Several questions regarding L3 config (trunks, default routes, etc...)

c.ray.web
Level 1

I am trying to understand what I am seeing in this output.  This is from a 3560 w/PoE.

_____________________

TSG_SW1#show int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/4       on               802.1q         trunking      8
Gi0/8       on               802.1q         trunking      8
Gi0/10      on               802.1q         trunking      8
Gi0/12      on               802.1q         trunking      8
Gi0/13      on               802.1q         trunking      8
Gi0/14      on               802.1q         trunking      8
Gi0/15      on               802.1q         trunking      8
Gi0/17      on               802.1q         trunking      8
Gi0/18      on               802.1q         trunking      8
Gi0/19      on               802.1q         trunking      8
Gi0/24      on               802.1q         trunking      104
Gi1/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/4       1-4094
Gi0/8       1-4094
Gi0/10      1-4094
Gi0/12      1-4094
Gi0/13      1-4094
Gi0/14      1-4094
Gi0/15      1-4094

Port        Vlans allowed on trunk
Gi0/17      1-4094
Gi0/18      1-4094
Gi0/19      1-4094
Gi0/24      1-4094
Gi1/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/4       1,8,21,52,100-101,104,112,120,128,500,999
Gi0/8       1,8,21,52,100-101,104,112,120,128,500,999
Gi0/10      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/12      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/13      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/14      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/15      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/17      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/18      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/19      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/24      1,8,21,52,100-101,104,112,120,128,500,999
Gi1/1       1,8,21,52,100-101,104,112,120,128,500,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/4       1,8,21,52,100-101,104,112,120,128,500,999
Gi0/8       1,8,21,52,100-101,104,112,120,128,500,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/10      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/12      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/13      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/14      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/15      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/17      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/18      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/19      1,8,21,52,100-101,104,112,120,128,500,999
Gi0/24      1,8,21,52,100-101,104,112,120,128,500,999
Gi1/1       1,8,21,52,100-101,104,112,120,128,500,999

__________________________

 

If I am reading that right, every active port on this switch is a trunk...? 

 

I took this network over from someone else with no documentation.  The only explanation I can think of is that every port above that is configured as a trunk (for example: Gi0/10, which allows 1,8,21,52, etc...) is set up that way to allow the different devices to be connected simultaneously (i.e. Port Gi0/10 ----> VoIP phone ---> workstation).  Would this config make sense if that is what is going on? 

 

Is this redundant?

ip route 0.0.0.0 0.0.0.0 10.1.0.254
ip route 10.0.0.0 255.255.0.0 10.1.0.254

Why would I need the second "10.0.0.0 255.255.0.0 10.1.0.254" if I have an "any any" rule applied? 
 

And finally, is the following config what enables this to communicate to the other parts of the network?  You can probably guess that with dot1q this is a mixed switch environment. 

interface GigabitEthernet1/1
 description FIBER_FEED_TO_NETWORK
 switchport trunk encapsulation dot1q
 switchport mode trunk

 

Let me see if I can think out the logical path/process for switching and routing packets here...

If a packet or frame is created by a host connected to this switch and it's destined for another host that is connected to this switch, then it is delivered without looking at the default route, right?  If, however, a packet is created by a host on this switch that is destined for the internet/unknown network, then this switch forwards that packet to its next hop, which then processes the packet and sees it's bound for a network it also does not know about.  It then sends it to the firewall --> then out to the router ----> then out to the ISP/internet... right?

6 Replies

Richard Burts
Hall of Fame

I am puzzled at your statement about every active port being a trunk, but since you do not show us what ports are active it is impossible to know whether you are right or not. But let me ask you: what about Gig0/14, 2, 3, 5, 6, 7? Are any of them active? They do not show up as trunks in this list.

 

In trying to understand why they are configured this way it would be helpful to know what is connected on these ports. If these ports connect to another switch or to a host whose NIC is capable of trunking then configuring all these ports as trunks would make sense.

 

The route for 10.0.0.0 255.255.0.0 does seem to be redundant. I can think of some scenarios where a configuration like that would be appropriate (for example, if there were something like ip route 10.0.0.0 255.0.0.0 192.168.11.1). Since we do not know what is configured on the switch we cannot advise whether this route should be kept or not.

 

I am puzzled about your last question. You start by showing the configuration of a trunk port (which operates only at layer 2) and then launch into an explanation of layer 3 forwarding. And since we do not know whether this switch is operating as a layer 2 switch or a layer 3 switch it is difficult to say how it relates to forwarding. But your grasp of host to host within the same subnet/same vlan and host to gateway when going between subnet/vlan is pretty much right.

 

HTH

 

Rick


Rick, thank you for the help.

 

I was hesitant about posting the running config; I am not certain if that creates a security issue. I removed everything I could think of that could be an issue. 

 

L3_IN_816#show run
Building configuration...

Current configuration : 6488 bytes
!
! Last configuration change at 08:24:48 EST Tue Dec 23 2014
! NVRAM config last updated at 09:12:35 EST Wed Nov 12 2014
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname L3_IN_816
!
boot-start-marker
boot-end-marker
!
logging buffered 32768
enable secret 5 ---
!
!
!
no aaa new-model
clock timezone EST -5
system mtu routing 1500
ip routing
!
!
ip name-server 10.1.0.10
!
mls qos
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,8,21,52,100-101,104,112,120,128,500,999 priority 16384
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface GigabitEthernet0/1
 description SERVER
 switchport access vlan 500
 switchport mode access
!
interface GigabitEthernet0/2
 description AP_controller
 switchport access vlan 104
!
interface GigabitEthernet0/3
 description backupdevice
 switchport access vlan 500
!
interface GigabitEthernet0/4
 description PHONE_EXT_125
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/5
 description PHONE_EXT_201
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/6
 description CONFERENCE_ROOM_WEST_WALL
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
!
interface GigabitEthernet0/7
 switchport access vlan 120
!
interface GigabitEthernet0/8
 description PHONE_EXT_102
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/9
 description workstation
 switchport access vlan 8
!
interface GigabitEthernet0/10
 description PHONE_EXT_115
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/11
 description PRINTER
 switchport access vlan 21
!
interface GigabitEthernet0/12
 description PHONE_EXT_124
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/13
 description workstation
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/14
 description PHONE_EXT_101
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/15
 description PHONE_EXT_119
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/16
 description PHONE_EXT_207
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/17
 description PHONE_EXT_103
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 power inline static
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/18
 description PHONE_EXT_123
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/19
 description PHONE_EXT_122
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 mls qos vlan-based
 spanning-tree portfast
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
 switchport access vlan 8
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
 description PRINTER
 switchport access vlan 21
!
interface GigabitEthernet0/24
 description Wireless AP
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 104
 switchport mode trunk
!
interface GigabitEthernet1/1
 description FIBER_FEED_TO__NORTH_BUILDING
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan8
 ip address 10.1.8.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan21
 ip address 10.1.21.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan52
 ip address 10.1.52.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan101
 ip address 10.1.101.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan104
 ip address 10.1.104.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan112
 ip address 10.1.112.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan120
 ip address 10.1.120.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan128
 ip address 10.1.128.1 255.255.255.0
 ip helper-address 10.1.0.10
!
interface Vlan500
 ip address 10.1.0.1 255.255.255.128
 ip helper-address 10.1.0.10
!
interface Vlan999
 ip address 10.1.0.129 255.255.255.128
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.254
ip route 10.0.0.0 255.255.0.0 10.1.0.254
ip http server
no ip http secure-server
!
logging source-interface Vlan101
logging ---
!
banner login ^C
***************************************
UNAUTHORIZED LOGIN PROHIBITED
***************************************
^C
!
line con 0
 exec-timeout 15 0
 password 7 ---
 logging synchronous
 login
line vty 0 4
 exec-timeout 15 0
 password 7 ---
 logging synchronous
 login
line vty 5 15
 exec-timeout 15 0
 password 7 ---
 logging synchronous
 login
!
ntp clock-period 36026259
ntp server ----
end

 

You can see Ports 2, 3, 5, 6, 7, 14 are active, some are access and some are trunks.  I was wrong when I said "every active port is a trunk".  The only "switch to switch" link is Gi1/1, all of the rest go to workstations, phones, printers, etc...

The interfaces have descriptions, I had to remove some of the descriptions but I put generic descriptions in their place to give you an idea of what type of devices are connected. 

As for the last section, sorry about the ramblings.  I have several things (in my head) that I want to accomplish and it spilled out into my response...in the running config above you can see this switch has IP routing enabled, so it is operating at both L2 & L3.  My last paragraph was me "thinking out loud" looking for feedback to make sure my understanding of the data flow is accurate. 

I think most of the ports are trunks because you have a phone and a PC connected to that port, so you are using a VLAN for each; hence it needs to be a trunk link.

In terms of packet flow, if the switch is L3 it knows about all the subnets that it has SVIs (interface vlan <x>) for. 

As you are not running a dynamic routing protocol on the switch, if the destination IP address is not within any of those subnets it will then use the default route, as you say.

Edit - just to be precise, because you have that other static route, if the destination subnet was a 10.x.x.x subnet that was not being used on the switch it would use that route rather than the default, but it amounts to the same thing as they both have the same next hop IP.

Jon

Thanks for posting the config. It does help us understand the environment.

 

It does clarify that some ports are configured as access ports while many ports are trunk ports. As Jon notes many of the connections seem to be configured as trunk to support connecting a phone and a workstation on the port. I have several customers who routinely configure switch ports that connect phone and workstation as trunk ports, so this is not uncommon. I will note that many of the ports are configured with switchport voice vlan 52 but this does not take effect when the port is configured as a trunk.

 

Seeing the config does clarify that the static route for 10.0.0.0 255.255.0.0 is redundant and I do not see any reason for it to be in the config. I wonder if that route was configured first and the default route was configured later and they just did not bother to remove the original route?

 

The switch is configured with ip routing so it is acting as both layer 2 and layer 3 switch. Your talking out loud in the last paragraph is pretty close but I will suggest a couple of refinements. When you say "If a packet or frame is created by a host connected to this switch and its destine for another host that is connected to this switch then it is delivered without looking at the default route right? " I would refine that to say that if the source host and the destination host are in the same subnet (and therefore in the same vlan) then they communicate directly (they arp for each other and send packets directly to each other and the switch role here is to do the layer 2 forwarding but the switch has no layer 3 involvement). Then if a host in one subnet (one vlan) builds a packet for a host in a different subnet (and therefore a different vlan) then the host sends the packet to its default gateway, which would be the switch. The switch receives the packet, looks up the destination address (which will be in the routing table as a connected route) and forwards the packet to the destination. If a host in some subnet creates a packet with destination outside of the switch then the host sends the packet to its default gateway (which is the switch). The switch will look at the destination address and will use the default route to forward the packet toward its destination.

 

HTH

 

Rick

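Rick's reply points out two things worth checking in a config taken over without documentation: `switchport voice vlan` on a port that is in trunk mode does nothing, and a static route whose next hop is already the default route's next hop is redundant. The following Python audit is an added example (not Cisco tooling and not from the thread) that parses an IOS-style running config and reports both. It runs on a constructed excerpt modelled on the posted config; the 172.16.0.0 route and the voice vlan on Gi0/9 are constructed negative cases so each check has something it should not flag.

```python
import ipaddress
import re

# Constructed sample modelled on the running config posted in this thread
# (a trimmed excerpt, not the full config; the 172.16.0.0 route and the
# voice vlan on Gi0/9 are added here to give the checks a negative case).
SAMPLE_CONFIG = """\
hostname L3_IN_816
ip routing
!
interface GigabitEthernet0/4
 description PHONE_EXT_125
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 52
 spanning-tree portfast
!
interface GigabitEthernet0/9
 description workstation
 switchport access vlan 8
 switchport voice vlan 52
!
interface GigabitEthernet1/1
 description FIBER_FEED_TO__NORTH_BUILDING
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
ip route 0.0.0.0 0.0.0.0 10.1.0.254
ip route 10.0.0.0 255.255.0.0 10.1.0.254
ip route 172.16.0.0 255.255.0.0 10.1.0.253
end
"""


def parse_config(text):
    """Split an IOS-style running config into per-interface command lists
    and the remaining global lines. '!' or a non-indented line ends a block."""
    interfaces, global_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return interfaces, global_lines


def voice_vlan_on_trunks(interfaces):
    """Ports that carry 'switchport voice vlan' but are in trunk mode, where
    (as Rick notes) the voice vlan command has no effect."""
    findings = []
    for name, cmds in interfaces.items():
        voice = [c for c in cmds if c.startswith("switchport voice vlan ")]
        if voice and "switchport mode trunk" in cmds:
            findings.append((name, voice[0].split()[-1]))
    return findings


def redundant_statics(global_lines):
    """Static routes that change nothing: the most specific *other* static
    covering the same prefix already points at the same next hop. Only the
    plain 'ip route NET MASK NEXTHOP' form is parsed. Returns
    (prefix, next_hop, covering_prefix) tuples."""
    routes = []
    for line in global_lines:
        m = re.match(r"ip route (\S+) (\S+) (\S+)$", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    redundant = []
    for net, nh in routes:
        covers = [(n, h) for n, h in routes if n != net and n.supernet_of(net)]
        if covers:
            cover_net, cover_nh = max(covers, key=lambda r: r[0].prefixlen)
            if cover_nh == nh:
                redundant.append((str(net), nh, str(cover_net)))
    return redundant


def audit(text):
    interfaces, global_lines = parse_config(text)
    return {"voice_vlan_on_trunk": voice_vlan_on_trunks(interfaces),
            "redundant_static": redundant_statics(global_lines)}


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_CONFIG).items():
        print(check, hits)
```

The route check compares each static against the most specific other static that covers it, not just against the default, so it also reproduces Rick's earlier caveat: if a `10.0.0.0 255.0.0.0` route to a different next hop were present, the /16 would no longer be redundant and is not reported.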

That was very helpful. 

 

So it's not unusual to set up a port as a trunk to accommodate two devices that are in two different VLANs?  I never considered how that was set up...but like you said, designating the port to be placed into VLAN 52 is nullified when you set it as a trunk.

 

Also thanks for clearing up my ip logic. 

 

 

You are quite welcome. Yes, it is not unusual to configure a trunk port when a phone and a workstation will connect to the single port.

 

And your IP logic was pretty close and I just wanted to refine it a bit.

 

Good luck as you continue to learn about networking.

 

HTH

 

Rick
