Invalid license: Your evaluation license of RefinedTheme expired.



Here's an overview of CLI-Based VLAN management and other important settings in this switch.

Using the CLI is almost mandatory for working with VLANs since the Web interface's way of managing VLANs is... the worst UX ever.


Using EXEC mode from Configure

Since the CLI is less structured than real IOS you will end up checking back on things, it works using the "DO" prefix.

cisco1(config)#do sh run


Using ranges

interface range GigabitEthernet 5-10

Better designations like 5-10,11,20-50 are not supported.


Saving changes

copy running-config startup-config

(You have to tab-complete)

Setting up NTP, SNMP and syslog


Basic SNMPv1/v2c setup in this example:

snmp-server server
snmp-server location "where it's at"
snmp-server community public ro FIRST_IP_ADDR view Default
snmp-server community public ro SECOND_IP_ADDR view Default


Settings for roughly local time. Daylight savings time instead of UTC on the Switch isn't 100% ideal for us techies but the other people tend to be happier with it. Well actually almost everyone hates DST, so no idea...


clock timezone "TIMEZONE_NAME" 2
clock summer-time web recurring eu
clock source sntp
clock source browser
sntp unicast client enable
sntp unicast client poll
sntp server FIRST_IP poll
sntp server SECOND_IP poll
sntp server THIRD_IP poll



You can define one or more syslog hosts and also select the minimum severity that should be logged.

I've chose notifications which is one level above "INFO" meaning I'll get a little less spam.

logging host IPADDRESS severity notifications
logging source-interface vlan 25

The second line isn't really needed, You don't need to set the source vlan - in normal cases the switch will auto-select it



Changing the management VLAN

This is a bit tricky - there are some UI bugs that don't let you select the management VLAN via GUI. That'll force you to change the default VLAN, too.

At one of those switches, at one time, we were able to select a VLAN from the drop-down menu. It offered only two of the 3 VLANs we had on the switch and it's just ... i don't know. Too strange, too dangerous and not recommendable to touch this.

Since we wanted to do that we went ahead and changed the default vlan and removed all client ports from it to a new "client" vlan.

vlan database
default-vlan vlan 1234

Note you cannot assign a name to the default vlan.

Now you might have noticed the VLAN database command; just to be clear about this, those switches don't run 2950-like code, there is no VLAN management using VMPS or anything like that.

Switching a GENERAL port back to access

switchport general vlan remove NUMBER,NUMBER2
no switchport general pvid
switchport mode access
switchport access vlan NUMBER


Setting up Spanning Tree for an access port

The switch defaults to RSTP, can also do MSTP and cannot do PVSTP+ or any other fast VLAN-safe mode as far as I understood.

spanning-tree portfast (optional)
# spanning-tree edge-port (optional)
# spanning-tree bpduguard (optional)


Setting up a Trunk port

switchport mode trunk
no switchport trunk vlan native
switchport mode trunk vlan add NUMBER,NUMBER2

There's a few icky points here, if you have a native vlan assigned make sure it's not coming in as tagged from the remote end, and vice-versa.

The switch will tell you about it in a message like this:

%CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface Po1.

It's more than tricky to debug on the first run. Carefully try adding/removing native vlans on both ends.

Of course that's not easy if this switch forces you to use the management vlan as default VLAN, right?


Setting up LACP

lacp system-priority 1000
interface range GigabitEthernet 51-52
lacp timeout short
channel-group 1 mode auto
interface Port-channel1
switchport trunk allowed vlan add NUMBER,NUMBER2

auto in this case means proper LACP

If I run show running config I see NO other config on the trunk interfaces. Don't assign a PVID / native VLAN if you don't need it.

One of the nice things is you can do single-cable LACP port channels and later join a second leg.

In that respect it's better than very bad chinese ones.


Debugging LACP

This shows an inactive Portchannel - it'll still use load distribution, but it's not "active" LACP - we never learned our partners' name:

cisco2#sh lacp Port-Channel 1
Port-Channel Po1
       Port Type Gigabit Ethernet
       Attached Lag id:
               System Priority:1000
               MAC Address:    [redacted]
               Admin Key:      1000
               Oper Key:       1000
               System Priority:0
               MAC Address:    00:00:00:00:00:00
               Oper Key:       0


A working link would look like this:

cisco1#sh lacp Port-Channel 1
Port-Channel Po1
       Port Type Gigabit Ethernet
       Attached Lag id:
               System Priority:500
               MAC Address:    [redacted]
               Admin Key:      1000
               Oper Key:       1000
               System Priority:32768
               MAC Address:    [also redacted but NUMBERS!!!]
               Oper Key:       14425



To identify with end of the LACP conversation isn't talking use this:

cisco2#sh lacp statistics GE51
gi51 LACP statistics:
      LACP Pdus sent:                2117
      LACP Pdus received:            0
cisco2#sh lacp statistics GE52
gi52 LACP statistics:
      LACP Pdus sent:                2291
      LACP Pdus received:            0


So we learned we'll have to check at the the other end to find out what's wrong.



Other notes

The switch supports CDP, but not LLDP, our Avaya backbone does yet another thing.

We've left it enabled but like with those proprietary standards you're not going to get anything done in terms of management.