then it still did not work.  Then I reconfigured the IPs on the servers and then things worked so thanks.

Disclaimer


The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Try to configure the ports as follows:

interface Ten1/1 - 8
 switchport mode access
 switchport access vlan 1 ! This command is for completeness, it is already present though invisible
 spanning-tree portfast

This way, we will force the ports to act as access ports in VLAN1 and to become unblocked in STP immediately as they are connected. Once again, please remove the ACLs from the ports.

BTW, regarding Peter's suggestion for using portfast, you can often make it the default for access ports.  This makes it less likely to "forget" to configure it for an edge access port, and reduces the "clutter" of the config.  For access ports that should not be using portfast, you can disable it per port which also "flags" that access port as unusual.

Also, when using portfast, some like to also enable BPDUguard for the same ports.  It too can be set as an access port default and, also if enabled as a default, overridden per port too.
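
The defaults described above, as an added example that is not taken from any post in the thread. The commands are the classic IOS forms (the thread's switch runs a 12.2 release); treating Te1/8 as a port that faces another switch is an assumption made only to show the per-port override.

```cisco
configure terminal
!
! Global defaults: PortFast on every port operating as an access port,
! BPDU Guard on every port that is in the PortFast state.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Ports from the thread. Access mode is what makes the defaults apply,
! so no per-port spanning-tree lines are needed here.
interface range TenGigabitEthernet1/1 - 8
 switchport mode access
 switchport access vlan 1
!
! Exception (assumed for illustration: Te1/8 connects to another switch).
! The explicit lines override the global defaults and also flag the port
! as unusual to anyone reading the config. Disabling PortFast already
! keeps the BPDU Guard default off this port; the second line makes
! that intent explicit.
interface TenGigabitEthernet1/8
 spanning-tree portfast disable
 spanning-tree bpduguard disable
!
end
!
! Check what is actually in effect. A port that received a BPDU while
! BPDU Guard was active is shut down and listed as err-disabled.
show spanning-tree summary
show spanning-tree interface TenGigabitEthernet1/1 portfast
show interfaces status err-disabled
```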