4

This one's got me banging my head against a wall... likely a simple answer, but I've tried everything I know. I heard the internet's a smart place. :)

Have an SG300-28MPP connected to a client's Catalyst (unsure of model, but it's recent). Have LAG1 (ports 11-12) set up to pass VLAN 75; works great. Port 25 on the SG300 is configured as a trunk, with VLANs 72 and 73 tagged.

Client's switch is configured with 75 tagged on the LAG, 72 and 73 tagged on the single-link trunk. No LACP on the LAG.

Something has changed on my end that causes port 25 to pass no traffic on either VLAN. (Within the last 24 hours I've been resolving a multicast issue... can't figure out what I may have done there that would affect this.)

Config appears below, with unrelated ports and security stuff removed.

Many thanks for any wisdom you can lend!

```
config-file-header
switch0001
v1.4.1.3 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
bridge multicast filtering
vlan database
default-vlan vlan 71
exit
vlan database
vlan 1,61,72-75
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
mac access-list extended "Excess Traffic Filter"
exit
hostname OR-AV-SW-1-2
no passwords complexity enable
username cisco password encrypted 3c0af1ccfaed6250e3fd6106e00561467fb746f3 privilege 15
ip telnet server
!
interface vlan 1
 no ip address dhcp
!
interface vlan 61
 name BGM
!
interface vlan 71
 ip address 192.168.1.3 255.255.255.0
!
interface vlan 72
 name Control
 ip address 192.168.10.3 255.255.255.0
!
interface vlan 73
 name Audio
 ip address 192.168.20.3 255.255.255.0
 bridge multicast mode ipv4-group
 bridge multicast ipv6 mode ip-group
 bridge multicast forward-all add gi27-28
 ip igmp query-interval 30
!
interface vlan 74
 name Video
 ip address 192.168.30.3 255.255.255.0
 ip igmp query-interval 30
!
interface vlan 75
 name Presenter
 ip address 192.168.40.3 255.255.255.0
!
// ports 1-10 omitted
!
interface gigabitethernet11
 description "WLAN A-1"
 spanning-tree disable
 channel-group 1 mode on
 switchport mode general
 switchport general pvid 4095
!
interface gigabitethernet12
 description "WLAN A-2"
 spanning-tree disable
 channel-group 1 mode on
 switchport mode general
 switchport general pvid 4095
!
// ports 13-24 omitted
!
interface gigabitethernet25
 description "WLAN B-C"
 spanning-tree disable
 switchport trunk allowed vlan add 72-73
!
//ports 26-28 omitted
!
interface Port-channel1
 description "WLAN A Uplink"
 spanning-tree disable
 switchport mode general
 switchport general allowed vlan add 75 tagged
 switchport general pvid 4095
!
exit
ip igmp snooping
ip igmp snooping vlan 73
ip igmp snooping vlan 73 immediate-leave
ip igmp snooping vlan 74
ip igmp snooping vlan 74 immediate-leave
ip igmp snooping vlan 73 static 224.0.0.251 interface gi1,gi3,gi5,gi9,gi25,gi27-28
ip igmp snooping vlan 73 static 224.0.1.129 interface gi1,gi3,gi5,gi9,gi25,gi27-28
ip igmp snooping vlan 73 static 239.255.255.250 interface gi1,gi3,gi5,gi9,gi25,gi27-28
ip igmp snooping vlan 73 static 239.255.255.255 interface gi1,gi3,gi5,gi9,gi25,gi27-28
no ip igmp snooping querier
ip igmp snooping vlan 73 querier version 3
ip igmp snooping vlan 73 querier
ip igmp snooping vlan 74 querier version 3
ip igmp snooping vlan 74 querier
ip default-gateway 192.168.10.1
encrypted ip ssh-client key rsa key-pair
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: RSA Private Key
***
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
***
---- END SSH2 PUBLIC KEY ----
.
encrypted ip ssh-client key dsa key-pair
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: DSA Private Key
***
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
***
---- END SSH2 PUBLIC KEY ----
.
encrypted crypto key import rsa
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: RSA Private Key
***
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
***
---- END SSH2 PUBLIC KEY ----
.
encrypted crypto key import dsa
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: DSA Private Key
***
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
***
---- END SSH2 PUBLIC KEY ----
.
encrypted crypto certificate 1 import
-----BEGIN RSA ENCRYPTED PRIVATE KEY-----
***
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----
***
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
.
encrypted crypto certificate 2 import
-----BEGIN RSA ENCRYPTED PRIVATE KEY-----
***
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----
***
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
.
```
5
  • First, you should never, ever disable spanning tree on a switch-to-switch connection, especially if you have multiple connections between the switches. You are setting yourself up for a very big problem. Next, you should edit the question to include the configuration for the other switch. Determining what this configuration should look like depends on what is configured on the other switch. Commented Jul 20, 2016 at 19:16
  • As described below, far side config is available - I don't own that device; client is unavailable to ask. Will update as I have a chance. Commented Jul 21, 2016 at 20:58
  • Fairly sure the issue is mismatched native VLAN on the respective ports. And yes, I know full well STP needs to be on - it was off here for troubleshooting (theory being if I see a storm develop I know the links are working. :) ) I once brought a convention hotel to its knees by missing an STP config. Commented Jul 21, 2016 at 21:00
  • Without knowing how the other switch is configured, you can't be sure your configuration is correct. Even if you have what should be a correct configuration, it may not work because the other side is configured incorrectly. Commented Jul 21, 2016 at 21:06
  • Even with mismatched native VLAN numbers, traffic will pass on the native VLAN, but CDP will periodically give you a native vlan mismatch error. This is really cosmetic, and it is a pain because it keeps popping up, but it doesn't actually interfere with the traffic. Commented Jul 21, 2016 at 21:12
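
The spanning-tree warning in the first comment can be checked mechanically against a saved config. The following is an added example, not part of the original question or comments: it parses a trimmed excerpt of the posted interface stanzas and lists the VLAN-carrying or LAG-member ports that have spanning tree disabled. The function names are hypothetical.

```python
import re

# Trimmed excerpt of the question's config (description and pvid lines dropped).
CONFIG = """\
interface gigabitethernet11
 spanning-tree disable
 channel-group 1 mode on
 switchport mode general
!
interface gigabitethernet25
 spanning-tree disable
 switchport trunk allowed vlan add 72-73
!
interface Port-channel1
 spanning-tree disable
 switchport mode general
 switchport general allowed vlan add 75 tagged
!
"""

def expand(vlans):  # "1,61,72-75" -> [1, 61, 72, 73, 74, 75]
    out = set()
    for part in vlans.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return sorted(out)

def parse_interfaces(text):
    """Map interface name -> tagged/allowed VLANs, LAG membership, STP state."""
    ports = {}
    for stanza in re.split(r"(?m)^!\s*$", text):
        lines = [l.strip() for l in stanza.splitlines() if l.strip()]
        if not lines or not lines[0].startswith("interface "):
            continue
        info = {"vlans": [], "lag": False, "stp_off": False}
        for cmd in lines[1:]:
            m = re.match(r"switchport (?:trunk|general) allowed vlan add (\S+)", cmd)
            if m:
                info["vlans"] += expand(m.group(1))
            info["lag"] |= cmd.startswith("channel-group ")
            info["stp_off"] |= cmd == "spanning-tree disable"
        ports[lines[0].split(None, 1)[1]] = info
    return ports

def stp_disabled_uplinks(text):
    """Interfaces carrying VLANs over a trunk/general port or LAG with STP off."""
    return sorted(name for name, p in parse_interfaces(text).items()
                  if p["stp_off"] and (p["vlans"] or p["lag"]))

print(stp_disabled_uplinks(CONFIG))
```
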

2 Answers

2

"Port 25 on the SG300 is configured as a trunk, with VLANs 72 and 73 tagged."

This does not make sense to me. Frames are tagged based on the access port they came from, not by a trunk port.

default-vlan vlan 71 why? Why did you change this from default of vlan 1? Put that back / undo that (say default-vlan default).

All the physical interfaces that you show us are described as WLAN. We need to see the trunk physical interfaces.

4
  • To clarify... the port is configured as a trunk, and accepts frames on 72 and 73 tagged. 71 is there 'cause the switch won't let me configure the trunk without being a member of a VLAN with untagged frames. VLAN 71 is the default in this setup; everything's worked fine with 71 in place. The interfaces are described as WLAN because they connect, via my client's infrastructure, to access points throughout the building. Commented Jul 20, 2016 at 19:38
  • Post/add show interface for each trunk interface into your question. Also the configs of those interfaces. Commented Jul 20, 2016 at 19:41
  • If by "we need to see the trunk physical interfaces" you mean you need to see the far side configuration, that's not available at the moment - client is out of touch for a couple of days. As described, far side ports are members of 72 and 73, both tagged. Commented Jul 20, 2016 at 19:42
  • I'll work on a show int for everything shortly... Commented Jul 20, 2016 at 19:42
-1

Make sure native VLANs match, or else the links won't form, even though lights are blinking...
