e2346437 asked:

CATOS Switch not passing VLAN 1 traffic

Hello,
I have an IBM Bladecenter with integrated Cisco IOS switches.  I ran out of ports on them so I added a Cisco 2960 CATOS gigabit switch, and created a trunk from the IOS Switch to the CATOS switch.  It's configured to trunk VLAN 1-4094.  Currently, VLAN 2, 3, and 4 are passing from the IOS Switch to the CATOS switch, then out another trunk port to a SonicWALL NSA firewall.

VLAN 1 however will not pass.  It's the default management VLAN for the Bladecenter and for the CATOS switch.  The management module from the bladecenter is connected to port 2/48 on the CATOS switch, but cannot pass traffic on VLAN 1 to the SonicWALL.  I've tried 2/48 in trunk mode and in access mode, but no go.  I can configure another port on the CATOS switch and specify access VLAN 1 and it will ping the management module with no problems, but not the sub-interface on the SonicWALL.

Is there something magical about VLAN 1 that won't trunk out of the switch by default?
Don Johnston:

Is there something magical about VLAN 1 that won't trunk out of the switch by default?
Nope. Unless it's removed from the trunk, VLAN 1 traffic is carried.
It has been a few years since I dealt with an IBM Bladecenter, but at one time they had an internal VLAN for management and the VLAN was 2.  The only path to VLAN 2 was through the Bladecenter Management module.

Since it seems you are using VLAN 2, is it possible that you have changed the internal VLAN to VLAN 1?

Whatever the internal VLAN tag is, the integrated switch will NOT pass it on any external ports.  Only on the internal management LAN ports. That would cause the behavior you are seeing.
e2346437 (asker):

I'll have to check but I'm quite sure the management VLAN is 1 and the operational VLAN is 2.  I'm beginning to think VLAN 1 is ignored by the SonicWALL.
If the internal Bladecenter VLAN is 1, it will not pass through any of the external ports on the integrated switch.

This is done so that spanning-tree will not block traffic on the management port in the Bladecenter.
The CATOS switch port 2/48 is connected directly to the MM external ethernet port.  It's not going through the internal switch.
O.K., didn't read the whole thing. You have:

2960 <---C1------> MM
   /\                    /\
    |                    |
    |             BC Internal connection
    |                    |
    |                    \/
    |--C2-------->BC Switch

C1 is VLAN1 and you are trying to do C2 as a trunk with VLAN1-4096?

If so, and VLAN 1 is the management VLAN for the BC, then the BC will not allow VLAN 1 out of C2 (the trunk).
SOLUTION (giltjr)

This is how the network is laid out.  The laptop can ping the management module and, through the ethernet port on the MM, the Bladecenter switch management IPs.  Can't ping the SonicWALL though.
Attachment: Bladecenter-Network.pdf
ASKER CERTIFIED SOLUTION

Oh, although it will work, you typically don't want VLAN 1 on the integrated switch and the management module.  Actually, it's not VLAN 1; you don't want the same VLAN on both.

The problem comes into play when somebody "accidentally" configures the internal switch connections between the integrated switch and the management module to be trunk ports.  Nasty things start to happen because of loops in the network.
"Oh, although it will work, you typically don't want VLAN 1 on the integrated switch and the management module.  Actually, it's not VLAN 1; you don't want the same VLAN on both."

Having reset both the MM and the Bladecenter switches to factory defaults upon arrival, that is how they are configured.  The MM is at 192.168.70.125 on VLAN 1, the switches are at 192.168.70.127 and 128.  The MM even has a Java app that will open a console connection to either switch.

I'm just trying to extend the management network out to my SonicWALL so that I can access the management network from my office over the VPN.
Which Bladecenter is this?

Let me look at the SonicWALL doc and how to configure VLANs on it.

Now, on the Sonicwall you did allow ICMP and any other protocol you need to be allowed to its VLAN1 IP address, right?
Bladecenter 8677-3RU with management module 39M4945.  The Bladecenter switches are Cisco.

The SonicWALL does allow ICMP and the other VLANs (2, 3, 4) can ping.
In your diagram you have a computer on VLAN1.

From that computer can you ping/access anything on VLAN1 that is in the BC?
From that computer can you access the BC management module?

If the answer is yes, then the 2960 is passing VLAN 1 traffic.

Can you setup another port on the 2960 as a mirror (session) port and do a packet capture for all traffic going to the port that the SonicWall is on?
Oh, what level is the software you are running in the SonicWall?
SonicWALL is on SonicOS Enhanced 5.0.2.0-17o.  The laptop on VLAN1 can ping everything inside the BladeCenter (MM, both switches) but cannot ping SonicWALL or outside.
O.K., that rules out anything within the BC and the 2960, unless the port the SonicWall is connected to is not right.

The port the SonicWall is connected to should look something like:

     interface "portname"
       switchport
       ! on platforms that also support ISL, the encapsulation must be set
       ! before "switchport mode trunk" is accepted; a 2960 is dot1q-only and
       ! has no "switchport trunk encapsulation" command at all
       switchport trunk encapsulation dot1q
       switchport mode trunk
       switchport trunk allowed vlan 2,3,4

You might have, but it should not be necessary:

       switchport trunk allowed vlan 1,2,3,4
SOLUTION

"The SonicWALL does not interpret packets tagged with VLAN 1 as different than packets that are not tagged at all."

Actually it does, and your description supports it.

When you had interface X0:1 assigned to VLAN 1, that interface was set up to process tagged frames, in this case frames tagged as VLAN 1.

On the Cisco side all VLAN 1 frames come across as untagged, so they were processed on interface "X0".  You did not have an IP address assigned to X0.

Your change was to move the IP address from the X0:1 tagged interface to the X0 untagged interface, which allowed the traffic to be processed.
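To make giltjr's explanation concrete, here is an added example (not from the thread, and not Cisco or SonicWALL code): a small Python model of a Cisco 802.1Q trunk, whose native VLAN leaves the port untagged, feeding a parent interface X0 with tagged sub-interfaces X0:n. It also shows the switch-side alternative the thread does not cover, moving the native VLAN off VLAN 1 (`switchport trunk native vlan`) so VLAN 1 leaves tagged; the sub-interface names other than X0:1 and the VLAN 999 value are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed to match the thread: VLANs 1-4 allowed on the trunk, SonicWALL
# sub-interfaces X0:1..X0:4 (only X0:1 is named on the page; the rest are assumed).
ALLOWED_VLANS: Set[int] = {1, 2, 3, 4}
SUBINTERFACES: Dict[int, str] = {1: "X0:1", 2: "X0:2", 3: "X0:3", 4: "X0:4"}


@dataclass(frozen=True)
class Frame:
    tag: Optional[int]  # 802.1Q VLAN id on the wire; None means the frame left untagged


def cisco_trunk_egress(vlan: int, native_vlan: int, allowed: Set[int]) -> Optional[Frame]:
    """Cisco 802.1Q trunk egress: native-VLAN frames leave untagged, every other
    allowed VLAN leaves tagged; VLANs not in the allowed list never leave the port."""
    if vlan not in allowed:
        return None
    return Frame(tag=None if vlan == native_vlan else vlan)


def sonicwall_ingress(frame: Frame, parent_has_ip: bool, subs: Dict[int, str]) -> str:
    """Parent interface X0 with VLAN sub-interfaces X0:n. A tagged frame is handed
    to the sub-interface for that tag; an untagged frame belongs to X0 itself and
    is only answered (ARP/ICMP) if X0 has an IP address configured."""
    if frame.tag is None:
        return "X0" if parent_has_ip else "unanswered: untagged frame reached X0, which has no IP"
    if frame.tag in subs:
        return subs[frame.tag]
    return "dropped: no sub-interface for VLAN tag %d" % frame.tag


def deliver(vlan: int, native_vlan: int = 1, parent_has_ip: bool = False,
            allowed: Set[int] = ALLOWED_VLANS, subs: Dict[int, str] = SUBINTERFACES) -> str:
    """Where a frame from `vlan` on the Cisco side ends up on the SonicWALL."""
    frame = cisco_trunk_egress(vlan, native_vlan, allowed)
    if frame is None:
        return "dropped: VLAN %d not allowed on trunk" % vlan
    return sonicwall_ingress(frame, parent_has_ip, subs)


if __name__ == "__main__":
    # The thread's original state: VLAN 1 is the default native VLAN, X0 has no IP.
    for v in (1, 2):
        print("original, VLAN %d -> %s" % (v, deliver(v)))
    # The asker's fix: move the IP from X0:1 to the untagged parent interface X0.
    print("IP moved to X0, VLAN 1 -> %s" % deliver(1, parent_has_ip=True))
    # Switch-side alternative (assumed value): make an unused VLAN the trunk's
    # native VLAN with "switchport trunk native vlan 999", so VLAN 1 leaves tagged.
    print("native VLAN 999, VLAN 1 -> %s" % deliver(1, native_vlan=999))
```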
I was able to find the answer myself.