
vlan traffic not traversing fiber link

simon.howard
Level 1

Hi, got a problem that's driving me nuts so need some advice. I have two office spaces (call them Office-A and Office-B) about 150 feet apart. Office-A has 5 x c3650-48tq switches stacked via stacking module with 3 x Meraki MR18 APs coming off them. There's about 8 vlans working on this stack with vlan2 allocated to internet access on a dedicated firewall port. The MR18s are configured to connect to this vlan so wifi traffic is segregated from network traffic for security reasons.

This stack is connected to Office-B which has 2 x c3650-48tq's and 1 x MR18, via a 10 gigabit fibre line. Normal network traffic works fine, users can login without a problem. The issue is I can't get vlan2 to appear on the Office-B switch stack so the MR18 can make use of it. Wifi traffic is mingling with vlan1 traffic which I don't want.

I've set both ends of the fibre line to trunk ports but every time I try adding the AP's interface to vlan2 (command below), it drops off the network and shuts down. There isn't a management IP on Office-B's stack yet but I don't think that would be the issue, so what am I missing?

interface gig 2/0/47
 switchport mode access
 switchport access vlan 2


It seems to me that this discussion has had two focuses: VTP on the switches, and why is the MR18 not in a separate vlan. I suggest that we drop the discussion about VTP (why is it not working and how to fix it) and concentrate on the issue of MR18 in a separate vlan.

The original poster says this "manually creating vlans in Office-B wouldnt fix the problem". I question this. Why would manually creating vlans in Office B not fix the problem? If vlan 2 is manually created then the port for the MR18 ought to be able to be assigned to that vlan. And the way that the trunk ports are configured if vlan 2 exists on Office B and has an active port then it should be transported over the trunk to Office A.

The original poster also says "with no firewall in Office-B creating a vlan2 on that end isnt an option". Why is this? What would cause a dependency on creating vlan 2 that requires a firewall at Office B? It seems to me that if vlan 2 is created at Office B and is transported over the trunk then the traffic from the MR18 is in a vlan separated from other user traffic. The MR18 traffic is carried over the trunk in a separate vlan and is delivered to vlan 2 at Office A where there is a firewall that will send the MR18 traffic to the Internet and maintain the separation from other user traffic. Is there something in the environment there that I do not understand? Please clarify.

HTH

Rick

I've tried creating a vlan2 manually in Office-B and adding a test port to it (with a laptop plugged in). The port removed itself from vlan1 (as you would expect) but no vlan2 was listed when I ran a 'show vlan brief'.

Simon,

my bad, VTP passwords would indeed require a domain, which is not configured, so that can't be it.

Can you try and add a bogus VLAN to the server switch, swnavlhr5, and remove it? This should in theory force a VTP server update...

Bizarrely enough I do actually have to create a vlan today for vsphere so this will kill two birds with one stone. I'll let you know the results asap :)

Hello Simon,

yesterday you wanted to add a VLAN to the server switch, which should in theory send a VTP update downstream. Has that happened as expected?

Unfortunately I didn't get round to it. Time allowing I will try it today, otherwise in the morning.

OK, thought to hell with it, dropped what I was doing and did it anyway. Still no joy. I've even put the Office-B switches into transparent mode when manually assigning vlan2 to the wifi port and although it shows up correctly on 'show vlan brief' there's still no traffic.

I'm now convinced I need to create a vtp domain but won't be able to do that till next week out of hours. I'll update the post as soon as I can.

Would you post the output of the commands show vlan and show interface trunk from Office B?

I continue to believe that it may not be worth much to have VTP on a network consisting of two switches. But I am beginning to wonder if VTP is in fact part of the problem here. Do these switches support setting VTP to disable? If not then you may need to try to fix VTP. I would have thought that setting the switches to transparent would be sufficient. But if that does not work I will offer the observation that in some of the posts earlier in this thread the vtp show commands seem to indicate that there is no name specified. You might start with that.

HTH

Rick

Simon,

in addition to Richard's post, have you verified the vtp passwords? The MD5 digest values do not match, as far as I can tell. Just set a new password on both switches:

vtp password <password>

Wouldn't the vtp passwords be required if a vtp domain was in existence?

If the original poster has attempted to manually create the vlan and it did not work then we need to figure out why. Could you cut and paste from your session the commands that you use to create the vlan and assign the port to the vlan and then the output of the command show vlan (not show vlan brief). Probably would be good to enter terminal monitor before you start the config changes.

HTH

Rick

Hello,

Issue a 'show vtp statistics' command on the switches and check for config digest errors. Possibly, passwords are set on the switches that do not match.

Here's the counters from Office-A. I've tried putting the Office-B switches into transparent mode and manually setting them to vlan2 which has a partial effect. Vlan2 is present and you can add an interface to it, but it's not making a connection back to Office-A. Cisco have advised me to go down the route of creating a vtp domain which I will probably do next week some time after hours.

Can you post the output of the commands show vlan and show interface trunk and show cdp neighbor from both offices?

HTH

Rick
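
Added example, not part of any post in this thread: one way to read the `show interface trunk` output requested above and name the first stage at which a VLAN such as vlan 2 stops being carried on the trunk (allowed list, local VLAN database, spanning tree/pruning). The sample output, the port name Te1/1/3 and the VLAN lists are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample (not from the thread): VLAN 2 allowed on the trunk, absent locally.
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Te1/1/3     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/1/3     1-4094

Port        Vlans allowed and active in management domain
Te1/1/3     1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Te1/1/3     1,10,20
"""

# Section heading -> what it means when the VLAN is missing from that section.
STAGES = {
    "Vlans allowed on trunk": "not in the trunk allowed list",
    "Vlans allowed and active in management domain": "not active in the local VLAN database",
    "Vlans in spanning tree forwarding state and not pruned": "blocked by STP or pruned",
}

def expand(text):
    """Expand '1,10-12' into {1, 10, 11, 12}; 'none' gives an empty set."""
    ranges = (r.split("-") for r in re.findall(r"\d+(?:-\d+)?", text))
    return {v for r in ranges for v in range(int(r[0]), int(r[-1]) + 1)}

def parse_trunk(output):
    """Return {port: {section heading: set of VLAN ids}} for the three VLAN sections."""
    ports, heading, port = {}, None, None
    for line in output.splitlines():
        m = re.match(r"Port\s+(.+?)\s*$", line)
        if m:
            heading = m.group(1) if m.group(1) in STAGES else None
        elif heading and line.strip():
            if not line[0].isspace():  # indented lines continue a wrapped VLAN list
                port, _, line = line.partition(" ")
            ports.setdefault(port, {}).setdefault(heading, set()).update(expand(line))
    return ports

def where_dropped(output, port, vlan):
    """Name the first stage at which `vlan` drops off `port`; None means it forwards."""
    sections = parse_trunk(output).get(port)
    if sections is None:
        return "port is not listed as a trunk"
    missing = [r for h, r in STAGES.items() if vlan not in sections.get(h, set())]
    return missing[0] if missing else None
```

Running `where_dropped` against the output from each end of the fibre link shows whether the VLAN is missing from the same stage on both switches or only on one of them.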

I've also forced a refresh of vlan information by placing an unused port into a different vlan, then checked to see if vlan2 is available in Office-B and it isn't, even after putting a port into it (with no shutdown).
