This is a strange one. I was deploying FirePOWER to a pair of ASA 5550-8-X firewalls in Active/Standby failover last week. After each SFR was updated (via ASDM) I could no longer ping it; the SFR itself could ping everything on the same VLAN, apart from its own default gateway (which was an SVI on the Cisco 3750 switch it was connected to).
This happened every time I updated the SFR (or re-imaged it). Then, after an hour or so, it was fine.
Solution
If I connected to the switch that the SFR (and firewall) was connected to, I could NOT ping the SFR. The interface was up/up on the switch, and the firewall's management interface was also up/up.
[box]
Petes-3750#ping 10.2.1.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
[/box]
I did notice it was in the ARP table though (with the correct MAC address), so I manually removed it:
[box]
Petes-3750#clear ip arp 10.2.1.252
[/box]
Then it was fine.
[box]
Petes-3750#ping 10.2.1.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
[/box]
If you're running Cisco IOS on all your devices then you can use CDP to see what's directly connected (unless you are on a Cisco firewall, but I did say IOS devices).
[box]
Petes-Switch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
Petes-CPE.petenetlive.com
Gig 1/0/19 148 R S I CISCO2901 Gig 0/0
Petes-Switch#
[/box]
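The 'show cdp neighbors' table above is awkward to parse because IOS prints a long Device ID on its own line and the remaining columns on the next, and because the Capability column is a variable number of tokens. The parser below is an added example, not code from the original page: it handles both quirks, then flags any neighbour that advertises Switch or Router capability on a port that is not a known uplink, which is a cheap way to spot an unexpected switch plugged into an access port. The sample text is the page's CPE row plus a constructed access-point row; the uplink set is an assumption.

```python
"""Parse `show cdp neighbors` output into records, including the two-line
form IOS prints when a Device ID overflows its column, then flag neighbours
that claim Switch/Router capability on ports where none is expected."""

# Leading tokens IOS uses for abbreviated interface names in this table.
IFACE_ABBR = {"Gig", "Fas", "Ten", "Eth", "Ser", "Por", "Twe", "For", "Hun", "Vla"}


def _parse_row(toks):
    # Layout: device, local interface (2 tokens), holdtime, capabilities (1..n tokens),
    # platform (1 token), port ID (1 or 2 tokens). Parsing from both ends copes with
    # the variable-width capability column.
    if len(toks) < 7:
        raise ValueError(f"short CDP row: {toks!r}")
    device, local, hold = toks[0], f"{toks[1]} {toks[2]}", int(toks[3])
    if toks[-2] in IFACE_ABBR:                # e.g. "Gig 0/0"
        port_id, platform, caps = f"{toks[-2]} {toks[-1]}", toks[-3], toks[4:-3]
    else:                                     # e.g. "eth0"
        port_id, platform, caps = toks[-1], toks[-2], toks[4:-2]
    return {"device_id": device, "local_interface": local, "holdtime": hold,
            "capabilities": set(caps), "platform": platform, "port_id": port_id}


def parse_cdp_neighbors(text):
    rows, pending, in_table = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Device ID"):      # column header: the table starts here
            in_table = True
            continue
        if not in_table:                      # command echo and capability-code legend
            continue
        if line.endswith(("#", ">")) or line.startswith("Total cdp entries"):
            break                             # prompt or trailer: end of table
        toks = line.split()
        if len(toks) == 1:                    # overlong Device ID printed on its own line
            pending = toks[0]
            continue
        if toks[0] in IFACE_ABBR:             # continuation of the line above
            if pending is None:
                raise ValueError(f"continuation row without a Device ID: {line!r}")
            toks = [pending] + toks
        pending = None
        rows.append(_parse_row(toks))
    return rows


def unexpected_infrastructure(rows, uplink_ports):
    """Neighbours advertising Switch or Router capability on ports outside the uplink set."""
    return [r for r in rows
            if r["capabilities"] & {"R", "S"} and r["local_interface"] not in uplink_ports]


# Constructed sample: the page's CPE row plus a made-up access point on Gig 1/0/5.
SAMPLE = """Petes-Switch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Petes-CPE.petenetlive.com
                 Gig 1/0/19        148             R S I  CISCO2901 Gig 0/0
Petes-AP         Gig 1/0/5         132               T    AIR-AP1852I Gig 0
Petes-Switch#
"""

if __name__ == "__main__":
    neighbours = parse_cdp_neighbors(SAMPLE)
    for n in neighbours:
        print(n)
    # Assumed uplink list: only Gig 1/0/19 should have a switch or router behind it.
    for n in unexpected_infrastructure(neighbours, {"Gig 1/0/19"}):
        print("unexpected switch/router on", n["local_interface"], n["device_id"])
```

Feed it the saved output of 'show cdp neighbors' from each switch and keep the uplink set per switch; anything it flags is either an undocumented link or something that should not be there.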
But just about every other vendor uses LLDP (Link Layer Discovery Protocol) to do the same job. So how do you discover what ports you are plugged into on them, or what they are?
Solution
Well, in most cases (depending on your code) your devices also support LLDP; it's just disabled by default. You simply turn it on with the 'lldp run' command. Bear in mind that both CDP and LLDP advertise your platform, software version and port details to whatever is plugged in, so leave them running on links to devices you manage and turn them off on user-facing ports ('no cdp enable', and 'no lldp transmit' plus 'no lldp receive', under the interface).
[box]
Petes-Switch(config)#lldp run
Petes-Switch(config)#exit
Petes-Switch#show lldp ?
entry Information for specific neighbor entry
errors LLDP computational errors and overflows
interface LLDP interface status and configuration
neighbors LLDP neighbor entries
traffic LLDP statistics
| Output modifiers
[/box]
Now I see my neighbours (yes, that is how it's spelt, I'm English!). In my example below the neighbour is a Dell switch.
When I first started in IT, I went and did my Cisco CCNA, so I learned that to connect Cisco switches and pass VLAN traffic between them I needed to create a 'trunk'. Fast forward a few years, and I now work for an HP reseller. Very early on I came to realise that what HP called a 'trunk' was very different from what I had been taught. Below is an article I did a while ago about setting up HP trunks.
I was in some HP/Wireless training last week and once again I was struggling with their terminology, so today I lined up a bunch of switches on the test bench and worked out the differences.
Scenario 1 Configuring Cisco Catalyst Switches with VLANs.
In 'Ciscoland' all ports are either in access mode or trunk mode: access mode puts the port in a single VLAN and sends that VLAN's traffic untagged, trunk mode carries tagged traffic for several VLANs to another switch (or VLAN-aware device). On a trunk, restrict 'switchport trunk allowed vlan' to the VLANs that actually need to cross it (as below) and add 'switchport nonegotiate' so the port stops sending DTP. So to replicate the diagram above, this is what you would need to do. (Note: for older switches like the 3500XL the VLAN commands are a little different, see the section on older Cisco switches below.)
[box]
Switch01>
Switch01>enable
Password: xxxxxxxx
Switch01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch01(config)#vlan 10
Switch01(config-vlan)#name Admin
Switch01(config-vlan)#exit
Switch01(config)#vlan 20
Switch01(config-vlan)#name Data
Switch01(config-vlan)#exit
Switch01(config)#int f0/2
Switch01(config-if)#switchport mode access
Switch01(config-if)#switchport access vlan 10
Switch01(config-if)#exit
Switch01(config)#int f0/16
Switch01(config-if)#switchport mode access
Switch01(config-if)#switchport access vlan 20
Switch01(config-if)#exit
Switch01(config)#int f0/23
Switch01(config-if)#switchport mode trunk
Switch01(config-if)#switchport trunk allowed vlan 1,10,20
Switch01(config-if)#exit
Switch01(config)#exit
Switch01#write mem
Building configuration...
[OK]
Switch01#
Switch02>
Switch02>enable
Password: xxxxxxx
Switch02#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch02(config)#vlan 10
Switch02(config-vlan)#name Admin
Switch02(config-vlan)#exit
Switch02(config)#vlan 20
Switch02(config-vlan)#name Data
Switch02(config-vlan)#exit
Switch02(config)#int f0/2
Switch02(config-if)#switchport mode access
Switch02(config-if)#switchport access vlan 10
Switch02(config-if)#exit
Switch02(config)#int f0/15
Switch02(config-if)#switchport mode access
Switch02(config-if)#switchport access vlan 20
Switch02(config-if)#exit
Switch02(config)#int f0/1
Switch02(config-if)#switchport mode trunk
Switch02(config-if)#switchport trunk allowed vlan 1,10,20
Switch02(config-if)#exit
Switch02(config)#exit
Switch02#write mem
Building configuration...
[OK]
Switch02#[/box]
Scenario 2 Configuring HP Switches with VLANs.
With HP switches the terminology is different: here switch ports are either tagged members or untagged members of a VLAN.
What's the difference between tagged and untagged? If a port is a tagged member of a VLAN, it sends that VLAN's traffic with the 802.1Q tag (the VLAN ID inserted into the Ethernet frame header) so the far end knows which VLAN each frame belongs to. If it is an untagged member, it sends the VLAN's traffic without the tag, and untagged frames arriving on the port are placed into that VLAN. So you would only make a port a tagged member if the device plugged into it is VLAN aware, i.e. another switch, a router, or a machine with a VLAN-aware NIC. So to do exactly the same as we did in scenario 1, but with HP switches, you would do the following:
BE AWARE: Any single port can only be untagged on one VLAN. Out of the box all ports are untagged on VLAN 1 (the default VLAN), so if you untag a port into VLAN 20, for example, it automatically removes the 'vlan 1 untagged' membership for that port.
Scenario 3 Setting up HP Switches with Trunked VLANs
Remember, with HP a 'trunk' is bundling several links into one logical link (if you're a Cisco head, think port-channel). So here we create a trunk, then use that trunk to pass tagged VLAN traffic between the switches.
Scenario 4 Setup VLANs via HP Trunks and Cisco Port Channels
Now we have gone full circle, we know what all the differences are, the final part is to get them to talk to each other. So I’ll set up a two cable HP Trunk, and connect it to Cisco LACP port channel, and then finally add in the VLAN traffic.
[box]
Switch01> enable
Password:xxxxx
Switch01# configure terminal
Switch01(config)# vlan 10 name Admin
Switch01(config)# vlan 20 name Data
Switch01(config)# vlan 10
Switch01(vlan-10)# untagged 6
Switch01(vlan-10)# exit
Switch01(config)# vlan 20
Switch01(vlan-20)# untagged 16
Switch01(vlan-20)# exit
Switch01(config)# trunk 21,23 Trk1 LACP
Switch01(config)# vlan 10
Switch01(vlan-10)# tagged Trk1
Switch01(vlan-10)# exit
Switch01(config)# vlan 20
Switch01(vlan-20)# tagged Trk1
Switch01(vlan-20)# exit
Switch01(config)# write mem
Switch01(config)#
Switch02>
Switch02>enable
Password: xxxxxxx
Switch02#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch02(config)#vlan 10
Switch02(config-vlan)#name Admin
Switch02(config-vlan)#exit
Switch02(config)#vlan 20
Switch02(config-vlan)#name Data
Switch02(config-vlan)#exit
Switch02(config)#int f0/2
Switch02(config-if)#switchport mode access
Switch02(config-if)#switchport access vlan 10
Switch02(config-if)#exit
Switch02(config)# interface range fa0/23 - 24
Switch02(config-if-range)# spanning-tree portfast trunk
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
Switch02(config-if-range)# channel-protocol lacp
Switch02(config-if-range)# channel-group 1 mode active
Creating a port-channel interface Port-channel 1
Switch02(config-if-range)# interface port-channel 1
Switch02(config-if)# switchport mode trunk
Switch02(config-if)# switchport trunk allowed vlan 1,10,20
Switch02(config-if)# exit
Switch02(config)#exit
Switch02#write mem
Building configuration...
[OK]
Switch02#
[/box]
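The four scenarios above are really one layout written in two vocabularies. The script below is an added example, not code from the original page: it describes each port once as "untagged in at most one VLAN, tagged in a set of VLANs" (the HP model, which is also the 802.1Q model) and renders that as Cisco IOS access/trunk commands and as HP ProCurve vlan/tagged/untagged commands. Because a port has a single 'untagged' field, the HP rule that a port can only be untagged in one VLAN is enforced by construction, and the validator rejects the mistakes each vocabulary makes easy. The port names, the VLAN-aware NIC case and the 'switchport nonegotiate' hardening line are my additions; the link aggregation itself (HP 'trunk ... LACP', IOS 'channel-group') is out of scope, only VLAN membership is rendered.

```python
"""Describe a VLAN layout once and render it in both vocabularies:
Cisco IOS (access / trunk) and HP ProCurve (untagged / tagged)."""
from __future__ import annotations
from dataclasses import dataclass, field

BUILTIN_VLANS = {1}  # VLAN 1 exists on both platforms without being created


@dataclass
class Port:
    cisco_name: str              # IOS interface name, e.g. "FastEthernet0/2"
    hp_name: str                 # ProCurve port number or trunk name, e.g. "6" or "Trk1"
    untagged: int | None = None  # HP "untagged" member; Cisco access VLAN, or native VLAN on a trunk.
                                 # One field, because a port can be untagged in at most one VLAN.
    tagged: set[int] = field(default_factory=set)  # HP "tagged" members; Cisco trunk VLANs


def validate(vlans: dict[int, str], ports: list[Port]) -> None:
    """Reject layouts one vocabulary lets you type but neither platform can carry."""
    for p in ports:
        members = p.tagged | ({p.untagged} if p.untagged is not None else set())
        if not members:
            raise ValueError(f"{p.cisco_name}: port is in no VLAN at all")
        if p.untagged in p.tagged:
            raise ValueError(f"{p.cisco_name}: VLAN {p.untagged} cannot be both tagged and untagged")
        for v in members - BUILTIN_VLANS:
            if v not in vlans:
                raise ValueError(f"{p.cisco_name}: VLAN {v} is used but never defined")
        if p.untagged is None and 1 in p.tagged:
            # IOS sends VLAN 1 untagged (native) on a trunk unless told otherwise, so this
            # would not match an HP port that is tagged on VLAN 1 with nothing untagged.
            raise ValueError(f"{p.cisco_name}: give the trunk an untagged VLAN or drop VLAN 1 from it")


def render_cisco(vlans: dict[int, str], ports: list[Port]) -> list[str]:
    validate(vlans, ports)
    lines: list[str] = []
    for vid, name in sorted(vlans.items()):       # VLAN 1 is never created or renamed on IOS
        lines += [f"vlan {vid}", f" name {name}", "exit"]
    for p in ports:
        lines.append(f"interface {p.cisco_name}")
        if not p.tagged:
            # untagged-only on HP == an access port on Cisco
            lines += [" switchport mode access", f" switchport access vlan {p.untagged}"]
        else:
            # any tagged membership on HP == a trunk on Cisco; the untagged VLAN is the native VLAN
            allowed = sorted(p.tagged | ({p.untagged} if p.untagged is not None else set()))
            lines += [" switchport mode trunk",
                      " switchport trunk allowed vlan " + ",".join(str(v) for v in allowed)]
            if p.untagged is not None:
                lines.append(f" switchport trunk native vlan {p.untagged}")
            lines.append(" switchport nonegotiate")  # added hardening: no DTP on a static trunk
        lines.append("exit")
    return lines


def render_hp(vlans: dict[int, str], ports: list[Port]) -> list[str]:
    validate(vlans, ports)
    lines = [f"vlan {vid} name {name}" for vid, name in sorted(vlans.items())]
    for vid in sorted(set(vlans) | BUILTIN_VLANS):
        # A port untagged in VLAN 20 simply never appears under "vlan 1", which is exactly
        # what the switch does when you untag it into 20: the VLAN 1 untagged membership goes.
        members = [f" untagged {p.hp_name}" for p in ports if p.untagged == vid]
        members += [f" tagged {p.hp_name}" for p in ports if vid in p.tagged]
        if members:
            lines += [f"vlan {vid}", *members, "exit"]
    return lines


# Constructed layout mirroring Scenario 4: two access ports and the inter-switch aggregate.
VLANS = {10: "Admin", 20: "Data"}
PORTS = [
    Port("FastEthernet0/2", "6", untagged=10),
    Port("FastEthernet0/16", "16", untagged=20),
    Port("Port-channel1", "Trk1", untagged=1, tagged={10, 20}),
]

if __name__ == "__main__":
    print("\n".join(render_cisco(VLANS, PORTS)))
    print("---")
    print("\n".join(render_hp(VLANS, PORTS)))
```

The 'untagged=1' on the aggregate is what makes the two sides agree: HP leaves Trk1 untagged in VLAN 1 by default, and IOS uses VLAN 1 as the native VLAN by default, so VLAN 1 crosses the link untagged in both directions. Change one side and not the other and you get the classic "native VLAN mismatch" that CDP will warn you about.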
Setting up VLANs on older Cisco Switches
Here’s an example using the older vlan database commands.
[box]
Switch01>
Switch01>enable
Password:
Switch01#
Switch01#vlan database
Switch01(vlan)#vlan 10 name Admin
VLAN 10 modified:
Name: Admin
Switch01(vlan)#vlan 20 name Data
VLAN 20 modified:
Name: Data
Switch01(vlan)#exit
APPLY completed.
Exiting....
Switch01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch01(config)#int f0/2
Switch01(config-if)#switchport mode access
Switch01(config-if)#switchport access vlan 10
Switch01(config-if)#exit
Switch01(config)#int f0/16
Switch01(config-if)#switchport mode access
Switch01(config-if)#switchport access vlan 20
Switch01(config-if)#exit
Switch01(config)#int f0/23
Switch01(config-if)#switchport trunk encapsulation dot1q
Switch01(config-if)#switchport mode trunk
Switch01(config-if)#switchport trunk allowed vlan 1,10,20
Switch01(config-if)#exit
Switch01(config)#exit
Switch01#write mem
Building configuration...
Switch01#[/box]
Related Articles, References, Credits, or External Links
If you want to manage your Cisco Catalyst switch it's not always practical to plug a console cable in to change its settings or monitor what it is doing. Putting an IP address on it and enabling remote management via Telnet or from your web browser is a better alternative, particularly if you have a lot of switches. Bear in mind that Telnet and plain HTTP send your passwords and the whole session in clear text, so only use them on a network you trust (ideally a dedicated management VLAN) and move to SSH and HTTPS where the switch's code supports them.
Solution
Enable Telnet Management on Cisco Catalyst Switch
1. Connect to the switch using a terminal emulation program like HyperTerminal or PuTTY.
2. Issue the following commands:
[box]
enable
{enter enable password if prompted}
conf t
line vty 0 15
password {password required}
login
exit
[/box]
Add a Management IP to a Cisco Catalyst Switch
3. Whilst still in configure terminal mode, issue the following commands:
[box]
int vlan1
ip address {IP address required} {Subnet required}
no shutdown
exit
[/box]
Cisco Catalyst Set an Enable Password
4. If you telnet in you can't change any system settings without an enable password being set. Use 'enable secret' rather than 'enable password' where your code allows it: 'enable password' is stored in the config in clear text or as a reversible type 7 string, whereas 'enable secret' stores a hash.
[box]enable password {Password required}[/box]
Optional : Set the Cisco Catalyst Switches Default Gateway
5. Just in case you need to manage the switch from another subnet, you will need to set a default gateway.
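Once a few switches have been set up this way it is worth checking their saved configs for the weak settings these steps leave behind. The audit below is an added example, not code from the original page: it splits a running-config into top-level commands and their indented sub-commands, then reports an 'enable password' with no 'enable secret', web management over plain HTTP, vty lines that accept Telnet, and a shared line password ('login') instead of per-user accounts ('login local'). Both sample configs are constructed from the commands in this section (hostname, addresses and the elided hash values are made up), the hardened one showing the SSH-only equivalent.

```python
"""Audit a Catalyst running-config for the weak remote-management settings
the steps above produce: Telnet on the vty lines, a shared line password,
`enable password`, and clear-text HTTP management."""


def _blocks(config):
    """Split a running-config into (header, [indented sub-commands]) pairs."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and IOS section separators
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit_management(config):
    findings = []
    blocks = _blocks(config)
    top = {header for header, _ in blocks}
    if any(h.startswith("enable password") for h in top) and not any(h.startswith("enable secret") for h in top):
        findings.append("'enable password' with no 'enable secret': stored reversibly, use 'enable secret'")
    if "ip http server" in top:
        findings.append("'ip http server': web management over clear-text HTTP")
    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        transports = [c.split()[2:] for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: no 'transport input ssh', so the image's default transport "
                            "(Telnet on older IOS) applies")
        elif any("telnet" in t or "all" in t for t in transports):
            findings.append(f"{header}: Telnet allowed by 'transport input'")
        if "login" in children:
            findings.append(f"{header}: shared line password ('login'); use 'login local' with per-user secrets")
    return findings


# Constructed from the commands this section types in (not a real switch's config).
WEAK_CONFIG = """\
hostname Switch01
enable password cisco123
!
interface Vlan1
 ip address 10.2.1.10 255.255.255.0
 no shutdown
!
ip http server
!
line vty 0 15
 password cisco123
 login
!
"""

# The same switch with SSH-only vty access, local user accounts and a hashed enable
# secret (hash values elided; constructed, not copied from a device).
HARDENED_CONFIG = """\
hostname Switch01
enable secret 5 <hash>
username admin privilege 15 secret 5 <hash>
ip domain-name example.com
ip ssh version 2
no ip http server
ip http secure-server
!
interface Vlan1
 ip address 10.2.1.10 255.255.255.0
!
line vty 0 15
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for finding in audit_management(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it over 'show running-config' output saved from each switch; an empty result for the vty checks means the lines only accept SSH and authenticate against named users, which is the state you want before putting the management VLAN anywhere near user traffic.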