Howto: Troubleshooting a CX connectivity issue - missing allowed VLAN on trunk port

Symptoms

I started working on a project, but didn't finish and came back to it 2 weeks later.
Now an AP was not getting an IP address, and not showing up in Central.

Initial Troubleshooting

1. Port enabled, correct native/untagged VLAN assigned
   
   
2. DHCP server (on the switch) was showing leases (on a different subnet)
3. Plugged a test device into the switch in a different port in the same VLAN 930 - lease assigned and device booted OK
4. Moved the test device into the original port - didn't work, no DHCP.

Port Mirror

This is what port mirroring is for!

In my home lab I have a 5Gb NIC permanently connected to a dedicated 5Gb SmartRate port on my switch, so I just had to define the source interface (1/1/16) and enable the mirror session. This is easily done with MultiEdit.

Now I can watch what is happening on port 1/1/16 with WireShark.

I can see that there is traffic visible on tagged VLAN 27 (which carries subnet 172.20.27.0), but nothing on untagged/native VLAN 930 (subnet 10.20.30.0).
This is a problem, because the DHCP broadcast is on the untagged VLAN 930, and there are no DHCP responses coming back.

Resolution

In step 1 of my initial troubleshooting, I didn't check the full VLAN config in Central or CLI.
Highlight the port in Central GUI and click edit to properly inspect the config. The Native VLAN must also be listed in the Allowed VLANs list - which was not the case here, with only VLAN 27 allowed.

After adding my native VLAN 930 to the Allowed VLANs list, it worked as expected.

And the same view from MultiEdit

As soon as VLAN 930 was allowed on port 1/1/16, DHCP worked, and the AP came online in Central.
You can see the proper DHCP sequence of Discover - Offer - Request - ACK, and also the 10.20.30.0 IP addresses

Summary

When dealing with multiple VLANs on a CX switch port (ie a trunk port), it is important to include your native VLAN (the untagged VLAN) in the list of allowed VLANs. Failure to do so will mean that the switch ignores any native VLAN packets.

------------------------------
Richard Litchfield
Airheads MVP 2020, 2021, 2022
------------------------------

Howto: Troubleshooting a CX connectivity issue - missing allowed VLAN on trunk port

Symptoms

I started working on a project, but didn't finish and came back to it 2 weeks later.
Now an AP was not getting an IP address, and not showing up in Central.

Initial Troubleshooting

1. Port enabled, correct native/untagged VLAN assigned
   
   
2. DHCP server (on the switch) was showing leases (on a different subnet)
3. Plugged a test device into the switch in a different port in the same VLAN 930 - lease assigned and device booted OK
4. Moved the test device into the original port - didn't work, no DHCP.

Port Mirror

This is what port mirroring is for!

In my home lab I have a 5Gb NIC permanently connected to a dedicated 5Gb SmartRate port on my switch, so I just had to define the source interface (1/1/16) and enable the mirror session. This is easily done with MultiEdit.

Now I can watch what is happening on port 1/1/16 with WireShark.

I can see that there is traffic visible on tagged VLAN 27 (which carries subnet 172.20.27.0), but nothing on untagged/native VLAN 930 (subnet 10.20.30.0).
This is a problem, because the DHCP broadcast is on the untagged VLAN 930, and there are no DHCP responses coming back.

Resolution

In step 1 of my initial troubleshooting, I didn't check the full VLAN config in Central or CLI.
Highlight the port in Central GUI and click edit to properly inspect the config. The Native VLAN must also be listed in the Allowed VLANs list - which was not the case here, with only VLAN 27 allowed.

After adding my native VLAN 930 to the Allowed VLANs list, it worked as expected.

And the same view from MultiEdit

As soon as VLAN 930 was allowed on port 1/1/16, DHCP worked, and the AP came online in Central.
You can see the proper DHCP sequence of Discover - Offer - Request - ACK, and also the 10.20.30.0 IP addresses

Summary

When dealing with multiple VLANs on a CX switch port (ie a trunk port), it is important to include your native VLAN (the untagged VLAN) in the list of allowed VLANs. Failure to do so will mean that the switch ignores any native VLAN packets.

------------------------------
Richard Litchfield
Airheads MVP 2020, 2021, 2022
------------------------------

Nice post.

That is also something I have noticed. On CX you need to add the VLAN both to Native VLAN and allowed vlan list. 

On AOS-S switches (f.x 2930) you do not have to add the vlan to tagged vlan list, only as untagged vlan.

------------------------------
Ole Morten Kårbø
ACEA ACSP
Netnordic Norway
------------------------------

Original Message:
Sent: Mar 18, 2023 09:35 AM
From: Richard Litchfield
Subject: Howto: Troubleshooting a CX connectivity issue - missing allowed VLAN on trunk port

Howto: Troubleshooting a CX connectivity issue - missing allowed VLAN on trunk port

Symptoms

I started working on a project, but didn't finish and came back to it 2 weeks later.
Now an AP was not getting an IP address, and not showing up in Central.

