I have two devices here, a Netscreen SSG520 and a Cisco 3750.

#show ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.

The Cisco is currently being used as the central router. It has an IP interface defined on VLAN1. The revision of IOS is the one recommended to us by Cisco to cover some other oddities we have uncovered in the switch's behavior.

Right now my Netscreen has only an untagged interface. The Cisco treats this as VLAN1, and it works.

I want to add tagged interfaces to the Netscreen (I need to remove the Cisco from routing certain VLANs for reasons I won't go into here). So the first thing I do is define the Cisco interface as trunked:

interface GigabitEthernet1/0/1
 description Netscreen SSG520
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11,102
 switchport mode trunk

Now, when I plug in my Netscreen, the Cisco reports all the "trunk allowed" VLAN interfaces as UP. It does not report the interface on VLAN1 as up, and the expected traffic does not flow between the Cisco and the Netscreen. Neither can ping the other.

If I plug the Netscreen into an access port defined like so:

interface GigabitEthernet1/0/11
 description castor

...the Cisco then reports VLAN1 as up, both devices can ping each other, and traffic can flow between the Cisco and the Netscreen properly.

I have even tried defining the VLANs as tagged sub-interfaces on the Netscreen, and while the tagged VLANs work, VLAN1 does not.

I've played with the `switchport trunk native vlan 1` command and the `no switchport trunk native vlan` command, and the switch still does not use VLAN1 on that interface.

I already have a `no shutdown` command in the definition for `interface vlan1`; the fact that the VLAN comes up when the Netscreen is plugged into the access port proves that.

For various reasons (mostly involving history) we can't just not use VLAN1.

I've spent the last two hours trying to get these devices to talk to each other the way I want them.

So.

How do I get the Cisco to recognize, and use, VLAN1 when I have a trunk defined?

David Mackintosh
  • Perhaps the Cisco switch is adding tagging to the frames on VLAN1 and/or Netscreen is discarding frames when you're enabling tagging on each end? Have you tried tagging VLAN1 on each end and seeing if traffic is passed then? – James Yale May 03 '11 at 21:09

1 Answer

You've blocked vlan 1 traffic. Add it to your allowed vlans on the trunk port:

switchport trunk allowed vlan 1,10,11,102

Despite the fact that vlan 1 is the native vlan, it's still being evaluated for whether it's allowed through the port (which is why the vlan interface is showing as down; no port on the switch is able to deal with traffic for the vlan).

Shane Madden
  • I tried that. The Cisco won't add vlan 1 to the list of 'trunk allowed'. However, even if I do add it, that means that vlan 1 would be tagged on the port, which would conflict with the native vlan. (Note the Cisco refused to add vlan 1 to the list of 'trunk allowed' even after setting the native vlan to a VID that isn't on this list.) – David Mackintosh May 03 '11 at 22:00
  • @David The native vlan is never tagged unless you've entered the `vlan dot1q tag native` command (do you have this? it's global for the switch). The `trunk allowed vlan` command has no bearing on what vlan is tagged or not; it's a filter of what's allowed in the port, not a determination of what should be tagged. What error are you seeing when you attempt to add vlan 1 to the allowed list? Here's a nice little [youtube video](http://www.youtube.com/watch?v=Ik7cGfDhV54) demonstrating that the native vlan needs to be in the allowed list. – Shane Madden May 03 '11 at 22:32
  • You are correct, adding vlan 1 to the list of permitted VLANs worked. Too much Dell PowerConnect melts my brain. – David Mackintosh May 04 '11 at 18:54
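The misconfiguration in this thread is easy to audit for across a whole switch config: a trunk whose native VLAN is missing from its `switchport trunk allowed vlan` list silently filters untagged traffic. The following checker is an added example, not code from the thread or from Cisco; it assumes IOS defaults (native VLAN 1 and all VLANs allowed when the respective commands are absent) and uses a constructed config containing the question's trunk alongside the corrected one from the answer.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the trunk from the question, then the corrected version.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Netscreen SSG520
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11,102
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,11,102
 switchport mode trunk
"""

def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10-12,102' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config: str) -> Dict[str, dict]:
    """Per-interface trunk settings. allowed=None means 'all' (IOS default)."""
    ifaces: Dict[str, dict] = {}
    cur = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"mode": None, "native": 1, "allowed": None})
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # '!' or a global command ends the interface stanza
            continue
        s = line.strip()
        if s == "switchport mode trunk":
            cur["mode"] = "trunk"
        elif s.startswith("switchport trunk native vlan "):
            cur["native"] = int(s.rsplit(" ", 1)[1])
        elif s.startswith("switchport trunk allowed vlan "):
            spec = s[len("switchport trunk allowed vlan "):]
            cur["allowed"] = None if spec == "all" else (set() if spec == "none" else expand_vlan_list(spec))
    return ifaces

def find_native_not_allowed(config: str) -> List[str]:
    """Trunk ports whose native VLAN is filtered out by their allowed list."""
    return [name for name, t in parse_trunks(config).items()
            if t["mode"] == "trunk" and t["allowed"] is not None and t["native"] not in t["allowed"]]
```

Running `find_native_not_allowed(SAMPLE_CONFIG)` flags only `GigabitEthernet1/0/1`, the port from the question.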