Solved

Cisco vlan question

Posted on 2016-11-08
Last Modified: 2016-11-13
I have a Cisco 4507 with multiple VLANs and I am trying to configure the ports for my ESX Server.
What I did was:
Enable
Conf T
Int gi6/19
switchport mode access
switchport access vlan 2
End

I know for a fact that there is a DHCP scope for this, but it is not getting an IP.
The Status = Up and the Protocol = Down

This is what shows in the running config
interface GigabitEthernet6/19
 description ESXLAB01-01
 switchport access vlan 2
 switchport trunk native vlan 86
 switchport trunk allowed vlan 86,87

Can anyone assist?

Question by:yo_bee

12 Comments

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 250 total points
What you did, obviously, is add access configuration to an already existing trunk configuration without removing the trunk configuration first.
Not sure what you are trying to achieve. If you need to have the configuration that you did above on the port, then just default the interface first and then configure it again.
enable
conf t
default interface gi6/19
int gi6/19
switchport mode access
switchport access vlan 2

Also it would be recommended to add:
spanning-tree portfast bpduguard
for all end host ports (not for ports that are connecting switches).

Originally port was configured as trunk port and allowed vlans are 86 & 87.

If the above does not solve the problem - an interface in up/down state means that the cable is connected (Layer 1 is working), but the protocol is not (data layer problem). It could be a miswired cable (try to replace it), or you can try to configure the speed manually: speed 10 (or speed 100, speed 1000).

Author Comment

by:yo_bee
Thanks. This was previously configured for a Lab and I want to provision it for production. I am not a network guy by any means. That is why I was asking.

I will try what you recommended.

Author Comment

by:yo_bee
I just tried your recommendation, but it does not look like default is a recognized command.
If I remove the Switchport Trunk setting, will that open this port up to any vlan I configure it for?

Here is the entire configuration for the port:

!
interface GigabitEthernet6/19
 description ESXLAB01-01
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2
 switchport mode access
 speed 1000
 duplex full
 channel-protocol lacp
 channel-group 51 mode active
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
end

This is another part of the config.

interface Port-channel51
 description LBXEN01-Bond1
 switchport
 switchport trunk native vlan 86
 switchport trunk allowed vlan 86,87
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard disable

Author Comment

by:yo_bee
Here is my new config that is working.

Current configuration : 263 bytes
!
interface GigabitEthernet6/19
 description ESXLAB01-01
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2
 switchport mode access
 channel-protocol lacp
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
end

You do recommend enabling bpduguard. What does this do exactly?

Assisted Solution

by:rauenpc
rauenpc earned 250 total points
'bpduguard enable' will protect the port from having another switch/bridge connect to it. This helps to prevent loops as well as unauthorized equipment from being connected to your environment. I would enable this on any port that is not supposed to be connected to another switch which is essentially every port except uplinks.

When it comes to configuring for a VMWare host, I wouldn't use 'switchport mode access'. Putting the port in access mode only allows for a single untagged vlan (and technically one tagged vlan if you configure it as 'switchport voice vlan X'). For a VMWare host, I would normally assume that you will have multiple port groups, and that each port group could need a different vlan. Now there is nothing wrong with using access mode, but it limits you to the single vlan.

I configure my host ports as follows:

interface GigabitEthernetX/Y
 description ESXLAB01-01
 ! This is optional and defines which vlan is untagged, but without this line, vlan 1 will be untagged and every other vlan will need to be specified in VMWare including the management interface if it isn't vlan 1
 switchport trunk native vlan 2
 ! This is also optional. This would specify the only vlans that are allowed (you must include the native vlan in this command). Without this command, all vlans configured on the switch would be allowed
 switchport trunk allowed vlan x,y,z
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
 ip dhcp snooping trust

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 250 total points
The default command should be performed in global configuration mode (not under the interface) and, last time I checked, it was supported on the 4507. :)
Resetting the Interface to the Default Configuration
Switch(config)# default interface fastEthernet 3/5
Interface FastEthernet3/5 set to default configuration

Your config is not good.
What is problematic, at least, is that you have different configurations on Po51 and Gig6/19. That could be one of the causes of your problem; however, I see that you removed the speed command, and that is the most likely cause of the previous problem. Gig6/19 is in a port channel and all ports that belong to a port channel should have the same configuration. So, it is pretty messy if you ask me. :)

What the actual configuration should be also depends on the configuration of the host and what VLANs will be used by the host that is attached to that port. But right now, it does not look good (at least to me).

Suggested command
   ip dhcp snooping trust
should be applied only in the case that the attached host is a DHCP server and DHCP snooping is enabled on the switch...
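
The inconsistencies raised in this thread (access-mode lines layered on leftover trunk settings, portfast with bpduguard disabled, and a channel-group member that disagrees with its Port-channel) can be checked mechanically. The following is an added example, not part of the original posts; the function names `parse`, `switchport_lines` and `audit` are hypothetical, and the input is abridged from the Gi6/19 and Po51 stanzas posted above.

```python
import re
# Abridged from the Gi6/19 and Po51 stanzas posted in the thread.
CONFIG = """\
interface GigabitEthernet6/19
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2
 switchport mode access
 channel-group 51 mode active
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
!
interface Port-channel51
 switchport trunk native vlan 86
 switchport trunk allowed vlan 86,87
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
"""

def parse(text):
    """Return {interface name: [sub-commands]} from running-config text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or "end" closes the stanza
    return stanzas

def switchport_lines(cmds):
    return sorted(c for c in cmds if c.startswith("switchport "))

def audit(stanzas):
    """Flag the inconsistencies the thread discusses, per interface."""
    findings = []
    for name, cmds in stanzas.items():
        if "switchport mode access" in cmds and any(c.startswith("switchport trunk ") for c in cmds):
            findings.append((name, "access mode with leftover trunk settings"))
        if "spanning-tree bpduguard disable" in cmds and any(c.startswith("spanning-tree portfast") for c in cmds):
            findings.append((name, "portfast with bpduguard disabled"))
        m = next((re.match(r"channel-group (\d+) ", c) for c in cmds if c.startswith("channel-group ")), None)
        if m and switchport_lines(cmds) != switchport_lines(stanzas.get("Port-channel" + m.group(1), [])):
            findings.append((name, "switchport settings differ from Port-channel" + m.group(1)))
    return findings

if __name__ == "__main__": print(audit(parse(CONFIG)))
```

Run against the plain access-port stanzas posted later in the thread, the same audit returns no findings.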

Author Comment

by:yo_bee
Thanks all for your help.
So let me get this straight.
I should configure a Port-Channel to be associated with a group of VLANs and assign the Port-Channel to the interface.
Is that correct?

Expert Comment

by:rauenpc
A bigger question is whether or not you should be configuring a port-channel at all. Most of the installs I've done don't use port channels as it doesn't provide any real benefit, but this lack of benefit is based on the environment and not because port-channels themselves have no benefit.
Your configuration earlier makes it appear that you were configuring a port-channel with LACP. This can only be done if you are using vCenter/VMWare 5.1 or higher, and using a distributed switch (which requires the right licensing).
Without that licensing, you can only do a static port-channel.
Regardless of which port-channel method you go with (assuming you stick to a port-channel), there is also some configuration on the ESXi host that must be done for this to work properly.

Now I'm not saying we can't or won't help you, because we certainly will, but I get the feeling that you would greatly benefit from pulling in an outside consultant who knows both VMWare and Cisco networking to sit down with you and spend a few hours looking over your environment, determining the best configuration that would suit your needs, and implementing the configuration. This would end up being a one-time cost, and once it's done you would have a template (essentially) to work off of for any future vmware hosts that are added/changed/moved in your environment. I don't know how much time you've spent on this, but at some point your time will outweigh the cost of a consultant. You could look for this consulting either local to your area, or even as a "Gig" in Experts Exchange. This is just my opinion - I don't mean any insult towards your skills/abilities.

Author Comment

by:yo_bee
You are not insulting me at all. My knowledge is very minimal when it comes to Cisco and configuring the ports.
Your advice will be duly noted.

I will muck around a little more and at that point hire someone, maybe even you ;).

Author Comment

by:yo_bee
It has been a week that I have been tinkering with the 4 ports connected to my ESXLAB server.
Here is what I have so far.
I have a 1 to 1 port to VLAN access for this setup.



Gi6/13                         up             up       ESXLAB01-2-iSCSI
Gi6/16                         up             up       ESXLAB01-3-VM
Gi6/19                         up             up       ESXLAB01-1-MGT
Gi7/16                         up             up       ESXLAB01-4-iSCSI
Gi7/21                         up             down     ESXLAB01-6
Gi7/23                         up             down     ESXLAB01-7
Gi7/25                         up             down     ESXLAB01-8


!
interface GigabitEthernet6/19
 description ESXLAB01-1-MGT
 switchport access vlan 88
 switchport mode access
end


!
interface GigabitEthernet6/16
 description ESXLAB01-3-VM
 switchport access vlan 94
 switchport mode access
end

!
interface GigabitEthernet6/13
 description ESXLAB01-2-iSCSI
 switchport access vlan 93
 switchport mode access
end


!
interface GigabitEthernet7/16
 description ESXLAB01-4-iSCSI
 switchport access vlan 81
 switchport mode access
end

Here is my ESX server. I am having an issue when trying to mount an NFS vol to the datastore on ESX.
Not sure why I am not able to mount the NFS.
Here is the error I am getting:
Call "HostDatastoreSystem.CreateNasDatastore" for object "ha-datastoresystem" on ESXi "192.168.88.24" failed.
NFS mount 192.168.81.11:/vol/VM_ISO failed: Unable to connect to NFS server.

Accepted Solution

by:rauenpc
rauenpc earned 250 total points
Since all your switchports are access mode, you will not need to tag any traffic. Remove the vlan id number from the iscsi vmk1.

Author Closing Comment

by:yo_bee
Thanks all for your help.
I got the LAB up and NFS is now connected.