01-05-2012 09:16 AM - edited 03-07-2019 04:11 AM
Hi all,
I have been working on a crazy thing for 2 days: we are trying to set up a new configuration with 2960S as access switches and a 4507 as a core switch.
I want to protect the management IP VLAN of the switch using VRF on the 4507,
so we :
SHUT VLAN 1 on every switch (2960 + 4507)
CREATE A NEW VLAN 289 (management vlan) -> IP network : 10.32.126.192/26
L3 VLAN on every switch
VLAN 289 in the VRF XXX on the 4507
create trunk between the switch and the 4507 :
switchport mode trunk
switchport trunk allowed vlan 200-230
switchport trunk native vlan 289
So with this configuration, VLAN 289 is UP/DOWN on the 2960 and UP/UP on the 4507.
I can access the 4507 using the IP in VLAN 289,
but I cannot access the 2960 behind the 4507.
CDP connectivity is OK.
Can you help me?
Thanks
01-05-2012 09:34 AM
Hi,
I think you will need to allow VLAN 289 on the trunk too.
!
switchport trunk allowed vlan 200-230,289
!
You will need to allow VLAN 289 at both ends of the trunk.
HTH
Alex
01-05-2012 09:37 AM
Thanks for the quick reply, but I already tried that.
01-05-2012 09:42 AM
The vlan 289 UP/DOWN on the 2960 is probably the key.
This implies the L3-vlan exists but the L2 is not yet defined.
Depending on how you operate VTP, you may need to manually create vlan 289 on several switches.
regards,
Leo
01-05-2012 09:42 AM
Hi,
On the 2960, have you added the management address?
!
int vlan 1
no ip address
shut
!
int vlan 289
desc *** SWITCH MANAGEMENT ***
ip address 10.32.126.XXX 255.255.255.192
no shut
!
May just be better to post the show runn
HTH
Alex
01-05-2012 09:44 AM
Yes, the management can ping itself on the mgmt IP address, and I didn't use VTP.
01-05-2012 09:50 AM
Hi,
Have you added a default gateway or route out of the 2960?
!
ip route 0.0.0.0 0.0.0.0 10.32.126.YYY
!
or
ip default-gateway 10.32.126.YYY
YYY is the address of int vlan 289 on the 4500
Regards
Alex
01-05-2012 09:52 AM
I did, but in the same IP network the default-gateway should be necessary
2960 ip is : 10.32.126.193/26
4507 ip is : 10.32.126.250/26
all in vlan 289
01-05-2012 09:57 AM
Hi,
Can you post the show runn of the 2960 and
the 4507 int vlan 289, and the trunk port to the 2960
Regards
Alex
01-05-2012 10:01 AM
yann.boulet wrote:
Yes, the management can ping itself on the mgmt IP address, and I didn't use VTP.
Apparently you do not understand my point.
Perform a sh vlan on the switch where vlan 289 is UP/DOWN.
Make sure vlan 289 is listed.
01-05-2012 10:05 AM
I will send you the configuration of the ports and the VLAN in a few minutes.
I understand your question, and VLAN 289 exists in the vlan.dat as active, also on the 2960 and 4507.
01-05-2012 10:11 AM
2960 configuration : VLAN + TRUNK PORT + SVI
!
vlan 289
!
!
interface GigabitEthernet1/0/52
description SW_ETAGE1_Gig1/1
switchport trunk native vlan 289
switchport trunk allowed vlan 200-230,289
switchport mode trunk
switchport nonegotiate
speed nonegotiate
udld port aggressive
storm-control broadcast level 3.00
spanning-tree guard root
channel-protocol lacp
!
interface Vlan1
no ip address
shutdown
!
interface Vlan289
ip address 10.32.126.193 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
!
ip default-gateway 10.32.126.250
4500 CONFIGURATION :
!
vlan 289
name ADM-NE-LPE
!
interface GigabitEthernet1/1
description SW_ETAGE1_Gig1/52
switchport trunk native vlan 289
switchport trunk allowed vlan 200-230,289
switchport mode trunk
switchport nonegotiate
speed nonegotiate
storm-control broadcast level 3.00
spanning-tree guard root
interface Vlan289
description ADM-LE-LPE
ip vrf forwarding ADMIN-LPE
ip address 10.32.126.250 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
01-05-2012 10:20 AM
Can you perform a sh spanning-tree vlan 289 on all related switches?
01-05-2012 02:43 PM
Great, it was an STP issue on the 4500: the port was "BKN". I decided to remove STP for VLAN 289.
Thank you very much.
Just for my information: we planned to install all the 2960s with FlexStack, so I will have at least 2 ways on 2 physical switches to join the 4500, and I would like to use 802.3ad instead of STP. What do you think about this? Is there a risk in removing STP?
Thanks to everybody.
01-05-2012 03:18 PM
In a properly designed network, STP is quite useful. That is at least my opinion.
Removing STP is always a risk; it was not designed to make LANs more interesting, it rather has a function.
A loopfree network is not the same as a network without STP, only without blocking ports.
Also please note that 802.3ad is not a replacement for STP, it merely changes the STP behavior for the ports in the channel.
regards,
Leo
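The check requested earlier in the thread, `sh spanning-tree vlan 289`, is what exposed the "BKN" port. As an added example (not part of the thread), this Python script parses that command's output and reports each broken port with the inconsistency tag IOS prints next to it, so the reason for the block is visible. The sample output and the tags in it are constructed; the thread does not say which inconsistency was present.

```python
import re

# Constructed sample of `show spanning-tree vlan 289` output (not from the thread).
SAMPLE = """\
VLAN0289
  Spanning tree enabled protocol rstp

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/1               Desg BKN*4         128.1    P2p *PVID_Inc
Gi1/2               Desg FWD 4         128.2    P2p
Gi1/3               Desg BKN*4         128.3    P2p *ROOT_Inc
"""

# Port row: interface, role, state, optional '*' glued to the cost, prio.nbr, type.
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<role>\w{4})\s+(?P<sts>[A-Z]{3})\*?\s*"
    r"(?P<cost>\d+)\s+(?P<prio>\d+\.\d+)\s+(?P<type>.+?)\s*$"
)

# Inconsistency tags IOS appends to the Type column of a broken port.
REASONS = {
    "PVID_INC": "native VLAN (PVID) differs between the two trunk ends",
    "TYPE_INC": "port type differs between the two ends (access vs trunk)",
    "ROOT_INC": "root guard received a superior BPDU on this port",
    "LOOP_INC": "loop guard stopped receiving BPDUs on this port",
}

def broken_ports(output):
    """Return (vlan, port, tag, reason) for every port in BKN state."""
    vlan, findings = None, []
    for line in output.splitlines():
        header = re.match(r"^VLAN0*(\d+)\s*$", line)
        if header:
            vlan = int(header.group(1))
            continue
        row = ROW.match(line)
        if row and row["sts"] == "BKN":
            found = re.search(r"\*(\w+_Inc)", row["type"], re.I)
            tag = found.group(1) if found else None
            reason = REASONS.get((tag or "").upper(), "no inconsistency tag shown")
            findings.append((vlan, row["port"], tag, reason))
    return findings

if __name__ == "__main__":
    for vlan, port, tag, reason in broken_ports(SAMPLE):
        print(f"VLAN {vlan} {port}: BKN ({tag}) - {reason}")
```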