Trunk between 3560 and Root Bridge

Unanswered Question
Feb 17th, 2009

Hi,

I have two 1310G bridges, one configured as a Root, the other as Non Root. The root is attached to a 3560 switch. I have configured VLAN 15 (Management) and VLAN 573 (Client) on the 3560. The Root and Non Root bridges have the same VLANs, and VLAN 15 is configured as the Native VLAN.

I can ping on both VLANs (10.4.0.x = VLAN 15 and 192.168.0.x = VLAN 573) separately from the switch or laptops. As soon as I trunk the VLANs across the 3560, I cannot ping to either IP. What am I doing wrong?

I'm running software Version 12.4(10b)JDA2 on both Root and Non Root.

Here are the respective configs:

JRGRE_ROOT#

---------------------------------------------

dot11 vlan-name JRGRE_TBI vlan 573

dot11 vlan-name MANAGEMENT_VLAN vlan 15

!

dot11 ssid JRG_RE_573

vlan 573

authentication open

authentication key-management wpa version 2

wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxx

!

dot11 ssid MANAGEMENT

vlan 15

authentication open

authentication key-management wpa version 2

infrastructure-ssid

wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxx

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 15 mode ciphers aes-ccm

!

encryption vlan 573 mode ciphers aes-ccm

!

ssid JRG_RE_573

!

ssid MANAGEMENT

station-role root bridge

!

interface Dot11Radio0.15

encapsulation dot1Q 15 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.573

encapsulation dot1Q 573

no ip route-cache

bridge-group 255

bridge-group 255 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

!

interface FastEthernet0.15

encapsulation dot1Q 15 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface FastEthernet0.573

encapsulation dot1Q 573

no ip route-cache

bridge-group 255

bridge-group 255 spanning-disabled

!

interface BVI1

ip address 10.4.0.104 255.255.0.0

no ip route-cache

JRGRE_NROOT#

--------------------------------------------

dot11 vlan-name JRGRE_TBI vlan 573

dot11 vlan-name MANAGEMENT_VLAN vlan 15

dot11 ssid JRG_RE_573

vlan 573

authentication open

authentication key-management wpa version 2

wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxx

!

dot11 ssid MANAGEMENT

vlan 15

authentication open

authentication key-management wpa version 2

infrastructure-ssid

wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx

interface Dot11Radio0

no ip address

no ip route-cache

!

ssid JRG_RE_573

!

ssid MANAGEMENT

!

station-role non-root bridge

!

interface Dot11Radio0.15

encapsulation dot1Q 15 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.573

encapsulation dot1Q 573

no ip route-cache

bridge-group 255

bridge-group 255 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

!

interface FastEthernet0.15

encapsulation dot1Q 15 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface FastEthernet0.573

encapsulation dot1Q 573

no ip route-cache

bridge-group 255

bridge-group 255 spanning-disabled

!

interface BVI1

ip address 10.4.0.105 255.255.0.0

no ip route-cache

My 3560 Switch config:

Switch3560_01#sh run int fa0/1

Building configuration...

--------------------------------------

interface FastEthernet0/1

Description Trunk connection to Root Bridge

switchport trunk encapsulation dot1q

switchport trunk native vlan 15

switchport trunk allowed vlan 15,573

switchport mode trunk

speed 100

duplex full

priority-queue out

no cdp enable

spanning-tree portfast

spanning-tree bpdufilter enable

end

jeff.kish Tue, 02/17/2009 - 14:52

Keep in mind that you can only have one SSID active at a time on a bridge link. You need to remove one of your SSIDs in order to properly configure these bridges.

I don't know if that will fix your issue, but try that first and see if it works. Use your native-vlan SSID, delete your other one. The VLANs will be carried across the trunk due to configuration on the subinterfaces.

rambrosio Fri, 02/20/2009 - 07:09

Jeff, thanks for your suggestion.

I made the changes last night, keeping only the Management SSID and the associated VLAN, which in my case is 15, and configured as Native.

I still could not get the client VLAN to work with this switch port config:

Switch3550#sh run int fa0/2

Building configuration...

Current configuration : 577 bytes

!

interface FastEthernet0/2

switchport trunk encapsulation dot1q

switchport trunk native vlan 15

switchport trunk allowed vlan 15,827

switchport mode trunk

speed 100

duplex full

priority-queue out

random-detect

no cdp enable

spanning-tree portfast

spanning-tree bpdufilter enable

end

So, I've had to remove the trunk config and change it to access VLAN 827. Client circuit is up, but obviously no management.

I've read Cisco docs on this type of setup and each VLAN is associated with an SSID.

Does anyone have a sample config I can use?

b_ferguson Wed, 03/18/2009 - 20:29

Did you ever get your issue resolved? I seem to be having the same problem.

thanks,

jeff.kish Thu, 03/19/2009 - 06:58

Somehow I never saw this response, many apologies to Rambrosio. That switchport configuration is exactly how it should be, so I'm not sure that the problem lies with the switchport. Did you ever get it working?

Ferguson, if you can, please post your configs for the switchport and the bridge.

b_ferguson Thu, 03/19/2009 - 20:00

My issue is now resolved. I wiped the configs of the wireless bridge and the switch and reconfigured; all is well now.

David Ritter Mon, 03/23/2009 - 12:20

You mean you did not use the 'concatenation' command on the SSID to bind all the subs to the one ssid?

jeff.kish Mon, 03/23/2009 - 12:32

Actually, concatenation has nothing to do with trunking or SSIDs. Concatenation is a technique that aggregates multiple packets together in order to send them all as one "super packet". The goal here is to reduce the wireless overhead that exists with each packet transmission.

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/command/reference/cr34main.html#wp2480488

rambrosio Tue, 03/24/2009 - 08:54

Sorry for not getting back to anyone on this. Firstly, I was on vacation.

Secondly, I just received a new set of 1310s so I can start troubleshooting on them once I set them up in my office.

The ones that are having this issue are in production and I would rather have them working until I have resolved the issue.

Prior to posting my issue I had wiped the configs clean on both the 1310 and 3560 trunk port on at least 2 occasions. That never helped me.

So right now, I still don't have a solution to this issue. I will try and get the new 1310 up by end of week.

b.ferguson. Would you be kind enough to post your config here? Much appreciated.

Rob

AJAZ NAWAZ Mon, 08/17/2009 - 12:16

I'm attempting this tomorrow and will post the results. Main issue for me is to mitigate against the risk of vlan1 jumping!

Ajaz

AJAZ NAWAZ Thu, 09/17/2009 - 01:21

Hi Rob,

Thanks for your email buddy - I did get this working. Would you like me to post some working configs?

Ajaz

rambrosio Thu, 09/17/2009 - 05:03

That would be very much appreciated and is excellent timing. I'm going, for the third time, to erase all configs and start from scratch.

Looking forward to your reply.

Thanks,

Rob

AJAZ NAWAZ Thu, 09/17/2009 - 06:22

Just some notes:

1. Make sure c1310-k9w7-tar.124-10b.JDA2 is loaded and running on each AP

2. Apply the config below in the same order as it appears

3. You must use BVI1 for mgt. The bridge group number does not relate to the VLAN id e.g. see my vlan496 which maps to bridge-group no.196

4. Enable CDP to start with and disable if you want afterwards.

5. Take your time and be patient - keep it simple.

6. If you have any qtns fire them back n/probs.

***************

RootAP

***************

RootAP#

!

bridge irb

!

interface Dot11Radio0

no ip address

no ip route-cache

!

ssid vlan199

!

ssid vlan496

!

station-role root bridge

no cdp enable

!

interface Dot11Radio0.199

encapsulation dot1Q 199 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.496

encapsulation dot1Q 496

no ip route-cache

no cdp enable

bridge-group 196

bridge-group 196 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

!

interface FastEthernet0.199

encapsulation dot1Q 199 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface FastEthernet0.496

encapsulation dot1Q 496

no ip route-cache

no cdp enable

bridge-group 196

bridge-group 196 spanning-disabled

!

dot11 ssid vlan199

vlan 199

authentication open

infrastructure-ssid

!

dot11 ssid vlan496

vlan 496

authentication open

!

interface BVI1

ip address 10.10.14.83 255.255.255.248

no ip route-cache

!

ip default-gateway 10.10.14.84

no ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

!

bridge 1 route ip

!

RootAP#

***************

NON_RootAP

***************

NonRootAP#

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

ssid vlan199

!

ssid vlan496

!

station-role non-root bridge

no cdp enable

!

interface Dot11Radio0.199

encapsulation dot1Q 199 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.496

encapsulation dot1Q 496

no ip route-cache

no cdp enable

bridge-group 196

bridge-group 196 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

!

interface FastEthernet0.199

encapsulation dot1Q 199 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface FastEthernet0.496

encapsulation dot1Q 496

no ip route-cache

no cdp enable

bridge-group 196

!

dot11 ssid vlan199

vlan 199

authentication open

infrastructure-ssid

!

dot11 ssid vlan496

vlan 496

authentication open

!

interface BVI1

ip address 10.10.14.82 255.255.255.248

no ip route-cache

!

ip default-gateway 10.10.14.81

no ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

!

bridge 1 route ip

!

NonRootAP#

-----------------------------------------

The config on the switch at each end will look something like this:

interface GigabitEthernet9/47

switchport

switchport trunk encapsulation dot1q

switchport trunk native vlan 199

switchport trunk allowed vlan 199,496

switchport mode trunk

spanning-tree portfast trunk

end
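The settings that recur in this thread (native VLAN on both ends, the trunk's allowed list, and one bridge-group per VLAN shared by the radio and Ethernet sub-interfaces, with the native VLAN in bridge-group 1 for BVI1) can be cross-checked mechanically. The following is an added example, not any poster's code: the function names are hypothetical, the sample configs are constructed from the sub-interface lines posted above, and the allowed-VLAN list is assumed to be a plain comma-separated list without ranges.

```python
import re

# Constructed sample input: the AP sub-interface lines from the post above, condensed.
AP = ("interface Dot11Radio0.199\nencapsulation dot1Q 199 native\nbridge-group 1\n"
      "interface Dot11Radio0.496\nencapsulation dot1Q 496\nbridge-group 196\n"
      "interface FastEthernet0.199\nencapsulation dot1Q 199 native\nbridge-group 1\n"
      "interface FastEthernet0.496\nencapsulation dot1Q 496\nbridge-group 196\n")
SWITCH_OK = "switchport trunk native vlan 199\nswitchport trunk allowed vlan 199,496"
SWITCH_BAD = "switchport trunk allowed vlan 199,497"  # constructed: no native line, wrong VLAN

def ap_vlans(cfg):
    """VLAN id -> {'native': bool, 'groups': set of bridge-groups} from AP sub-interfaces."""
    vlans = {}
    for block in re.split(r"(?m)^interface ", cfg)[1:]:
        enc = re.search(r"(?mi)^\s*encapsulation dot1q (\d+)( native)?", block)
        if enc:
            # Match "bridge-group N" only, not "bridge-group N spanning-disabled".
            bg = re.search(r"(?m)^\s*bridge-group (\d+)\s*$", block)
            v = vlans.setdefault(int(enc.group(1)), {"native": False, "groups": set()})
            v["native"] |= bool(enc.group(2))
            v["groups"].add(int(bg.group(1)) if bg else None)
    return vlans

def trunk(cfg):
    """(native VLAN, allowed VLAN set or None) for a switchport; IOS defaults are 1 and all."""
    nat = re.search(r"switchport trunk native vlan (\d+)", cfg)
    alw = re.search(r"switchport trunk allowed vlan ([\d,]+)", cfg)
    return (int(nat.group(1)) if nat else 1,
            {int(x) for x in alw.group(1).split(",")} if alw else None)

def check(ap_cfg, sw_cfg):
    """Return a list of human-readable mismatches between AP and switch trunk."""
    vlans, (native, allowed), out = ap_vlans(ap_cfg), trunk(sw_cfg), []
    ap_native = sorted(v for v, d in vlans.items() if d["native"])
    if ap_native != [native]:
        out.append(f"native VLAN mismatch: AP {ap_native}, switch {native}")
    if native == 1:
        out.append("trunk native VLAN is 1 (the default)")
    for v, d in sorted(vlans.items()):
        if allowed is not None and v not in allowed:
            out.append(f"VLAN {v} is on the AP but not allowed on the trunk")
        if len(d["groups"]) != 1 or None in d["groups"]:
            out.append(f"VLAN {v}: radio and Ethernet sub-interfaces differ in bridge-group")
        elif d["native"] and d["groups"] != {1}:
            out.append(f"native VLAN {v} is not in bridge-group 1 (BVI1)")
    for v in sorted((allowed or set()) - set(vlans)):
        out.append(f"VLAN {v} is allowed on the trunk but has no AP sub-interface")
    return out
```

`check(AP, SWITCH_OK)` returns an empty list; `check(AP, SWITCH_BAD)` reports the native VLAN mismatch, the default native VLAN 1, and the 496/497 disagreement.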

rambrosio Fri, 10/16/2009 - 04:40

I finally got around to implementing this setup. The upgrade to c1310-k9w7-tar.124-10b.JDA2 addressed my inability to trunk two VLANs to my 3560 switch. So I got that working. I think there must be a bug in the .JA version.

I'm still having an issue passing two VLANs across the link. One, VLAN 15 is my management VLAN and is configured Native. The other is the Client VLAN 192.

If I drop VLAN 15 the client can connect.

I want to have the ability to manage the 1310 and still allow the client's traffic through to my MAN.

Each VLAN is associated with its own SSID, just like your example, so I have two SSIDs I want to pass across the link.

Any help would be appreciated.

Thanks

Rob

AJAZ NAWAZ Fri, 10/16/2009 - 05:49

Rob,

Please post your configs from both APs and switches here. The best way is probably attachments.

thanks

Ajaz

rambrosio Fri, 10/16/2009 - 08:11

Hi Ajaz,

Switch 3560 port:

interface FastEthernet0/7

description Connection to AP ROOT

switchport trunk encapsulation dot1q

switchport trunk native vlan 15

switchport trunk allowed vlan 15,192

switchport mode trunk

load-interval 30

speed 100

duplex full

priority-queue out

random-detect

no cdp enable

spanning-tree portfast trunk

spanning-tree bpdufilter enable

end
