Re: [c-nsp] VLAN 1 troubles?
Sorry my 12.2 code is: Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2) I pasted in the bootloader earlier -Original Message- From: cisco-nsp On Behalf Of Nick Cutting Sent: Tuesday, August 28, 2018 9:07 AM To: John Osmon ; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] VLAN 1 troubles? This message originates from outside of your organisation. Well the big change that I seemed to care about was they added local routes to the route table, the /32 of configured interfaces. I can't say I've ever seen anything different with the way tagged and untagged traffic was treated. We have a Vmware lab environment on 3560G's, running both 12.2 and 15.x - but as other said we avoid vlan1 , not for "best practice, or security" but because of voodoo on the vlan, weirdness. BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1) C 10.180.6.6/31 is directly connected, GigabitEthernet0/21 v.s. Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1) C10.180.6.0/31 is directly connected, GigabitEthernet0/21 L10.180.6.1/32 is directly connected, GigabitEthernet0/21 It is more likely you ran into a bug on 12.2 that allowed you to pass tagged traffic on Vlan1 than a problem with 15.x If you change the native Vlan on the port to another vlan - does it then pass traffic tagged on vlan1? Compare the output of show int gi0/15 switchport on both versions. The command should be exactly the same between versions. Nick -Original Message- From: cisco-nsp On Behalf Of John Osmon Sent: Sunday, August 26, 2018 12:48 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] VLAN 1 troubles? This message originates from outside of your organisation. I've got a 3560 switch in a lab situation that I'm looking for insight. I have a virtualization host hung off of a trunking port. VMs on this platform are able to communicate over any VLAN if I'm running a 12.2 image. As soon as I change to a 15.0 image, packets for VLAN1 no longer pass the switch port -- but all other VLANs do. This is true whether the packets are explicitly tagged as VLAN 1, or if I leave them "native." I have means to work around the issue, but it's bugging me... Is there some esoteric change between IOS 12 and IOS 15? Is there something I've been doing wrong for years with IOS switches? Am I hitting a bug? Do I just need to get rid of this test switch and get something more modern for a lab switch? Switch details: model: WS-C3560G-24TS working image: c3560-advipservicesk9-mz.122-25.SEE2.bin failing image: c3560-ipservicesk9-mz.150-2.SE10.bin port config: interface GigabitEthernet0/15 switchport trunk encapsulation dot1q switchport mode trunk ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VLAN 1 troubles?
Well the big change that I seemed to care about was they added local routes to the route table, the /32 of configured interfaces. I can't say I've ever seen anything different with the way tagged and untagged traffic was treated. We have a Vmware lab environment on 3560G's, running both 12.2 and 15.x - but as other said we avoid vlan1 , not for "best practice, or security" but because of voodoo on the vlan, weirdness. BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1) C 10.180.6.6/31 is directly connected, GigabitEthernet0/21 v.s. Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1) C10.180.6.0/31 is directly connected, GigabitEthernet0/21 L10.180.6.1/32 is directly connected, GigabitEthernet0/21 It is more likely you ran into a bug on 12.2 that allowed you to pass tagged traffic on Vlan1 than a problem with 15.x If you change the native Vlan on the port to another vlan - does it then pass traffic tagged on vlan1? Compare the output of show int gi0/15 switchport on both versions. The command should be exactly the same between versions. Nick -Original Message- From: cisco-nsp On Behalf Of John Osmon Sent: Sunday, August 26, 2018 12:48 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] VLAN 1 troubles? This message originates from outside of your organisation. I've got a 3560 switch in a lab situation that I'm looking for insight. I have a virtualization host hung off of a trunking port. VMs on this platform are able to communicate over any VLAN if I'm running a 12.2 image. As soon as I change to a 15.0 image, packets for VLAN1 no longer pass the switch port -- but all other VLANs do. This is true whether the packets are explicitly tagged as VLAN 1, or if I leave them "native." I have means to work around the issue, but it's bugging me... Is there some esoteric change between IOS 12 and IOS 15? Is there something I've been doing wrong for years with IOS switches? Am I hitting a bug? Do I just need to get rid of this test switch and get something more modern for a lab switch? Switch details: model: WS-C3560G-24TS working image: c3560-advipservicesk9-mz.122-25.SEE2.bin failing image: c3560-ipservicesk9-mz.150-2.SE10.bin port config: interface GigabitEthernet0/15 switchport trunk encapsulation dot1q switchport mode trunk ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VLAN 1 troubles?
On 26/Aug/18 22:15, John Osmon wrote: > Yeah. I've already moved things to another VLAN, but it was nice in a > lab setting to be able to "just plug in" while testing things. I have a US$70 Netgear 8-port "unmanaged" Ethernet switch that forms a key part of my home LAN. I just plugged everything into that and it's all good :-). Enterprise and Service Provider switches are what they used to call "managed" Ethernet switches. So in many cases, just plugging in and going should work, but that would be too underkill for said switches. > I figured someone else would've gotten caught on the same issue and > had some insight. I run out of count on the number of VLAN 1 related issues I ran into years ago. Since 2005, I decided that VLAN 1 is as about as useful as admin/admin. Mark. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VLAN 1 troubles?
