VLAN config help needed

keith.magyar1
Level 1

Hi, I would appreciate any help I can get on this problem. I have a WS-C3750X-48P-S core that I am having some trouble with.

My goal is to move clients on VLAN1 (172.16.0.0/16) to two new vlans, vlan11 and vlan119; that's one for server and one for clients. I am connecting to a Meraki MX100 via port 29 on this switch.

My problem is that if I put myself on port 11 for example and assign myself a static IP of 10.3.1.2 gateway 10.3.1.1, I can ping my Meraki vlan interface and the internet but zero of anything else including the core switch that I am plugged into at port 11. If I change my gateway to 10.3.1.254, I get no reply from anything.

Below are the core config and the Meraki 100 VLAN config along with the port settings. What am I missing here?


USDAYCORE#sh start
Using 12884 out of 524288 bytes
!
! Last configuration change at 10:40:17 EST Thu Nov 3 2016 by core
! NVRAM config last updated at 10:40:28 EST Thu Nov 3 2016 by core
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname USDAYCORE
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$sat3$INN4OF0IT/nbLHXHcuqOY/
!
username core privilege 15 secret 5 $1$A3IC$OBIRaX0.3s1MQbzsoNFdH0
username misadmin privilege 15 password 7 140507050201387F70
!
!
no aaa new-model
clock timezone EST -5
switch 1 provision ws-c3750x-48p
system mtu routing 1500
ip routing
!
!
ip domain-name globe-motors.com
ip name-server 172.16.200.14
ip name-server 172.16.200.46
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-3106995200
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3106995200
revocation-check none
rsakeypair TP-self-signed-3106995200
!
!
crypto pki certificate chain TP-self-signed-3106995200
certificate self-signed 01 nvram:IOS-Self-Sig#3031.cer
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
port-channel load-balance src-dst-ip
!
vlan internal allocation policy ascending
!
ip ssh authentication-retries 5
lldp run
!
class-map match-all VOIP
!
!
policy-map Voice
!
!
!
interface Port-channel1
description Barracuda LAG
!
interface Port-channel2
description DAYIAP2_DRAFT01
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,21,75
switchport mode trunk
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface GigabitEthernet1/0/1
description DAYIAP3_LAB0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/2
description Molly Gillium
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,75,119
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description Darren Taylor
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,75,119
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/5
description CableDrop105_Near_Shane_Knick_Office
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/6
description AT&T MPLS NETWORK
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/7
description Darren Taylor_202
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,75,119
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/8
description DAYIAP4_SALES0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/9
description DAYBACKUP_BARRACUDA
channel-group 1 mode active
!
interface GigabitEthernet1/0/10
description DAYBACKUP_BARRACUDA
channel-group 1 mode active
!
interface GigabitEthernet1/0/11
description TEST PORT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/12
description DAYIAP2_DRAFT1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/13
description DAYIAP5_ADMIN0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/14
description LKNIGHT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,75,119
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/16
description S-Day1Flr2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/17
description Guest_Wifi VLAN 75
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/18
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/19
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
description S-DayTestLab
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,25,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/22
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
duplex full
!
interface GigabitEthernet1/0/24
description Connection to 2800 Router
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/27
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
description Meraki LAN2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,6,10,11,18,20,25,30,75,119,122
switchport mode trunk
!
interface GigabitEthernet1/0/30
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/31
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/32
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/33
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/34
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
description GuestTest
switchport access vlan 75
switchport mode access
!
interface GigabitEthernet1/0/37
description DAYIAP6_ENG0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,75,119
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/38
description OWNCLOUD
switchport access vlan 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface GigabitEthernet1/0/39
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/40
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/41
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/42
description 3rd Floor WAP
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
!
interface GigabitEthernet1/0/43
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,119
switchport mode trunk
!
interface GigabitEthernet1/0/44
description DAYIAP1_AIRHND1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/45
description PRIMARY IPLEX
switchport access vlan 2
switchport trunk encapsulation dot1q
switchport mode access
!
interface GigabitEthernet1/0/46
description BACKUP IPLEX
switchport access vlan 2
switchport trunk encapsulation dot1q
switchport mode access
!
interface GigabitEthernet1/0/47
description SKYCUBE_CBTS_SIP
switchport access vlan 2
switchport trunk encapsulation dot1q
switchport mode access
!
interface GigabitEthernet1/0/48
description SANNetwork Trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,25,119,200
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
description Data Network
ip address 172.16.0.2 255.255.0.0
!
interface Vlan2
description Voice Network
ip address 192.168.16.1 255.255.255.0
!
interface Vlan5
description 3CX_Phone
ip address 192.168.5.1 255.255.255.0
!
interface Vlan11
description US-DAY-SRV
ip address 10.3.1.254 255.255.255.0
!
interface Vlan19
description Foundry
no ip address
!
interface Vlan20
description TestEnv
ip address 172.20.0.1 255.255.0.0
ip access-group DenyVLAN out
!
interface Vlan21
description US-DAY-GST
no ip address
ip access-group RestrictGuestWireless in
!
interface Vlan25
description SANNetwork
ip address 172.25.0.1 255.255.0.0
!
interface Vlan75
description Guest Wireless
ip address 192.168.75.1 255.255.255.0
ip access-group RestrictGuestWireless in
!
interface Vlan119
description US-DAY-GEN
ip address 10.3.92.254 255.255.255.0
!
interface Vlan200
description EMC_SAN_NETWORK
ip address 172.200.0.1 255.255.0.0
!
!
router eigrp 2275
network 172.16.0.0
eigrp stub connected summary
!
ip default-gateway 172.16.0.2
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.11
ip route 10.0.0.0 255.0.0.0 172.16.0.11
ip route 10.10.18.0 255.255.255.0 172.16.0.3
ip route 10.10.19.0 255.255.255.0 172.16.0.3
ip route 10.10.21.0 255.255.255.0 172.16.0.3
ip route 10.10.22.0 255.255.255.0 172.16.0.3
ip route 10.140.1.0 255.255.255.0 10.3.1.1
ip route 10.140.92.0 255.255.255.0 10.3.1.1
ip route 72.75.211.132 255.255.255.255 10.10.1.1
ip route 172.19.0.0 255.255.0.0 172.16.0.3
ip route 172.22.0.0 255.255.0.0 172.16.0.6
ip route 172.23.0.0 255.255.0.0 172.23.0.1
ip route 172.23.253.0 255.255.255.0 172.16.0.6
ip route 172.25.1.0 255.255.255.0 172.16.0.3
ip route 172.31.0.0 255.255.0.0 172.16.0.6
ip route 172.32.0.0 255.255.0.0 172.16.0.10
ip route 172.200.0.0 255.255.0.0 172.16.0.6
ip route 192.168.4.0 255.255.255.0 172.16.0.3
ip route 192.168.18.0 255.255.255.0 192.168.16.5
ip route 192.168.19.0 255.255.255.0 192.168.16.3
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended RestrictGuestWireless
permit ip 192.168.75.0 0.0.0.255 host 172.16.0.2
permit ip 192.168.75.0 0.0.0.255 host 172.16.0.9
permit ip 192.168.75.0 0.0.0.255 host 172.16.0.15
permit ip host 172.16.6.14 192.168.75.0 0.0.0.255
deny ip 192.168.75.0 0.0.0.255 172.16.0.0 0.0.255.255
deny ip 192.168.75.0 0.0.0.255 172.18.0.0 0.0.255.255
deny ip 192.168.75.0 0.0.0.255 172.19.0.0 0.0.255.255
deny ip 192.168.75.0 0.0.0.255 172.23.0.0 0.0.255.255
deny ip 192.168.75.0 0.0.0.255 172.21.0.0 0.0.255.255
deny ip 192.168.75.0 0.0.0.255 172.200.0.0 0.0.255.255
deny ip 192.168.75.0 0.0.0.255 10.10.18.0 0.0.0.255
deny ip 192.168.75.0 0.0.0.255 10.10.19.0 0.0.0.255
deny ip 192.168.75.0 0.0.0.255 10.10.20.0 0.0.0.255
deny ip 192.168.75.0 0.0.0.255 10.10.21.0 0.0.0.255
deny ip 192.168.75.0 0.0.0.255 10.10.22.0 0.0.0.255
deny ip 192.168.75.0 0.0.0.255 10.10.0.0 0.0.255.255
deny ip 192.168.75.0 0.0.0.255 192.168.16.0 0.0.0.255
deny ip 192.168.75.0 0.0.0.255 192.168.18.0 0.0.0.255
deny ip 192.168.75.0 0.0.0.255 192.168.19.0 0.0.0.255
deny ip 192.168.75.0 0.0.0.255 192.168.17.0 0.0.0.255
permit ip any any
permit ip 192.168.75.0 0.0.0.255 host 192.168.75.2
permit ip host 192.168.75.0 0.0.0.246 172.16.0.9
permit ip host 192.168.75.0 0.0.0.253 192.168.75.2
!
ip sla enable reaction-alerts
logging 172.16.6.14
snmp-server community private RO
snmp-server community monitor RO
snmp ifmib ifindex persist
!
!
line con 0
line vty 0 4
session-timeout 120
exec-timeout 120 0
login local
transport input telnet ssh
line vty 5 15
session-timeout 120
exec-timeout 120 0
login local
transport input telnet ssh
!
ntp clock-period 36027228
ntp server 172.16.200.46
end

USDAYCORE#

Routes at Meraki

Routing: VLANs and Routes

Type: Local VLAN
Subnet            Name             MX IP           VLAN   In VPN
172.16.0.0/16     US-DAY-LGY       172.16.0.11     1      yes
192.168.16.0/24   US-DAY-LGY-VCE   192.168.16.5    2      yes
10.3.1.0/24       US-DAY-SRV       10.3.1.1        11     yes
10.3.224.0/24     US-DAY-GST       10.3.224.1      21
192.168.75.0/24   GLB-Guest        192.168.75.11   75
10.3.92.0/24      US-DAY-GEN       10.3.92.1       119    yes

Type: Static Route
Subnet            Name             Next hop IP     Active   In VPN
192.168.19.0/24   US-TRY-VCE_LCY   172.16.0.2      always   yes
172.19.0.0/16     US-TRY-LGY       172.16.0.2      always   yes
172.32.0.0/32     DAY-CLIENT-VPN   172.16.0.2      always   yes

Port config at Meraki MX100

Per-port VLAN configuration
Port     Enabled?   Type     VLAN                      Allowed VLANs
LAN 2    enabled    trunk    Drop untagged traffic     All
LAN 3    enabled    access   VLAN 2 (US-DAY-LGY-VCE)
LAN 4    disabled
LAN 5    disabled
LAN 6    disabled
LAN 7    disabled
LAN 8    disabled
LAN 9    disabled
LAN 10   disabled
LAN 11   disabled

13 Replies

chrihussey
VIP Alumni

If you are connecting a PC or laptop to port 11 I'll bet the device is still in VLAN 1. How the Meraki responds from the VLAN 11 interface is beyond me; I cannot explain it, but that could just be the way it handles the packet.

Regardless, configure the port as an access port in VLAN 11 and see if that makes things work for you:

!
interface GigabitEthernet1/0/11
description TEST PORT
switchport access vlan 11
switchport mode access
spanning-tree portfast
!

glen.grant
VIP Alumni

Port 11 is set up as a trunk; change it to an access port in vlan 11 and set your DG as 3.254 on your client and retry your ping tests. It's not going to ping right if the port is set as a trunk.

I changed port 11 to an access port allowing vlan 11 and it works as you mentioned. Though can you help me understand why this works? I was understanding that a port set to trunk can allow multiple vlans across it? My lack of understanding this tells me that it should work. Any help is appreciated and thanks for the reply.

A dot1q trunk inserts a 4 byte tag in the IP header. This identifies the VLAN to which the packet belongs. The native VLAN for the trunk is untagged. So when you plugged your PC into the port the untagged packets were assumed to be in VLAN 1.

If you have a device that needs to send multiple VLANs, then that device's interface will need to be configured as a trunk.

If you're just connecting a single network device (PC, laptop, printer, etc.), configure the port as an access port in the proper VLAN and you should be OK.

Just for my clarification: you said device's interface, you mean switch port, correct?

and

switchport trunk encapsulation dot1q was what prevented communication between vlans?

It's difficult to understand what requirements users are trying to fulfill just by short discussion posts. In your case, all ports were configured as trunks and there were servers involved. So if you had a device like a virtual server that had multiple VMs in different subnets/VLANs, that server interface would need to be a trunking interface and the switch port would have to be set accordingly.

However, if that does not apply here, and you're connecting single IP PCs, servers, etc., just set up the switch ports as access ports in the proper VLAN. I hope that makes sense in that it answers your first question.

As for the second question, it was the fact that you had the port defined as a trunk along with the encapsulation. On some platforms you have to specify the encapsulation to allow the "switchport mode trunk" command at all.

This would not prevent the interface from coming up when you connect your PC to the port. However, by default the native vlan on a dot1q trunk is VLAN 1 and the packets in this VLAN are for the most part no different than any other Ethernet packet. All other packets in other VLANs insert a tag into the IP header. So when you changed the IP address of your PC, it stayed in VLAN 1. Like I said, how the Meraki allowed some of the results in this state I cannot say.

When you defined it as an access port in VLAN 11, the packet from your PC enters the switch in that VLAN. When it leaves the switch on the trunk port to the Meraki, the switch inserts that 4 byte tag into the IP header to identify that it is in VLAN 11. Similarly, when the Meraki sends the packet back to the switch, it sends it with the same tag; the switch receives the packet, strips the tag and sends it to the access port.

Kind of wordy I know, but I hope that helps. If you have any questions just let me know.

Here is a slightly different perspective on explaining the issue. As explained in previous posts when you configure a switch port as a trunk it does support multiple vlans to be carried on that port. One of those vlans is treated as the native vlan and frames in that vlan are sent without vlan tags while frames in all other vlans are sent with vlan tags.

The important point here is what kind of devices connect to switch ports that do support tagged frames. Switches and some servers do support sending Ethernet frames with tags and it is appropriate to connect them on trunk ports. But most host PCs do not support tagged frames. So for these devices it is appropriate to connect them to access ports and not to trunk ports.

HTH

Rick


Still trying to grasp this completely. I failed to mention the fact that I have VLAN 2 for voice (IP Phones), they all pass through to client PCs. I realized this was a problem when I changed gi1/0/3 from trunk to access.

So how do I assign a different default vlan using switchport trunk encapsulation dot1q when trunking?

gi1/0/3 needs to allow both vlan 2 and 119 in this case. Any help to understand is very much appreciated.

Especially if the phones are Cisco phones then what you want to do is to configure the interface as an access port accessing vlan 119 and then in the interface configure voice vlan as 2. This will treat the interface as an access port on vlan 119 for data but will also process phone traffic on vlan 2.

HTH

Rick


So if you are using a VoIP phone on the port the configuration would be:

!
interface GigabitEthernet1/0/3
description Darren Taylor
switchport access vlan 119
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
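
Added example (not from any poster in this thread): a simplified Python model of the tagging behaviour discussed above, covering the trunk native VLAN, access ports and the voice VLAN configuration. The 802.1Q tag is 4 bytes placed in the Ethernet header after the source MAC address; the `Port` class, its drop rules and the sample frame are assumptions made for illustration, while the VLAN numbers come from the configurations quoted in the thread.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) after the two 6-byte MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vid, frame_without_tag); vid is None if untagged or priority-tagged (VID 0)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return (vid or None), frame[:12] + frame[16:]

class Port:
    """Simplified switch port (assumed model): 'access' with optional voice VLAN, or 'trunk'."""
    def __init__(self, mode, access=1, voice=None, native=1, allowed=()):
        self.mode, self.access, self.voice = mode, access, voice
        self.native, self.allowed = native, set(allowed)

    def ingress(self, frame):
        """Classify a received frame: (vlan, untagged_frame), or None if dropped."""
        vid, inner = untag_frame(frame)
        if self.mode == "access":
            if vid is None:
                return self.access, inner
            return (vid, inner) if vid == self.voice else None
        vlan = self.native if vid is None else vid
        return (vlan, inner) if vlan in self.allowed else None

    def egress(self, vlan, frame):
        """Return the frame as sent on the wire, or None if the port does not carry vlan."""
        if self.mode == "access":
            if vlan == self.access:
                return frame
            return tag_frame(frame, vlan) if vlan == self.voice else None
        if vlan not in self.allowed:
            return None
        return frame if vlan == self.native else tag_frame(frame, vlan)

def forward(in_port, out_port, frame):
    """Switch one frame between two ports; None means it was dropped."""
    classified = in_port.ingress(frame)
    return out_port.egress(*classified) if classified else None

# Constructed sample: an untagged ARP broadcast as a PC would send it.
PC_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)
# Port settings taken from the configurations quoted in the thread.
TEST_TRUNK = Port("trunk", native=1, allowed={1, 2, 11, 21, 75, 119})  # Gi1/0/11 as first posted
TEST_ACCESS = Port("access", access=11)                                 # Gi1/0/11 as access vlan 11
UPLINK = Port("trunk", native=1, allowed={1, 2, 6, 10, 11, 18, 20, 25, 30, 75, 119, 122})  # Gi1/0/29
PHONE_PORT = Port("access", access=119, voice=2)                        # Gi1/0/3 with voice vlan 2
AP_PORT = Port("trunk", native=11, allowed={1, 2, 11, 21, 75, 119})     # a trunk with native vlan 11

if __name__ == "__main__":
    for port in (TEST_TRUNK, TEST_ACCESS):
        print(port.mode, port.ingress(PC_FRAME)[0], forward(port, UPLINK, PC_FRAME)[12:16].hex())
```
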

Thanks for that information.

Is this a valid question?

How do I assign a different default vlan using "switchport trunk encapsulation dot1q" when trunking?

I need to change the ip address for the Aruba access point on this port to vlan 11. It will carry vlan 75 for guest access and vlan 119 for employee wifi.


interface GigabitEthernet1/0/8
description DAYIAP4_SALES0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable

Yes, it is a valid question if I am understanding what you are asking. Currently the Aruba AP trunks to the switch and has a management IP in VLAN 1 and you want to change the management IP and put it in VLAN 11. I also assume that the management IP of the AP has to be in the trunk's native VLAN (like a Cisco AP).

interface GigabitEthernet1/0/8
description DAYIAP4_SALES0
switchport trunk encapsulation dot1q
switchport trunk native vlan 11
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable

Thank you for your reply, I made the change as follows; for an Access Point on port 37. I wanted to put the AP in the same VLAN that my wireless clients get dhcp from so this is what I have;

interface GigabitEthernet1/0/37
description WIFI AP DAYIAP6
switchport trunk encapsulation dot1q
switchport trunk native vlan 119
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable

I had a problem but it was due to another AP interfering. I cut the problem out of this reply.
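
Added example (not part of the original thread): a small Python check that reads `interface` stanzas such as those in the posted startup-config and reports, per port, which VLAN untagged frames will join, flagging trunk ports that look like end-host ports. The portfast heuristic and the function names are assumptions of this example; the stanzas are excerpted from the question with description and encapsulation lines omitted, and VLAN 1 is used as the default access and native VLAN.

```python
import re

# Stanzas excerpted from the startup-config posted in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
switchport trunk allowed vlan 1,2,11,75,119
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport trunk allowed vlan 1,2,11,21,75,119
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet1/0/36
switchport access vlan 75
switchport mode access
!
interface GigabitEthernet1/0/38
switchport access vlan 4
switchport trunk allowed vlan 1,11
switchport mode trunk
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface name to the list of its configuration lines."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line == "!" or not line:
            current = None  # end of stanza
        elif current is not None:
            current.append(line)
    return ports

def first_match(lines, pattern):
    """Return group 1 of the first line fully matching pattern, else None."""
    for line in lines:
        if m := re.fullmatch(pattern, line):
            return m.group(1)

def audit(config: str) -> dict:
    """Per port: mode, VLAN that untagged frames join, and any findings."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        mode = first_match(lines, r"switchport mode (\w+)")
        if mode is None:
            continue  # port left at defaults, nothing to report
        access = first_match(lines, r"switchport access vlan (\d+)")
        native = first_match(lines, r"switchport trunk native vlan (\d+)")
        findings = []
        if mode == "trunk":
            untagged = int(native or 1)
            if "spanning-tree portfast" in lines:  # heuristic: portfast marks an edge port
                findings.append("trunk with portfast: likely an end host, consider an access port")
            if access:
                findings.append(f"access vlan {access} is ignored while mode is trunk")
        else:
            untagged = int(access or 1)
        report[name] = {"mode": mode, "untagged_vlan": untagged, "findings": findings}
    return report
```
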
