Tag Archives: Trunking

Cisco to HP Switch Trunks

My place of work is essentially a Cisco shop, but we do have occasional pieces from other manufacturers that we need to deal with.

My latest challenge was to run a trunk between a Cisco 2960 and an HP 5412zl modular switch. The HP switch is a big beast with 12 bays, each able to accept various modules, which gives a lot of flexibility. It is also a layer three switch, although we are only using it as an access switch with PoE modules, so we are not doing any routing on it.

The picture below shows the switch chassis with 4 modules inserted and 8 blank slots. In my case I have 9 x 24-port PoE switch modules and 3 blank slots, giving me 224 PoE ports.

[Image: J8700A chassis]

So why am I trunking between these two switches? We have migrated our office network from a number of ISP connections to one MPLS connection. As such we have a standard template for this network configuration that uses a Cisco 2960 as the core switch, which handles DHCP and 4 VLANs.


The VLAN scheme we have is as follows:

  • VLAN501 – Production VLAN allows connection to company internal services at our data center.
  • VLAN502 – Guest VLAN allows guests to use our network for raw internet but blocks traffic to the data center.
  • VLAN504 – VOIP VLAN provides connection for our phones and our UCaaS provider.


The issue with this sort of trunk is that the HP and Cisco switches handle trunks in very different ways. The Cisco config is simple: define your port channel, create your trunk and you are done. In this case we have 4 x 1Gb ports configured as a port channel running LACP.

!
interface Port-channel3
 description Port Channel to HP switch
 switchport trunk native vlan 501
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk native vlan 501
 switchport mode trunk
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/2
 switchport trunk native vlan 501
 switchport mode trunk
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/3
 switchport trunk native vlan 501
 switchport mode trunk
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/4
 switchport trunk native vlan 501
 switchport mode trunk
 channel-protocol lacp
 channel-group 3 mode active
!

The important statement in this configuration is the native VLAN statement on the trunk. Frames in the native VLAN are sent across the trunk without an 802.1Q tag, so that VLAN effectively becomes the default VLAN for untagged traffic on the link.

The HP is a little more complicated, and the key to understanding the HP way of working is to remember one fact: 802.1Q leaves the native VLAN untagged. So when we simply create our trunk on the HP, we get layer two connectivity (CDP etc.) but layer three will not work.

What we have to do is make sure that the native VLAN (if it is anything other than VLAN 1) is untagged on the trunk and that the other VLANs are tagged. Once we do that, we should be able to ping across the VLANs.

!
trunk B17,B19,B21,B23 Trk1 LACP
!
vlan 501
 name "Data"
 untagged Trk1
!

B17, B19, B21 and B23 are the ports we are using for the other end of the trunk, and Trk1 is the trunk group.

Of course all other VLANs must still be tagged in order to pass traffic correctly.
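As an added illustration (not part of the original post), the following Python models both ends of the trunk described above: the Cisco side sends the native VLAN untagged and tags everything else, and the HP side files each frame under whichever VLAN is untagged or tagged on Trk1. The MAC addresses and VLAN sets are constructed; the mismatch cases show why an HP left at the default (VLAN 1 untagged) comes up at layer two but never answers a ping in VLAN 501.

```python
import struct

TPID_8021Q = 0x8100
DST = bytes.fromhex("ffffffffffff")   # constructed sample MAC addresses
SRC = bytes.fromhex("001122334455")

def build_frame(vlan, native_vlan, payload=b"ping"):
    """Sender side of an 802.1Q trunk (the Cisco 'switchport trunk native vlan'
    view): frames in the native VLAN leave untagged, all others get a 4-byte tag."""
    if vlan == native_vlan:
        return DST + SRC + b"\x08\x00" + payload
    tci = vlan & 0x0FFF                  # priority 0, DEI 0, 12-bit VLAN ID
    return DST + SRC + struct.pack("!HH", TPID_8021Q, tci) + b"\x08\x00" + payload

def classify_frame(frame, untagged_vlan, tagged_vlans):
    """Receiver side (the HP 'untagged Trk1' / 'tagged Trk1' view): the VLAN the
    frame is placed in, or None if the trunk is not a member of that VLAN."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return untagged_vlan             # no tag: whatever VLAN is untagged here
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid if vid in tagged_vlans else None

def hp_view(cisco_native, cisco_vlans, hp_untagged, hp_tagged):
    """Map each VLAN the Cisco side sends to the VLAN the HP side files it under."""
    return {v: classify_frame(build_frame(v, cisco_native), hp_untagged, hp_tagged)
            for v in cisco_vlans}

def trunk_mismatches(cisco_native, cisco_vlans, hp_untagged, hp_tagged):
    """VLANs whose traffic arrives somewhere other than where the sender meant."""
    view = hp_view(cisco_native, cisco_vlans, hp_untagged, hp_tagged)
    return {v: seen for v, seen in view.items() if seen != v}

if __name__ == "__main__":
    vlans = {501, 502, 504}
    # As in the post: native 501 on the Cisco, VLAN 501 untagged on Trk1, rest tagged.
    print(trunk_mismatches(501, vlans, 501, {502, 504}))        # {}
    # HP left at its default (VLAN 1 untagged, 501 tagged): the link comes up at
    # layer two, but VLAN 501 traffic lands in VLAN 1 and no ping gets answered.
    print(trunk_mismatches(501, vlans, 1, {501, 502, 504}))     # {501: 1}
    # VLAN 504 forgotten on Trk1: its tagged frames are simply dropped.
    print(trunk_mismatches(501, vlans, 501, {502}))             # {504: None}
```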


A side note about VLANs

I was going over a tricky configuration with a co-worker today concerning VLANs and IP addressing.

We have a switch (Cisco 2960) connected to a router. The router is providing 4 VLANs via a single port, and we want to have all 4 VLANs present, regardless of what is plugged into the switch.

Now we know from our studies that we can create all the VLANs we want in global configuration mode, BUT those VLANs are not visible until they are active, and to be active they must have an active port in the VLAN.

[Image: VLANs]

So here is where it gets to be fun. I decided to recreate the problem in my home lab. I don't have a 2960 lying around, but I do have a 2950 and a 3550, so I patched them together as shown. The trunk connecting the two switches is a 3-port trunk.

With an IP address set on each VLAN I can ping from the 3550 to the router and vice versa, but I cannot ping the 2950 except on VLAN 501 (designated the native VLAN).

So why is this? I can ping everything except VLAN 502, 503 and 504 on the 2950.

Well, the answer is simple: the 2950 is a simple layer two switch and can only have one IP address for management purposes. The 3550 is a much more sophisticated layer three switch and can have one IP address per VLAN.

The 2950 shuts down the VLAN interfaces that have IP addresses, except for the native VLAN, and they show as administratively down too.

s2950#sh ip int br
Interface        IP-Address      OK? Method Status                Protocol
Vlan1            unassigned      YES NVRAM  administratively down down
Vlan501          172.17.35.51    YES manual up                    up
Vlan502          10.100.35.51    YES manual administratively down down
Vlan503          172.18.35.51    YES manual administratively down down
Vlan504          172.30.35.51    YES manual administratively down down
FastEthernet0/1  unassigned      YES unset  down                  down
FastEthernet0/2  unassigned      YES unset  down                  down
FastEthernet0/3  unassigned      YES unset  down                  down

Guess I need to buy another 3550!

BTW – just for fun, here is the router Fast Ethernet port configuration, and this is a great example of why Router on a Stick is so useful!

[Image: VLANs2 – router Fast Ethernet port configuration]


VTP Pruning

So what is VTP pruning and what do we do with it?

Remember that VTP is the VLAN Trunking Protocol, and it allows the forwarding of frames from all VLANs to routers and other switches. In the last post we went into some detail about trunks: how they work and how we configure them.

There is a gotcha though and here is where VTP Pruning comes in.

The reason we have VLANs to start with is to limit the scope of broadcasts and multicasts, thus reducing the load on switches, routers and hosts alike. BUT, if we then aggregate everything at the trunk, all those broadcasts and multicasts get funneled through the trunk, making it a potential source of congestion.

[Image: VTP pruning_2]

But what if we filter the VLAN traffic based on whether the device at the other end of the trunk actually needs the broadcast traffic?

[Image: VTP pruning_1]

With VTP pruning on, we get a lot less traffic on the trunk, and this is good.

VTP pruning is off by default, and to turn it on all we need do is go into config mode and issue the command vtp pruning.

Note: We can't prune the default VLAN (VLAN 1) or VLANs 1002-1005.

Also, we cannot enable pruning on a VTP client.


Trunks

In the last post we looked at VLANs and switch ports. One of the details we learned is that an access port can only exist in one VLAN, so if we want to connect multiple VLANs from one or more switches to a router, we have to use trunks. Trunks can forward traffic from all VLANs.

[Image: trunk]

You can see in the image above that if the connection to the router were an access port, it could only be in one VLAN. If we make it a trunk, all three VLANs can reach the router from the switch. So switch ports can be either an access port or a trunk port.

We have looked at how to configure access ports, but let's take a look at configuring trunk ports.

Note: you can’t actually turn off trunk mode, but if you change the mode to access, it is no longer trunking.

show interface trunk – shows the ports used for trunking and gives details about the trunk mode.

To configure trunking on a per-port basis, we use switchport mode:

  • access – turns off trunk mode and puts the port into access mode
  • dynamic auto – will trunk, but the trunk must be initiated by the remote port
  • dynamic desirable – will try to trunk if the remote port is willing
  • trunk – forces the port to trunk mode

Alongside the mode, switchport nonegotiate turns off DTP (Dynamic Trunking Protocol) to reduce overhead and prevent dynamic trunk changes.

So now that we have trunks connecting our switches and routers, we have to have the switches understand each other's VLANs. Also, some VLANs may span two or more switches, and we don't want to be configuring all that manually. There is a mechanism for the switches to communicate all of this automatically, and it is called VTP (VLAN Trunking Protocol).

VLAN Trunking Protocol (VTP)

The first thing we should note about VTP is it is Cisco proprietary.

VTP Domains – A named area encompassing a number of switches. We can configure domains on a per switch basis. If VTP is running, there must be a domain name set. Domain names are case sensitive – beware.

Within a VTP domain the switches can be configured in one of 3 VTP modes:

  • Server – Can create, modify or delete VLANs.
  • Client – can receive VLAN info but cannot change VLANs
  • Transparent – can forward VTP advertisements, but will not process the info. This mode has locally significant VLANs only; the VLAN info is not passed to other servers or clients.

Note: in all cases ports can be added to or removed from a VLAN.

Communication from server to client and server to server is achieved through the use of the Summary Advertisement. This is a data packet, sent every 5 minutes or immediately upon a change.

A VTP server stores the VLAN config in NVRAM, so on reload, the info is immediately available. A client however does not and must get its VLAN config from a summary advertisement.

VTP Revision Numbers

Every time a VTP server sends out a summary advertisement, it attaches a configuration revision number. This is to ensure that the information received by the other servers in our switch network is the latest and greatest. When a summary is received by another server, the server compares the incoming revision number with its own and if the incoming is greater, it uses that info. If it is not, it drops the packet, and does not forward it.
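To tie together the three VTP modes listed above and the revision-number rule in this section, here is an added Python model (not from the original post, and a simplification of real VTP): a constructed chain of a server, a transparent switch and a client in one domain, where each switch applies the domain check, the transparent forward-without-processing rule and the greater-revision-wins comparison to a summary advertisement.

```python
from dataclasses import dataclass, field

@dataclass
class VtpSwitch:
    name: str
    mode: str                 # "server", "client" or "transparent"
    domain: str               # case sensitive, exactly as the post warns
    revision: int = 0
    vlans: set = field(default_factory=set)
    neighbors: list = field(default_factory=list)   # who we forward advertisements to
    log: list = field(default_factory=list)          # (neighbor, result) pairs

    def receive_summary(self, adv):
        """Apply the rules from the post to one summary advertisement."""
        if adv["domain"] != self.domain:
            return "dropped: wrong domain"
        if self.mode == "transparent":
            self.forward(adv)            # passed on, but the VLAN info is not used
            return "forwarded: transparent"
        if adv["revision"] <= self.revision:
            return "dropped: stale revision"   # not greater: drop and do not forward
        self.revision = adv["revision"]
        self.vlans = set(adv["vlans"])
        self.forward(adv)
        return "accepted"

    def forward(self, adv):
        for n in self.neighbors:
            self.log.append((n.name, n.receive_summary(adv)))

def server_change(server, vlans):
    """A server that creates, modifies or deletes VLANs bumps the configuration
    revision and sends a summary advertisement immediately."""
    assert server.mode == "server", "only a server advertises VLAN changes"
    server.revision += 1
    server.vlans = set(vlans)
    adv = {"domain": server.domain, "revision": server.revision, "vlans": sorted(vlans)}
    server.forward(adv)
    return adv

if __name__ == "__main__":
    # Constructed topology: server -> transparent -> client, all in domain "Corp".
    s1 = VtpSwitch("S1", "server", "Corp")
    t1 = VtpSwitch("T1", "transparent", "Corp", vlans={10})
    c1 = VtpSwitch("C1", "client", "Corp")
    s1.neighbors, t1.neighbors = [t1], [c1]
    server_change(s1, {501, 502, 504})
    print(c1.revision, sorted(c1.vlans), sorted(t1.vlans))   # 1 [501, 502, 504] [10]
```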

VTP Password

We can authenticate our VTP info using the command vtp password. As always, the password is case sensitive. Check to make sure you have service password-encryption on so that passwords are not left in clear text; however, this is the one password that does not get encrypted. Yeah – maybe in the next version of VTP.

Also be aware that if we set a password, we have to configure that password on all the switches in the VTP domain.

VTP Pruning

One of the problems with trunks is that they forward broadcast and multicast packets from all VLANs on that switch, regardless of whether the destination switch even has those VLANs. This of course is a big waste of bandwidth and resources, so how do we limit it? We have a whole post about that…
