Dear Experts,

I'm connecting two buildings with Cisco 1300 bridges as a secondary (backup) link. My primary link is fiber.

I managed to configure the root bridge and non-root bridge successfully and the traffic is flowing. However, only the native VLAN (127) is flowing between the two bridges, whereas I have 5 other VLANs. I tried a lot to make the traffic for these VLANs pass through the bridge, but to no avail.

Here is my configuration:

SW_ROOT

interface GigabitEthernet0/24
 description ***Connected to Root Bridge***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
 switchport mode trunk
 ip arp inspection trust
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 storm-control action trap
 spanning-tree port-priority 0

-----------------------------------------
SW_NONROOT

interface GigabitEthernet0/24
 description **Connected to NON ROOT BRIDGE**
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
 switchport mode trunk
 ip arp inspection trust
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap

----------------------------------------------------
ROOT_BRIDGE

!
hostname Root_Bridge
!
dot11 vlan-name ELC1 vlan 185
dot11 vlan-name ELC2 vlan 184
dot11 vlan-name management vlan 127
dot11 vlan-name student vlan 50
dot11 vlan-name teacher vlan 60
dot11 vlan-name wirent vlan 70
!
dot11 ssid WiFi-Admin
   vlan 127
   authentication open
   guest-mode
   infrastructure-ssid
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid WiFi-Admin
 !
 station-role root bridge
 distance 1
 world-mode dot11d country x both
 infrastructure-client
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 port-protected
 bridge-group 50 spanning-disabled
!
interface Dot11Radio0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 port-protected
 bridge-group 60 spanning-disabled
!
interface Dot11Radio0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 bridge-group 70 port-protected
 bridge-group 70 spanning-disabled
!
interface Dot11Radio0.127
 encapsulation dot1Q 127 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 port-protected
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.184
 encapsulation dot1Q 184
 no ip route-cache
 bridge-group 184
 bridge-group 184 port-protected
 bridge-group 184 spanning-disabled
!
interface Dot11Radio0.185
 encapsulation dot1Q 185
 no ip route-cache
 bridge-group 185
 bridge-group 185 port-protected
 bridge-group 185 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface FastEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface FastEthernet0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 spanning-disabled
!
interface FastEthernet0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 bridge-group 70 spanning-disabled
!
interface FastEthernet0.127
 encapsulation dot1Q 127 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.184
 encapsulation dot1Q 184
 no ip route-cache
 bridge-group 184
 bridge-group 184 spanning-disabled
!
interface FastEthernet0.185
 encapsulation dot1Q 185
 no ip route-cache
 bridge-group 185
 bridge-group 185 spanning-disabled
!
interface BVI1
 ip address 192.168.x.x 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.x.x
ip http server
bridge 1 priority 65535
bridge 1 protocol ieee
bridge 1 route ip
bridge 50 priority 65535
bridge 50 protocol ieee
bridge 60 priority 65535
bridge 60 protocol ieee
bridge 70 priority 65535
bridge 70 protocol ieee
bridge 184 priority 65535
bridge 184 protocol ieee
bridge 185 priority 65535
bridge 185 protocol ieee
!
!
!
line con 0
line vty 0 4
!
end

-------------------------------------------------
NON_ROOTBRIDGE

hostname NON_ROOT_BRIDGE
!
!
dot11 vlan-name ELC1 vlan 185
dot11 vlan-name ELC2 vlan 184
dot11 vlan-name management vlan 127
dot11 vlan-name student vlan 50
dot11 vlan-name teacher vlan 60
dot11 vlan-name wirent vlan 70
!
dot11 ssid WiFi-Admin
   vlan 127
   authentication open
   guest-mode
   infrastructure-ssid
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid WiFi-Admin
 !
 station-role non-root bridge
 world-mode dot11d country X both
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 port-protected
 bridge-group 50 spanning-disabled
!
interface Dot11Radio0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 port-protected
 bridge-group 60 spanning-disabled
!
interface Dot11Radio0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 bridge-group 70 port-protected
 bridge-group 70 spanning-disabled
!
interface Dot11Radio0.127
 encapsulation dot1Q 127 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 port-protected
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.184
 encapsulation dot1Q 184
 no ip route-cache
 bridge-group 184
 bridge-group 184 port-protected
 bridge-group 184 spanning-disabled
!
interface Dot11Radio0.185
 encapsulation dot1Q 185
 no ip route-cache
 bridge-group 185
 bridge-group 185 port-protected
 bridge-group 185 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface FastEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface FastEthernet0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 spanning-disabled
!
interface FastEthernet0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 bridge-group 70 spanning-disabled
!
interface FastEthernet0.127
 encapsulation dot1Q 127 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.184
 encapsulation dot1Q 184
 no ip route-cache
 bridge-group 184
 bridge-group 184 spanning-disabled
!
interface FastEthernet0.185
 encapsulation dot1Q 185
 no ip route-cache
 bridge-group 185
 bridge-group 185 spanning-disabled
!
interface BVI1
 ip address 192.168.x.x 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.x.x
ip http server
no ip http secure-server
bridge 1 priority 65535
bridge 1 protocol ieee
bridge 1 route ip
bridge 50 priority 65535
bridge 50 protocol ieee
bridge 60 priority 65535
bridge 60 protocol ieee
bridge 70 priority 65535
bridge 70 protocol ieee
bridge 184 priority 65535
bridge 184 protocol ieee
bridge 185 priority 65535
bridge 185 protocol ieee
!
!
!
line con 0
line vty 0 4
 login local
!
end

-----------------------------



Appreciate your support.

asked 10/24/2011 08:33

sadiqallawati ♦♦


18 Answers:
You should not include any of the VLANs on the Aironet bridges.

What your config is doing at the moment is expecting traffic to be tagged on a specific VLAN from the Wireless interface before it is being passed to the wire.

Your switch configuration is correct, so if you delete all VLAN information from the bridges and just let them think they are on VLAN 1 they should pass all of your VLAN traffic between the two switches.

The storm-control commands are not needed on the ports where the bridges connect, and also I would remove the ip arp inspection trust command from these interfaces as the bridges might stop passing traffic properly.

answered

craigbeck

Hi craigbeck,

Do you mean that I don't have to create multiple interfaces on the bridge for each and every VLAN?

I found some Cisco documentation:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml

It seems there is something I'm missing. I will try to remove the ip arp inspection trust.

Any other suggestions?

answered 2011-10-26 at 13:21:05

sadiqallawati

The bridge will pass any traffic it receives on any interface if VLANs aren't configured.  If you configure VLANs it will ONLY pass those VLANs.

Did you do the configuration in the Web GUI or did you do it via Console/Telnet?

answered 2011-10-26 at 22:06:33

craigbeck

I did it through console.

So you suggest keeping only my native VLAN (VLAN 127) and removing everything else?

answered 2011-10-27 at 13:40:39

sadiqallawati

No, if you keep the native VLAN you will still have VLANs configured.  You need to completely remove ALL VLANs from each bridge.

However, if you want to use the VLAN configuration on the bridges I'd suggest doing it through the Web GUI instead of the Console/Telnet as there seems to be config (in the OP) which isn't required or usually created when a VLAN is configured.

answered 2011-10-27 at 13:45:36

craigbeck

Do you have a sample configuration of a bridge without any VLAN?

answered 2011-10-27 at 13:52:28

sadiqallawati

I have configs but only from a 1400 bridge and the config is slightly different.

I've just had a thought though... You've named your VLANs on the bridges. Remove that. You don't need to name the VLANs (apart from remembering what they are) and if the names don't match what's on the switch it won't work. Also your native VLAN isn't VLAN1 so VTP won't work (and therefore bridge VLAN names will never match).

answered 2011-10-27 at 13:58:21

craigbeck

I will try to remove the VLAN names, let's give it a try.

But I found this on Cisco:

http://www.cisco.com/en/US/docs/wireless/access_point/1300/12.3_7_JA/configuration/guide/b37vlan.html

Guidelines for Using VLAN Names

Keep these guidelines in mind when using VLAN names:

  • The mapping of a VLAN name to a VLAN ID is local to each access point/bridge, so across your network, you can assign the same VLAN name to a different VLAN ID.

Note: If clients on your wireless LAN require seamless roaming, Cisco recommends that you assign the same VLAN name to the same VLAN ID across all access point/bridges, or that you use only VLAN IDs without names.

  • Every VLAN configured on your access point/bridge must have an ID, but VLAN names are optional.

  • VLAN names can contain up to 32 ASCII characters. However, a VLAN name cannot be a number between 1 and 4095. For example, vlan4095 is a valid VLAN name, but 4095 is not. The access point/bridge reserves the numbers 1 through 4095 for VLAN IDs.

What do you think?

answered 2011-10-27 at 14:24:08

sadiqallawati

Hi craigbeck,

I tried what you suggested but it did not work. Actually, I am facing a new issue now. My setup is as follows:

SW1 --> Root Bridge --> NON Root Bridge -- SW2

I cannot ping Root Bridge and NON Root Bridge from SW1, however I can reach both of them from SW2. I checked the spanning tree from SW1 and all ports are in FWD state.

answered 2011-10-28 at 00:08:40

sadiqallawati

Can you post the new config from each device?

answered 2011-10-29 at 22:40:33

craigbeck

It's the same, except I removed the VLAN names.

answered 2011-10-30 at 07:04:58

sadiqallawati

And for the switches?

answered 2011-10-30 at 08:18:18

craigbeck

I removed the ip arp inspect trust.

answered 2011-10-30 at 09:24:09

sadiqallawati

Ok, so you've removed the VLAN names from the bridges and turned off IP ARP Inspection and now you can't ping them from SW1?
Can you post the complete config from the switches?

answered 2011-10-30 at 09:27:28

craigbeck

Here we are, I'm pasting the relevant information on each switch.
Main Office - SW1


version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname corerack_switch_1
!

ip routing
no ip domain-lookup
!
ip dhcp pool WiFi-Admin
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1
!
ip dhcp snooping vlan 50,60,70,127
ip arp inspection vlan 50,60,70,127
ip arp inspection log-buffer entries 10
ip arp inspection log-buffer logs 1 interval 86400
!
!

spanning-tree mode mst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
 name COLLEGEIBRA
 revision 1
 instance 1 vlan 50
 instance 2 vlan 60
 instance 3 vlan 70
 instance 4 vlan 127
!
spanning-tree mst 0-15 priority 0
spanning-tree vlan 1-4094 priority 24576
!
vlan internal allocation policy ascending
!
vlan 50
 name VLAN_50<student>
!
vlan 51
!
vlan 60
 name VLAN_60<teacher>
!
vlan 61
!
vlan 70
 name VLAN_70<wirent>
!
vlan 127
 name VLAN_127<Management>
!
vlan 178
!
vlan 188
 name WIRELESS
!
vlan 190
!

!
interface GigabitEthernet0/24
 description ***RootBridge***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
 switchport mode trunk
 spanning-tree port-priority 0

interface Vlan1
 no ip address
 shutdown
!
interface Vlan127
 description *** Management Vlan ***
 ip address 192.168.x.x 255.255.255.0
!
interface Vlan177
 no ip address
!
interface Vlan178
 no ip address
!
interface Vlan188
 ip address 10.153.x.x 255.255.254.0
!
interface Vlan190
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.x.1
ip http server
!

--------------------------------------------
Remote Office - SW2


Current configuration : 17722 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
ip dhcp snooping vlan 50,60,70,127
ip arp inspection vlan 50,60,70,127
ip arp inspection log-buffer entries 10
ip arp inspection log-buffer logs 1 interval 86400
!
!
!

spanning-tree mode mst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
 name COLLEGEIBRA
 revision 1
 instance 1 vlan 50
 instance 2 vlan 60
 instance 3 vlan 70
 instance 4 vlan 127
!
spanning-tree mst 0-15 priority 0
spanning-tree vlan 1-4094 priority 24576
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
vlan 11
 name DMZ
!
vlan 12-18
!
vlan 50
 name VLAN_50<student>
!
vlan 60
 name VLAN_60<teacher>
!
vlan 70
 name VLAN_70<wirent>
!
vlan 127
 name VLAN_127<Management>
!
vlan 177-178,180,182,184,188,190,255
!

interface GigabitEthernet0/24
 description **Connected to EL303AP(BRIDGE)**
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
 switchport mode trunk


interface Vlan1
 no ip address
 shutdown
!
interface Vlan127
 description *** Management Vlan ***
 ip address 192.168.x.27 255.255.255.0
!

ip classless
ip route 0.0.0.0 0.0.0.0 192.168.x.1
ip http server
!

answered 2011-10-30 at 09:59:30

sadiqallawati

Ok, apologies - you're running ARP inspection globally so you must re-enable it on the interfaces.

answered 2011-10-31 at 07:39:51

craigbeck
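
The SW1 and SW2 excerpts posted above differ in ways that are easy to miss by eye. As an added example (not part of the thread and not a diagnosis from either poster), this Python sketch audits trimmed copies of the two excerpts for trunk VLANs absent from the posted VLAN list, DAI-enabled VLANs carried on a port without `ip arp inspection trust`, and `vlan dot1q tag native`. The function names and the trimmed sample text are assumptions.

```python
import re

# Trimmed copies of the SW1/SW2 excerpts from the thread (constructed sample input).
SW1 = """\
ip arp inspection vlan 50,60,70,127
vlan 50
vlan 60
vlan 70
vlan 127
interface GigabitEthernet0/24
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
"""
SW2 = """\
ip arp inspection vlan 50,60,70,127
vlan dot1q tag native
vlan 50
vlan 60
vlan 70
vlan 127
vlan 177-178,180,182,184,188,190,255
interface GigabitEthernet0/24
 switchport trunk native vlan 127
 switchport trunk allowed vlan 50,60,70,127,184,185
"""

def vlan_set(spec):
    """Expand an IOS VLAN list such as '50,60,177-178' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(cfg):
    """Return findings for the single trunk port in a config excerpt."""
    defined, dai = set(), set()
    for m in re.finditer(r"^vlan ([\d,-]+)$", cfg, re.M):
        defined |= vlan_set(m.group(1))
    for m in re.finditer(r"^ip arp inspection vlan ([\d,-]+)$", cfg, re.M):
        dai |= vlan_set(m.group(1))
    allowed = vlan_set(re.search(r"trunk allowed vlan ([\d,-]+)", cfg).group(1))
    trusted = bool(re.search(r"^ ip arp inspection trust$", cfg, re.M))
    return {
        # allowed on the trunk but not in the excerpt's VLAN list
        "undefined_on_trunk": sorted(allowed - defined),
        # ARP on these VLANs is checked against DHCP snooping bindings here
        "dai_untrusted": [] if trusted else sorted(allowed & dai),
        "tags_native": bool(re.search(r"^vlan dot1q tag native$", cfg, re.M)),
    }

if __name__ == "__main__":
    a, b = audit(SW1), audit(SW2)
    print("SW1:", a, "\nSW2:", b)
    if a["tags_native"] != b["tags_native"]:
        print("native VLAN tagging differs between the two switches")
```

Because the thread only shows "the relevant information" from each switch, a VLAN reported as undefined may simply have been trimmed from the paste; `show vlan brief` on the device is the authoritative check.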

None of these worked out

answered 2011-10-31 at 11:34:27

sadiqallawati

Solution did not work

answered 2011-12-13 at 00:39:05

sadiqallawati

Asked: 10/24/2011 08:33

Seen: 504 times

Last updated: 12/16/2011 05:21