Trunking switch

Started by fsck, February 19, 2018, 02:39:41 AM

fsck

I need to add a switch to my network to provide some cameras connectivity. I am still using older switches right now, but I am having some issues and I'm confused as to why they're happening.

On my 2960 I have the port configured as
interface Gi0/1
switchport trunk native vlan 10
switchport trunk allowed vlan 20, 30, 40
switchport mode trunk
speed 100

On 3550 switch
interface Fa0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 20,30,40
switchport mode trunk


When I connected the 3550 switch with a crossover cable, I dropped the whole network. I can no longer get out to the Internet or communicate between computers on the network. The logs just show the interfaces going down. Why would this happen? I think that's how the port would be configured; if not, at the simplest form I tried:
switchport trunk encapsulation dot1q
switchport trunk mode

icecream-guy

If you already checked the cable, and if it's an older switch, the 2960 may still support ISL trunking.
Can you configure "switchport trunk encapsulation dot1q" on the 2960 port?
If you can't, the switch doesn't support ISL trunking and that wouldn't be the issue.
It may be just a matter of the encapsulations being incompatible.
Post the output of show interface gi0/1 trunk on the 2960
and the output of show interface fa0/1 trunk on the 3550,
also a show vlan brief, to make sure all your VLANs exist.

My Moral Fibers have been cut.

fsck

Ya, looks like the 2960 doesn't support ISL.  I also confirmed that the VLANs are on both ends.

Both show (notconnect) at the moment because I wouldn't be able to reach the switches if they were connected, to grab the info you asked for.  From what I've read and done in the labs in the past, this should work.

I also saw nothing in the logs on either switch to show the cause of the network dropping or errors. I swapped cables too, just to eliminate an L1 issue.

2960

GigabitEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0023.05f6.8801 (bia 0023.05f6.8801)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 10:32:41, output 10:32:41, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     386690 packets input, 28647766 bytes, 0 no buffer
     Received 363207 broadcasts (363191 multicasts)
     0 runts, 0 giants, 0 throttles
     2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 363191 multicast, 0 pause input
     0 input packets with dribble condition detected
     290931 packets output, 53919609 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out




3550

FastEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is Fast Ethernet, address is 0017.5a61.ed83 (bia 0017.5a61.ed83)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 10:30:40, output 10:30:40, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     290933 packets input, 53921517 bytes, 0 no buffer
     Received 264195 broadcasts (156355 multicasts)
     0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 156355 multicast, 0 pause input
     0 input packets with dribble condition detected
     386691 packets output, 28647676 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

icecream-guy

Post the output of show interface gi0/1 trunk on the 2960
and the output of show interface fa0/1 trunk on the 3550.

That would be more helpful than a simple show interface.

fsck

My bad ristau.

When I was looking at the commands you recommended, I did notice that no VLANs were allowed. Yet I do have the command to allow specific VLANs in the port config. The commands look like this on both switches.

sh int gi0/1 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         other         10

Port        Vlans allowed on trunk
Gi0/1       none

Port        Vlans allowed and active in management domain
Gi0/1       none

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       none

SimonV

Have you created those VLANs on your switch?

fsck

Yes I have.  The VLANs exist on both switches too.

icecream-guy

Are the VLANs active? Do you have ports assigned to the VLANs?
The fact that they are in the trunk port configuration should make them active.
hummmm....
Where are the SVIs? If configured on a switch, are they "no shut"?

fsck

The VLANs are active but no ports are assigned to them. But I thought that since they are part of a trunk they won't show like that, only when they are access ports. I might have mixed that up; I just remember reading something about that in my studies.

I configured SVIs on both switches. Originally I only had SVIs on my 2960, which is my main switch. I also confirm they are not "no shut"

fsck

Is that correct, how I have my SVIs set up?

SimonV

If the VLAN is active (forwarding) on a trunk the SVI will also become active.

Perhaps it's better you post full configs (minus the sensitive and unrelated info)?


fsck

Sure thing Simon. Here we go


version 15.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SWITCH-875
!
boot-start-marker
boot-end-marker
!
no logging console

!
no aaa new-model
system mtu routing 1500
!
!
!
!
crypto pki trustpoint TP-self-signed-100042752
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-100042752
revocation-check none
rsakeypair TP-self-signed-100042752
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1 priority 24576
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
switchport trunk native vlan 30
switchport trunk allowed vlan 20,30,40
switchport mode trunk
!
!
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan20
description Prod Wireless
ip address 192.168.20.3 255.255.255.0
no ip route-cache
!
interface Vlan30
description Prod LAN
ip address 192.168.1.100 255.255.255.0
no ip route-cache
!
interface Vlan40
description Prod AP network
ip address 192.168.40.2 255.255.255.0
no ip route-cache
!
!
ip http server
ip http secure-server
!
!
no vstack
!
line con 0
speed 115200
line vty 0 4
password 7
login
line vty 5 15
password 7
no login
!
end


The second switch


version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Access-SW
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-1516367232
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1516367232
revocation-check none
rsakeypair TP-self-signed-1516367232
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40
!
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 20,30,40
switchport mode trunk
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 192.168.20.4 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Vlan40
ip address 192.168.40.3 255.255.255.0
no ip route-cache
no ip mroute-cache
!
ip classless
ip http server
ip http secure-server
!
!
line con 0
logging synchronous
speed 115200
line vty 0 4
login
line vty 5 15
login
!
end

SimonV

The second switch is running the default (per VLAN) STP instead of PVRST+.
STP priority has only been defined for VLAN1 and not for the others, or is there another switch defined with lower priorities for those VLANs?

fsck

I haven't played with STP in a long time; I almost never needed it, so I pretty much forgot about it. That did it, Simon: it was the STP not configured correctly. What I did was change the STP type on switch 2 to rapid-pvst to match my other switch. These are the only two switches in this scenario, so to answer your question, there is no other switch defined with lower priorities for the VLANs.
I made the spanning tree for the vlan 4096 on the main switch, and when I plugged in the 2nd switch the network no longer went down like before.

I want to better understand what happened here. So we had a mismatch in STP type between switches and we then didn't have priority set, so the switches were fighting for priority? Am I correct in this assessment? Thank you for pointing me in the right direction, Simon. Ristau, thank you too for your help.

SimonV

Your 3550 switch could have become root for VLAN20, 30 and 40 and caused a reconvergence. Have you waited more than 50 seconds?
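
An added example, not part of the thread: a per-VLAN root election over the spanning-tree lines of the two posted configs, showing which switch wins root for each VLAN when only VLAN 1 has a priority set. It assumes the interface MACs from the `show interface` output stand in for the bridge base MACs, and the function names are made up for this illustration.

```python
import re

DEFAULT_PRIORITY = 32768  # IEEE 802.1D default bridge priority

# Constructed from the configs posted in the thread. The MACs are the interface
# addresses from the "show interface" output, used here as stand-ins for the
# bridge base MACs (assumption).
SWITCHES = {
    "SWITCH-875 (2960)": ("0023.05f6.8801", """
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1 priority 24576
interface GigabitEthernet0/1
 switchport trunk allowed vlan 20,30,40
"""),
    "Access-SW (3550)": ("0017.5a61.ed83", """
spanning-tree mode pvst
spanning-tree extend system-id
interface FastEthernet0/1
 switchport trunk allowed vlan 20,30,40
"""),
}

def expand(vlan_list):
    """Expand an IOS VLAN list such as '1,20-22' into a set of ints."""
    vlans = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def priorities(config):
    """Map VLAN -> explicitly configured spanning-tree priority."""
    found = {}
    for vl, prio in re.findall(r"spanning-tree vlan (\S+) priority (\d+)", config):
        found.update({v: int(prio) for v in expand(vl)})
    return found

def bridge_id(mac, config, vlan):
    """Bridge ID = (priority + VLAN ID as extended system ID, MAC); lowest wins."""
    prio = priorities(config).get(vlan, DEFAULT_PRIORITY)
    return (prio + vlan, int(mac.replace(".", ""), 16))

def elect_roots(switches, vlans):
    """Return {vlan: name of the switch with the lowest bridge ID}."""
    return {v: min(switches, key=lambda n: bridge_id(*switches[n], v)) for v in vlans}

if __name__ == "__main__":
    for vlan, root in elect_roots(SWITCHES, [1, 20, 30, 40]).items():
        print(f"VLAN {vlan}: root = {root}")
```

With both switches at the default priority for VLANs 20, 30 and 40, the tie is broken by the lower MAC, so the newly attached 3550 wins root for those VLANs while the 2960 keeps root only for VLAN 1.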