[PLUG] OT VLAN Setup between 2 Cisco switches

Chuck Hast wchast at gmail.com
Thu Sep 10 01:30:11 UTC 2020


Mike,
I have done all of the upgrades to those switches in order to
obtain the coveted CLI access (there is no console port, but
according to the docs there should now be an SSH server on
the device with the upgrades to the latest code), but so far no
joy. I will go over all of that and figure out how to translate it
to the GUI, and do it that way. Or figure out what is missing
to SSH into the box. According to some of the documentation,
after I did the upgrade to 1.4.x there should be an SSH server
box to tick in order to activate it, but so far no joy.

See my comments below regarding your observations:

On Tue, Sep 8, 2020 at 7:54 PM Mike C. <mconnors1 at gmail.com> wrote:

> Thanks Chuck,
>
> I did quite a bit of reading and although this configuration should work,
> it's outside of norms / best practices.
>
> The way I was taught and always configured vlans is that by default all
> ports and packets are untagged and are in the default vlan. Which is vlan 1
> for Cisco. Then tag ports with the vlan you want them to be a part of.
>
> Your configuration is the exact opposite. You've tagged the default vlan 1
> on the trunk and left vlan 20 untagged
>
Wow, I thought I was tagging the ports for VLAN 20 based on what I see
on the GUI. I will go back into it and see what I have screwed up.


> switchport trunk native vlan 20
> switchport default-vlan tagged
>

This should be reversed. I was of the idea (based on what I see on the
GUI) that VLAN 1 was the default and administrative and it was not
tagged...

>
> The switchport default-vlan tagged command is to provide backward
> compatibility support for devices that don't support 802.1Q vlan tags. In
> effect, the port functions in both access & trunk mode at the same time.
>
> But your switches are vlan aware, so this config is unnecessary and I think
> the cause of your problems.
>

I shall look into it and figure out how to get rid of it from the GUI if I
cannot figure out why it does not allow an SSH server to run.

>
> What I recommend trying is disabling the switchport default-vlan tagged
> w. "no switchport default-vlan tagged" command or GUI.
>
> And then removing the native vlan 20 on the trunk with the "no switchport
> trunk native vlan 20" command.
>
> This will set the default and the native vlan that was set to vlan 20 both
> to vlan 1.
>

I wonder if it would not be faster to just set the switch to factory and then
go in and set up the VLAN 20 ports.

After reset all of the ports of course are on VLAN 1. I was thinking that I
was moving the camera ports to VLAN 20.

>
> Then run the command "switchport mode trunk allow vlan 20" which will make
> the trunk port also a member of vlan 20 and will pass tagged packets from
> the camera ports that are only members of vlan 20.
>

I have got to figure out how to get to a CLI...

>
> Then change the camera ports from general to access. Those ports will only
> be a member of 1 vlan and that is the pvid vlan 20. The port will accept
> both untagged and tagged packets from the cameras and only send untagged
> packets to the cameras.
>
I will get those ports changed and see how that goes. Thank you again for
the guidance.


> That should do the trick for you.
>
> Here's a link to the CLI reference for your switch,
>
> https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf200e/command_line_reference/OL-22850.pdf
>
> As this is a more standard way of configuring vlans, this is the best
> config to start with. Let's see what this gets you.
>
> On Sun, Sep 6, 2020 at 9:39 AM Chuck Hast <wchast at gmail.com> wrote:
>
> > Mike,
> > I finally got the switches to give up the config files. Getting these
> > things from firmware 1.2 to 1.4.11 took 4 firmware upgrades and
> > 1 boot upgrade. Below is the url to the switch config files
> >
> > http://www.fileconvoy.com/dfl.php?id=g440c3055c46aeeae1000279093dea129f9edbcfc24
> >
> >
> > On Sun, Aug 30, 2020 at 10:16 AM Chuck Hast <wchast at gmail.com> wrote:
> >
> > > Well, I have been trying to get a backup file out of this so I can
> > > send it to you, but so far when I try to do http/https backup it
> > > fails the only thing is I get a network error, and if I look in the
> > > switch logs, it says it cannot find the file.
> > >
> > > I have a SG300-28 at home, it was never this cantankerous,
> > > I can do file backups and uploads to it with no issues whatsoever.
> > >
> > > They must have cut some major corners somewhere with these
> > > switches.
> > >
> > >
> > > On Sun, Aug 23, 2020 at 11:30 AM Chuck Hast <wchast at gmail.com> wrote:
> > >
> > >> Well, I went to pull the backed up config files out of both switches
> > >> and got a "network failure." I setup a tftp server on my
> > >> laptop and tried to go that way and got a "file not found" error.
> > >>
> > >> Appears that I have to upgrade to a later rev of the firmware/boot
> > >> file. Both switches are presently at Rev 1.2.9.44, which has no
> > >> ssh, and appears that it "likes" some old version of IE. So perhaps
> > >> doing that upgrade will take care of these issues. Who knows.
> > >> Once I do the upgrades I will let you know what happens, if it still
> > >> does not want to pass the vlan 20 to switch 02 I will pull the
> > >> config file and send it. This rev level has NO CLI whatsoever,
> > >> but it is installed in one of the later revs, got to get to that.
> > >>
> > >>
> > >> On Mon, Aug 17, 2020 at 11:38 PM Chuck Hast <wchast at gmail.com> wrote:
> > >>
> > >>> Let me get you the config files, let us not break our heads on it
> > >>> until you can look at them. I know on the web screens I set up
> > >>> port 50 to have vlan 20 tagged on both ends. In my meagre work
> > >>> in this area, it seems that I always did the same thing, the link
> > >>> carrying the camera VLAN went on a separate path to keep
> > >>> possible latency down due to competition for the link path.
> > >>>
> > >>> This is the same case: the cameras are on VLAN 20, it is a
> > >>> total network island because the stinking cameras call home,
> > >>> and the best way to avoid it is just to put them on an island
> > >>> network. This is the first time I can recall having this issue. In
> > >>> the past I just tagged the two ends of the link and my video
> > >>> data went that direction. All the rest went with VLAN 1 on
> > >>> the other link.
> > >>>
> > >>> On Mon, Aug 17, 2020 at 4:15 AM Mike C. <mconnors1 at gmail.com> wrote:
> > >>>
> > >>>> >
> > >>>> > That is what I was thinking based on the other Cisco doc I read.
> > >>>> > All I need to do is set both of the two fibre links up as trunks
> > >>>> > and it should work, but there is another one that also said the
> > >>>> > part about tagging. I have VLAN 20 (the VLANs are 1, 10 and 20) on
> > >>>> > port 50 on both ends. I have also removed it but still no joy.
> > >>>>
> > >>>>
> > >>>> Just to be clear, with port based vlans, which is what you have, a
> > >>>> port can only belong to 1 untagged vlan. So when you have a port set
> > >>>> to untagged w. the pvid set, then that port will only be in the
> > >>>> default / native vlan, which is VLAN 1 on most network equipment
> > >>>> vendors. This is often used as the management vlan.
> > >>>>
> > >>>> However, you can only have 1 untagged vlan per port. Any other vlans
> > >>>> you want that port to handle must be tagged. Otherwise, all those
> > >>>> packets will be treated as they're part of the default / native vlan.
> > >>>>
> > >>>> Which seems to be what you have configured. VLAN 1 untagged pvid on
> > >>>> P49 and VLAN 20 untagged pvid on P50 on both switches.
> > >>>>
> > >>>> And that makes me reconsider my earlier statement:
> > >>>>
> > >>>> Switch B
> > >>>> >
> > >>>> > 49 GE49 Enabled Disabled STP Root 20000 128 Forwarding 32768-f0:29:29:f5:43:bd 128-97 0 1
> > >>>> > 50 GE50 Enabled Disabled STP Alternate 20000 128 Discarding 32768-f0:29:29:f5:43:bd 128-98 0 0
> > >>>> > This one says discarding for port 50, so suspect that is the issue.
> > >>>> >
> > >>>>
> > >>>> Normally, the way this is designed and configured when there are
> > >>>> multiple uplinks is to create a LAG or MLT, a trunk group that
> > >>>> carries all VLANs. This provides more bandwidth and failover
> > >>>> redundancy.
> > >>>>
> > >>>> But you haven't said anything about a LAG configuration and if you
> > >>>> don't have any traffic traversing P50, if memory serves until you
> > >>>> take the fibre link down on P49. Is that correct?
> > >>>>
> > >>>> Therefore, if you want this to work you will have to tag vlan 10, 20
> > >>>> on port 49 and port 50 and you will have only 1 active uplink over
> > >>>> which all VLANs traverse.
> > >>>>
> > >>>> Then in the event of a failure of the active uplink, Spanning Tree
> > >>>> will reconfigure and use P50.
> > >>>>
> > >>>> Does that make sense at all? This is difficult to troubleshoot and
> > >>>> explain over email without the configs.
> > >>>> _______________________________________________
> > >>>> PLUG: https://pdxlinux.org
> > >>>> PLUG mailing list
> > >>>> PLUG at pdxlinux.org
> > >>>> http://lists.pdxlinux.org/mailman/listinfo/plug
> > >>>>
> > >>>
> > >>>
> > >>> --
> > >>>
> > >>> Chuck Hast  -- KP4DJT --
> > >>> I can do all things through Christ which strengtheneth me.
> > >>> Ph 4:13 KJV
> > >>> Todo lo puedo en Cristo que me fortalece.
> > >>> Fil 4:13 RVR1960
> > >>>
> > >>>
> > >>
> > >
> >
> >
>


-- 

Chuck Hast  -- KP4DJT --
I can do all things through Christ which strengtheneth me.
Ph 4:13 KJV
Todo lo puedo en Cristo que me fortalece.
Fil 4:13 RVR1960
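Added example, not from the thread and not from Cisco's own documentation: the
uplink and camera-port setup Mike describes in the two quoted messages above
(one untagged/PVID VLAN per port, native and default VLAN back to 1, VLANs 10
and 20 tagged on both fibre uplinks, camera ports as plain access ports in
VLAN 20), written out in Cisco Small Business CLI form with the thread's
problem config next to the corrected one. Interface names are assumptions:
gi49/gi50 for the GE49/GE50 fibre uplinks and fa1-8 for the camera ports, which
the thread never lists. Mike's "switchport mode trunk allow vlan 20" is written
here as "switchport trunk allowed vlan add 20", the form I believe the linked
SF200E CLI reference uses; check the PDF before pasting.

```text
! --- Problem config, as described in the thread (per uplink) ---
! The camera VLAN is the untagged/native VLAN on the trunk and the trunk
! is also a tagged member of VLAN 1, so untagged frames arriving from the
! far switch land in VLAN 20 and the "general"/default-vlan-tagged mix
! makes the port behave as access and trunk at the same time.
interface gi50
 switchport mode trunk
 switchport trunk native vlan 20
 switchport default-vlan tagged
!
! --- Corrected config, following Mike's steps ---
! Create the VLANs on both switches (1 exists by default).
vlan database
 vlan 10,20
exit
!
! Both fibre uplinks: native/default VLAN 1 untagged, 10 and 20 tagged.
! Spanning Tree keeps one of the two in Discarding until the other fails.
interface gi49
 switchport mode trunk
 no switchport default-vlan tagged
 no switchport trunk native vlan 20
 switchport trunk allowed vlan add 10,20
!
interface gi50
 switchport mode trunk
 no switchport default-vlan tagged
 no switchport trunk native vlan 20
 switchport trunk allowed vlan add 10,20
!
! Camera ports (numbers assumed): access mode, PVID 20, one VLAN only.
! The switch sends the cameras untagged frames and accepts untagged
! frames from them into VLAN 20.
interface range fa1-8
 switchport mode access
 switchport access vlan 20
!
! Verify on each switch:
! show vlan
! show interfaces switchport gi49
```

After applying this, "show vlan" should list VLAN 20 with gi49 and gi50 as
tagged members and the camera ports as untagged members, and "show interfaces
switchport gi49" should report trunk mode with native VLAN 1. One caveat that
goes beyond what the thread covers: with native VLAN 1 also serving as the
management VLAN, any untagged frame that reaches the uplink is placed in the
management VLAN, so a common hardening step on trunks is to set the native VLAN
to an otherwise unused VLAN ID rather than 1.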
