Cisco SG350 Port channel interface doesn't hold allowed vlan conf

Joe Hunter
Level 1

Hi,

I have a Cisco SG350 configured to connect with a Cisco WS-C2960X over EtherChannel; both switches are on LACP.

I want to add a VLAN as an allowed one on the port channel interface of the SG350, but this one doesn't take the config.

By the way, I was able to add the VLAN on the WS-C2960X.

You will find my config below:

WS-C2960X:

Building configuration...

Current configuration : 241 bytes
!
interface Port-channel2
description "Vers Switch-SA-FABLAB-46"
switchport trunk native vlan 2
switchport trunk allowed vlan 2,12,60
switchport mode trunk
spanning-tree link-type point-to-point
spanning-tree guard root
end

SG350:

interface Port-Channel1
description "Vers Switch"
ip dhcp snooping trust
spanning-tree link-type point-to-point
switchport mode trunk
switchport trunk native vlan 2

Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port


Number of channel-groups in use: 2
Number of aggregators: 2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)       LACP        Te1/0/1(P)   Te2/0/1(P)
2      Po2(SU)       LACP        Gi4/0/45(P)  Gi4/0/46(P)

Can you please help?

Best regards,

 


Hello,

Are you trying over GUI or CLI? You should add the tagged vlans and it should work. Could you paste the config from the 350?

BR

****Kindly rate all useful posts*****

Hello,

Thank you DanielP211 for your answer.

I'm trying to configure this over CLI.

Please find below the SG350 conf:

config-file-header
EIFFEL-E1-SA-FABLAB-46
v2.4.0.94 / RTESLA2.4_930_181_045
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
cdp device-id format hostname
vlan database
vlan 2,12,60
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname E1-SA-FABLAB-46
line console
exec-timeout 45
exit
line ssh
exec-timeout 45
exit
line telnet
exec-timeout 45
exit
line console
no autobaud
exit
encrypted radius-server host
encrypted radius-server host
management access-list MGMT-SSH
permit ip-source 10.4.252.100 service snmp
permit ip-source 10.22.1.92 service snmp
permit ip-source 10.22.1.249 service snmp
permit ip-source 10.22.1.250 service snmp
permit ip-source 10.3.1.77 service snmp
permit ip-source 10.3.1.202 service ssh
permit ip-source 10.3.1.202 service telnet
permit ip-source 10.3.5.62 service https
permit ip-source 10.3.5.62 service ssh
permit ip-source 10.3.5.62 service telnet
permit ip-source 10.7.3.0 mask 255.255.255.0 service https
permit ip-source 10.7.3.0 mask 255.255.255.0 service ssh
permit ip-source 10.7.3.0 mask 255.255.255.0 service telnet
permit ip-source 10.34.100.0 mask 255.255.255.0 service https
permit ip-source 10.34.100.0 mask 255.255.255.0 service ssh
permit ip-source 10.34.100.0 mask 255.255.255.0 service telnet
permit ip-source 10.22.1.99 service snmp
exit
management access-class MGMT-SSH
aaa authentication login SSH radius local
aaa authentication enable SSH radius enable
aaa authentication login Telnet radius local
aaa authentication enable Telnet radius enable
aaa authentication login Console local
aaa authentication enable Console enable
aaa authentication login default radius local
line telnet
login authentication Telnet
enable authentication Telnet

exit
line ssh
login authentication SSH
enable authentication SSH

exit
line console
login authentication Console
enable authentication Console

exit
enable
passwords complexity min-length 12
passwords complexity no-repeat 5
passwords aging 0
username admin
ip ssh server
snmp-server server
snmp-server engineID local

snmp-server group snmpv3 v3 priv
encrypted snmp-server user adm-snmp snmpv3 v3 auth sha
no ip http server
no ip http secure-server
clock timezone EU +1
clock summer-time eu recurring last sun mar 02:00 last sun oct 03:00

!
interface vlan 1
shutdown
!
interface vlan 2
name IID2_Management
ip address 10.5.2.46 255.255.255.0
!
interface vlan 12
name "PC-Peda VID12"
!
interface GigabitEthernet1
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet2
description "PC-Peda VID10"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 10
no cdp enable
!
interface GigabitEthernet3
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet4
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet5
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet6
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet7
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet8
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet9
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet10
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet11
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet12
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet13
negotiation 100h
description "PC-Peda VID60"
spanning-tree portfast
spanning-tree link-type point-to-point
spanning-tree bpduguard enable
switchport access vlan 60
no cdp enable
!
interface GigabitEthernet14
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet15
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet16
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet17
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet18
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet19
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet20
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet21
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet22
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet23
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet24
description "PC-Peda VID12"
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 12
no cdp enable
!
interface GigabitEthernet25
description "Vers Switch"
ip dhcp snooping trust
channel-group 1 mode auto
switchport mode trunk
switchport trunk native vlan 2
!
interface GigabitEthernet26
description "Vers Switch"
ip dhcp snooping trust
channel-group 1 mode auto
switchport mode trunk
switchport trunk native vlan 2
!
interface Port-Channel1
description "Vers Switch"
ip dhcp snooping trust
spanning-tree link-type point-to-point
switchport mode trunk
switchport trunk native vlan 2
!
exit
banner login

macro auto disabled
ip dhcp snooping
ip default-gateway 10.5.2.1

 


 

Torbjørn
Spotlight

I believe you need to add allowed vlans with the "add" keyword, not as a complete list like on regular IOS. E.g. 

switchport trunk allowed vlan add 2
switchport trunk allowed vlan add 12
switchport trunk allowed vlan add 60
! You might be able to add them as a list, but the "add" is required.
switchport trunk allowed vlan add 2,12,60

See the relevant configuration guide: https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb4986-vlan-configuration-via-cli-on-300-500-series-managed-switche.html

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

I did this, but when I check the interface I don't see the allowed VLAN line:

E1-SA-FABL...(config-if)#switchport trunk allowed vlan add 60
E1-SA-FABL...(config-if)#switchport trunk allowed vlan add 2
E1-SA-FABL...(config-if)#switchport trunk allowed vlan add 12
E1-SA-FABL...(config-if)#do show running-config interface po1
interface Port-Channel1
description "Vers Switch"
ip dhcp snooping trust
spanning-tree link-type point-to-point
switchport mode trunk
switchport trunk native vlan 2

Hmm, this should work. I wonder if it truncates this line due to being equal to "all" vlans? Could you try to add just 2 of the VLANs to the allowed list on the trunk to see if it behaves differently?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hello!

Use the command:


int po1

switchport trunk allowed vlan 2,12,60

You can later check with the show vlan command which VIDs are assigned.

BR

****Kindly rate all useful posts*****
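
An added example, not part of any post in this thread: a Python check that reads the two trunk stanzas quoted above and reports which VLANs the SG350 side carries that the 2960X side does not allow. It assumes, as hypothesised earlier in the thread, that a trunk with no "allowed vlan" line permits every VLAN, and that VLAN 1 exists on the SG350 even though it is not listed in the vlan database line; all function names are illustrative.

```python
import re

# Constructed input: trunk-relevant lines of the two configs posted in this thread.
C2960X = """interface Port-channel2
switchport trunk allowed vlan 2,12,60
end"""
SG350 = """vlan database
vlan 2,12,60
exit
interface Port-Channel1
switchport mode trunk
!"""
ALL_VLANS = frozenset(range(1, 4095))
KEYWORDS = {"all": ALL_VLANS, "none": frozenset()}

def expand(spec):
    """'2,12,60-62' -> {2, 12, 60, 61, 62}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def trunk_allowed(config, ifname):
    """Allowed VLANs of one stanza. Assumption: no allowed-vlan line means all VLANs."""
    allowed, inside = set(ALL_VLANS), False
    for line in map(str.strip, config.splitlines()):
        if line.lower().startswith("interface "):
            inside = line.split(None, 1)[1].lower() == ifname.lower()
        elif line in ("!", "end", "exit"):
            inside = False
        m = inside and re.match(r"switchport trunk allowed vlan (?:(add|remove) )?(\S+)$", line)
        if not m:
            continue
        op, spec = m.groups()
        if op == "add":
            allowed |= expand(spec)
        elif op == "remove":
            allowed -= expand(spec)
        else:
            allowed = set(KEYWORDS[spec]) if spec in KEYWORDS else expand(spec)
    return allowed

def defined_vlans(config):
    """VLANs created in an SG350-style 'vlan database' block; VLAN 1 always exists."""
    m = re.search(r"^vlan database\s*\n\s*vlan (\S+)", config, re.M)
    return {1} | (expand(m.group(1)) if m else set())

def audit(local_cfg, local_if, peer_cfg, peer_if):
    """Compare what the local trunk carries with what the peer trunk allows."""
    allowed = trunk_allowed(local_cfg, local_if)
    carried = allowed & defined_vlans(local_cfg)
    return {"pruned": allowed != ALL_VLANS, "carried": sorted(carried),
            "not_allowed_by_peer": sorted(carried - trunk_allowed(peer_cfg, peer_if))}
```

Under those assumptions, audit(SG350, "Port-Channel1", C2960X, "Port-channel2") reports an unpruned SG350 trunk carrying VLANs 1, 2, 12 and 60, of which only VLAN 1 is not allowed on the 2960X side; an "add" on such a trunk leaves the allowed set unchanged.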