Cisco help

Solved by Wombo

Curious if anyone around here is good with the Cisco command line?

I have a giant switch for the work lab (Catalyst 6509).

I would like to have it link to another switch, a top-of-rack switch for my vMotion and DRACs.

Curious what port setting to use on the Catalyst? I was going to do the default of dynamic auto as safe, but I can't get to the multiple IPs that way, only one.

If I plug directly into my top-of-rack switch, it works fine. Any ideas? Or does this not make sense?

https://linustechtips.com/topic/500591-cisco-help/


You'll need to configure it as a trunk port and make sure all the VLAN information is correct etc. Realise this is a rather quick response with little detail, but I can give more details if required.

Don't want to jump too far in without knowing your network setup. Also, is this a production system or just a test lab?

https://linustechtips.com/topic/500591-cisco-help/#findComment-6684683

If one end is dynamic auto the other needs to be dynamic desirable or a static trunk port. Auto-auto will not form a trunk.

Auto = I'll be a trunk but only if you ask, I'm not going to ask.

Desirable = I want to be a trunk and I will ask.

Static Trunk (on) = I am only a trunk and will be a trunk no matter what the other port says, I will ask it to be a trunk.

These statements are true under the assumption that the "switchport nonegotiate" command has not been issued. Ports configured as static ports (trunk or access) will still negotiate trunking with DTP; you can use the above listed command to disable VTP on any port.

Realistically this is only really necessary if you are doing VLANs. If you are not doing VLANs you should just be able to plug it into another switch and you should be good to go. There are some possible other issues here, however:

ensure the port is not in the shutdown state

rootguard, BPDU guard or other features may disable (loop-inconsistent, err-disable) the port if these options are enabled on either switch

MAC filters or port-security features

There are also some other possibilities, but these would be the more common issues. However, perhaps I just don't fully grasp what your question is here; can you clarify what you mean by "but i can't get to the multiple IP's that way. only one."? Is the port in the "no switchport" or routed port state?

https://linustechtips.com/topic/500591-cisco-help/#findComment-6684857
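The negotiation rules in the answer above, worked through as an added Python example (not part of the original post). The Port class and function names are constructed for illustration; the model follows the post's "asks / only if asked" wording and adds the case where "switchport nonegotiate" silences a static port.

```python
from dataclasses import dataclass

@dataclass
class Port:
    mode: str                  # "access", "trunk", "dynamic auto", "dynamic desirable"
    nonegotiate: bool = False  # "switchport nonegotiate", static modes only

    def __post_init__(self):
        # nonegotiate only makes sense on a static access or trunk port
        if self.nonegotiate and self.mode.startswith("dynamic"):
            raise ValueError("nonegotiate conflicts with a dynamic mode")

    def asks(self):
        """True if this port sends DTP frames requesting a trunk."""
        return self.mode in ("trunk", "dynamic desirable") and not self.nonegotiate

def operational_mode(port, peer):
    """Mode a port ends up in, given what its neighbour is doing."""
    if port.mode in ("access", "trunk"):
        return port.mode   # static ports keep their configured mode
    if peer.asks():
        return "trunk"     # auto and desirable both accept a request
    if port.mode == "dynamic desirable" and peer.mode == "dynamic auto":
        return "trunk"     # this side asked and the auto peer agreed
    return "access"        # nobody asked, or nobody answered

def link_result(a, b):
    """'trunk' or 'access' when both ends agree, otherwise 'mismatch'."""
    ends = {operational_mode(a, b), operational_mode(b, a)}
    return ends.pop() if len(ends) == 1 else "mismatch"

if __name__ == "__main__":
    for a, b in [(Port("dynamic auto"), Port("dynamic auto")),
                 (Port("dynamic auto"), Port("dynamic desirable")),
                 (Port("trunk", nonegotiate=True), Port("dynamic auto"))]:
        print(a.mode, "<->", b.mode, "=>", link_result(a, b))
```

A neighbour that does not speak DTP at all can be modelled here as a static port with nonegotiate=True, which is why a dynamic auto port facing it stays an access port.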

I've always explicitly configured ports to trunk or access and disabled DTP. Is this still considered good practice or is my training just old and outdated? :P

Same here. When I hop on a switch for the first time I configure every port as an access port (in a VLAN other than 1), limit the max MACs to 10 (just to prevent flooding), and disable DTP. I also globally set every access port to portfast and enable BPDU guard. I also put every port in the shutdown state.

 

I do a few other things as well, but this is where I like all my ports to start. I configure any other ports as needed from there and apply any other features as needed.

 

Edit: I also turn VTP off if the device supports it.

https://linustechtips.com/topic/500591-cisco-help/#findComment-6684983


 

Wombo.

Thanks for the help. I have set the configuration and just had a chance to check in on it today, with a no go.

What I have is the Cisco as our core switch. Then I have one single line running to a top-of-rack switch. Plugged into this switch is the mgmt line for ESXi on 15 hosts, plus remote access cards for 15 hosts. So 30+ different IPs.

Also on this switch I have its own vMotion setup, though that's separate from the main network.

I have the port configured as a trunk, but I am nowhere near adept at working with the Cisco CLI. This has been passed off to me as the previous guy to set it up has retired.

With it as a trunk connecting into the PowerConnect switch, I would assume from my core switch I can access the IPs of a DRAC or mgmt, though I cannot.

If I plug into the PowerConnect (top-of-rack switch) using the same static IP, it works fine.

How do I disable MAC security or any port security on this one specific port? Wondering if that may limit me, from what I have been researching.

Here is the current config:

 

interface GigabitEthernet6/13
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-21,110-304
 switchport mode trunk
 spanning-tree portfast edge
end
 
With this run previously:
******(config-if)#No switchport port-security
******(config-if)#No switchport port-security violation protect
******(config-if)#No switchport port-security mac-address sticky
 
https://linustechtips.com/topic/500591-cisco-help/#findComment-6689788

Changing it to trunk and disabling some of the items mentioned above seems to work for some.

The rest is down to adding all my VLANs (26 of them). Is there a single command to allow all possible VLANs, or do I need to specifically state them?

If you are not concerned with security you can use the command

 

switchport trunk allowed vlan all

 

 


 

Verify that all the VLANs have been created on both devices, they are allowed across the trunk, and that each end of the trunk is up and operating as a trunk.

 

Verify VLANs:

show vlan brief

 

Verify Trunks & Interfaces:

show interface trunk

and;

show interface <interface> switchport  (add " | exclude private" to the end if you are not using private vlans, it will clean up the output)

 

Also, from the wording above I am assuming you are trying to access IPs across a subnet boundary. This will require some form of routing; either a layer 3 switch or a router will be able to do this. If you are trying to access IPs local to the subnet, then we will need to look into the trunk and VLAN configurations still.

 

What are you currently using for inter-vlan routing?

 

It doesn't look like you have any port security features enabled, so we are good there.

 

Edit: I notice you have the port configured as a portfast edge port. This leads me to believe you are also running spanning-tree; just make sure spanning-tree isn't blocking the port.

 

show spanning-tree

 

If no instance of spanning-tree is running you're probably fine, if there is an instance check and see if the ports are forwarding traffic.

Ensure the port is in either the designated (desg) or root (root) port role with the state being forward (fwd)

https://linustechtips.com/topic/500591-cisco-help/#findComment-6691543
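The port baseline described earlier in the thread (DTP disabled, access ports out of VLAN 1, port-security) and the "allowed vlan all" caveat above, turned into a small config audit as an added Python example that is not part of any post here. The first stanza is the trunk posted in the thread; the other two ports, the finding strings and the function names are constructed for illustration.

```python
# Constructed input: Gi6/13 is the trunk posted in this thread;
# Gi6/14 and Gi6/15 are made-up ports added for contrast.
SAMPLE_CONFIG = """\
interface GigabitEthernet6/13
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-21,110-304
 switchport mode trunk
 spanning-tree portfast edge
interface GigabitEthernet6/14
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet6/15
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Split running-config text into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = stanzas.setdefault(raw.split()[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def has_value(lines, prefix, bad):
    """True if some line starts with prefix and its value is not `bad`."""
    return any(l.startswith(prefix) and l[len(prefix):] != bad for l in lines)

def audit(config):
    """Return {interface: [findings]} for the checks raised in the thread."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in lines
        access = "switchport mode access" in lines
        checks = [
            ("DTP still negotiating", "switchport nonegotiate" not in lines),
            ("trunk carries every VLAN", trunk and not has_value(
                lines, "switchport trunk allowed vlan ", "all")),
            ("access port in VLAN 1", access and not has_value(
                lines, "switchport access vlan ", "1")),
            ("no port-security", access and "switchport port-security" not in lines),
        ]
        report[name] = [text for text, failed in checks if failed]
    return report
```

On the posted Gi6/13 stanza the only finding is that DTP is still negotiating, since the VLAN list is already restricted and the port is a static trunk without "switchport nonegotiate".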

Also make sure the port on the 6509 you're plugging into for testing is on the correct access VLAN, the same as on the top-of-rack switch. If the access port you're using has a different configuration then it will fail; basic, but something to check just in case.

https://linustechtips.com/topic/500591-cisco-help/#findComment-6693451
