Re: Interesting Vlan problem..

chris.styles · ‎05-11-2004

Hi all, I appear to be having trouble with inter vlan routing.

I have a 2900 edge switch who's ports are assigned to different Vlan's as required. this is connected to a 4500.

We already have three vlans all working fine, but I have tried to set up another, and I can't get connectivity.

The Vlan's appear in the 4500 and the new one was propergated to the 2900. I have assigned an ip address to the 4500 vlan interface, and the 2900 can ping this ip address. However when I give a client an IP on the new vlan, it can't ping anything at all, even though the 2900 switch can. All other clients connected to different vlans on the switch can ping the new vlan router ip.

I have included config's below. The port in question is fast0/23 and the new Vlan is 60. Truncated due to character restrictions.

Any help would be greatfully appreciated, I probably just have to activate somthing I don't know is there.

ip subnet-zero

!

ip multicast-routing

!

spanning-tree extend system-id

spanning-tree vlan 1-100 priority 24576

!

interface GigabitEthernet1/1

!

...truncated..

interface GigabitEthernet3/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

...truncated..

!

interface GigabitEthernet3/18

switchport mode trunk

!

interface Vlan1

description Services VLAN 1 - 172.30.0.0 / 16

ip address 172.30.2.100 255.255.0.0

ip helper-address 172.30.1.30

ip pim sparse-mode

ip cgmp

!

interface Vlan40

description User VLAN John Dalton House

ip address 172.40.1.254 255.255.0.0

ip helper-address 172.30.1.30

ip pim sparse-mode

ip cgmp

!

interface Vlan50

description User VLAN Deansgate and Lincoln House

ip address 172.50.1.254 255.255.0.0

ip helper-address 172.30.1.30

ip pim sparse-mode

ip cgmp

!

interface Vlan60

description Telephony VLAN

ip address 172.60.1.254 255.255.0.0

ip helper-address 172.30.1.30

ip pim sparse-mode

ip cgmp

!

ip classless

ip route 0.0.0.0 0.0.0.0 172.30.1.34

ip http server

!

Config of 2924...

interface FastEthernet0/1

switchport access vlan 50

spanning-tree portfast

!

interface FastEthernet0/2

switchport access vlan 50

spanning-tree portfast

!

...truncated..

!

interface FastEthernet0/22

switchport access vlan 50

spanning-tree portfast

!

interface FastEthernet0/23

switchport access vlan 60

spanning-tree portfast

!

interface FastEthernet0/24

switchport trunk encapsulation dot1q

switchport mode trunk

spanning-tree portfast

!

interface VLAN1

ip address 172.30.2.14 255.255.0.0

no ip directed-broadcast

no ip route-cache

!

Vlan 50 = 172.50.x.x

vlan 60 = 172.60.x.x

vlan 1 = 172.30.x.x

The port with the machine in 172.60.x.x is fa0/23

This switch goes through a 3512 to the 4500, config as below..

ip subnet-zero

cluster enable LINCOLNHOUSE 0

cluster member 3 mac-address 0030.94ed.e5c0

cluster member 4 mac-address 00b0.646b.01c0

cluster member 5 mac-address 00b0.6486.1ac0

cluster member 6 mac-address 00d0.baf5.a940

cluster member 7 mac-address 00d0.baf9.f480

cluster member 8 mac-address 00d0.baf9.ff80

cluster member 9 mac-address 00b0.646a.e5c0

!

interface FastEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

spanning-tree portfast

!

...truncated...

interface FastEthernet0/12

duplex full

spanning-tree portfast

!

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

spanning-tree portfast

!

interface GigabitEthernet0/2

switchport trunk encapsulation dot1q

switchport mode trunk

spanning-tree portfast

!

interface VLAN1

ip address 172.30.2.4 255.255.0.0

no ip directed-broadcast

ip nat outside

!

jamey · ‎05-11-2004

Just a quick look of the configs-nothing jumps out at me as being wrong.

I notice you have IP helper on the SVI VLAN60, ostensibly pointing to a DHCP server. Did you make a scope for the new subnet? Are the PC IP settings correct IP/mask/Default Gateway?

Just my $.02

chris.styles · ‎05-11-2004

Hi Jamey, yes you are correct I do have it pointed to a DHCP server, but I am using a static address for testing purposes. The DHCP scope is a copy of a working one so I don't think my probs are located there but you never know I will recheck anyway.

bolds04 · ‎05-11-2004

Do you have vlan 60 configured on the 3512? If not I would add it and do a no shut on the sub-interface. Everything else looks good.

Something else to make sure of is that all of you VLANs are up and running. If those are ok then I would move the fa0/22 in VLAN 50 over to VLAN60 and see if the wkst could ping out with the corect IP. Check those and let me know. If I have just a little more info on this I can get it up and running. Brandon

chris.styles · ‎05-12-2004

Hi Bolds, and all.

doing a show vlan on all switches shows.

2900

VLAN Name Status Ports

1 default active

40 VLAN0040 active Fa0/23

50 VLAN0050 active Fa0/1, Fa0/2, Fa0/3, Fa0/4,

Fa0/5, Fa0/6, Fa0/7, Fa0/8,

Fa0/9, Fa0/10, Fa0/11, Fa0/12,

Fa0/13, Fa0/14, Fa0/15, Fa0/16,

Fa0/17, Fa0/18, Fa0/19, Fa0/20,

Fa0/21, Fa0/22

60 VLAN0060 active

1002 fddi-default active

Truncated.

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

1 enet 100001 1500 - - - - - 0 0

40 enet 100040 1500 - - - - - 0 0

50 enet 100050 1500 - - - - - 0 0

60 enet 100060 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 0 0

Truncated.

