Trunk issues

KMNRuser
Level 1

We are in the process of replacing a legacy Juniper core switch with a 2-switch stacked Cisco 9300 configuration.

The VM hosts within the environment are all configured in the current VLAN 1 on the Juniper switch.

We are trunking to these hosts.

We have the following configuration on the majority of these ports:

interface TwentyFiveGigE1/0/13
     description "Hostname Rack number Port number"
     switchport trunk allowed vlan 1,3,6,22,80,254,255
     switchport mode trunk

We ran into issues wherein, after the physical connections were moved, we were unable to ping these hosts in VLAN 1.

I am curious whether, by using the "allowed" command, VLAN 1 is possibly being tagged, versus if we simply did not use the "allowed" command and let the port natively trunk all the VLANs by default, which in that scenario does not tag the native VLAN. Could that possibly be causing the issue?

We do not route on the switch.  The routing takes place on the Firewall uplink.

We do have a Management IP on another vlan to access the switch.

Thank you for any input or feedback.

Sincerely,

Kevin

17 Replies

"We ran into issues wherein after the physical connections were moved, we were unable to ping these hosts in vlan 1."

I don't get this; can you elaborate more on what was moved?

MHM

VLAN 1 is tagged from the Juniper, so try using native VLAN tagging under the trunk on the Cisco side; a tag mismatch can cause the issue.

To be sure this is the issue here, check STP.

MHM

MHM,

Thanks for the heads up.  How would we tag VLAN 1?  It is already the default native VLAN; do we have to change the native VLAN to some other VLAN so that VLAN 1 gets tagged in this scenario?  Thx!

Ah, the problem could be that your VM hosts are expecting VLAN 1 to be tagged.  (Which, outside of Cisco, I believe is the expectation for trunks.)

If so, define a dummy VLAN and make it the native VLAN.

Sure, using a different VLAN as native can solve the issue.

MHM

MHM,

Yes, I meant to "disconnect" the SFP/cable from the physical port on the Juniper, and then "insert" it into the corresponding configured physical port on the Cisco 9300.

@KMNRuser

The "allowed" command does not change the tagging behavior on the switch; the only command that could cause this is the "native vlan" command.

But, it seems to me that the problem is something else. If you setup a layer3 vlan on both switches for test purpose, can you ping?

Hi Flavio,

It is interesting that you have asked that question.  We did, on the fly, put an IP address on VLAN 1 that was in the corresponding subnet.  I have a colleague who had a ping nailed up, and I do remember that initially something that previously could not be pinged was able to be pinged.  I should have done a "clear arp" but I did not think about it in the moment.

Joseph W. Doherty
Hall of Fame

As already described by @Flavio Miranda the allowed VLAN should not cause a change in the untagged/native VLAN.  It's possible untagged frames could be tagged for L2 CoS, but unlikely you're configured for that.  Most likely you have a L3 issue.

Do these VM hosts have an IP for VLAN 1?  Can such hosts ping other hosts and gateway in VLAN 1?  Can these hosts, using their VLAN 1 interface, ping any other subnet IPs?

Joseph,

The VM hosts all have addresses within the subnet range for VLAN 1.  The gateway is on the firewall interface, which is a trunk link off of the switch.  I do not know whether those hosts could ping the gateway, as it was not tested.  I know that they had become unreachable from our NMS, so my guess is that they probably could not ping the gateway.

Hello @KMNRuser,

Can you provide the model and JUNOS version of the Juniper switch the two Cat9300 in stack are replacing?

You can use the following to check the configuration on the Juniper switch:

https://www.juniper.net/documentation/us/en/software/junos/interfaces-ethernet-switches/topics/topic-map/switches-interface-flexible.html

Old switches use the Enterprise Style of configuration.

As far as I remember, Juniper switches should have the same native VLAN 1 as Cisco switches.

The main difference was that the default list of allowed VLANs was none (empty) and that VLANs use names, not numbers, in the configuration.

However, it should be noted that at some point in time they started to say that user traffic in the native VLAN (i.e. untagged) could become deprecated, so you may find that your device is using tagged frames for VLAN 1 for user traffic.

As noted by @Flavio Miranda, on the Cisco side you can set the native VLAN tagged if that is the case.

Hope to help

Giuseppe
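One way to put the advice in this thread into Catalyst IOS-XE configuration, as an added example that is not from any poster here or from Cisco: the trunk as posted, the dummy native VLAN Joseph suggested, the tagged-native option Giuseppe mentioned, the temporary L3 test Flavio suggested, and the checks to run afterwards. The interface name is the posted one; VLAN 999 and the 198.51.100.0/24 test addresses are assumptions.

```cisco
! Added example, not from any poster in this thread or from Cisco documentation:
! the trunk as posted, the two fixes suggested above, the temporary L3 test, and
! what to check. The interface name is the posted one; VLAN 999 and the
! 198.51.100.0/24 test addresses are assumptions.
configure terminal
! --- As posted: native VLAN left at the default (1), so VLAN 1 egresses untagged ---
interface TwentyFiveGigE1/0/13
 description "Hostname Rack number Port number"
 switchport trunk allowed vlan 1,3,6,22,80,254,255
 switchport mode trunk
! "allowed vlan" only filters which VLANs may cross the trunk; it never decides
! whether a VLAN is tagged. Only the native VLAN setting does that.
!
! --- Option A (per port, Joseph's suggestion): park native on an unused dummy VLAN ---
vlan 999
 name NATIVE-UNUSED
interface TwentyFiveGigE1/0/13
 switchport trunk native vlan 999
! 999 is deliberately absent from the allowed list, so this port never sends an
! untagged frame; VLAN 1 now leaves with an 802.1Q tag (VID 1) like the other VLANs.
!
! --- Option B (global, Giuseppe's suggestion): keep native VLAN 1 but tag it on all trunks ---
vlan dot1q tag native
! Pick one option, not both, and apply the same choice on every trunk that carries
! VLAN 1, including the firewall uplink, otherwise the mismatch only moves.
!
! --- Temporary SVI for the L3 test Flavio suggested; remove it afterwards ---
interface Vlan1
 ip address 198.51.100.250 255.255.255.0
 no shutdown
end
! --- Checks (exec mode) ---
show interfaces TwentyFiveGigE1/0/13 switchport
! the native VLAN line should now read 999 (option A) or show native tagging enabled (B)
show interfaces TwentyFiveGigE1/0/13 trunk
! trunking mode, native VLAN and the allowed/active VLAN list in one place
clear arp-cache
ping 198.51.100.10
show mac address-table interface TwentyFiveGigE1/0/13
! the host's MAC learned in VLAN 1 while the ping still fails is consistent with
! frames arriving from the host but leaving the switch untagged: the mismatch above
```

Whichever option is chosen, the same native VLAN decision has to hold on every trunk in the path, including the firewall uplink that acts as the VLAN 1 gateway.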


Hi Giuseppe,

The model of the Juniper switch in question is:

Model: qfx5100-48s-6q

Thank you!
KMNRuser

Hello @KMNRuser,

QFX 5100 are data center edge switches.

They support 802.1Q with the native VLAN untagged or with the native VLAN tagged; see below:

https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/topic-map/layer-2-understanding.html

Warning:  if the current QFX provides L2 services to a server farm, the best replacement would be a pair of Nexus 9300 in vPC. QFX may have greater per-port and per-ASIC packet buffers compared to Catalyst 9300.

Using a low-end Cat9300 you may experience output drops caused by microbursts; increasing the soft-multiplier to 1200 can help, but it may not be enough.

There are actually different models of Cat 9300, probably the Cat 9300 X might be the best choice.

As a reference, the link to the Cat 9300 architecture white paper where the different models are described:

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/nb-06-cat9300-architecture-cte-en.html

Hope to help

Giuseppe

Giuseppe,

The model of 9300 we are attempting to use is the C9300X-24Y-A.

Thank you,

KMNRuser