On Sun, Aug 26, 2018 at 08:37:37PM +0200, Mark Tinka wrote: > > Due to the way Cisco has always treated VLAN 1, general advice over the > years has been to avoid using it for production traffic. > > We don't even use it for switch management. Yeah. I've already moved things to another VLAN, but it was nice in a lab setting to be able to "just plug in" while testing things. I figured someone else would've gotten caught on the same issue and had some insight. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VLAN 1 troubles?
On 8/26/18 1:36 PM, Mark Tinka wrote: On 26/Aug/18 18:47, John Osmon wrote: I've got a 3560 switch in a lab situation that I'm looking for insight. I have a virtualization host hung off of a trunking port. VMs on this platform are able to communicate over any VLAN if I'm running a 12.2 image. As soon as I change to a 15.0 image, packets for VLAN1 no longer pass the switch port -- but all other VLANs do. This is true whether the packets are explicitly tagged as VLAN 1, or if I leave them "native." I have means to work around the issue, but it's bugging me... Is there some esoteric change between IOS 12 and IOS 15? Is there something I've been doing wrong for years with IOS switches? Am I hitting a bug? Do I just need to get rid of this test switch and get something more modern for a lab switch? Switch details: model: WS-C3560G-24TS working image: c3560-advipservicesk9-mz.122-25.SEE2.bin failing image: c3560-ipservicesk9-mz.150-2.SE10.bin port config: interface GigabitEthernet0/15 switchport trunk encapsulation dot1q switchport mode trunk Due to the way Cisco has always treated VLAN 1, general advice over the years has been to avoid using it for production traffic. We don't even use it for switch management. Mark. We use a lot of those switches running both 12.x and 15.x, and, while I can't say I've seen that particular behavior before, I 100% agree with Mark. Never use VLAN 1 for anything, regardless of vendor. Too many potential gotchas/caveats. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] VLAN 1 troubles?
On 26/Aug/18 18:47, John Osmon wrote: > I've got a 3560 switch in a lab situation that I'm looking for insight. > > I have a virtualization host hung off of a trunking port. VMs on this > platform are able to communicate over any VLAN if I'm running a 12.2 > image. > > As soon as I change to a 15.0 image, packets for VLAN1 no longer pass > the switch port -- but all other VLANs do. This is true whether the > packets are explicitly tagged as VLAN 1, or if I leave them "native." > > I have means to work around the issue, but it's bugging me... > > Is there some esoteric change between IOS 12 and IOS 15? > Is there something I've been doing wrong for years with IOS switches? > Am I hitting a bug? > Do I just need to get rid of this test switch and get something more > modern for a lab switch? > > > Switch details: > model: WS-C3560G-24TS > working image: c3560-advipservicesk9-mz.122-25.SEE2.bin > failing image: c3560-ipservicesk9-mz.150-2.SE10.bin > port config: >interface GigabitEthernet0/15 > switchport trunk encapsulation dot1q > switchport mode trunk Due to the way Cisco has always treated VLAN 1, general advice over the years has been to avoid using it for production traffic. We don't even use it for switch management. Mark. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VLAN 1 troubles?
On 26/Aug/18 18:47, John Osmon wrote: > I've got a 3560 switch in a lab situation that I'm looking for insight. > > I have a virtualization host hung off of a trunking port. VMs on this > platform are able to communicate over any VLAN if I'm running a 12.2 > image. > > As soon as I change to a 15.0 image, packets for VLAN1 no longer pass > the switch port -- but all other VLANs do. This is true whether the > packets are explicitly tagged as VLAN 1, or if I leave them "native." > > I have means to work around the issue, but it's bugging me... > > Is there some esoteric change between IOS 12 and IOS 15? > Is there something I've been doing wrong for years with IOS switches? > Am I hitting a bug? > Do I just need to get rid of this test switch and get something more > modern for a lab switch? > > > Switch details: > model: WS-C3560G-24TS > working image: c3560-advipservicesk9-mz.122-25.SEE2.bin > failing image: c3560-ipservicesk9-mz.150-2.SE10.bin > port config: >interface GigabitEthernet0/15 > switchport trunk encapsulation dot1q > switchport mode trunk Due to the way Cisco has always treated VLAN 1, general advice over the years has been to avoid using it for production traffic. We don't even use it for switch management. Mark. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] VLAN 1 troubles?
I've got a 3560 switch in a lab situation that I'm looking for insight. I have a virtualization host hung off of a trunking port. VMs on this platform are able to communicate over any VLAN if I'm running a 12.2 image. As soon as I change to a 15.0 image, packets for VLAN1 no longer pass the switch port -- but all other VLANs do. This is true whether the packets are explicitly tagged as VLAN 1, or if I leave them "native." I have means to work around the issue, but it's bugging me... Is there some esoteric change between IOS 12 and IOS 15? Is there something I've been doing wrong for years with IOS switches? Am I hitting a bug? Do I just need to get rid of this test switch and get something more modern for a lab switch? Switch details: model: WS-C3560G-24TS working image: c3560-advipservicesk9-mz.122-25.SEE2.bin failing image: c3560-ipservicesk9-mz.150-2.SE10.bin port config: interface GigabitEthernet0/15 switchport trunk encapsulation dot1q switchport mode trunk ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
