[PLUG] OT VLAN Setup between 2 Cisco switches

Chuck Hast wchast at gmail.com
Thu Sep 10 03:48:05 UTC 2020


Well the switches in question are at a remote site but
I have another one of those switches here at home so
I am getting it brought up to date and then will go after
it. It is presently at factory so there is nothing that I have
added to it but to upgrade the boot/firmware. At this
moment I am stuffing the latest and greatest into it,
then I am going to see if I can conquer the SSH thing.
It is SUPPOSED to have an SSH server on board but
so far I have not seen it. I see the client side but not
the server side. But yet there is the CLI command list
and I see comments about a box to be checked to
enable the SSH server (have yet to see said box).
So I shall start with this one and get it going then I
will use it as my reference with the other two.


On Wed, Sep 9, 2020 at 10:25 PM Mike C. <mconnors1 at gmail.com> wrote:

> At this point, it prolly makes more sense to just factory reset the switch
> and then just put all the camera ports in vlan 20 and then tag port 50 as a
> member of vlan 20.
>
>  I'm not sure how old this OS is but when Cisco and other vendors first
> started rolling out their GUIs, it wasn't uncommon for folks to get
> confused while provisioning, troubleshooting and even for config files
> being corrupted.
>
> So, it's just force of habit for me to look at the actual running config.
>
> I hope this helps you get this all sorted out soon.
>
> On Wed, Sep 9, 2020 at 6:30 PM Chuck Hast <wchast at gmail.com> wrote:
>
> > Mike,
> > I have done all of the upgrades to those switches in order to
> > obtain the coveted CLI access (there is no console port, but
> > according to the docs there should now be a SSH server on
> > the device with the upgrades to the latest code), but so far no
> > joy. I will go over all of that and figure out how to translate it
> > to the GUI, and do it that way. Or figure out what is missing
> > to SSH into the box. According to some of the documentation,
> > after I did the upgrade to 14.x there should be an SSH server
> > box to tick in order to activate it, but so far no joy.
> >
> > See my comments below regarding your observations:
> >
> > On Tue, Sep 8, 2020 at 7:54 PM Mike C. <mconnors1 at gmail.com> wrote:
> >
> > > Thanks Chuck,
> > >
> > > I did quite a bit of reading and although this configuration should
> > > work, it's outside of norms / best practices.
> > >
> > > The way I was taught and always configured vlans is that by default all
> > > ports and packets are untagged and are in the default vlan. Which is
> > > vlan 1 for Cisco. Then tag ports with the vlan you want them to be a
> > > part of.
> > >
> > > Your configuration is the exact opposite. You've tagged the default
> > > vlan 1 on the trunk and left vlan 20 untagged.
> > >
> >
> > Wow, I thought I was tagging the ports for VLAN 20 based on what I see
> > on the GUI. I will go back into it and see what I have screwed up.
> >
> >
> > > switchport trunk native vlan 20
> > > switchport default-vlan tagged
> > >
> >
> > This should be reversed. I was of the idea (based on what I see on the
> > GUI) that VLAN 1 was the default and administrative and it was not
> > tagged...
> >
> > >
> > > The switchport default-vlan tagged command is to provide backward
> > > compatibility support for devices that don't support 802.1Q vlan tags.
> > > In effect, the port functions in both access & trunk mode at the same
> > > time.
> > >
> > > But your switches are vlan aware, so this config is unnecessary and I
> > > think the cause of your problems.
> > >
> >
> > I shall look into it and figure out how to get rid of it from the GUI if
> > I cannot figure out why it does not allow a SSH server to run.
> >
> > >
> > > What I recommend trying is disabling the switchport default-vlan
> > > tagged w/ the "no switchport default-vlan tagged" command or GUI.
> > >
> > > And then removing the native vlan 20 on the trunk with the "no
> > > switchport trunk native vlan 20" command.
> > >
> > > This will set the default and the native vlan that was set to vlan 20
> > > both to vlan 1.
> > >
> >
> > I wonder if I would not be faster to just set the switch to factory and
> > then go in and set up the VLAN 20 ports.
> >
> > After reset all of the ports of course are on VLAN 1. I was thinking
> > that I was moving the camera ports to VLAN 20.
> >
> > >
> > > Then run the command "switchport mode trunk allow vlan 20" which will
> > > make the trunk port also a member of vlan 20 and will pass tagged
> > > packets from the camera ports that are only members of vlan 20.
> > >
> >
> > I have got to figure out how to get to a CLI...
> >
> > >
> > > Then change the camera ports from general to access. Those ports will
> > > only be a member of 1 vlan and that is the pvid vlan 20. The port will
> > > accept both untagged and tagged packets from the cameras and only send
> > > untagged packets to the cameras.
> > >
> >
> > I will get those ports changed and see how that goes. Thank you again
> > for the guidance.
> >
> >
> > > That should do the trick for you.
> > >
> > > Here's a link to the CLI reference for your switch,
> > >
> > > https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf200e/command_line_reference/OL-22850.pdf
> > >
> > > As this is a more standard way of configuring vlans, this is the best
> > > config to start with. Let's see what this gets you.
> > >
> > > On Sun, Sep 6, 2020 at 9:39 AM Chuck Hast <wchast at gmail.com> wrote:
> > >
> > > > Mike,
> > > > I finally got the switches to give up the config files. Getting these
> > > > things from firmware 1.2 to 1.4.11 took 4 firmware upgrades and
> > > > 1 boot upgrade. Below is the url to the switch config files
> > > >
> > > > http://www.fileconvoy.com/dfl.php?id=g440c3055c46aeeae1000279093dea129f9edbcfc24
> > > >
> > > > On Sun, Aug 30, 2020 at 10:16 AM Chuck Hast <wchast at gmail.com> wrote:
> > > >
> > > > > Well, I have been trying to get a backup file out of this so I can
> > > > > send it to you, but so far when I try to do http/https backup it
> > > > > fails the only thing is I get a network error, and if I look in the
> > > > > switch logs, it says it cannot find the file.
> > > > >
> > > > > I have a SG300-28 at home, it was never this cantankerous,
> > > > > I can do file backups and uploads to it with no issues whatsoever.
> > > > >
> > > > > They must have cut some major corners somewhere with these
> > > > > switches.
> > > > >
> > > > >
> > > > > On Sun, Aug 23, 2020 at 11:30 AM Chuck Hast <wchast at gmail.com> wrote:
> > > > >
> > > > >> Well, I went to pull the backed up config files out of both
> > > > >> switches and got a "network failure." I setup a tftp server on my
> > > > >> laptop and tried to go that way and got a "file not found" error.
> > > > >>
> > > > >> Appears that I have to upgrade to a later rev of the firmware/boot
> > > > >> file. Both switches are presently at Rev 1.2.9.44, which has no
> > > > >> ssh, and appears that it "likes" some old version of IE. So
> > > > >> perhaps doing that upgrade will take care of these issues. Who knows.
> > > > >> Once I do the upgrades I will let you know what happens, if it
> > > > >> still does not want to pass the vlan 20 to switch 02 I will pull the
> > > > >> config file and send it. This rev level has NO CLI whatsoever,
> > > > >> but it is installed in one of the later revs, got to get to that.
> > > > >>
> > > > >>
> > > > >> On Mon, Aug 17, 2020 at 11:38 PM Chuck Hast <wchast at gmail.com> wrote:
> > > > >>
> > > > >>> Let me get you the config files, let us not break our heads on it
> > > > >>> until you can look at them. I know on the web screens I set up
> > > > >>> port 50 to have vlan 20 tagged on both ends. In my meager work
> > > > >>> in this area, it seems that I always did the same thing, the link
> > > > >>> carrying the camera VLAN went on a separate path to keep
> > > > >>> possible latency down due to competition for the link path.
> > > > >>>
> > > > >>> This is the same case: the cameras are on VLAN 20, it is a
> > > > >>> total network island because the stinking cameras call home,
> > > > >>> and the best way to avoid it is just to put them on an island
> > > > >>> network. This is the first time I can recall having this issue.
> > > > >>> In the past I just tagged the two ends of the link and my video
> > > > >>> data went that direction. All the rest went with VLAN 1 on
> > > > >>> the other link.
> > > > >>>
> > > > >>> On Mon, Aug 17, 2020 at 4:15 AM Mike C. <mconnors1 at gmail.com> wrote:
> > > > >>>
> > > > >>>> > That is what I was thinking based on the other Cisco doc I
> > > > >>>> > read, all I need to do is set both of the two fibre links up as
> > > > >>>> > trunks and it should work, but there is another one that also
> > > > >>>> > said the part about tagging. I have VLAN 20 (the VLANS are 1, 10
> > > > >>>> > and 20) on port 50 on both ends, I have also removed it but still
> > > > >>>> > no joy.
> > > > >>>>
> > > > >>>>
> > > > >>>> Just to be clear, with port based vlans, which is what you
> > > > >>>> have, a port can only belong to 1 untagged vlan. So when you
> > > > >>>> have a port set to untagged w/ the pvid set, then that port will
> > > > >>>> only be in the default / native vlan, which is VLAN 1 on most
> > > > >>>> network equipment vendors. This is often used as the management
> > > > >>>> vlan.
> > > > >>>>
> > > > >>>> However, you can only have 1 untagged vlan per port. Any other
> > > > >>>> vlans you want that port to handle must be tagged. Otherwise, all
> > > > >>>> those packets will be treated as they're part of the default /
> > > > >>>> native vlan.
> > > > >>>>
> > > > >>>> Which seems to be what you have configured. VLAN 1 untagged pvid
> > > > >>>> on P49 and VLAN 20 untagged pvid on P50 on both switches.
> > > > >>>>
> > > > >>>> And that makes me reconsider my earlier statement:
> > > > >>>>
> > > > >>>> Switch B
> > > > >>>> >
> > > > >>>> > 49 GE49 Enabled Disabled STP Root 20000 128 Forwarding
> > > > >>>> > 32768-f0:29:29:f5:43:bd 128-97 0 1
> > > > >>>> > 50 GE50 Enabled Disabled STP Alternate 20000 128 Discarding
> > > > >>>> > 32768-f0:29:29:f5:43:bd 128-98 0 0
> > > > >>>> > This one says discarding for port 50, so suspect that is the
> > > > >>>> > issue.
> > > > >>>> >
> > > > >>>>
> > > > >>>> Normally, the way this is designed and configured when there's
> > > > >>>> multiple uplinks is to create a LAG or MLT, a trunk group that
> > > > >>>> carries all VLANs. This provides more bandwidth and failover
> > > > >>>> redundancy.
> > > > >>>>
> > > > >>>> But you haven't said anything about a LAG configuration and if
> > > > >>>> you don't have any traffic traversing P50, if memory serves until
> > > > >>>> you take the fibre link down on P49. Is that correct?
> > > > >>>>
> > > > >>>> Therefore, if you want this to work you will have to tag vlan
> > > > >>>> 10, 20 on port 49 and port 50 and you will have only 1 active
> > > > >>>> uplink over which all VLANs traverse.
> > > > >>>>
> > > > >>>> Then in the event of a failure of the active uplink, Spanning
> > > > >>>> Tree will reconfigure and use P50.
> > > > >>>>
> > > > >>>> Does that make sense at all? This is difficult to troubleshoot
> > > > >>>> and explain over email without the configs.
> > > > >>>> _______________________________________________
> > > > >>>> PLUG: https://pdxlinux.org
> > > > >>>> PLUG mailing list
> > > > >>>> PLUG at pdxlinux.org
> > > > >>>> http://lists.pdxlinux.org/mailman/listinfo/plug
> > > > >>>>
> > > > >>>
> > > > >>>
> > > > >>> --
> > > > >>>
> > > > >>> Chuck Hast  -- KP4DJT --
> > > > >>> I can do all things through Christ which strengtheneth me.
> > > > >>> Ph 4:13 KJV
> > > > >>> Todo lo puedo en Cristo que me fortalece.
> > > > >>> Fil 4:13 RVR1960
> > > > >>>
> > > > >>>
> > > > >>


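The one-untagged-VLAN-per-port rule Mike lays out in the Aug 17 reply, and the native-VLAN mismatch that Chuck's `switchport trunk native vlan 20` creates against a peer whose uplink keeps native VLAN 1, can be checked with a small model of 802.1Q ingress/egress classification. This is an added example, not code from the thread or from Cisco; the port names, the memberships and the simplified classification rules are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class Port:
    """Simplified 802.1Q membership of one port (a model, not the switch's data)."""
    name: str
    mode: str                        # "access" or "trunk"
    pvid: int                        # access VLAN, or the trunk's native VLAN
    tagged: frozenset = frozenset()  # VLANs carried tagged (trunk ports only)

def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN an arriving frame is assigned to; tag=None means it was untagged.
    Returns None when the port is not a member of that VLAN (frame dropped)."""
    if tag is None or tag == port.pvid:
        return port.pvid             # untagged traffic always lands in the PVID
    if port.mode == "trunk" and tag in port.tagged:
        return tag
    return None

def egress_tag(port: Port, vlan: int) -> Union[None, int, str]:
    """How a frame in `vlan` leaves the port: None = sent untagged,
    int = sent with that 802.1Q tag, "drop" = port is not a member."""
    if vlan == port.pvid:
        return None                  # the single untagged VLAN a port can have
    if port.mode == "trunk" and vlan in port.tagged:
        return vlan
    return "drop"

def camera_to_peer(camera_port: Port, a_uplink: Port, b_uplink: Port) -> Optional[int]:
    """Untagged camera frame enters camera_port on switch A, leaves via a_uplink
    and is classified by switch B's b_uplink. Returns switch B's VLAN, or None."""
    on_wire = egress_tag(a_uplink, ingress_vlan(camera_port, None))
    return None if on_wire == "drop" else ingress_vlan(b_uplink, on_wire)

# Constructed ports. Recommended layout: cameras in access mode with PVID 20,
# both uplinks trunks with native VLAN 1 and VLAN 20 tagged.
CAMERA = Port("GE1", "access", pvid=20)
GOOD_A = Port("A/GE50", "trunk", pvid=1, tagged=frozenset({20}))
GOOD_B = Port("B/GE50", "trunk", pvid=1, tagged=frozenset({20}))
# Mismatch: switch A keeps native VLAN 20 with VLAN 1 tagged, but switch B
# has the usual native VLAN 1, so the camera frame arrives untagged there.
MISMATCH_A = Port("A/GE50", "trunk", pvid=20, tagged=frozenset({1}))
# Trunk with native VLAN 1 and no tagged members: VLAN 20 is not allowed.
BARE_A = Port("A/GE50", "trunk", pvid=1)
```

With the mismatched pair the camera frame is classified into VLAN 1 on switch B, so the "island" leaks into the management VLAN rather than failing visibly; the model ignores Spanning Tree, which is what Mike's "Discarding" line shows blocking P50 when two parallel uplinks join the same switches.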