4500

VLAN Name Status Ports

1 default active Gi1/1, Gi1/2, Gi2/1, Gi2/2

Gi2/3, Gi2/4, Gi2/5, Gi2/6

Gi3/11, Gi3/15, Gi3/16, Gi3/17

Gi3/18

40 VLAN0040 active

50 VLAN0050 active

60 VLAN0060 active

1002 fddi-default active

Truncated.

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

1 enet 100001 1500 - - - - - 0 0

40 enet 100040 1500 - - - - - 0 0

50 enet 100050 1500 - - - - - 0 0

60 enet 100060 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 0 0

Truncated.

and 3512.. interesting..

VLAN Name Status Ports

1 default active Fa0/9, Fa0/10, Fa0/11, Fa0/12

40 VLAN0040 active

50 VLAN0050 active

1002 fddi-default active

Truncated.

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

1 enet 100001 1500 - - - - - 0 0

40 enet 100040 1500 - - - - - 0 0

50 enet 100050 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 0 0

Truncated.

so.. 3512 is showing no vlan 60. but..

L1#sh vtp status

VTP Version : 2

Configuration Revision : 2

Maximum VLANs supported locally : 254

Number of existing VLANs : 7

VTP Operating Mode : Server

VTP Domain Name : *******

VTP Pruning Mode : Enabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0x2A 0x5A 0x0E 0x77 0x09 0x4E 0x48 0x0E

Configuration last modified by 172.30.2.4 at 3-1-93 06:45:49

Is this the problem do you think, and how can I force an update / manually add the vlan?

Thanks in advance.

mbacklund2 · ‎09-01-2004

Do a show vtp status on every switch and see if

Configuration Revision is the same. If 3512 have a higher revision than 4500. It will not update its vlandatabase with vlan 60 and because of that 3512 will not pass vlan 60 out on the trunk to the 2900.

A tip set up 4500 as a vtp server and the other switch to client in the same vtp domain. Then you will get more controll and know where you should do the changes. Note clear the vtp database before you set up the vtp structure so that the configuration Revision is the same from the begining.

yar9960 · ‎05-11-2004

For testing purposes, it's not a bad idea to hard-code the test machine plugged into VLAN60 with a valid IP (subnet mask, gateway, etc..) for this subnet. If you then have connectivity, you're looking at a DHCP configuration problem. If not, then it could be a network/switch configuration issue.

Another thing to keep in mind when testing connectivity from the 2900 switch itself is to check which VLAN the switch itself is using to source management traffic. In this case, since the switch's IP address is configured using int VLAN 1 (if I remember the config correctly), then going across the dot1q trunk it will be tagged (or not tagged if VLAN 1 is the native VLAN) as VLAN 1. You should make sure that VLAN60 is allowed on the trunk from the 4500 down to the 2900 and vice versa. Another useful troubleshooting technique would be to start at L2 and compare the mac-address-tables of the 2900 and the 4500 to see which VLAN60 entries there are. If trunking is setup correctly, the 4500 should respond to ARP requests for 172.60.1.254, and the MAC address table of the 2900 should be populated with the router's (i.e. the SVI's) MAC address which should be learned on the uplink port and within VLAN60.

chris.styles · ‎05-11-2004

Hi all, thaks for your valuable input.

I'm going to do a bit more digging around with the Mac address tables. One point though, how would I restrict allowing a VLAN down the trunks? I thought trunks automatically carry all VLAN traffic.

The 2900 can ping 172.60.1.254, so I see this as Vlan 1 up the trunk to 4500, onto Vlan60, hit 172.60.1.254, return back down Vlan 1. So it APPEARS to me that the inter VLAN routing is working, but traffic on Vlan 60 entering the 2900 is not being sent up to the trunk, as per you idea.

Am I going round in circles!!

chris.styles · ‎05-12-2004

OK, went onto the 3512 and into vlan database.

Set as a server, added vlan 60 and applied the changes.

All works atreat, but anyone any idea why the vlan wasn't being picked up by the vtp clients and how to force some vtp replication?

Ta

yar9960 · ‎05-12-2004

When in doubt, manually configure those VLANs!

In terms of the VTP issue, if the 3512 had a higher (i.e. "better") revision number then it would not be updated with the new VLAN info. That's one theory anyway. The "Best Practices" doc for 4000/4500s seems to advocate using Transparent mode for VTP:

http://www.cisco.com/warp/customer/473/185.html#cg1

It's more typing, but less guesswork sometimes :)

joseph-chapman · ‎05-13-2004

Rules for VLAN trunking success:

1) Both ends of trunk link have same encap

2) Both ends of trunk link have same native VLAN

3) Both ends of trunk link have required VLANs ALLOWED

4) Both ends of trunk link have same VTP domain name (this is case sensitive)

5) Both ends of trunk link have same VLAN database configuration (SHOW VLAN is identical)

In terms of VLAN database, they don't have to match but if you need VLAN 60 to get through three switches, ALL THREE SWITCHES must have VLAN 60 configured even if the VLAN 60 traffic is just 'transiting' the middle switch (there are no 'access' ports assigned to VLAN 60; VLAN 60 is only on trunk links.)

You can always create a 'dummy VLAN' -- a VLAN which you would only use for testing and forcing a 'push'. Then you can create/delete this VLAN and it will cause a push. This is not perfect, but more likely to succeed.

jperrin · ‎06-30-2004

For starters u have spantree portfast on both uplinks/downlink ports. The client switch may not have enough time to get needed info from the server.

Rule #1 never have portfast on on a switch to switch link port.

yar9960 · ‎05-12-2004

You can manually "prune" which VLANs are allowed on a particular trunk by using the "switchport trunk allowed vlan " command in interface config mode (on either end of the trunk). It's comparable to the "clear trunk " command on CatOS switches.

http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml#vtp_span_tree