
This is my first time setting up VLANs on a Cisco so I've probably made some mistakes - would appreciate some suggestions. Thank you in advance.

...

From my understanding of switches, when a layer 2 broadcast packet is received, the switch should send it out to all other ports within the broadcast domain except the originating port.

Without VLANs, the broadcast domain should be all physical ports. If those ports are attached to switches, then those switches would in turn replicate it to all other ports as well.

In a VLAN setup, the broadcast domain is all physical ports that are "configured" to use that VLAN.
Note: Technically "interfaces" .. and "tagged" are correct terminology but I'm being careful not to use words that can mean different things with different vendors.

So if my understanding is correct, then something seems to be preventing broadcast traffic from being sent to all other ports. I've used a packet sniffer on the router to determine this. There are no received packets on the specific interface with a destination MAC address of ff:ff:ff:ff:ff:ff.

My physical setup is this:

Cisco SG500-52MP switch. Three ports are configured for VLAN #14. In Cisco language these are configured as "Access Ports". My understanding of that is that it means all ingress traffic is tagged to VLAN 14. All egress traffic is untagged. When I say "tagged", I mean the VLAN id is added to the packet, and untagged means its stripped.

Of those three ports, one connects to a PC, one to a controller, and one to the Mikrotik Router. The interface on the router has no VLAN configuration at all - the ports aren't bridged - its functioning as an actual router.

On the Cisco switch, when I do "show vlan" it shows me:

```
Vlan  Tagged Ports  UnTagged Ports
----  ------------  ------------------------------------
1                   gi1/23-24,gi1/31-47,gi1/49-52,po1-32
10
14                  gi1/25-30
32    gi1/49        gi1/1-22,gi1/48
200   gi1/50
```

Interfaces 27-29 have the same switchport configuration.
```
show interfaces switchport ge1/1/27

Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi1/27
Port Mode: Access
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 14

Port is member in:

Vlan               Name               Egress rule     Added by
---- -------------------------------- ----------- ----------------
 14                BMS                 Untagged          S


Forbidden VLANS:
Vlan               Name
---- --------------------------------


Classification rules:

Protocol based VLANs:
  Group ID   Vlan ID
------------ -------


Mac based VLANs:
  Group ID   Vlan ID
------------ -------
```

I notice it says "Ingress Filtering: true" .. My understanding is that should not filter out packets without a VLAN identifier (VLAN #1 in Cisco language), since it's an access port.

```
show run int ge1/1/29

interface gigabitethernet1/29
 switchport mode access
 switchport access vlan 14
!
```

Also - the version ... show version

```
SW version    1.4.11.2 ( date  26-Sep-2019 time  20:01:21 )
Boot version    1.3.5.06 ( date  21-Jul-2013 time  15:12:21 )
HW version    V03
```

When I use the router's packet sniffer tool on the specific port for this VLAN, I can only see multicast packets between the switch and the router .. and one lone discovery packet from the router. It very clearly shows that no packets are received with a VLAN ID - which is what I expect. [Image: Packet Sniff/Winbox Passive Results]

When I do a packet sniff while trying to ping the static IP of the controller host, I can see the ARP requests leaving the router correctly, but nothing being received. [Image: Packet Sniff/Winbox ARP Results]

Previously I took another small Mikrotik and hooked it into one of the three ports on the cisco and did a packet capture on the receiving end. The ARP packets did not make it through.

So this tells me the Cisco is filtering them .. but why? I should add that when I configured these switches, I did a complete factory reset, and then copied / pasted the configuration commands I had saved. This is my way of ruling out any sort of typos, or referencing the wrong interface by accident. I know these Small Business switches have some nuances to them vs the Catalysts - and something tells me I'm being bit by one of them.

DHW
  • Switches switch frames, not packets; routers strip off the frame to route the packet, and apply a new frame for the next interface. Switches only tag frames on trunks, where there can be several different VLANs. The switch does not tag or filter internally. The switch will simply not send any frames received on one VLAN to an interface configured for a different VLAN. Switching happens in hardware. The original VLAN tagging (Cisco ISL, was really encapsulation, not tagging) did encapsulate the frames with the tag internally. – Ron Maupin Feb 19 '20 at 22:34
  • Could you post the output of: show run int ge1/1/27 Thanks, Mike D – Mike Dooley Feb 20 '20 at 01:30
  • @MikeDooley Added the Show Run results. Also verified that the show run results are identical for interfaces 27 through 29. – DHW Feb 20 '20 at 10:44
  • This model of router lists five switchport modes: general, access, trunk, customer, private-vlan. The description of "access" says "vlan unaware port" .. My thinking is that by setting ports 27-29 to switchport mode "access", and then setting their native VLAN to 14 . is that I'm creating a separate virtual switch. I would expect it to function the same as if I had a physical 3 port switch. Maybe this is wrong? – DHW Feb 21 '20 at 15:02
  • The thing is, once a port goes into a VLAN, it becomes like it's in a different network from the other ports. In order for the traffic to reach a port in a different VLAN, the traffic needs to go through a router, and routers do not forward broadcasts by default. – Davidw Feb 26 '20 at 04:16
  • @Davidw Yes - but that's exactly what I want. Ports 27 to 29 are all on the same VLAN and only one VLAN, which means they should function as if they were a completely separate switch. When I said I was packet sniffing from the router - I was not looking at packets being forwarded through the router - I was merely using it as a host on the vlan so I could packet sniff. Something is stopping layer 2 broadcast traffic when the ports are tagged.. remove the VLAN and it works. – DHW Feb 26 '20 at 06:31
  • Since the router is vlan aware, wonder if I should try setting it up as a trunking port. Who knows - maybe it's something stupid like Cisco only forwards broadcast traffic between single access ports and trunk lines (like port isolation) – DHW Feb 26 '20 at 06:33
  • I believe both ends MUST be set to trunking if you're using static trunking (as opposed to VTP). – Davidw Feb 26 '20 at 17:31
  • @DavidW not sure what you mean by "both" .. it's not a tunnel or something. To me, what I'm trying to do should not be this complicated. I have three physical devices that I want to connect together via a switch. Instead of using a 5 port switch, I've opted to carve out 3 ports on the managed switch. I set this up by making all the ports access ports (vlan unaware) and assigning them to their own unique VLAN. The switch is in layer 2 mode. VTP is not being used. – DHW Feb 27 '20 at 13:17
  • I assume this is a typo: `1 gi1/23-35,gi1/30-47,gi1/49-52,po1-32` and should read `1 gi1/23-25,gi1/30-47,gi1/49-52,po1-32`? Otherwise you somehow have ports duplicated on that VLAN and other ports with two untagged VLANs. – YLearn Feb 29 '20 at 06:18
  • Yes - thanks for catching that. Also I had changed the config so I updated it to match my recent changes (expanded VLAN 14 from 5 ports from 3). It's almost as if the ports are behaving in protected mode .. but when I listed protected ports - I saw none – DHW Feb 29 '20 at 19:20
  • So this specific issue has corrected itself while I was troubleshooting. I had expanded the VLAN ports from 3 to 6.. I unplugged the RJ45 and moved them to the new ports. I connected three new devices (2 Mikrotik Hex S, and 1 Windows 10 PC) to the other ports .. All of a sudden I could see everything that I was blind to before.. broadcast traffic working .. can ping the IPs .. I moved everything back to the way it was before .. and it's still working. This is strange since I had reset the switch back to factory. Scratching my head. – DHW Mar 10 '20 at 18:57
  • I have the same issue with another link .. but I can't bring it up and down until Spring Break (end of month). I will keep the question open and update it with the information from the other problem. The other one is same issue .. except it involves broadcast packets not traversing the LAG interface. I will double and triple check everything before updating question. One thing that *may* have been the cause with the original question .. was POE. It gets enabled by default. I shut off inline power as a precaution. – DHW Mar 10 '20 at 19:00
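A small model of the forwarding behaviour the question expects from the SG500, added here and not part of the question or any comment: an untagged frame entering an access port is classified into that port's VLAN and flooded to every other member of the VLAN, leaving untagged on access ports and 802.1Q-tagged on a trunk, while ingress filtering only ever drops tagged frames for VLANs the port does not carry. The port names follow the question's show vlan output; the source MAC is a constructed documentation address.

```python
from dataclasses import dataclass, field
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST = {"dst": BROADCAST, "src": "00:00:5e:00:53:01", "type": "arp"}  # constructed
@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN given to untagged ingress frames
    members: dict = field(default_factory=dict) # vlan id -> "tagged" / "untagged"
    ingress_filtering: bool = True              # the "Ingress Filtering: true" knob

def access_port(name, vlan):
    return Port(name, pvid=vlan, members={vlan: "untagged"})

def trunk_port(name, native, tagged):
    # trunk: native VLAN untagged, the others carried with an 802.1Q tag
    return Port(name, pvid=native,
                members={native: "untagged", **{v: "tagged" for v in tagged}})

def classify(port, frame):
    # VLAN an ingress frame belongs to, or None if the port drops it
    vid = frame.get("vlan")                     # None for an untagged frame
    if vid is None:
        return port.pvid                        # untagged -> PVID, never dropped
    if port.ingress_filtering and vid not in port.members:
        return None                             # tagged for a VLAN this port lacks
    return vid

def flood(switch, in_port, frame):
    # flood a frame to every other port in its VLAN; returns {port: frame as sent}
    vid = classify(switch[in_port], frame)
    if vid is None:
        return {}
    out = {}
    for p in switch.values():
        if p.name == in_port or vid not in p.members:
            continue                            # skip the ingress port and other VLANs
        egress = dict(frame)
        if p.members[vid] == "tagged":
            egress["vlan"] = vid
        else:
            egress.pop("vlan", None)            # untagged egress strips the tag
        out[p.name] = egress
    return out

def build_switch():
    # constructed ports mirroring the question: gi1/27-29 access VLAN 14, gi1/1 access VLAN 32, gi1/49 trunk (native 1, 32 tagged)
    return {p.name: p for p in [
        access_port("gi1/27", 14), access_port("gi1/28", 14),
        access_port("gi1/29", 14), access_port("gi1/1", 32),
        trunk_port("gi1/49", native=1, tagged=[32])]}
```

Flooding the ARP request in from gi1/27 should reach gi1/28 and gi1/29 untagged and nothing else; if the real switch delivers nothing, the fault is somewhere the model does not capture (hardware, PoE, link state), not in the VLAN logic.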
