[PLUG] OT VLAN Setup between 2 Cisco switches

Chuck Hast wchast at gmail.com
Fri Sep 11 14:58:11 UTC 2020


Here is a scrape from the Port VLAN Membership screen. I sure wish
I could get into the CLI for sure on this one, but it shows these ports
as being members of VLAN 20.
Interface   Mode     Administrative VLANs   Operational VLANs
GE25        Access   20UP                   20UP
GE26        Access   20UP                   20UP
GE27        Access   20UP                   20UP
GE28        Access   20UP                   20UP
GE29        Access   20UP                   20UP
GE30        Access   20UP                   20UP
GE31        Access   20UP                   20UP
GE32        Access   20UP                   20UP
GE33        Access   20UP                   20UP
GE34        Access   20UP                   20UP
GE35        Access   20UP                   20UP
GE36        Access   20UP                   20UP
GE50        Trunk    1UP, 20T               1UP, 20T

Here is a scrape from the Port to VLAN screen
Interface Name   VLAN Mode   Membership Type   PVID
GE25             Access      Untagged          [x]
GE26             Access      Untagged          [x]
GE27             Access      Untagged          [x]
GE28             Access      Untagged          [x]
GE29             Access      Untagged          [x]
GE30             Access      Untagged          [x]
GE31             Access      Untagged          [x]
GE32             Access      Untagged          [x]
GE33             Access      Untagged          [x]
GE34             Access      Untagged          [x]
GE35             Access      Untagged          [x]
GE36             Access      Untagged          [x]
GE50             Trunk       Tagged

That is how it is shown on the GUI.

I looked at the config file and see what you mean, I will
make changes then dump the file and see what it does.


On Fri, Sep 11, 2020 at 12:13 AM Mike C. <mconnors1 at gmail.com> wrote:

> The config looks more like I'd expect to see it with the exception of these
> omissions:
>
> 1. The camera ports don't have a vlan id set. I'd expect to see a config
> statement like this for the camera ports:
>
> switchport access vlan 20
>
> 2. No trunk switchport mode config statement. I'd expect to see a config
> statement for port 50 that sets the port mode to trunk. This is the
> equivalent to all the other ports set to access mode. "switchport mode
> access"
>
> switchport mode trunk
>
>
>
> On Thu, Sep 10, 2020 at 5:32 PM Chuck Hast <wchast at gmail.com> wrote:
>
> > Mike,
> > I did all of the upgrades, there were some totally different
> > screens after the final upgrade, I have uploaded a test
> > config file for you to look at.
> > http://www.fileconvoy.com/dfl.php?id=ga1a6f14cc72ae98a100028043901eb98b17d036d59
> >
> >
> > On Wed, Sep 9, 2020 at 11:28 PM Chuck Hast <wchast at gmail.com> wrote:
> >
> > > Found the guide for the GUI. Now to see if it can show me how to
> > > get SSH working so I can get to the CLI.
> > >
> > > https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf20x_sg20x/administration_guide/Cisco_200Sx_v1_4_AG.pdf
> > >
> > > On Wed, Sep 9, 2020 at 10:48 PM Chuck Hast <wchast at gmail.com> wrote:
> > >
> > >> Well the switches in question are at a remote site but
> > >> I have another one of those switches here at home so
> > >> I am getting it brought up to date and then will go after
> > >> it. It is presently at factory so there is nothing that I have
> > >> added to it but to upgrade the boot/firmware. At this
> > >> moment I am stuffing the latest and greatest into it,
> > >> then I am going to see if I can conquer the SSH thing.
> > >> It is SUPPOSED to have a SSH server on board but
> > >> so far I have not seen it. I see the client side but not
> > >> the server side. But yet there is the CLI command list
> > >> and I see comments about a box to be checked to
> > >> enable the SSH server, (have yet to see said box).
> > >> So I shall start with this one and get it going then I
> > >> will use it as my reference with the other two.
> > >>
> > >>
> > >> On Wed, Sep 9, 2020 at 10:25 PM Mike C. <mconnors1 at gmail.com> wrote:
> > >>
> > >>> At this point, it prolly makes more sense to just factory reset the
> > >>> switch and then just put all the camera ports in vlan 20 and then tag
> > >>> port 50 as a member of vlan 20.
> > >>>
> > >>> I'm not sure how old this OS is but when Cisco and other vendors first
> > >>> started rolling out their GUIs, it wasn't uncommon for folks to get
> > >>> confused while provisioning, troubleshooting and even for config files
> > >>> being corrupted.
> > >>>
> > >>> So, it's just force of habit for me to look at the actual running
> > >>> config.
> > >>>
> > >>> I hope this helps you get this all sorted out soon.
> > >>>
> > >>> On Wed, Sep 9, 2020 at 6:30 PM Chuck Hast <wchast at gmail.com> wrote:
> > >>>
> > >>> > Mike,
> > >>> > I have done all of the upgrades to those switches in order to
> > >>> > obtain the coveted CLI access (there is no console port, but
> > >>> > according to the docs there should now be a SSH server on
> > >>> > the device with the upgrades to the latest code but so far no
> > >>> > joy. I will go over all of that and figure out how to translate it
> > >>> > to the GUI, and do it that way. Or figure out what is missing
> > >>> > to SSH into the box. According to some of the documentation
> > >>> > after I did the upgrade to 14.x there should be a ssh server
> > >>> > box to tick in order to activate it but so far no joy.
> > >>> >
> > >>> > See my comments below regarding your observations:
> > >>> >
> > >>> > On Tue, Sep 8, 2020 at 7:54 PM Mike C. <mconnors1 at gmail.com> wrote:
> > >>> >
> > >>> > > Thanks Chuck,
> > >>> > >
> > >>> > > I did quite a bit of reading and although this configuration should
> > >>> > > work, it's outside of norms / best practices.
> > >>> > >
> > >>> > > The way I was taught and always configured vlans is that by default
> > >>> > > all ports and packets are untagged and are in the default vlan. Which
> > >>> > > is vlan 1 for Cisco. Then tag ports with the vlan you want them to be
> > >>> > > a part of.
> > >>> > >
> > >>> > > Your configuration is the exact opposite. You've tagged the default
> > >>> > > vlan 1 on the trunk and left vlan 20 untagged
> > >>> > >
> > >>> > Wow, I thought I was tagging the ports for VLAN 20 based on what I
> > >>> > see on the GUI. I will go back into it and see what I have screwed up.
> > >>> >
> > >>> >
> > >>> > > switchport trunk native vlan 20
> > >>> > > switchport default-vlan tagged .
> > >>> > >
> > >>> >
> > >>> > This should be reversed. I was of the idea (based on what I see on
> > >>> > the GUI) that VLAN 1 was the default and administrative and it was not
> > >>> > tagged...
> > >>> >
> > >>> > >
> > >>> > > The switchport default-vlan tagged command is to provide backward
> > >>> > > compatibility support for devices that don't support 802.1Q vlan
> > >>> > > tags. In effect, the port functions in both access & trunk mode at
> > >>> > > the same time.
> > >>> > >
> > >>> > > But your switches are vlan aware, so this config is unnecessary and I
> > >>> > > think the cause of your problems.
> > >>> > >
> > >>> >
> > >>> > I shall look into it and figure out how to get rid of it from the GUI
> > >>> > if I cannot figure out why it does not allow a SSH server to run.
> > >>> >
> > >>> > >
> > >>> > > What I recommend trying is disabling the switchport default-vlan
> > >>> > > tagged w. "no switchport default-vlan tagged" command or GUI.
> > >>> > >
> > >>> > > And then removing the native vlan 20 on the trunk with the "no
> > >>> > > switchport trunk native vlan 20" command.
> > >>> > >
> > >>> > > This will set the default and the native vlan that was set to vlan
> > >>> > > 20 both to vlan 1.
> > >>> > >
> > >>> >
> > >>> > I wonder if it would not be faster to just set the switch to factory
> > >>> > and then go in and set up the VLAN 20 ports.
> > >>> >
> > >>> > After reset all of the ports of course are on VLAN 1. I was thinking
> > >>> > that I was moving the camera ports to VLAN 20.
> > >>> >
> > >>> > >
> > >>> > > Then run the command "switchport mode trunk allow vlan 20" which will
> > >>> > > make the trunk port also a member of vlan 20 and will pass tagged
> > >>> > > packets from the camera ports that are only members of vlan 20.
> > >>> > >
> > >>> >
> > >>> > I have got to figure out how to get to a CLI...
> > >>> >
> > >>> > >
> > >>> > > Then change the camera ports from general to access. Those ports will
> > >>> > > only be a member of 1 vlan and that is the pvid vlan 20. The port will
> > >>> > > accept both untagged and tagged packets from the cameras and only send
> > >>> > > untagged packets to the cameras.
> > >>> > >
> > >>> > I will get those ports changed and see how that goes. Thank you again
> > >>> > for the guidance.
> > >>> >
> > >>> >
> > >>> > > That should do the trick for you.
> > >>> > >
> > >>> > > Here's a link to the CLI reference for your switch,
> > >>> > >
> > >>> > > https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf200e/command_line_reference/OL-22850.pdf
> > >>> > >
> > >>> > > As this is a more standard way of configuring vlans, this is the best
> > >>> > > config to start with. Let's see what this gets you.
> > >>> > >
> > >>> > > On Sun, Sep 6, 2020 at 9:39 AM Chuck Hast <wchast at gmail.com> wrote:
> > >>> > >
> > >>> > > > Mike,
> > >>> > > > I finally got the switches to give up the config files. Getting
> > >>> > > > these things from firmware 1.2 to 1.4.11 took 4 firmware upgrades
> > >>> > > > and 1 boot upgrade. Below is the url to the switch config files
> > >>> > > > http://www.fileconvoy.com/dfl.php?id=g440c3055c46aeeae1000279093dea129f9edbcfc24
> > >>> > > >
> > >>> > > >
> > >>> > > > On Sun, Aug 30, 2020 at 10:16 AM Chuck Hast <wchast at gmail.com> wrote:
> > >>> > > >
> > >>> > > > > Well, I have been trying to get a backup file out of this so I
> > >>> > > > > can send it to you, but so far when I try to do http/https backup
> > >>> > > > > it fails; the only thing is I get a network error, and if I look
> > >>> > > > > in the switch logs, it says it cannot find the file.
> > >>> > > > >
> > >>> > > > > I have a SG300-28 at home, it was never this cantankerous,
> > >>> > > > > I can do file backups and uploads to it with no issues whatsoever.
> > >>> > > > >
> > >>> > > > > They must have cut some major corners somewhere with these
> > >>> > > > > switches.
> > >>> > > > >
> > >>> > > > >
> > >>> > > > > On Sun, Aug 23, 2020 at 11:30 AM Chuck Hast <wchast at gmail.com> wrote:
> > >>> > > > >
> > >>> > > > >> Well, I went to pull the backed up config files out of both
> > >>> > > > >> switches and got a "network failure." I setup a tftp server on my
> > >>> > > > >> laptop and tried to go that way and got a "file not found" error.
> > >>> > > > >>
> > >>> > > > >> Appears that I have to upgrade to a later rev of the firmware/boot
> > >>> > > > >> file. Both switches are presently at Rev 1.2.9.44, which has no
> > >>> > > > >> ssh, and appears that it "likes" some old version of i.e. So
> > >>> > > > >> perhaps doing that upgrade will take care of these issues. Who
> > >>> > > > >> knows. Once I do the upgrades I will let you know what happens, if
> > >>> > > > >> it still does not want to pass the vlan 20 to switch 02 I will
> > >>> > > > >> pull the config file and send it. This rev level has NO CLI
> > >>> > > > >> whatsoever, but it is installed in one of the later revs, got to
> > >>> > > > >> get to that.
> > >>> > > > >>
> > >>> > > > >>
> > >>> > > > >> On Mon, Aug 17, 2020 at 11:38 PM Chuck Hast <wchast at gmail.com> wrote:
> > >>> > > > >>
> > >>> > > > >>> Let me get you the config files, let us not break our heads on
> > >>> > > > >>> it until you can look at them. I know on the web screens I set
> > >>> > > > >>> up port 50 to have vlan 20 tagged on both ends. In my meagre
> > >>> > > > >>> work in this area, it seems that I always did the same thing,
> > >>> > > > >>> the link carrying the camera VLAN went on a separate path to
> > >>> > > > >>> keep possible latency down due to competition for the link path.
> > >>> > > > >>>
> > >>> > > > >>> This is the same case the cameras are on VLAN 20, it is a
> > >>> > > > >>> total network island because the stinking cameras call home,
> > >>> > > > >>> and the best way to avoid it is just to put them on an island
> > >>> > > > >>> network. This is the first time I can recall having this
> > >>> > > > >>> issue. In the past I just tagged the two ends of the link and
> > >>> > > > >>> my video data went that direction. All the rest went with VLAN
> > >>> > > > >>> 1 on the other link.
> > >>> > > > >>>
> > >>> > > > >>> On Mon, Aug 17, 2020 at 4:15 AM Mike C. <mconnors1 at gmail.com> wrote:
> > >>> > > > >>>
> > >>> > > > >>>> >
> > >>> > > > >>>> > That is what I was thinking based on the other Cisco doc I
> > >>> > > > >>>> > read all I need to do is set both of the two fibre links up
> > >>> > > > >>>> > as trunks and it should work, but there is another one that
> > >>> > > > >>>> > also said the part about tagging. I have VLAN 20 (the VLANS
> > >>> > > > >>>> > are 1, 10 and 20) on port 50 on both ends, I have also
> > >>> > > > >>>> > removed it but still no joy.
> > >>> > > > >>>>
> > >>> > > > >>>>
> > >>> > > > >>>> Just to be clear, with port based vlans, which is what you
> > >>> > > > >>>> have, a port can only belong to 1 untagged vlan. So when you
> > >>> > > > >>>> have a port set to untagged w. the pvid set, then that port
> > >>> > > > >>>> will only be in the default / native vlan, which is VLAN 1 on
> > >>> > > > >>>> most network equipment vendors. This is often used as the
> > >>> > > > >>>> management vlan.
> > >>> > > > >>>>
> > >>> > > > >>>> However, you can only have 1 untagged vlan per port. Any other
> > >>> > > > >>>> vlans you want that port to handle must be tagged. Otherwise,
> > >>> > > > >>>> all those packets will be treated as they're part of the
> > >>> > > > >>>> default / native vlan.
> > >>> > > > >>>>
> > >>> > > > >>>> Which seems to be what you have configured. VLAN 1 untagged
> > >>> > > > >>>> pvid on P49 and VLAN 20 untagged pvid on P50 on both switches.
> > >>> > > > >>>>
> > >>> > > > >>>> And that makes me reconsider my earlier statement:
> > >>> > > > >>>>
> > >>> > > > >>>> Switch B
> > >>> > > > >>>> >
> > >>> > > > >>>> > 49 GE49 Enabled Disabled STP Root 20000 128 Forwarding
> > >>> > > > >>>> > 32768-f0:29:29:f5:43:bd 128-97 0 1
> > >>> > > > >>>> > 50 GE50 Enabled Disabled STP Alternate 20000 128 Discarding
> > >>> > > > >>>> > 32768-f0:29:29:f5:43:bd 128-98 0 0
> > >>> > > > >>>> > This one says discarding for port 50, so suspect that is the
> > >>> > > > >>>> > issue.
> > >>> > > > >>>> >
> > >>> > > > >>>>
> > >>> > > > >>>> Normally, the way this is designed and configured when there's
> > >>> > > > >>>> multiple uplinks is to create a LAG or MLT, a trunk group that
> > >>> > > > >>>> carries all VLANs. This provides more bandwidth and failover
> > >>> > > > >>>> redundancy.
> > >>> > > > >>>>
> > >>> > > > >>>> But you haven't said anything about a LAG configuration and if
> > >>> > > > >>>> you don't have any traffic traversing P50, if memory serves
> > >>> > > > >>>> until you take the fibre link down on P49. Is that correct?
> > >>> > > > >>>>
> > >>> > > > >>>> Therefore, if you want this to work you will have to tag vlan
> > >>> > > > >>>> 10, 20 on port 49 and port 50 and you will have only 1 active
> > >>> > > > >>>> uplink over which all VLANs traverse.
> > >>> > > > >>>>
> > >>> > > > >>>> Then in the event of a failure of the active uplink, Spanning
> > >>> > > > >>>> Tree will reconfigure and use P50.
> > >>> > > > >>>>
> > >>> > > > >>>> Does that make sense at all? This is difficult to troubleshoot
> > >>> > > > >>>> and explain over email without the configs.
> > >>> > > > >>>> _______________________________________________
> > >>> > > > >>>> PLUG: https://pdxlinux.org
> > >>> > > > >>>> PLUG mailing list
> > >>> > > > >>>> PLUG at pdxlinux.org
> > >>> > > > >>>> http://lists.pdxlinux.org/mailman/listinfo/plug
> > >>> > > > >>>>
> > >>> > > > >>>
> > >>> > > > >>>
> > >>> > > > >>> --
> > >>> > > > >>>
> > >>> > > > >>> Chuck Hast  -- KP4DJT --
> > >>> > > > >>> I can do all things through Christ which strengtheneth me.
> > >>> > > > >>> Ph 4:13 KJV
> > >>> > > > >>> Todo lo puedo en Cristo que me fortalece.
> > >>> > > > >>> Fil 4:13 RVR1960
> > >>> > > > >>>
> > >>> > > > >>>
> > >>> > > > >>
> > >>> > > >
> > >>> > > >
> > >>> > >
> > >>> >
> > >>> >
> > >>> >
> > >>>
> > >>
> > >>
> > >>
> > >>
> > >
> > >
> > >
> >
> >
>


-- 

Chuck Hast  -- KP4DJT --
I can do all things through Christ which strengtheneth me.
Ph 4:13 KJV
Todo lo puedo en Cristo que me fortalece.
Fil 4:13 RVR1960
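A config audit for the layout Mike C. recommends in the thread above (camera ports GE25-GE36 as access ports in VLAN 20, port 50 as a trunk with VLAN 20 tagged, "switchport default-vlan tagged" removed, native VLAN left at 1), written as an added example that is not from this thread, from PLUG or from Cisco. The "giNN" interface names and the "switchport trunk allowed vlan add" spelling are assumptions, and both sample configs are constructed.

```python
"""Audit an SG200-class running-config against the thread's VLAN 20 camera layout.
Constructed example; 'giNN' names and 'allowed vlan add' spelling are assumed."""
import re

CAMERA_PORTS = [f"gi{n}" for n in range(25, 37)]  # GE25..GE36 on the GUI
TRUNK_PORT = "gi50"
CAMERA_VLAN = 20

def parse_interfaces(config):
    """Map each 'interface X' block to its lower-cased command lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line, re.IGNORECASE)
        if m:
            current = m.group(1).lower()
            blocks.setdefault(current, [])
        elif line.lower() == "exit":
            current = None
        elif line and current is not None:
            blocks[current].append(line.lower())
    return blocks

def audit(config):
    """Return findings; an empty list means the config matches the target."""
    ifaces, findings = parse_interfaces(config), []
    # Camera ports: plain access ports whose PVID is the camera VLAN.
    for port in CAMERA_PORTS:
        cmds = ifaces.get(port, [])
        if "switchport mode access" not in cmds:
            findings.append(f"{port}: camera port is not in access mode")
        if f"switchport access vlan {CAMERA_VLAN}" not in cmds:
            findings.append(f"{port}: access vlan {CAMERA_VLAN} not set")
    # Uplink: trunk mode with the camera VLAN tagged on it.
    trunk = ifaces.get(TRUNK_PORT, [])
    if "switchport mode trunk" not in trunk:
        findings.append(f"{TRUNK_PORT}: uplink is not in trunk mode")
    tagged = re.compile(rf"switchport trunk allowed vlan add .*\b{CAMERA_VLAN}\b")
    if not any(tagged.fullmatch(c) for c in trunk):
        findings.append(f"{TRUNK_PORT}: vlan {CAMERA_VLAN} not tagged on trunk")
    # Leftovers that push untagged frames into the wrong VLAN.
    for port, cmds in ifaces.items():
        for c in cmds:
            if c == "switchport default-vlan tagged":
                findings.append(f"{port}: default-vlan tagged should be removed")
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", c)
            if m and m.group(1) != "1":
                findings.append(f"{port}: native vlan {m.group(1)} should be 1")
    return findings

# Constructed 'before' config mirroring the thread's problem settings.
BAD_CONFIG = """interface gi25
 switchport mode general
 switchport default-vlan tagged
exit
interface gi50
 switchport mode trunk
 switchport trunk native vlan 20
exit"""

# Constructed 'after' config following Mike's recommendation.
GOOD_CONFIG = "\n".join(
    [f"interface gi{n}\n switchport mode access\n switchport access vlan 20\nexit"
     for n in range(25, 37)]
    + [f"interface {TRUNK_PORT}\n switchport mode trunk\n"
       f" switchport trunk allowed vlan add {CAMERA_VLAN}\nexit"])
```

Running audit() over a config dumped from the switch lists every port that still deviates from the target layout, which is quicker than reading the GUI screens port by port.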


