
2 Vlans Stopped Communicating

ccoperryc
Level 1

Our School District has 25 buildings and each has its own vlan assigned to it. Recently one of our building vlans, 111, just stopped communicating with another, 157, but does communicate with the remaining 23 vlans. Vlan 157 is not able to communicate with vlan 111 but can communicate with the other 23 vlans.

We have a 6509 sup720 running CatOS with 3500 series edge switches.

Any suggestions on where to start looking would be greatly appreciated.

Cathy Perry

WWCSD Tech Group

49 Replies

Jon Marshall
Hall of Fame

Cathy

Where are the L3 interfaces for the vlans - are they on the 6500 switch?

The 3550 edge switches, do they have multiple vlans on each switch and are they connected back via trunks to the 6500?

Where are you trying to connect from / to, i.e. are you on a PC in vlan 111 trying to connect to a PC in vlan 157, and are these on different switches?

Jon

Jon,

The L3 interfaces for these vlans are on the 6500 switch. The edge switches for Vlan157 have multiple vlans and trunk back to the 6500. The edge switches for Vlan111 have been manually pruned with the assistance of Cisco TAC Support last summer and also trunk back to the 6500.

To answer your last question we actually tried to ping from a server in either Vlan to the server in the other Vlan. Pinging in either direction fails. Both servers are connected directly to the 6500 by trunk ports.

Thank you,

Cathy

Cathy

What exactly do you mean when you say servers are trunked? If you mean trunked as in Cisco trunk then which vlans are they members of?

Or do you mean trunked in the Cisco etherchannel sense?

If both servers are connected into the 6500 and the routing is done on the 6500 then we can probably rule out an issue with the access-layer switches.

Do you have any filtering with access-lists?

What are the IP address/subnet mask/default-gateway details for your 2 servers?

Jon

Jon,

Each server in our network has a dedicated port on the 6500 for its individual Vlan.

You are correct, both servers connect directly to the 6500 and routing is done on the 6500.

This is the only access list filtering I have been able to locate on our router.

    Extended IP access list 101
        10 deny tcp any any eq 5554
        20 deny tcp any any eq 9996
        30 permit tcp any any eq www
        40 deny tcp any any eq 445

    Vlan 111 10.91.72.4 255.255.252.0 10.191.72.2
    Vlan 157 10.91.48.4 255.255.252.0 10.191.48.2

Cathy

Cathy

Do you know if/where the access-list 101 is applied?

Jon

Jon,

I believe this is what you are asking me:

The access-list 101 in my previous response came from the MSFC on the 6509. I ran the sho access-lists command to get it.

    MSFC#sho access-lists
    Extended IP access list 101
        10 deny tcp any any eq 5554
        20 deny tcp any any eq 9996
        30 permit tcp any any eq www
        40 deny tcp any any eq 445

Cathy

Sorry Cathy, I didn't explain myself very well.

Can you post the output of a

    sh run int vlan 111
    sh run int vlan 157

Jon

Jon,

Thank you for your patience with me.

Here it is:

    MSFC#sho run int vlan 111
    Building configuration...

    Current configuration : 132 bytes
    !
    interface Vlan111
     description Stev-Instr
     ip address 10.91.72.2 255.255.252.0
     no ip redirects
     ip pim sparse-mode
     ip cgmp
    end

    MSFC#sho run int vlan 157
    Building configuration...

    Current configuration : 132 bytes
    !
    interface Vlan157
     description Adam-Instr
     ip address 10.91.48.2 255.255.252.0
     no ip redirects
     ip pim sparse-mode
     ip cgmp
    end

This is as it has always been.

Cathy

Cathy

No problem, I just wanted to confirm the access-list wasn't applied to these vlan interfaces. Sometimes these problems can take a while to sort out and can take quite a few questions.

The other thing - in a previous post you said the servers' IP addresses/subnet mask/DG were

Vlan 111 10.91.72.4 255.255.252.0 10.191.72.2

Vlan 157 10.91.48.4 255.255.252.0 10.191.48.2

Are the default-gateways typos, i.e.

10.191.72.2 should be 10.91.72.2

and

10.191.48.2 should be 10.91.48.2

Jon

Sorry Jon,

Yes, 10.91.72.2 and 10.91.48.2 are the appropriate gateways.

I was hopping in and out of switches and do this sometimes.

Cathy

Cathy

Okay can we try a few things

1) From the server in vlan 111 can you ping vlan 157 interface - result ?

2) From server in vlan 157 can you ping vlan 111 interface ?

3) From server in vlan 111 can you ping a server in a different vlan ?

4) Same as 3 for server in vlan 157.

5) Can you post a "sh ip route" from the 6500.

6) Can you post the interface vlan configuration off the 6500.

Edit - which module(s) are the servers connected into and which IOS version are you running.

Apologies for requesting all this info but there is nothing obvious (at least to me ! )

Jon

Jon,

I agree there is nothing obvious, especially since there have been no configuration changes to the 6500 in at least a month.

1) From the server in vlan 111 can you ping vlan 157 interface - result ?

Yes

2) From server in vlan 157 can you ping vlan 111 interface ?

No

3) From server in vlan 111 can you ping a server in a different vlan ?

4) Same as 3 for server in vlan 157.

Yes, to both 3 & 4

5) Can you post a "sh ip route" from the 6500.

"sh ip route" did not give me the response I expected to see. What information should I see when I run this for you?

6) Can you post the interface vlan configuration off the 6500.

    #module 9 : 16-port 1000BaseX Ethernet
    set vlan 16 9/1-2,9/11
    set vlan 109 9/3,9/5,9/16
    set vlan 111 9/14 (Bldg Server)
    set vlan 113 9/7
    set vlan 115 9/15
    set vlan 139 9/6
    set vlan 141 9/4
    set vlan 147 9/13
    set vlan 153 9/12
    set vlan 157 9/9-10 (IE filtering Server & Bldg Server)
    set vlan 888 9/8
    set port name 9/3 Nautilus
    set port name 9/8 Lincoln-Vandenberg
    set port name 9/16
    set cdp disable 9/16
    set udld enable 9/3
    set trunk 9/3 on dot1q 1-4094
    set trunk 9/4 on dot1q 1-4094
    clear trunk 9/8 2-15,17-130,133-144,147-4094
    set trunk 9/8 on dot1q 1,16,131-132,145-146
    set trunk 9/9 off dot1q 1-4094 (this config questionable)
    set spantree portfast 9/1-16 disable

Edit - which module(s) are the servers connected into

Server in Vlan 111 is connected to 9/14 - Building Server

Server in Vlan 157 is connected to 9/9 - IE Filtering Server 9/10 - Building Server

Which IOS version are you running.

Sup720 is running cat6000-sup720k8.8-5-9

MSFC "bootflash:c6msfc3-psv-mz.122-17d.SXB8"

MSFC3 Software (C6MSFC3-PSV-M), Version 12.2(17d)SXB8, RELEASE SOFTWARE (fc2)

Cathy

You ran the "sh ip route" on the supervisor but you are running in hybrid mode so you need to run it from the MSFC.

Can you

1) Post the output of a "sh module"

2) Log on to the MSFC and post the output of a "sh ip route"

3) On the MSFC post the output of the running config - "sh run"

Jon

Jon,

Attached are the outputs you have requested.

Again I would like to thank you for your patience. As you have probably already figured out, I am new to troubleshooting, so thank you.

Cathy
