Multi VLAN on Cisco Aironet 1300 Bridge

Dear Experts,

I'm connecting two buildings with a Cisco 1300 bridge as a secondary (backup) link. My primary link is fiber.

I managed to configure the root bridge and non-root bridge successfully and the traffic is flowing. However, only the native VLAN (127) is flowing between the two bridges, whereas I have 5 other VLANs. I tried a lot to make the traffic for these VLANs pass through the bridge, but without success.

Here is my configuration:

SW_ROOT

interface GigabitEthernet0/24
 description ***Connected to Root Bridge***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
 switchport mode trunk
 ip arp inspection trust
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 storm-control action trap
 spanning-tree port-priority 0
-----------------------------------------
SW_NONROOT

interface GigabitEthernet0/24
 description **Connected to NON ROOT BRIDGE**
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
 switchport mode trunk
 ip arp inspection trust
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
----------------------------------------------------
ROOT_BRIDGE


!
hostname Root_Bridge
!
dot11 vlan-name ELC1 vlan 185
dot11 vlan-name ELC2 vlan 184
dot11 vlan-name management vlan 127
dot11 vlan-name student vlan 50
dot11 vlan-name teacher vlan 60
dot11 vlan-name wirent vlan 70
!
dot11 ssid WiFi-Admin
   vlan 127
   authentication open
   guest-mode
   infrastructure-ssid
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid WiFi-Admin
 !
 station-role root bridge
 distance 1
 world-mode dot11d country x both
 infrastructure-client
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 port-protected
 bridge-group 50 spanning-disabled
!
interface Dot11Radio0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 port-protected
 bridge-group 60 spanning-disabled
!
interface Dot11Radio0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 bridge-group 70 port-protected
 bridge-group 70 spanning-disabled
!
interface Dot11Radio0.127
 encapsulation dot1Q 127 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 port-protected
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.184
 encapsulation dot1Q 184
 no ip route-cache
 bridge-group 184
 bridge-group 184 port-protected
 bridge-group 184 spanning-disabled
!
interface Dot11Radio0.185
 encapsulation dot1Q 185
 no ip route-cache
 bridge-group 185
 bridge-group 185 port-protected
 bridge-group 185 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface FastEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface FastEthernet0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 spanning-disabled
!
interface FastEthernet0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 bridge-group 70 spanning-disabled
!
interface FastEthernet0.127
 encapsulation dot1Q 127 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.184
 encapsulation dot1Q 184
 no ip route-cache
 bridge-group 184
 bridge-group 184 spanning-disabled
!
interface FastEthernet0.185
 encapsulation dot1Q 185
 no ip route-cache
 bridge-group 185
 bridge-group 185 spanning-disabled
!
interface BVI1
 ip address 192.168.x.x 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.x.x
ip http server

bridge 1 priority 65535
bridge 1 protocol ieee
bridge 1 route ip
bridge 50 priority 65535
bridge 50 protocol ieee
bridge 60 priority 65535
bridge 60 protocol ieee
bridge 70 priority 65535
bridge 70 protocol ieee
bridge 184 priority 65535
bridge 184 protocol ieee
bridge 185 priority 65535
bridge 185 protocol ieee
!
!
!
line con 0
line vty 0 4
!
end

-------------------------------------------------
NON_ROOTBRIDGE


hostname NON_ROOT_BRIDGE
!

!
dot11 vlan-name ELC1 vlan 185
dot11 vlan-name ELC2 vlan 184
dot11 vlan-name management vlan 127
dot11 vlan-name student vlan 50
dot11 vlan-name teacher vlan 60
dot11 vlan-name wirent vlan 70
!
dot11 ssid WiFi-Admin
   vlan 127
   authentication open
   guest-mode
   infrastructure-ssid
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid WiFi-Admin
 !
 station-role non-root bridge
 world-mode dot11d country X both
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 port-protected
 bridge-group 50 spanning-disabled
!
interface Dot11Radio0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 port-protected
 bridge-group 60 spanning-disabled
!
interface Dot11Radio0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 bridge-group 70 port-protected
 bridge-group 70 spanning-disabled
!
interface Dot11Radio0.127
 encapsulation dot1Q 127 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 port-protected
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.184
 encapsulation dot1Q 184
 no ip route-cache
 bridge-group 184
 bridge-group 184 port-protected
 bridge-group 184 spanning-disabled
!
interface Dot11Radio0.185
 encapsulation dot1Q 185
 no ip route-cache
 bridge-group 185
 bridge-group 185 port-protected
 bridge-group 185 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface FastEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface FastEthernet0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 spanning-disabled
!
interface FastEthernet0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 bridge-group 70 spanning-disabled
!
interface FastEthernet0.127
 encapsulation dot1Q 127 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.184
 encapsulation dot1Q 184
 no ip route-cache
 bridge-group 184
 bridge-group 184 spanning-disabled
!
interface FastEthernet0.185
 encapsulation dot1Q 185
 no ip route-cache
 bridge-group 185
 bridge-group 185 spanning-disabled
!
interface BVI1
 ip address 192.168.x.x 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.x.x
ip http server
no ip http secure-server


bridge 1 priority 65535
bridge 1 protocol ieee
bridge 1 route ip
bridge 50 priority 65535
bridge 50 protocol ieee
bridge 60 priority 65535
bridge 60 protocol ieee
bridge 70 priority 65535
bridge 70 protocol ieee
bridge 184 priority 65535
bridge 184 protocol ieee
bridge 185 priority 65535
bridge 185 protocol ieee
!
!
!
line con 0
line vty 0 4
 login local
!
end 
-----------------------------


Appreciate your support.

Asked by: sadiqallawati

1 Solution

Craig Beck commented:
You should not include any of the VLANs on the Aironet bridges.

What your config is doing at the moment is expecting traffic to be tagged on a specific VLAN from the Wireless interface before it is being passed to the wire.

Your switch configuration is correct, so if you delete all VLAN information from the bridges and just let them think they are on VLAN 1 they should pass all of your VLAN traffic between the two switches.

The storm-control commands are not needed on the ports where the bridges connect, and also I would remove the ip arp inspection trust command from these interfaces as the bridges might stop passing traffic properly.

sadiqallawati (Author) commented:
Hi craigbeck,

Do you mean that I don't have to create multiple interfaces on the bridge for each and every VLAN?

I found some Cisco documentation:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml

It seems there is something I'm missing. I will try to remove the ip arp inspection trust.

Any other suggestions?

Craig Beck commented:
The bridge will pass any traffic it receives on any interface if VLANs aren't configured.  If you configure VLANs it will ONLY pass those VLANs.

Did you do the configuration in the Web GUI or did you do it via Console/Telnet?
 
sadiqallawati (Author) commented:
I did it through the console.

So you suggest keeping only my native VLAN (VLAN 127) and removing everything else?

Craig Beck commented:
No, if you keep the native VLAN you will still have VLANs configured.  You need to completely remove ALL VLANs from each bridge.

However, if you want to use the VLAN configuration on the bridges I'd suggest doing it through the Web GUI instead of the Console/Telnet as there seems to be config (in the OP) which isn't required or usually created when a VLAN is configured.

sadiqallawati (Author) commented:
Do you have a sample configuration of a bridge without any VLAN?

Craig Beck commented:
I have configs but only from a 1400 bridge and the config is slightly different.

I've just had a thought though... You've named your VLANs on the bridges.  Remove that.  You don't need to name the VLANs (apart from remembering what they are) and if the names don't match what's on the switch it won't work.  Also your native VLAN isn't VLAN1 so VTP won't work (and therefore bridge VLAN names will never match).

sadiqallawati (Author) commented:
I will try to remove the VLAN names, let's give it a try.

But I found this on Cisco:

http://www.cisco.com/en/US/docs/wireless/access_point/1300/12.3_7_JA/configuration/guide/b37vlan.html

Guidelines for Using VLAN Names

Keep these guidelines in mind when using VLAN names:

The mapping of a VLAN name to a VLAN ID is local to each access point/bridge, so across your network, you can assign the same VLAN name to a different VLAN ID.

Note: If clients on your wireless LAN require seamless roaming, Cisco recommends that you assign the same VLAN name to the same VLAN ID across all access point/bridges, or that you use only VLAN IDs without names.

Every VLAN configured on your access point/bridge must have an ID, but VLAN names are optional.

VLAN names can contain up to 32 ASCII characters. However, a VLAN name cannot be a number between 1 and 4095. For example, vlan4095 is a valid VLAN name, but 4095 is not. The access point/bridge reserves the numbers 1 through 4095 for VLAN IDs.

What do you think?

sadiqallawati (Author) commented:
Hi craigbeck,

I tried what you suggested but it did not work. Actually, I'm facing a new issue now. My setup is as follows:

SW1 --> Root Bridge --> NON Root Bridge -- SW2

I cannot ping Root Bridge and NON Root Bridge from SW1, however I can reach both of them from SW2. I checked the spanning tree from SW1 and all ports are in FWD state.

Craig Beck commented:
Can you post the new config from each device?

sadiqallawati (Author) commented:
It's the same, except I removed the VLAN names.

Craig Beck commented:
And for the switches?

sadiqallawati (Author) commented:
I removed the ip arp inspect trust.


Craig Beck commented:
Ok, so you've removed the VLAN names from the bridges and turned off IP ARP Inspection and now you can't ping them from SW1?
Can you post the complete config from the switches?

sadiqallawati (Author) commented:
Here we are, I'm pasting the relevant information on each switch.
Main Office - SW1


version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname corerack_switch_1
!

ip routing
no ip domain-lookup
!
ip dhcp pool WiFi-Admin
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1
!
ip dhcp snooping vlan 50,60,70,127
ip arp inspection vlan 50,60,70,127
ip arp inspection log-buffer entries 10
ip arp inspection log-buffer logs 1 interval 86400
!
!

spanning-tree mode mst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
 name COLLEGEIBRA
 revision 1
 instance 1 vlan 50
 instance 2 vlan 60
 instance 3 vlan 70
 instance 4 vlan 127
!
spanning-tree mst 0-15 priority 0
spanning-tree vlan 1-4094 priority 24576
!
vlan internal allocation policy ascending
!
vlan 50
 name VLAN_50<student>
!
vlan 51
!
vlan 60
 name VLAN_60<teacher>
!
vlan 61
!
vlan 70
 name VLAN_70<wirent>
!
vlan 127
 name VLAN_127<Management>
!
vlan 178
!
vlan 188
 name WIRELESS
!
vlan 190
!

!
interface GigabitEthernet0/24
 description ***RootBridge***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
 switchport mode trunk
 spanning-tree port-priority 0

interface Vlan1
 no ip address
 shutdown
!
interface Vlan127
 description *** Management Vlan ***
 ip address 192.168.x.x 255.255.255.0
!
interface Vlan177
 no ip address
!
interface Vlan178
 no ip address
!
interface Vlan188
 ip address 10.153.x.x 255.255.254.0
!
interface Vlan190
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.x.1
ip http server
!

--------------------------------------------
Remote Office - SW2


Current configuration : 17722 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
ip dhcp snooping vlan 50,60,70,127
ip arp inspection vlan 50,60,70,127
ip arp inspection log-buffer entries 10
ip arp inspection log-buffer logs 1 interval 86400
!
!
!

spanning-tree mode mst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
 name COLLEGEIBRA
 revision 1
 instance 1 vlan 50
 instance 2 vlan 60
 instance 3 vlan 70
 instance 4 vlan 127
!
spanning-tree mst 0-15 priority 0
spanning-tree vlan 1-4094 priority 24576
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
vlan 11
 name DMZ
!
vlan 12-18
!
vlan 50
 name VLAN_50<student>
!
vlan 60
 name VLAN_60<teacher>
!
vlan 70
 name VLAN_70<wirent>
!
vlan 127
 name VLAN_127<Management>
!
vlan 177-178,180,182,184,188,190,255
!

interface GigabitEthernet0/24
 description **Connected to EL303AP(BRIDGE)**
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
 switchport mode trunk


interface Vlan1
 no ip address
 shutdown
!
interface Vlan127
 description *** Management Vlan ***
 ip address 192.168.x.27 255.255.255.0
!

ip classless
ip route 0.0.0.0 0.0.0.0 192.168.x.1
ip http server
!


Craig Beck commented:
Ok, apologies - you're running ARP inspection globally so you must re-enable it on the interfaces.
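
The point in the reply above, as an added example that is not part of the thread: SW1 enables DAI for VLANs 50, 60, 70 and 127, so with `ip arp inspection trust` removed from Gi0/24, ARP arriving over the bridge link is validated against the switch's local DHCP snooping bindings. The Python script below lists trunks in that state; its function names are hypothetical, the config excerpt is constructed from the posted SW1 config, and it assumes plain VLAN lists like the ones in this thread.

```python
import re

# Constructed sample: the DAI-relevant lines of the SW1 config posted above.
SW1_CONFIG = """\
ip arp inspection vlan 50,60,70,127
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
 switchport mode trunk
 spanning-tree port-priority 0
!
interface Vlan127
 ip address 192.168.x.x 255.255.255.0
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '50,60,177-178' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def untrusted_dai_trunks(config):
    """Return {interface: inspected VLANs} for trunks that carry DAI VLANs
    but lack 'ip arp inspection trust'."""
    inspected = set()
    for m in re.finditer(r"^ip arp inspection vlan (\S+)", config, re.M):
        inspected |= expand_vlans(m.group(1))
    findings = {}
    # An interface block is the 'interface X' line plus the indented lines after it.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        if "switchport mode trunk" not in body:
            continue
        allowed = re.search(r"switchport trunk allowed vlan (\S+)", body)
        # With no allowed list, an IOS trunk carries every VLAN (1-4094).
        carried = expand_vlans(allowed.group(1)) if allowed else set(range(1, 4095))
        exposed = carried & inspected
        if exposed and "ip arp inspection trust" not in body:
            findings[name] = sorted(exposed)
    return findings

if __name__ == "__main__":
    for port, vlans in untrusted_dai_trunks(SW1_CONFIG).items():
        print(f"{port}: DAI untrusted, inspected VLANs {vlans}")
```

Trusting the port exempts ARP received on it from inspection, so the switch at the far end of the link has to run DAI itself, as SW2 does here.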

sadiqallawati (Author) commented:
None of these worked out.

sadiqallawati (Author) commented:
Solution did not work