Initial Troubleshooting

1. Port enabled, correct native/untagged VLAN assigned
   
   
2. DHCP server (on the switch) was showing leases (on a different subnet)
3. Plugged a test device into the switch in a different port in the same VLAN 930 - lease assigned and device booted OK
4. Moved the test device into the original port - didn't work, no DHCP.

Port Mirror

This is what port mirroring is for!

In my home lab I have a 5Gb NIC permanently connected to a dedicated 5Gb SmartRate port on my switch, so I just had to define the source interface (1/1/16) and enable the mirror session. This is easily done with MultiEdit.

Now I can watch what is happening on port 1/1/16 with WireShark.

I can see that there is traffic visible on tagged VLAN 27 (which carries subnet 172.20.27.0), but nothing on untagged/native VLAN 930 (subnet 10.20.30.0).
This is a problem, because the DHCP broadcast is on the untagged VLAN 930, and there are no DHCP responses coming back.

Resolution

In step 1 of my initial troubleshooting, I didn't check the full VLAN config in Central or CLI.
Highlight the port in Central GUI and click edit to properly inspect the config. The Native VLAN must also be listed in the Allowed VLANs list - which was not the case here, with only VLAN 27 allowed.

After adding my native VLAN 930 to the Allowed VLANs list, it worked as expected.

And the same view from MultiEdit

As soon as VLAN 930 was allowed on port 1/1/16, DHCP worked, and the AP came online in Central.
You can see the proper DHCP sequence of Discover - Offer - Request - ACK, and also the 10.20.30.0 IP addresses

Summary

When dealing with multiple VLANs on a CX switch port (ie a trunk port), it is important to include your native VLAN (the untagged VLAN) in the list of allowed VLANs. Failure to do so will mean that the switch ignores any native VLAN packets.

------------------------------
Richard Litchfield
Airheads MVP 2020, 2021, 2022
------------------------------

Nice post.

That is also something I have noticed. On CX you need to add the VLAN both to Native VLAN and allowed vlan list. 

On AOS-S switches (f.x 2930) you do not have to add the vlan to tagged vlan list, only as untagged vlan.

------------------------------
Ole Morten Kårbø
ACEA ACSP
Netnordic Norway

Original Message:
Sent: Mar 18, 2023 09:35 AM
From: Richard Litchfield
Subject: Howto: Troubleshooting a CX connectivity issue - missing allowed VLAN on trunk port

Howto: Troubleshooting a CX connectivity issue - missing allowed VLAN on trunk port

Symptoms

I started working on a project, but didn't finish and came back to it 2 weeks later.
Now an AP was not getting an IP address, and not showing up in Central.

Initial Troubleshooting

1. Port enabled, correct native/untagged VLAN assigned
   
   
2. DHCP server (on the switch) was showing leases (on a different subnet)
3. Plugged a test device into the switch in a different port in the same VLAN 930 - lease assigned and device booted OK
4. Moved the test device into the original port - didn't work, no DHCP.

Port Mirror

This is what port mirroring is for!

In my home lab I have a 5Gb NIC permanently connected to a dedicated 5Gb SmartRate port on my switch, so I just had to define the source interface (1/1/16) and enable the mirror session. This is easily done with MultiEdit.

Now I can watch what is happening on port 1/1/16 with WireShark.

I can see that there is traffic visible on tagged VLAN 27 (which carries subnet 172.20.27.0), but nothing on untagged/native VLAN 930 (subnet 10.20.30.0).
This is a problem, because the DHCP broadcast is on the untagged VLAN 930, and there are no DHCP responses coming back.

Resolution

In step 1 of my initial troubleshooting, I didn't check the full VLAN config in Central or CLI.
Highlight the port in Central GUI and click edit to properly inspect the config. The Native VLAN must also be listed in the Allowed VLANs list - which was not the case here, with only VLAN 27 allowed.

After adding my native VLAN 930 to the Allowed VLANs list, it worked as expected.

And the same view from MultiEdit

As soon as VLAN 930 was allowed on port 1/1/16, DHCP worked, and the AP came online in Central.
You can see the proper DHCP sequence of Discover - Offer - Request - ACK, and also the 10.20.30.0 IP addresses

Summary

When dealing with multiple VLANs on a CX switch port (ie a trunk port), it is important to include your native VLAN (the untagged VLAN) in the list of allowed VLANs. Failure to do so will mean that the switch ignores any native VLAN packets.

------------------------------
Richard Litchfield
Airheads MVP 2020, 2021, 2022
------------------------------