Question

VLAN problem with remote site on Metro Ethernet

Asked by: CityofKerrville

Hello EE,

Many of you have been following my posts pertaining to a major upgrade to Metro Ethernet.  Last Thursday evening, we moved forward with 4 of our sites.  Everything went very smoothly until we got to SITE D.  This is when we ran across what we believe to be a VLAN tag related issue.  Here is the rundown of what we did.

SITE A:
We installed a Cisco 2821 router in our main data center.  This new router is touching the metro cloud and we assigned the metro port the address 10.10.10.1.  Another port on this device is connected back to our existing network infrastructure.  Remote sites are to be migrated from the existing network to the fiber one at a time.  All routes are good and tested.  The Router is up and routing traffic right now.

SITE B:
We installed a Cisco 2811 router in the data center at our Police Station.  This router is touching the metro cloud and has an address of 10.10.10.2.  The other port on this device is connected to the switches that contain all the users and server on the 192.168.111.0 subnet.  Addresses are statically assigned.  All routes are good and tested.  The Router is up and routing traffic right now.

SITE C:
We installed a Cisco 3560 switch on this site.  L2 routing capabilities are enabled.  The switch is touching the metro cloud and has an address of 10.10.10.3.  There is a VLAN20 interface with the address 192.168.109.1.  All the users connected to this switch are assigned to VLAN20, and addresses are assigned through DHCP.  All routes are good and tested.

SITE D:
We installed a Cisco 3560 switch on this site.  The switch and the configuration are identical to the switch at SITE C, with the exception of the hostname and the IP addresses.  The switch is touching the metro cloud and has an address of 10.10.10.4.

Here is where the problem begins.  When I plugged it in and did a few housekeeping procedures (i.e. removed erroneous routes), interface VLAN20 would not come up no matter what I tried.  From the switch console I could ping everything on the network, but nobody else could see past the metro port at site D.  Here are some of the steps I took to resolve the issue.

blew away the vlan20 interface and started over - NO CHANGE
created a new vlan interface (VLAN220) and assigned the network ip address to that - NO CHANGE
reloaded the config from our TFTP server - NO CHANGE
reloaded the config from the switch at SITE C and changed hostname, ip's, etc - NO CHANGE
replaced with a whole different switch - NO CHANGE

Nothing I did would bring that vlan interface up.  Finally, out of desperation and pure exhaustion, at 11:45, I decided to assign the network ip to the vlan1 interface and what do you know, all the ports on the switch that were lit up amber all turned green and all the pc's at SITE D started grabbing DHCP.  We decided to leave it alone for now and research what went wrong.  So my question is this.

Why would the VLAN20 interface not come online?  
Did it have something to do with an active VLAN20 running at site C?  

An earlier post here suggests that the switches are oblivious to the VLANS on other switches in a setup like this.  

What more should I be looking at?  
What are the dangers of running traffic on VLAN1?  

The hard part is done.  Now we need to work out the kinks before we move the other 7 sites over.  I have attached a diagram and the configs I want to use for reference.  

~~~~~~~~~~~~~~~~~~~~~SITE A~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CHR1
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-20.T1.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 *****
enable password 1*****
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
no ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
username netmaster privilege 15 secret 5 *****
archive
 log config
  hidekeys
!
!
interface GigabitEthernet0/0
 description VLAN30 SERVERS
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description METRO ETHERNET
 ip address 10.10.10.1 255.255.255.240
 ip helper-address 192.168.101.215
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description VLAN10 MGMT-IT
 switchport access vlan 10
!
interface FastEthernet0/0/1
 description ASA 5510 FIREWALL
!
interface FastEthernet0/0/2
 description VLAN20 CITY HALL
 switchport access vlan 20
!
interface Serial0/1/0
 description T1 DIRECT LINK AIRPORT
 ip address 192.168.1.25 255.255.255.248
!
interface FastEthernet0/2/0
 description LINK TO OLD NETWORK
 ip address 192.168.101.5 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan10
 description MGMT DEVICES CONNECTED TO FE0/0/0
 ip address 192.168.96.1 255.255.255.0
!
interface Vlan20
 description CITY HALL DEVICES CONNECTED TO FE0/0/2
 ip address 192.168.100.1 255.255.255.0
!
router eigrp 1
 network 192.168.96.0
 network 192.168.100.0
 network 192.168.101.0
 network 192.168.1.0
 network 10.10.10.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/2/0
ip route 192.168.96.0 255.255.255.0 FastEthernet0/0/0
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/2
ip route 192.168.101.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.102.0 255.255.255.0 192.168.101.9
ip route 192.168.103.0 255.255.255.0 192.168.101.9
ip route 192.168.114.0 255.255.255.0 192.168.101.9
ip route 192.168.104.0 255.255.255.0 10.10.10.5
ip route 192.168.105.0 255.255.255.0 10.10.10.6
ip route 192.168.106.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.108.0 255.255.255.0 Serial0/1/0
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.110.0 255.255.255.0 10.10.10.4
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.8
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password *****
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 password *****
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
 
~~~~~~~~~~~~~~~~~~~~~SITE B~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PDR1
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****
enable password *****
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
no ip cef
!
!
!
!
!
interface FastEthernet0/0
 description VLAN100 traffic from CHR1
 ip address 10.10.10.2 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description KPD SWITCH
 ip address 192.168.111.1 255.255.255.0
 duplex half
 speed auto
 no mop enabled
!
router eigrp 1
 network 10.10.10.0
 network 192.168.111.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.96.0 255.255.255.0 10.10.10.1
ip route 192.168.100.0 255.255.255.0 10.10.10.1
ip route 192.168.101.0 255.255.255.0 10.10.10.1
ip route 192.168.102.0 255.255.255.0 10.10.10.1
ip route 192.168.103.0 255.255.255.0 10.10.10.1
ip route 192.168.114.0 255.255.255.0 10.10.10.1
ip route 192.168.104.0 255.255.255.0 10.10.10.5
ip route 192.168.105.0 255.255.255.0 10.10.10.6
ip route 192.168.106.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.108.0 255.255.255.0 10.10.10.1
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.110.0 255.255.255.0 10.10.10.4
ip route 192.168.111.0 255.255.255.0 FastEthernet0/1
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.8
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password *****
 login
!
scheduler allocate 20000 1000
!
end
 
~~~~~~~~~~~~~~~~~~~~~SITE C~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname COURT
!
enable secret 5 *****
enable password *****
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing 
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
~~~~~~~~INTERFACES TRUNCATED
!
interface FastEthernet0/24
 description VLAN20 traffic from CHR1
 no switchport
 ip address 10.10.10.3 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MGMT ACCESS
 ip address 192.168.96.51 255.255.255.0
!
interface Vlan20
 description COURT
 ip address 192.168.109.1 255.255.255.224
 ip helper-address 192.168.101.215
!
router eigrp 1
 network 10.10.10.0
 network 192.168.96.0
 network 192.168.109.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.96.0 255.255.255.0 10.10.10.1
ip route 192.168.100.0 255.255.255.0 10.10.10.1
ip route 192.168.101.0 255.255.255.0 10.10.10.1
ip route 192.168.102.0 255.255.255.0 10.10.10.1
ip route 192.168.103.0 255.255.255.0 10.10.10.1
ip route 192.168.114.0 255.255.255.0 10.10.10.1
ip route 192.168.104.0 255.255.255.0 10.10.10.5
ip route 192.168.105.0 255.255.255.0 10.10.10.6
ip route 192.168.106.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.108.0 255.255.255.0 10.10.10.1
ip route 192.168.110.0 255.255.255.0 10.10.10.4
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.8
no ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password *****
 login
line vty 5 15
 password *****
 login
!
end
 
~~~~~~~~~~~~~~~~~~~~~SITE D~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname KSP
!
enable secret 5 *****
enable password *****
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
~~~~~~~~~~~~~INTERFACES TRUNCATED
!
interface FastEthernet0/24
 description METRO ETHERNET PORT
 no switchport
 ip address 10.10.10.4 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MGMT ACCESS
 ip address 192.168.96.54 255.255.255.0
!
!
interface Vlan20
 description KSP
 ip address 192.168.110.1 255.255.255.224
 ip helper-address 192.168.101.215
!
router eigrp 1
 network 10.10.10.0
 network 192.168.96.0
 network 192.168.110.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.96.0 255.255.255.0 10.10.10.1
ip route 192.168.100.0 255.255.255.0 10.10.10.1
ip route 192.168.101.0 255.255.255.0 10.10.10.1
ip route 192.168.102.0 255.255.255.0 10.10.10.1
ip route 192.168.103.0 255.255.255.0 10.10.10.1
ip route 192.168.114.0 255.255.255.0 10.10.10.1
ip route 192.168.104.0 255.255.255.0 10.10.10.5
ip route 192.168.105.0 255.255.255.0 10.10.10.6
ip route 192.168.106.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.108.0 255.255.255.0 10.10.10.1
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.8
no ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password *****
 login
line vty 5 15
 password *****
 login
!
end

                                  

This Question has been solved and asker verified.
Asked On: 2008-11-10 at 10:22:14 (ID 23891845)
Tags: VLAN, Cisco, Metro Ethernet
Topics: Network Design & Methodology, Network Routers
Participating Experts: 1
Points: 0
Comments: 18


Answers

 

by: giltjr Posted on 2008-11-10 at 10:38:54 ID: 22924176

What do you get if you issue show vtp status?

 

by: CityofKerrville Posted on 2008-11-10 at 11:19:46 ID: 22924544

"What do you get if you issue show vtp status?"

KSP#sh vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 192.168.110.1 on interface Vl1 (lowest numbered VLAN interface found)
KSP#

                                              

 

by: CityofKerrville Posted on 2008-11-10 at 11:21:55 ID: 22924562

Above was SITE D.

Below is SITE C

COURT#sh vtp stat
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x50 0x19 0x94 0x2C 0x0A 0x69 0x61 0x74
Configuration last modified by 0.0.0.0 at 3-1-93 00:12:32
Local updater ID is 192.168.109.1 on interface Vl20 (lowest numbered VLAN interface found)
COURT#
                                              

 

by: giltjr Posted on 2008-11-10 at 11:51:47 ID: 22924881

try issuing:

 set vlan 20 state active

Now, I have to think about it, but since the 3560's are L2/L3 devices if VLAN20 on both switches are not part of the same VLAN, then you should either have each of them have different VLAN's, or have them be part of two different VTP Domains.

I will need to look at your configs some more as something does not seem right about this.

 

by: CityofKerrville Posted on 2008-11-10 at 12:03:31 ID: 22925029

try issuing:

set vlan 20 state active

On which device should I do this?

SITE C is running on VLAN20 without fault

SITE D would not come up on VLAN20 or even on VLAN40 and is now running on VLAN1.

 

by: giltjr Posted on 2008-11-10 at 12:28:09 ID: 22925236

Let me look at your configs some more.

Do you want Site C and Site D to be on the same VLAN and have traffic "switched" between the two?  Or do you want them to be separate VLAN's and have all traffic routed between the two?

 

by: CityofKerrville Posted on 2008-11-10 at 12:31:00 ID: 22925254

I would like them to be on the same VLAN and will want to add additional sites to the same VLAN in the future.

 

by: giltjr Posted on 2008-11-10 at 13:03:40 ID: 22925510

What is the bandwidth on the Metro networks?

You do realize that means that all broadcast traffic will be sent across the metro network to all sites?

I would suggest that you keep each site as its own VLAN (meaning each site will be its own IP subnet) so that you don't eat up the WAN traffic with broadcasts.

Unless there is some reason you want to do that.  It will be 4-5 hours before I can respond again.

 

by: CityofKerrville Posted on 2008-11-10 at 13:08:08 ID: 22925545

Each site is on its own ip subnet.  The purpose of the VLAN is to limit access to sensitive areas such as Police Department and Water Treatment Plants.

 

by: giltjr Posted on 2008-11-10 at 19:46:33 ID: 22927664

I agree that each site needs to be on its own subnet.  However, they also need to be on different VLAN's.

Even with each site having their own VLAN's I would also suggest that each site be part of its own VTP domain.  This way VLAN information is not exchanged between the switches at different sites.

The problem you are most likely having is that the 3560s are L2 and L3 devices and so they are exchanging L2 VTP information, whereas it looks like the other sites have L3 only devices, so no VTP information is exchanged.

 

by: CityofKerrville Posted on 2008-11-11 at 06:28:21 ID: 22930713

Ok, let's say for the sake of argument that we want to put everything on the same VTP domain?  Am I correct in assuming that we need to have only one VTP server?  How would we go about implementing this?  Does our router at SITE A house the VLAN database?

Our ultimate goal is to secure the sensitive areas without locking us (meaning IT) out of anything.  Here is a diagram that best illustrates our end goal.

 

by: CityofKerrville Posted on 2008-11-11 at 06:30:03 ID: 22930739

Right now we are only dealing with SITE A, B, C, and D.  My assumption is that once we have the configuration right, we should just be able to plug in each site without issue.

 

by: CityofKerrville Posted on 2008-11-11 at 06:45:20 ID: 22930902

Here is the show vtp status for our main router at SITE A.  I believe this one should be our VTP server.

CHR1#en
CHR1#sh vtp stat
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 52
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 192.168.96.1 on interface Vl10 (lowest numbered VLAN interface found)
CHR1#

                                              

 

by: giltjr Posted on 2008-11-11 at 07:39:01 ID: 22931464

If you wanted to have a single VTP domain, then yes, you would want to have only one VTP server.

However, you stated you wanted to route between sites across the metro network.  So VLAN20 at "SITE1" will NOT be the same VLAN20 at "SITE2".  This could be very confusing if you were to do this.  The connections to the metro network are not trunks, but are just "normal" single VLAN connections, except possibly in the sites where you have L3 switches.

From your diagram it looks like you want to have VLAN20 at 10 or so sites.  However this will not be a single VLAN20, but 10 independent VLAN20's.  That would be very confusing, since normally VLAN's are a single broadcast domain and traffic within a VLAN is switched, not routed.

You should also have problems with your management VLAN10.  Since all of the switches/routers management IP addresses are within the same subnet, they will assume they can communicate directly with each other, no routing involved.  However, since the connections to the metro network are access mode ports, there is no switching, only routing.  So you will have problems getting to the management IP addresses.

 

by: CityofKerrville Posted on 2008-11-11 at 09:27:16 ID: 22932554

More confusion is certainly not needed.  Assuming we put each site on separate VLANS, can you offer up a suggested solution that meets some of the following criteria?

All sites able to talk to data center
All sites accessible to IT
Secure segregation of specific site (still keeping management access)

That would make 13 VLANS,
1 - Management (IT Workstations)
1 - Servers or Data Center (or should these be kept on the native?)
3 - Secure (only accessible to the user assigned to that VLAN, Servers, and Management)
8 - Regular users (workstations and printers)

I have a tendency to overcomplicate things, so if there is an easier way to do what we want done please help me out.

Speaking of over complicating, I have attached new diagram.

 

by: giltjr Posted on 2008-11-13 at 06:39:17 ID: 22949986

I have not forgotten about this.  I'm just thinking things through to make sure that I'm not overlooking things.  One suggestion is that you do NOT put your servers on the native VLAN.  Nothing should be put on native VLAN if at all possible.

Part of what makes this a bit complicated is that typically, when you have a WAN, each site is considered a totally separate site and you can use the same VLAN number at each site.  VLAN information is not transmitted at all when using only routers.

However, when using Metro Ethernet it's not really a WAN, it is more like a LAN.  So instead of considering each site as a standalone network, you have to treat it as if it were one building and segmenting the whole building into smaller LAN's and that the "back bone" connection (the Metro Ethernet) is 'slow' and has high latency so you don't want to do L2 functions across the "back bone".

If you look at Cisco's 3 layer network architecture you will notice that they have access layer, distribution layer, and the core layer.  At the core they strongly suggest that you route (L3) between cores and to/from the distribution layer.  At the distribution layer you switch between any distribution layers that are directly connected to each other and switch between the access layer.

In your setup you really don't have a core layer.  You are interconnecting the distribution layer (the switches/routers at each site) with each other.  So you want to route there to reduce traffic that is crossing over the Metro network.  You also are mixing switches and routers at the distribution layer which gives you a mixture of capabilities (L2/L3 switching vs. L3 routing only) which means you need to account for VTP on the devices that support it.

 

by: CityofKerrville Posted on 2008-11-13 at 12:17:41 ID: 22954019

What would be the outcome if I turned VTP off altogether?  I understand that if I do shut down VTP, VLAN20 at SITE C will never know that SITE also has a VLAN20.  I'm ok with that as long as everyone can talk to the servers and to the internet.  For the sake of argument, let's say I turn off VTP on all devices.  Will this fix the current problem?

 

by: CityofKerrville Posted on 2008-11-18 at 10:56:29 ID: 22987603

Resolved on my own by doing the following

1.     Set VTP mode to Transparent at each site
2.     Assigned a Unique VTP Domain Name to each site
3.     Assigned each site to their own VLAN and Subnet

Put SITE E in service today with no problems.  Will be making the change to the existing site after hours.

Thanks for the help.
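
The three steps in the resolution above can be verified from `show vtp status` output plus a per-site VLAN/subnet plan. The audit below is an added example, not code from the thread: the "before" outputs are trimmed from the KSP and COURT posts above, while the "after" outputs, the domain names `KSP-SITE` and `COURT-SITE`, and the per-site VLAN numbers are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# "Before" outputs: trimmed from the KSP (SITE D) and COURT (SITE C) posts.
KSP_BEFORE = """\
Configuration Revision          : 0
VTP Operating Mode              : Server
VTP Domain Name                 :
Local updater ID is 192.168.110.1 on interface Vl1 (lowest numbered VLAN interface found)
"""
COURT_BEFORE = """\
Configuration Revision          : 4
VTP Operating Mode              : Server
VTP Domain Name                 :
Local updater ID is 192.168.109.1 on interface Vl20 (lowest numbered VLAN interface found)
"""
# "After" outputs: constructed for illustration (domain names and Vl40 are assumed).
KSP_AFTER = """\
Configuration Revision          : 0
VTP Operating Mode              : Transparent
VTP Domain Name                 : KSP-SITE
Local updater ID is 192.168.110.1 on interface Vl40 (lowest numbered VLAN interface found)
"""
COURT_AFTER = """\
Configuration Revision          : 0
VTP Operating Mode              : Transparent
VTP Domain Name                 : COURT-SITE
Local updater ID is 192.168.109.1 on interface Vl20 (lowest numbered VLAN interface found)
"""

def parse_vtp_status(text):
    """Extract mode, domain, revision and the SVI named on the updater line."""
    info = {"mode": None, "domain": "", "revision": None, "updater_if": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Local updater ID"):
            words = line.split()
            if "interface" in words[:-1]:
                info["updater_if"] = words[words.index("interface") + 1]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "VTP Operating Mode":
            info["mode"] = value
        elif key == "VTP Domain Name":
            info["domain"] = value          # blank means the null domain
        elif key == "Configuration Revision" and value.isdigit():
            info["revision"] = int(value)
    return info

def audit(sites):
    """sites: {name: {"vtp": str, "vlan": int, "subnet": str}} -> list of findings."""
    findings = []
    by_domain, by_vlan, nets = defaultdict(list), defaultdict(list), {}
    for name, site in sites.items():
        vtp = parse_vtp_status(site["vtp"])
        if vtp["mode"] != "Transparent":                     # step 1
            findings.append(f"{name}: VTP mode is {vtp['mode']}, expected Transparent")
        if not vtp["domain"]:                                # step 2
            findings.append(f"{name}: VTP domain name is blank")
        if vtp["updater_if"] == "Vl1":                       # user subnet parked on VLAN 1
            findings.append(f"{name}: Vlan1 SVI is in use")
        by_domain[vtp["domain"]].append(name)
        by_vlan[site["vlan"]].append(name)
        nets[name] = ipaddress.ip_network(site["subnet"])
    for domain, names in by_domain.items():                  # step 2: unique per site
        if len(names) > 1:
            findings.append(f"{'/'.join(sorted(names))}: share VTP domain {domain!r}")
    for vlan, names in by_vlan.items():                      # step 3: unique VLAN
        if len(names) > 1:
            findings.append(f"{'/'.join(sorted(names))}: share VLAN {vlan}")
    for a, b in combinations(sorted(nets), 2):               # step 3: unique subnet
        if nets[a].overlaps(nets[b]):
            findings.append(f"{a}/{b}: subnets {nets[a]} and {nets[b]} overlap")
    return findings

# State when the outputs were posted: KSP's user subnet sat on Vlan1.
BEFORE = {
    "COURT": {"vtp": COURT_BEFORE, "vlan": 20, "subnet": "192.168.109.0/27"},
    "KSP": {"vtp": KSP_BEFORE, "vlan": 1, "subnet": "192.168.110.0/27"},
}
# Constructed target state after the three steps.
AFTER = {
    "COURT": {"vtp": COURT_AFTER, "vlan": 20, "subnet": "192.168.109.0/27"},
    "KSP": {"vtp": KSP_AFTER, "vlan": 40, "subnet": "192.168.110.0/27"},
}

if __name__ == "__main__":
    for label, plan in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(plan) or "no findings")
```
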
