switch vlan mismatch

Dan asked (High Priority, 1,005 views, last modified 2018-01-04):
I'm getting these errors, and I kind of understand why, but I guess I might need some help in knowing how to configure the ports so they go away.
[screenshot: vlanmismatch]
Here's a small portion of my current network setup:
[diagram: current setup]
Here's how the network should be, as I have to install more cameras and use a POE switch:
[diagram: proposed setup]
I'm guessing I'll still continue to get those errors even with the new setup?
How do I need to configure those few switches so I don't get those errors?
The two switches with vlan 800, I only need to connect to them for management and monitoring. I don't need and don't want any of that traffic to traverse my vlan1 network.

Any thoughts on what I'm doing wrong?
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Hi pal, here is what you need to do

Let say you have the following

Switch 1 (vlan 10,20,30) native vlan 50
Switch 2 (vlan 10,20,30) native vlan 50
Switch 3 (vlan 10,20,30) native vlan 50

In each trunk you need to set the command native vlan to avoid this error.
It will be something like this:

NYC-FW conf t
NYC-FW(config)# Int fa0/48   **(guessing that could be the interface sending all the vlan traffic to the second switch)**
NYC-FW(config-if)#switchport trunk native vlan 50

Do this command on every switch that has a trunk link interface and the error will be gone.
Dan (Author, Network Engineer) commented:
Hi Hemil, so on each port that is a trunk on my native vlan I need to run this command. So I don't run this command on any of the links that are NOT on my native vlan; in my case, that would be vlan 800.
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Yes. If you are going to change the default native vlan, which is 1, then use the command stating vlan 800 as the default.
You need to apply the command to each trunk link.

In your log the problem seems to be coming from the cameras switch; you maybe have vlan 1 as the default native vlan.

Remember:
The native VLAN is the only VLAN which is not tagged on a trunk; in other words, native VLAN frames are transmitted unchanged. By default the native VLAN is VLAN 1, but you can change that.
Dan (Author, Network Engineer) commented:
My native vlan is vlan 1. I do not want to change that; on all the switches, I'm just using the default vlan 1.

On these two switches though, I have POE cameras and they need to connect to the NVR, and I want all of that traffic on vlan 800.
I only want to connect to these switches for monitoring using vlan1 on those certain ports listed in the diagram.

So from your above example, I first need to be in the interface of each switch that is on vlan 1 that connects to the other switch that is also on vlan 1 and run that command, right?
switchport trunk native vlan 1

So I'm not running that command for any of the vlan 800 traffic ports, right?
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Correct, use that option but for the number 1. I think at one point those switches have been configured with a different native vlan.
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Did it work?
Dan (Author, Network Engineer) commented:
I haven't tried it, will do as soon as I get off a conference call.
Akinsd (Network Administrator) commented:
From the error shown, there is a trunk negotiation between your camera and the switchport. The native vlan on the camera is 800, while the native vlan on the switch is 1. The only way to make the problem go away is to change the native vlan on the switch or on the camera. I will assume it's easier to change the switch.

Native VLAN mismatch discovered on Gig2/0/1(800) [this is the local port on the switch] with o_server_.33 gi1/0/48 (1) [neighbor switch]
The number in parentheses after the switchport is the native vlan.
Here, the local switchport has native vlan 800 while the neighbor is on 1.

Native VLAN mismatch discovered on Gig1/0/48 (1) [This is the local port on the switch] with w_camera_37 gi2/0/1(800) [neighbor switch]
Here, the switch has native vlan 1, while the camera has native vlan 800

This means your cameras have native vlan 800.
You probably configured mixed native vlan configurations on the switch.

Go on the switch and configure appropriate native vlans on the proper trunk ports.
Also, find out if the cameras should communicate on a trunk port; if not, just keep your native vlans on your switches as VLAN 1, and hard code the ports the cameras connect to as access ports.

Here are the commands you will need.
Camera ports:
int gi1/0/xx
switchport mode access
switchport access vlan 800
switchport trunk native vlan 1

Uplink to other switches:
int gi2/0/xx
switchport trunk native vlan 1
switchport mode trunk

I hope this helps.
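As an added example (not Akinsd's or the thread's code), a small Python parser for the two mismatch messages walked through above: it pulls out the local port, the neighbor and both native VLANs, says which end deviates from the intended native VLAN (assumed to be 1, as in this network) and produces the correcting lines for the local port. The log lines it contains are constructed to match the thread's wording.

```python
import re
from dataclasses import dataclass

# Matches both the spacing quoted in the thread ("Gig2/0/1(800) with ...") and the usual IOS
# form ("GigabitEthernet2/0/1 (800), with ...").
MISMATCH_RE = re.compile(
    r"Native VLAN mismatch discovered on (\S+?)\s*\((\d+)\),?\s+with (\S+)\s+(\S+?)\s*\((\d+)\)")

# Constructed log excerpt: the two mismatch lines mirror the ones quoted above, the third is a
# normal link-state message that must be ignored.
SAMPLE_LOG = """\
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on Gig2/0/1(800) with o_server_.33 gi1/0/48 (1)
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on Gig1/0/48 (1) with w_camera_37 gi2/0/1(800)
%LINK-3-UPDOWN: Interface GigabitEthernet2/0/1, changed state to up
"""


@dataclass
class Mismatch:
    local_port: str        # port on the switch that logged the message
    local_native: int      # its native VLAN (the number in parentheses)
    neighbor: str          # CDP device name of the other end
    neighbor_port: str
    neighbor_native: int


def parse_mismatches(log_text):
    """Extract every native-VLAN mismatch report from a block of syslog text."""
    found = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found.append(Mismatch(m.group(1), int(m.group(2)), m.group(3), m.group(4), int(m.group(5))))
    return found


def deviating_end(m, expected_native=1):
    """Which end differs from the native VLAN the trunks are meant to use: local, neighbor, both or neither."""
    local_bad = m.local_native != expected_native
    neighbor_bad = m.neighbor_native != expected_native
    if local_bad and neighbor_bad:
        return "both"
    return "local" if local_bad else ("neighbor" if neighbor_bad else "neither")


def remediation(m, expected_native=1):
    """IOS lines for the local port when the local end is the one to correct; [] when the fix belongs
    on the neighbor. Until it is applied, untagged frames cross this link between the two native VLANs."""
    if deviating_end(m, expected_native) not in ("local", "both"):
        return []
    return [f"interface {m.local_port}", f" switchport trunk native vlan {expected_native}"]
```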
Dan (Author, Network Engineer) commented:
When trying to configure port 28 on switch .37, the link to my LAN, I get this error:
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
Dan (Author, Network Engineer) commented:
I read online that I have to issue: switchport encapsulation dot1q
But when I do that, it's not taking the command, it throws the up arrow at "encapsulation"
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
You need to type this command first:

switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport mode trunk
Dan (Author, Network Engineer) commented:
But I don't want any of the vlan 800 traffic to go on port 28 on switch .37.
I only want to use this port for managing the switch, no vlan 800 traffic to traverse it,
and I thought by making a port a trunk port, that passes all vlans on the port, is that not the case?
Dan (Author, Network Engineer) commented:
So I'm still getting the errors. I ran the commands, but same errors still.
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Did you do it in both switches?
Dan (Author, Network Engineer) commented:
Only on 1, on the .37. On switch .33, I don't have vlan 800 on there and I don't need it there.
So do I need to do anything on that switch?
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Yes.
The native vlan is different from the rest of the vlans; this particular vlan sends untagged traffic to the network. It's only used for multicast.

You have to apply the same configuration on both.
Dan (Author, Network Engineer) commented:
There are no camera ports on the .33 switch, so do I only issue these commands on the .33 switch?
Uplink to other switches:
int gi2/0/xx
switchport trunk native vlan 1
switchport mode trunk
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
You have to issue the command on all the trunk links of the switches. The reason why is because of STP. If you don't do that the message will still be showing up. Let me give you this example:

Sw1 int fa0/48----------T--------Sw2 int fa0/48 (trunk link btw interface) Vlan 1
Sw1 int fa0/48----------T--------Sw2 int fa0/48 (trunk link btw interface) Vlan 1

And so forth. I'm sure you get my point.
Dan (Author, Network Engineer) commented:
This doesn't mean I have to issue those commands on all my 19 switches that have trunk ports, right?
You're only talking about the switches directly connected to each other that communicate between vlan 1 and vlan 800?

I guess I'm still lost, can you use my example, with the diagram I uploaded above?
I'm not sure why I'm not getting it, maybe I'm having an aha moment.

Here's how my current ports are configured, maybe this will help you to figure out what I'm doing wrong?

switch .33

!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate


switch .37

interface GigabitEthernet2/0/1
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/2
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/3
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/4
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/5
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/6
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/7
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/8
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/9
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/10
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/11
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/12
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/13
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/14
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/15
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/16
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/17
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/18
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/19
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/20
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/21
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/22
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/23
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/24
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/25
!
interface GigabitEthernet2/0/26
!
interface GigabitEthernet2/0/27
!
interface GigabitEthernet2/0/28
 switchport trunk encapsulation dot1q
 switchport mode trunk
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Did you add the command switchport trunk native vlan 1 on both switches? If you did, you should be OK.
Dan (Author, Network Engineer) commented:
I did, but I'm still getting those errors. So on switch .33, it still doesn't list the command under the port.
Shouldn't I see the switchport trunk native vlan 1 under the port?

switch .37
interface GigabitEthernet2/0/28
 switchport trunk encapsulation dot1q
 switchport mode trunk

switch .33
interface GigabitEthernet1/0/48
Dan (Author, Network Engineer) commented:
Maybe I just need to remove the trunking on those ports, as I don't need them to be trunk ports; I just need to access the switch on vlan 1.
I'll try that.
Dan (Author, Network Engineer) commented:
Changing the ports to access ports still throws that error.
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
I'm going to draw this for you so you can get it better.
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Just follow the image, changing the interface port.
Hope it helps.
[image: Dot1Q.png]
Dan (Author, Network Engineer) commented:
That helps, but I can't do that yet, because switch2 is not in production yet. I'm having a problem with the vlan being down, the protocol is down, and I can't connect to it via SSH. Currently, I'm using a PNP switch, but I'm removing it, and need to install a managed switch; the last portion is to get vlan1 up and up, but currently the protocol is down. Then I can follow your instructions.

Any ideas why vlan1 under protocol is down, everything I tried does not make it come up.
Dan (Author, Network Engineer) commented:
I have to leave for the day, but I'll be back at 8 am tomorrow morning.
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Maybe you shut down that interface.
You need to enable that interface by saying int vlan 1, then no shutdown.
Dan (Author, Network Engineer) commented:
I did that already, didn't work.
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
It's OK for vlan 1 to be down because you are not using it for traffic but instead for untagged traffic.
If you are going to use that vlan then you need to give an interface to it and enable the vlan. Otherwise it'll be off.

But I thought you are not using it; therefore for native vlan purposes it's good. It doesn't have to be up.
Dan (Author, Network Engineer) commented:
I don't understand, because on all my other switches the vlan protocol is up and I can ssh into them.

On this particular switch, the vlan protocol is down, and I can't ssh into it, even ping does not work.

I have an IP address/mask assigned and the default gateway as well.

Not sure why it's that hard to get the vlan up?
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
The only thing I can think of is that maybe your switch went into err-disabled state.
Try to shut down the interface and turn it back on.
Dan (Author, Network Engineer) commented:
I checked that, and it's not errdisable, it's just down.
I also checked port 1, which is on vlan 1, all other ports are vlan 800.
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
I need to see your configuration, dude.

do a sh run
also, sh int trunk
show vlan-switch
Dan (Author, Network Engineer) commented:
I'll reply tomorrow, I'm out of the office now.
Dan (Author, Network Engineer) commented:
Here you go, all the commands you asked for:

o_cameras_.40#show run
Building configuration...

Current configuration : 7017 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname o_cameras_.40
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$R52o$xB5/PcFdemCaPmyhl
!
username admin privilege 15 secret 5 $1$BQT9$QmARi7pEfV46kjnWH
!
!
no aaa new-model
clock timezone pst -7
switch 3 provision ws-c3750-48p
system mtu routing 1500
no ip domain-lookup
ip domain-name o_cameras_.40.com
!
!
!
!
crypto pki trustpoint TP-self-signed-1253877376
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1253877376
 revocation-check none
 rsakeypair TP-self-signed-1253877376
!
!
crypto pki certificate chain TP-self-signed-1253877376
 certificate self-signed 01
  quit
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
interface FastEthernet3/0/1
 switchport mode access
!
interface FastEthernet3/0/2
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/3
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/4
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/5
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/6
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/7
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/8
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/9
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/10
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/11
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/12
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/13
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/14
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/15
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/16
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/17
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/18
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/19
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/20
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/21
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/22
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/23
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/24
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/25
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/26
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/27
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/28
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/29
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/30
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/31
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/32
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/33
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/34
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/35
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/36
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/37
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/38
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/39
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/40
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/41
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/42
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/43
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/44
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/45
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/46
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/47
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/48
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet3/0/1
!
interface GigabitEthernet3/0/2
!
interface GigabitEthernet3/0/3
!
interface GigabitEthernet3/0/4
!
interface Vlan1
 ip address 192.168.100.40 255.255.252.0
!
ip default-gateway 192.168.100.1
ip classless
ip http server
ip http secure-server
!
!
logging 192.168.100.135
!
snmp-server community hardened7! RO
!
!
line con 0
 password 7 02350158
 logging synchronous
 login
line vty 0 4
 exec-timeout 30 0
 password 7 023501581E1
 login local
 transport preferred ssh
 transport input ssh
line vty 5 15
 exec-timeout 30 0
 password 7 023501581E
 login local
 transport preferred ssh
 transport input ssh
!
ntp clock-period 36028843
ntp server 192.5.41.40
end

o_cameras_.40#show int trunk

o_cameras_.40#show vlan-switch
                       ^
% Invalid input detected at '^' marker.

o_cameras_.40#show vlan switch
                         ^
% Invalid input detected at '^' marker.

o_cameras_.40#show vlan-switch
                       ^
% Invalid input detected at '^' marker.

o_cameras_.40#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa3/0/1, Gi3/0/1, Gi3/0/2
                                                Gi3/0/3, Gi3/0/4
800  cameras                          active    Fa3/0/2, Fa3/0/3, Fa3/0/4
                                                Fa3/0/5, Fa3/0/6, Fa3/0/7
                                                Fa3/0/8, Fa3/0/9, Fa3/0/10
                                                Fa3/0/11, Fa3/0/12, Fa3/0/13
                                                Fa3/0/14, Fa3/0/15, Fa3/0/16
                                                Fa3/0/17, Fa3/0/18, Fa3/0/19
                                                Fa3/0/20, Fa3/0/21, Fa3/0/22
                                                Fa3/0/23, Fa3/0/24, Fa3/0/25
                                                Fa3/0/26, Fa3/0/27, Fa3/0/28
                                                Fa3/0/29, Fa3/0/30, Fa3/0/31
                                                Fa3/0/32, Fa3/0/33, Fa3/0/34
                                                Fa3/0/35, Fa3/0/36, Fa3/0/37
                                                Fa3/0/38, Fa3/0/39, Fa3/0/40
                                                Fa3/0/41, Fa3/0/42, Fa3/0/43
                                                Fa3/0/44, Fa3/0/45, Fa3/0/46
                                                Fa3/0/47, Fa3/0/48
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
800  enet  100800     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Dan (Author, Network Engineer) commented:
I changed the port to a trunk port, and now it's up.
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Sorry for my delay, it's been crazy today.

But that's what I have been telling you in my comment above, for all the switches:

You need to type this command first:

switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport mode trunk
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
But glad you have it working.
Dan (Author, Network Engineer) commented:
My bad, I was worried that if I do that, then all the traffic would pass through that port, but I guess with the native vlan 1, that won't let other traffic pass, right?

Can I also use this command?
switch trunk allowed vlan exclude 800
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Let me explain to you how trunks and vlans work in a few words.

Trunk = connectivity between switches via the encapsulation protocol 802.1Q.
Vlans = subnet; this is the boundary of each network.

If you have two switches you need to create trunk links to pass your vlan subnet to the other link using a vlan tagging protocol called 802.1Q.
When you create vlans, only traffic from certain vlans will pass through the trunk link.

Example:

Sw1 - vlan 1, 800, 99 -- Interface Fa0/48 has been configured as a trunk port to pass vlan information to the next trunk.
Sw2 - vlan 1, 800, 99 -- Interface Fa0/48 has been configured as a trunk port to pass and receive vlans as well.

By default trunks allow all the vlans, but you can exclude vlans as you stated or only allow certain vlans to go out of your trunk.

You can use the command
NYC-FW(config-if)#switchport trunk allowed vlan <only the vlans you want to allow traffic for>
NYC-FW(config-if)#switchport trunk allowed vlan except <only the vlans you disallow traffic for>

Get it?
Dan (Author, Network Engineer) commented:
I'm getting further, I'm almost there, but I still have a problem.

Here's how my 2 switches are configured. I only have 2 switches that I have a problem with, and I can't believe I can't figure this out.
[diagram: setup]
So I'm able from my desktop to access my NVR now, which is great; it's an IP address on my LAN (192.168.101.255), so that works.
The problem is, none of the cameras are passing any information to the NVR. So for some strange reason, it seems like the traffic on vlan 800 is not passing through.

Here are some screenshots; let me know if you need any other show commands. Any idea what's wrong?

[screenshots: .37 int status, .37 int trunk, .37 vlan brief, .40 int status, .40 int trunk, .40 vlan brief]
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Is the NVR the name of the switch or the camera box?
Is that a dumb switch, in case it's a switch?
Dan (Author, Network Engineer) commented:
The NVR is actually an NVR that controls my IP cameras. There are no more dumb switches, I removed the dumb switch.
I guess you can say the NVR is the name of the actual camera box.
Dan (Author, Network Engineer) commented:
Not sure if this helps, but here's my show run for the ports in question:
Switch .40
!
interface FastEthernet3/0/1
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/2
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/46
 switchport access vlan 800
 switchport mode access
!
interface FastEthernet3/0/47
 switchport access vlan 800
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet3/0/48
 switchport access vlan 800
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/0/1
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet3/0/2
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet3/0/3
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet3/0/4
 switchport access vlan 800
 switchport mode access
!
interface Vlan1
 ip address 192.168.100.40 255.255.252.0
!
interface Vlan800
 no ip address
!
ip default-gateway 192.168.100.1
ip classless

switch .37

!
interface GigabitEthernet2/0/1
 switchport access vlan 800
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0/2
 switchport access vlan 800
 switchport mode access
!
!
interface GigabitEthernet2/0/22
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/23
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/24
 switchport access vlan 800
 switchport mode access
!
interface GigabitEthernet2/0/25
!
interface GigabitEthernet2/0/26
!
interface GigabitEthernet2/0/27
!
interface GigabitEthernet2/0/28
 switchport trunk encapsulation dot1q
 switchport mode access
!
interface Vlan1
 ip address 192.168.100.37 255.255.252.0
!
ip default-gateway 192.168.100.1
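As an added example (not the thread's or Cisco's code), a Python model of the allowed-VLAN and native-VLAN rules Hemil describes further up, applied to the two inter-switch ports just posted (.37 GigabitEthernet2/0/28 and .40 FastEthernet3/0/48). Assumptions: the defaults it uses for ports with no switchport lines (dynamic auto, access VLAN 1, native VLAN 1, all VLANs allowed) are the Catalyst 3750 defaults, and the config excerpts are constructed from the stanzas posted in this thread.

```python
from dataclasses import dataclass

ALL_VLANS = frozenset(range(1, 4095))

@dataclass
class Port:  # assumed Catalyst 3750 defaults for a port with no 'switchport' lines
    name: str
    mode: str = "dynamic auto"
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: frozenset = ALL_VLANS

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12,800' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def apply_switchport(port, words):
    """Apply one split 'switchport ...' line; 'trunk encapsulation' does not change forwarding."""
    if words[1] == "mode":
        port.mode = " ".join(words[2:])
    elif words[1:3] == ["access", "vlan"]:
        port.access_vlan = int(words[3])
    elif words[1:4] == ["trunk", "native", "vlan"]:
        port.native_vlan = int(words[4])
    elif words[1:4] == ["trunk", "allowed", "vlan"]:
        if words[4] == "all":
            port.allowed = ALL_VLANS
        elif words[4] == "none":
            port.allowed = frozenset()
        elif words[4] == "except":
            port.allowed = ALL_VLANS - parse_vlan_list(words[5])
        else:
            port.allowed = frozenset(parse_vlan_list(words[4]))

def parse_interfaces(config_text):
    """Return {interface name: Port} for every 'interface ...' stanza in a running-config excerpt."""
    ports, current = {}, None
    for words in (line.split() for line in config_text.splitlines()):
        if words and words[0] == "interface":
            current = ports.setdefault(words[1], Port(words[1]))
        elif words and words[0] == "!":
            current = None
        elif words and current is not None and words[0] == "switchport":
            apply_switchport(current, words)
    return ports

def operational_mode(port, peer):
    """Resolve DTP: an explicit mode is final; a dynamic port trunks only if the peer actively offers."""
    if port.mode in ("access", "trunk"):
        return port.mode
    peer_offers = peer.mode in ("trunk", "dynamic desirable")
    self_offers = port.mode == "dynamic desirable" and peer.mode.startswith("dynamic")
    return "trunk" if peer_offers or self_offers else "access"

def check_link(a, b):
    """Return (VLANs carried end to end, findings) for two directly connected ports."""
    mode_a, mode_b, findings = operational_mode(a, b), operational_mode(b, a), []
    if mode_a == mode_b == "trunk":
        if a.native_vlan != b.native_vlan:  # the condition behind %CDP-4-NATIVE_VLAN_MISMATCH
            findings.append(f"native VLAN mismatch: {a.name}={a.native_vlan} vs {b.name}={b.native_vlan}")
        return a.allowed & b.allowed, findings
    if mode_a == mode_b == "access":
        if a.access_vlan != b.access_vlan:
            findings.append(f"access VLAN mismatch: {a.name}={a.access_vlan} vs {b.name}={b.access_vlan}")
        return {a.access_vlan} & {b.access_vlan}, findings
    acc, trk = (a, b) if mode_a == "access" else (b, a)  # untagged frames land in the trunk's native VLAN
    findings.append(f"mode mismatch: {acc.name} is access, {trk.name} is trunk")
    if acc.access_vlan != trk.native_vlan:
        findings.append(f"VLAN {acc.access_vlan} on {acc.name} bleeds into VLAN {trk.native_vlan} on {trk.name}")
    ok = acc.access_vlan == trk.native_vlan and trk.native_vlan in trk.allowed
    return ({acc.access_vlan} if ok else set()), findings

def audit(config_text, port_a, port_b):
    ports = parse_interfaces(config_text)
    return check_link(ports[port_a], ports[port_b])

# Constructed excerpt mirroring the two inter-switch ports posted above (.37 Gi2/0/28 and .40 Fa3/0/48)
AS_POSTED = """\
interface GigabitEthernet2/0/28
 switchport trunk encapsulation dot1q
 switchport mode access
!
interface FastEthernet3/0/48
 switchport access vlan 800
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

def trunk_stanza(name, native, allowed):
    """Corrected form of a link port: explicit trunk, explicit native VLAN, explicit allowed list."""
    return (f"interface {name}\n switchport trunk encapsulation dot1q\n switchport trunk native vlan {native}\n"
            f" switchport trunk allowed vlan {allowed}\n switchport mode trunk\n!\n")

CORRECTED = trunk_stanza("GigabitEthernet2/0/28", 1, "1,800") + trunk_stanza("FastEthernet3/0/48", 1, "1,800")
```

On the stanzas as posted, `audit(AS_POSTED, "GigabitEthernet2/0/28", "FastEthernet3/0/48")` reports a mode mismatch and VLAN 1 as the only VLAN crossing the link; on the corrected pair it reports VLANs 1 and 800 with no findings.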
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
If that is the case then follow this.

Switch .40 (Port 48 is a trunk, it can't be): you are sending tagged traffic to a non-switch.

This is what you need to do:

no switchport trunk encapsulation
no switchport mode trunk
switchport mode access
switchport access vlan 800 (I believe that's the subnet for the cameras, right?)

try it, that should work
Dan (Author, Network Engineer) commented:
Here's the thing: both the cameras and my desktop and the NVR are all technically on the same network, 192.168.100.0/22. The issue is, I just don't want the camera traffic traversing all of my network, to not cause any bottlenecks; I just want that traffic to stay between those two switches, .37 and .40, and the NVR.
I hope that makes sense.
Dan (Author, Network Engineer) commented:
So with switch .40 port 48, how do I get it to send both vlan 1 and vlan 800 traffic, as that's what I need?
Dan (Author, Network Engineer) commented:
The NVR needs to accept all the traffic, from the cameras and the rest of my network, I was just trying to setup a vlan, so I can keep the cameras only on those two switches, so it doesn't hog the rest of my network.  Does that make sense?
Hemil Aquino (Network Security Engineer, Distinguished Expert 2018) commented:
Alright dude, let me draw this so you can get the picture of what you need.

From what I can see you only have one subnet connected to PC, NVR and cameras.
Dan (Author, Network Engineer) commented:
Yes, so technically I can remove vlan 800 and everything will work just fine, but I wanted to keep the camera traffic only on those two switches, so it doesn't come back on my LAN.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Question, did you give an IP address to the vlan 800? Something like 192.168.1.254?
Dan, Network Engineer

Author

Commented:
No, I did not. I only assigned IPs to the vlan 1 on all the switches. I know that's not best practice, but that's what I did.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Oh, now I see your problem clearly. Let me ask you another question: what type of router do you have?
Dan, Network Engineer

Author

Commented:
I have to leave for the day. I'll respond tomorrow if I can, but I'm off on Fridays. I'll be back in the office on Monday, so for sure I'll be able to implement or do what you suggest on Monday.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
You need router on a stick to implement what you want. I will do something with a diagram and configuration.
But tell me what kind of router you have first.
Dan, Network Engineer

Author

Commented:
I don't have a router. I have a L3 switch that does my routing, it's static routing. It's a Cisco 4948 10GE switch.
I have a flat network, everything internally is 192.168.100.1/22.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
How do you do the translation to the internet? NAT, or you don't need internet?
Dan, Network Engineer

Author

Commented:
This is from my core switch, that does my routing:

interface Vlan1
 ip address 192.168.100.1 255.255.252.0
!
ip default-gateway 192.168.100.1
ip route 0.0.0.0 0.0.0.0 192.168.100.3
ip route 10.0.1.0 255.255.255.0 10.0.3.5
ip route 192.168.250.0 255.255.255.0 192.168.100.3
no ip http server
no ip http secure-server
!

The 250 network is separate. I probably don't even need it, but it was in my previous switch, so I thought I'd use it.
The 10.0.1 network was for my lab, which is not set up yet, but I will in a few months.
Dan, Network Engineer

Author

Commented:
Sorry, my firewall does all that. My firewall acts as a router as well, it does my NAT, etc...

My firewall IP is 192.168.100.3.
So my L3 switch passes all traffic to the firewall that is destined for the internet.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Ok, go home. I will send you a complete document with all the configuration.
Dan, Network Engineer

Author

Commented:
I hope that helps.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Oh ok, that's what I needed to know.
Dan, Network Engineer

Author

Commented:
I have a total of 19 switches. I only showed you 3, as that's my focus right now; all other switches are all using vlan 1.
Each switch is a trunk that connects to my core, and every port on my core switch is a trunk as well, but I don't have multiple vlans.
Everything seems to work fine, just these camera switches.
Dan, Network Engineer

Author

Commented:
Great, thanks, leaving now.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
You need an IP address for the vlan 800, something like 192.168.101.254, for your switch.
Also you need to add a second network in your firewall for the translation of it, in case you want to see the cameras from the internet.
Dan, Network Engineer

Author

Commented:
So I just need to add an IP on the vlan 800?

Why would I do that, as all the IPs are on my network? So my network incorporates the following, since I'm using a mask 255.255.252.0:

192.168.100.1/24
192.168.101.1/24
192.168.102.1/24
192.168.103.1/24

So even the IP cameras are on my network; the cameras' IPs are 192.168.101.245, etc...

So do I still need to assign an IP to vlan 800?

I guess the easiest thing is to remove all vlans, and trunks, and keep it on the default vlan 1, and everything will work, but I just didn't want the camera bandwidth to affect the rest of the network.
I don't understand why it's this difficult. When I did all my training for my CCNA, everything worked and was straightforward when I used Packet Tracer. Oh well.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Hi dude, I apologize for the delay, I've been really busy at work.

Here is what you need.

Firewall: You need a static route to send the vlan traffic from your L3 switch to the next hop destination 192.168.1.1, which is the firewall gateway. If I were you I would summarize the subnet.

Switch 1: Your main switch is going to have the gateways. E.g.:

Vlan 1, Description LAN, IP 192.168.10.1 255.255.255.0
Vlan 800, Description Cameras, IP 192.168.11.1 255.255.255.0
Vlan 99, Description Management, IP 192.168.12.1 255.255.255.0 -- This is extra so you can access the switches via SSH or Telnet.

You need to add those vlans to all the switches.
Below is my configuration.

This is a diagram of how everything needs to be set up.
SWITCH 1

Current configuration : 1566 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 no switchport
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan20
 description CAMERA
 ip address 192.168.3.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!

SWITCH 2

Current configuration : 1384 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
Dan, Network Engineer

Author

Commented:
Hemil, I tried what you suggested, but it didn't work.

I just created a small Packet Tracer network, with the 3 switches, a few cameras, the NVR and a few computers, and I'm going to experiment with that. Would it help you if I send you the Packet Tracer network file, and see if you can get it working there?
Because I just exported my config to the Packet Tracer and same issue, I can't ping or reach the cameras.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Attached the file.
Change the extension.
Cameras.txt
Dan, Network Engineer

Author

Commented:
I think I know what the issue is: all my devices are on the same network, 192.168.100.1/24.
On your map, you have the cameras on a different network, but that's not the case for me.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Of course, that's why I've been saying you need two different subnets.

Check my Packet Tracer, everything will look as you want it.
Dan, Network Engineer

Author

Commented:
So there's no way to do it using just one subnet?
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
No dude, the whole point of the vlans is to divide traffic from one another.
And what you are trying to do is not mix the camera traffic with the LAN traffic, is that correct?
Dan, Network Engineer

Author

Commented:
Correct, but I wanted to be able to access the network from vlan 1.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
You can, actually. Your switch is layer 3, right? So it will do routing.
In case it doesn't, all we can do is create an access list permitting your IP address to connect to your cameras.
Dan, Network Engineer

Author

Commented:
I do have a layer 3 switch, it's a Cisco 4948 10GE switch.
So what kind of route would I even write, since the traffic never leaves my network, it's all internal?
So I would create a route for the new network, but where do I point it, since it's all internal, and I don't have another L3 switch as another network or anything?

I guess I would route the traffic to the physical switch that is connected to the camera switches, is that the case?
Perhaps it's easier with ACLs?

What would the ACL look like to just allow all traffic from network 192.168.100.1/24, as that's probably the easiest?
I'm guessing I need to add this ACL on each trunk port, right?
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Did you check my Packet Tracer example? All the configuration is there. Take a look and tell me what you don't understand.
Dan, Network Engineer

Author

Commented:
Ok, will look at it now.
Dan, Network Engineer

Author

Commented:
It's just that it doesn't match my network exactly, but I think it's close enough. Let me look at it.
Dan, Network Engineer

Author

Commented:
I don't see any ACLs in your config.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
There's no access list.

Both switches have both vlans; each vlan will have its own subnet, one for the cameras and another one for the LAN.
And from the switch you will have an IP route to the firewall.
Dan, Network Engineer

Author

Commented:
I think I'm complicating things, as from vlan 1, my LAN, I still need to access all the cameras and the NVR. I just didn't want the video traffic to pass through my core switch, but I guess that doesn't matter at this point.
Akinsd, Network Administrator

Commented:
There have been a lot of comments since my last post, so my apologies if I'm repeating what has been said.

With what I have read so far, vlan 800 has an IP address within the vlan 1 range, meaning vlan 800 currently does not exist on your switches, even though you think you configured it.

If you're keen on having a separate vlan for your cameras, you will need to create a Switched Virtual Interface (SVI) on your distribution switch.
The IP you give that interface becomes the default gateway for the cameras.

I saw above that you created an SVI for the cameras on VLAN 20, with gateway 192.168.3.1/24.
This should be vlan 800 if you plan to use 800. You won't need to configure any routes since the SVIs are connected. This means your cameras will have IPs within 192.168.3.2 - 254 and a gateway of 192.168.3.1; subnet mask 255.255.255.0.

show ip route
will list the routes.

The problem is the consistency of your network, and there is no firewall or route issue that I can see.
Use this link to calculate your IP range and ensure there's no overlapping:
http://www.subnet-calculator.com
Dan, Network Engineer

Author

Commented:
So you're saying the only reason why this wasn't working is because I needed to create vlan 3 on my core switch, my L3 switch?

Just a few minutes ago, I started changing the config, and I'm just going to put all the cameras on the existing network, in vlan 1.

I guess I can separate it later if I really need to. In thinking about it, since the switches know where the NVR is at, on what port/switch, the traffic will not traverse my entire network, as it will take the shortest path to the NVR, so I should be fine anyways. Isn't that true?
Dan, Network Engineer

Author

Commented:
Akinsd, I tried what you suggested, but it's still not working.

I'm just going to remove all the vlans, and make sure the cameras are on the LAN network, as I've spent too much time already.
Dan, Network Engineer

Author

Commented:
I've been trying using Packet Tracer, and it's still not working.
Akinsd, Network Administrator

Commented:
Attach your Packet Tracer file.
Dan, Network Engineer

Author

Commented:
Here it is, but I now just made everything flat, all on the native vlan 1.

It only includes the switches that deal with my cameras, and 1 other. It's not my entire network; I will add the rest when I need that.

So what I was trying to do is put my cameras on switches .37 and .40 in a separate vlan that sends the data to the NVR, but I also need to access the cameras and NVR from my native vlan 1, for management purposes.

I had to change the extension from pkt to txt, so after you download the file, change it back to pkt.
Anetwork.txt
Network Administrator

Commented:
I just looked at your file.

Based on what you sent, to separate the vlans, I had to do the following:
- Topology change (i.e. fix a layer 2 issue). This is just 1 simple way.
- Modified spanning tree to ensure both .37 and .40 connect directly to the core. This also means traffic from the NVR to cameras .251 and .252 would have to pass through the core unless one or both links to the core break.
- Created a separate SVI for vlan 800 (L3 and L2 on core / then L2 on .37 and .40).

To really benefit from separating the vlans, you will need to create an access list that restricts traffic; otherwise, there is no point creating a door between 2 rooms and leaving it wide open.
I would recommend that you identify your goals and map out an appropriate strategy to implement whatever you decide.
See attached file.
Anetwork.txt
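Putting Hemil's two-subnet layout and the SVI-plus-ACL advice from the post above together, here is an added example configuration (not taken from either expert's attachments) that uses Hemil's example addressing with the camera VLAN renumbered to 800; the interface numbers, the management workstation address 192.168.2.50 and the ACL names are assumptions.

```cisco
! --- Core L3 switch (the 4948): routes between the LAN and the camera VLAN ---
ip routing
vlan 800
 name CAMERAS
!
interface Vlan1
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
! Default gateway for the cameras and the NVR (address from Hemil's example, renumbered to vlan 800)
interface Vlan800
 description CAMERAS
 ip address 192.168.3.1 255.255.255.0
 ip access-group CAM-OUT out
 ip access-group CAM-IN in
!
! Only the management workstation (assumed 192.168.2.50) may talk to the camera subnet;
! camera-to-NVR traffic stays inside vlan 800, is switched at layer 2 and never reaches these ACLs.
ip access-list extended CAM-OUT
 remark routed traffic leaving the core toward vlan 800
 permit ip host 192.168.2.50 192.168.3.0 0.0.0.255
 deny   ip any any
!
ip access-list extended CAM-IN
 remark traffic from vlan 800 entering the core
 permit ip 192.168.3.0 0.0.0.255 host 192.168.2.50
 deny   ip any any
!
! Uplink to each camera switch (interface number assumed): carry only vlan 1 and 800,
! same native vlan on both ends so the native VLAN mismatch message goes away.
interface GigabitEthernet1/37
 description uplink to camera switch .37
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,800
 switchport mode trunk
 switchport nonegotiate
!
! --- Camera switch (.37 and .40): layer 2 only, vlan 800 defined but with no SVI ---
vlan 800
 name CAMERAS
!
interface GigabitEthernet1/0/48
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,800
 switchport mode trunk
 switchport nonegotiate
!
interface range GigabitEthernet1/0/1 - 24
 description cameras / NVR
 switchport mode access
 switchport access vlan 800
 spanning-tree portfast
```

Further LAN hosts that need to reach the cameras or the NVR get their own permit lines in both ACLs; everything else on the LAN is dropped at the SVI, which is the "door" the post above refers to.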
Dan, Network Engineer

Author

Commented:
Thanks guys for your help.