Networking – Native VLAN mismatch and missing VLAN?

I'm trying to understand what exactly is going on with the network stack configuration at a new site. The particular piece I'm working on is simple, but I'm having a hard time figuring out what the original intent was. There is a Cisco Catalyst 3750X with three port-channels (four interfaces each) connecting to three ESXi hosts. The Catalyst connects to the rest of the network through a Meraki MS42 over a single interface (no port-channel). VLAN 100 carries the network traffic; the other VLANs are dedicated to vMotion, isolated networks and so on. I think a large part of my difficulty here is that I don't speak Cisco-ese.

Setup

Port-Channel 1

interface Port-channel1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk

interface GigabitEthernet1/0/1
 description ESX1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description ESX1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/3
 description ESX1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 1 mode on

Port-Channel 2
(I'm omitting Port-Channel 3 because its configuration is identical to Port-Channel 2)

interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/5
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/6
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/7
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/8
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on

Uplink port

On the Catalyst:

interface GigabitEthernet1/0/24
 description Uplink
 switchport access vlan 100
 switchport trunk native vlan 2
!

On the Meraki:

Trunk port using native VLAN 1; allowed VLANs: all

Questions

>The combination of switchport access and switchport trunk makes the switchport access configuration a no-op, right? Unless I'm mistaken, you can't have a port in access mode and trunk mode at the same time. Can someone confirm this for me?
>My understanding is that once you add a port to a port-channel, all of the VLAN and STP configuration is done per port-channel, not per port. If I create a port-channel out of Fa 1/10 and Fa 1/11, I configure them as trunks using their assigned port-channel and not their individual ports (at least that's what I do with ProCurves). Is this correct?
>If the last item is correct, that means all of the per-port configuration of port-channel members is either a no-op or was done before the port became a port-channel member. Is this a reasonable assumption?
>How does traffic from VLAN 100 get across the uplink (I can reach the VMs hosted on the ESXi hosts)? VLAN 100 disappears once it hits the Meraki, and the native VLAN tags are different. Things are working, but I can't help feeling something is weird with this setup and it would be preferable to push VLAN 100 all the way through to the rest of the stack. To make things even stranger, VLAN 2 terminates at port 41 on the Meraki, and everything else is set to native VLAN 1.

Going forward, I'm inclined to either drop VLAN 100 or reconfigure the rest of the stack so that the subnet running on VLAN 100 doesn't use multiple VLANs (100 and 1), and to resolve the native VLAN tag mismatch on the uplink (port 41 – Gi 1/0/24). Thoughts on this plan?

Best answer
  • The combination of switchport access and switchport trunk allowed makes the switchport access configuration a no-op, right? You cannot have a port in access mode and trunk mode unless I am mistaken. Can someone confirm this for me?

Not quite. Let me break the configuration down:

interface Port-channel1
    switchport access vlan 100
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 100,101,172,192
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk

The net result of this configuration is:

>When the port is in access mode:

>It will only pass (untagged) traffic on VLAN 100

>When the port is in trunk mode (≥1 VLAN):

>The port will pass untagged traffic on VLAN 1
>The port will pass tagged traffic on VLANs 100,101,172,192
>But note that VLAN 1 is not in the allowed list → untagged traffic is not allowed to traverse this port
>switchport mode trunk → this port will always be in trunk mode
>switchport nonegotiate → no DTP frames are sent; these frames can get forwarded where they shouldn't and cause ports on other switches to negotiate into trunk mode when they shouldn't.
>You may want to add switchport trunk native vlan 100 if the other end of the link expects untagged traffic to be VLAN 100.

  • It is my understanding that once you add a port to Port Channel all of the VLAN an STP configuration is done per Port Channel and not per port. If I create a Port Channel out of Fa 1/10 and Fa 1/11, I configure them as trunks using their assigned Port Channel and not their individual ports (at least this is what I do with ProCurves). Is this correct?

Yes, for spanning-tree purposes the aggregated port is one link. To change the port configuration, change the configuration of the aggregate port and it will propagate to the individual interfaces.

  • If the last item is correct that means all of the per-port configuration of Port Channel members is either a no-op or was done prior to that port being made a Port Channel member. Is this a reasonable assumption?

It is not a no-op; the settings must match or the port is not allowed to join the aggregate:

May 30 17:11:25.956: %EC-5-CANNOT_BUNDLE2: Gi0/20 is not compatible with Gi0/19 and will be suspended (vlan mask is different)

The switch will complain :)

  • How the heck does the traffic from VLAN 100 get across the uplink (I can reach the VMs hosted on the ESXi hosts)? VLAN 100 disappears once it hits the Meraki and the native VLAN tags are different. Things are working but I can’t help but feel something is weird with this setup and it would be preferable to push VLAN 100 all the way through to the rest of stack. To make things even stranger VLAN 2 terminates at Port 41 on the Meraki as well, everything else is set to Native VLAN 1.
interface GigabitEthernet1/0/24
 description Uplink
 switchport access vlan 100
 switchport trunk native vlan 2
!

This is a bit dangerous; untagged traffic will land in VLAN 100 or VLAN 2 depending on the mode the port ends up in. You should force the mode to trunk (switchport mode trunk) or at least make the untagged VLANs match.

What happens in this mode (switchport mode dynamic) is that the port goes into access mode but switches to trunk if any tagged packets are detected. (This is simplified.)

It is "convention" that switch-to-switch (and sometimes switch-to-host) links carrying multiple VLANs (trunks in Cisco parlance) always have native (untagged) VLAN 1.

Defaults are not shown in the config. If you are unsure of a default, you can always run it with all:

interface Port-channel1
 description blch1-sw1
 switchport
 switchport access vlan 1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-1000,1002-4094
 switchport mode trunk
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 no shutdown
 ipv6 mld snooping tcn flood
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 spanning-tree port-priority 3
 spanning-tree cost 3
 ip dhcp snooping limit rate 4294967295
 no ip dhcp snooping trust
 no ip dhcp snooping information option allow-untrusted

vs.:

interface Port-channel1
 description blch1-sw1
 switchport trunk allowed vlan 1-1000,1002-4094
 switchport mode trunk
end

Note that switchport trunk native vlan 1 is not in the second listing. That is the default.
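As an added illustration of the four points made in this answer (this is example code written for this page, not code from the original post and not a Cisco tool), the following Python script parses IOS interface stanzas, fills in the hidden defaults the answer mentions (access VLAN 1, native VLAN 1, all VLANs allowed, dynamic mode), and reports: an access VLAN that is inert because the mode is fixed to trunk, a native VLAN that is absent from the allowed list so untagged frames are dropped, a port without a fixed mode whose untagged VLAN depends on how DTP settles, and port-channel members whose VLAN settings differ from the first member (the condition behind the %EC-5-CANNOT_BUNDLE2 message). The sample config is constructed: Gi1/0/1 and Gi1/0/24 are copied from the question, while Gi1/0/2 has been altered to drop VLAN 192 so that the bundle check fires. The default values and the finding codes are assumptions of this example.

```python
"""Audit Cisco IOS switchport stanzas for the VLAN/trunk pitfalls discussed in the answer.

Added example, not code from the original post or from Cisco.
"""
import re
from collections import defaultdict

# Defaults that 'show running-config' hides (assumption: Catalyst IOS defaults;
# allowed=None stands for "all VLANs").
DEFAULTS = {"mode": "dynamic", "access": 1, "native": 1, "allowed": None}

# Constructed sample: Gi1/0/1 and Gi1/0/24 as in the question; Gi1/0/2 altered
# (VLAN 192 removed) to demonstrate an incompatible port-channel member.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 100,101,172
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/24
 description Uplink
 switchport access vlan 100
 switchport trunk native vlan 2
!
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '100,101,172-175' into a set of ints."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def parse_config(text):
    """Return {interface_name: settings} for every 'interface' stanza, defaults applied."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = dict(DEFAULTS, channel=None)
            ifaces[line.split(None, 1)[1]] = cur
        elif cur is None or not line or line == "!":
            continue
        elif m := re.fullmatch(r"switchport mode (\S+)", line):
            cur["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            cur["access"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            cur["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line):
            cur["allowed"] = expand_vlans(m.group(1))
        elif m := re.fullmatch(r"channel-group (\d+) mode \S+", line):
            cur["channel"] = int(m.group(1))
    return ifaces


def audit(ifaces):
    """Return a list of (interface, code, detail) findings."""
    findings, groups = [], defaultdict(list)
    for name, s in ifaces.items():
        if s["mode"] == "trunk" and s["access"] != DEFAULTS["access"]:
            findings.append((name, "INERT_ACCESS",
                             f"access vlan {s['access']} never used: mode is fixed to trunk"))
        if s["mode"] == "trunk" and s["allowed"] is not None and s["native"] not in s["allowed"]:
            findings.append((name, "NATIVE_NOT_ALLOWED",
                             f"native vlan {s['native']} absent from allowed list: untagged frames dropped"))
        if s["mode"] == "dynamic" and s["access"] != s["native"]:
            findings.append((name, "MODE_DEPENDENT_UNTAGGED",
                             f"untagged traffic lands in vlan {s['access']} (access) or "
                             f"{s['native']} (trunk) depending on the DTP outcome"))
        if s["channel"] is not None:
            groups[s["channel"]].append(name)

    def vlan_key(n):  # the per-port VLAN settings that must match across a bundle
        s = ifaces[n]
        return (s["mode"], s["access"], s["native"], frozenset(s["allowed"] or ()))

    for ch, members in groups.items():
        first = members[0]
        for m in members[1:]:
            if vlan_key(m) != vlan_key(first):
                findings.append((m, "BUNDLE_MISMATCH",
                                 f"vlan settings differ from {first} in channel-group {ch}: would be suspended"))
    return findings


if __name__ == "__main__":
    for name, code, detail in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{name:24} {code:24} {detail}")
```

Run against the sample, it reports Gi1/0/1 twice (inert access VLAN and native VLAN 1 not allowed), Gi1/0/2 twice (native VLAN 1 not allowed and mismatch with Gi1/0/1 in channel-group 1), and Gi1/0/24 once (untagged traffic lands in VLAN 100 or VLAN 2 depending on negotiation), which is exactly the set of issues the answer walks through.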
