
3560CG failing to open ports

Matthew Lucas
Level 1

I'm becoming a real pest on here, haha.

I have a number of 3560CG-8PC-S switches. My intention for them is to act as kind of gateway L3 switches - one for each satellite site. My thinking was simply to have an L3 device at the gateway to each of those sites so that any inter-vlan traffic within each site can stay within the site rather than having to traverse the relatively slow radio links to get back to the 3750X stack in the core. They are also, however, going to be directly serving client devices.

My issue is that for some reason, when connecting a new device (laptop etc) to one of the access ports on the 3560's, the port behaves as if it's being blocked. No DHCP addresses go through, the indicator remains orange, and the clients have no connectivity. However, if I wipe the config, I get a VLAN 1 IP address for my client no problems at all. And to make matters more confusing, only two out of my four 3560's are doing this. The other two have exactly the same config, but work perfectly.

To that end, I'm loading the config below. I've followed that by the show running-config output, and show ip interface brief outputs.

configure terminal

hostname ASW34

!

enable secret *RuT1l3&

service password-encryption

username xxxx password xxxx

!

ip domain-name sierra-rutile.local

crypto key generate rsa

1024

line vty 0 1

login local

transport input ssh

!

line vty 2 15

transport input none

exit

!

!

line con 0

login local

exit

no ip http server

no ip http secure-server

!

vtp mode client

vtp domain sierra

vtp password rutile

!

ip default-gateway 10.0.4.10

!

ntp server 10.0.4.10

!

interface vlan 1

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

no shutdown

exit

!

interface vlan 4

ip address 10.0.4.41 255.255.252.0

exit

!

interface vlan 8

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

exit

!

interface vlan 16

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

exit

!

interface vlan 20

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

exit

!

interface vlan 24

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

exit

!

interface vlan 28

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

exit

!

interface vlan 32

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

exit

!

interface vlan 36

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

exit

!

interface vlan 248

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

exit

!

interface vlan 252

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

exit

!

ip routing

ip route 0.0.0.0 0.0.0.0 10.0.4.10

!

access-list 101 deny ip 192.168.8.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 101 permit ip 192.168.8.0 0.0.0.255 any

interface vlan 244

ip access-group 101 in

!

interface range g0/9 -10

switchport trunk encapsulation dot1q

switchport mode trunk

exit

!

interface range g0/1 -8

switchport mode access

switchport access vlan 12

spanning-tree portfast

exit

!

spanning-tree mode rapid-pvst

end

write memory

Now a running config copy from the NOT working switch. This is identical (I've gone through them both line by line side by side) with one of the other identical switches that IS working.

SW31#sh run

Building configuration...

Current configuration : 3386 bytes

!

! Last configuration change at 04:31:31 UTC Fri Apr 1 2011

! NVRAM config last updated at 04:31:31 UTC Fri Apr 1 2011

!

version 15.0

service config

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ASW31

!

boot-start-marker

boot-end-marker

!

enable secret 4 5fpDlu4LdCozFYxrLimWlqRSZLorgqR1LnuU34XhHaE

!

username xxxx password 7 11434A2B1043055F57186D

no aaa new-model

system mtu routing 1500

ip routing

!

!

ip domain-name sierra-rutile.local

!

!

spanning-tree mode rapid-pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

interface GigabitEthernet0/1

switchport access vlan 12

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/2

switchport access vlan 12

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/3

switchport access vlan 12

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/4

switchport access vlan 12

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/5

switchport access vlan 12

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/6

switchport access vlan 12

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/7

switchport access vlan 12

switchport mode access

spanning-tree portfast

!        

interface GigabitEthernet0/8

switchport access vlan 12

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/9

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet0/10

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface Vlan1

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan4

ip address 10.0.4.41 255.255.252.0

!

interface Vlan8

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan16

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan20

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan24

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan28

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan32

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan36

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan244

no ip address

ip access-group 101 in

!

interface Vlan248

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan252

no ip address

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

ip default-gateway 10.0.4.10

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 10.0.4.10

!

access-list 101 deny   ip 192.168.8.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 101 permit ip 192.168.8.0 0.0.0.255 any

!

!

!

line con 0

login local

line vty 0 1

login local

transport input ssh

line vty 2 4

login

transport input none

line vty 5 15

login

transport input none

!

ntp server 10.0.4.10

end

And finally, show ip interface brief:

Interface              IP-Address      OK? Method Status                Protocol

Vlan1                  unassigned      YES manual up                    up     

Vlan4                  10.0.4.41       YES manual up                    up     

Vlan8                  unassigned      YES unset  up                    up     

Vlan16                 unassigned      YES unset  up                    up     

Vlan20                 unassigned      YES unset  up                    up     

Vlan24                 unassigned      YES unset  up                    up     

Vlan28                 unassigned      YES unset  up                    up     

Vlan32                 unassigned      YES unset  up                    up     

Vlan36                 unassigned      YES unset  up                    up     

Vlan244                unassigned      YES unset  up                    up     

Vlan248                unassigned      YES unset  up                    up     

Vlan252                unassigned      YES unset  up                    up     

GigabitEthernet0/1     unassigned      YES unset  down                  down   

GigabitEthernet0/2     unassigned      YES unset  down                  down   

GigabitEthernet0/3     unassigned      YES unset  up                    up     

GigabitEthernet0/4     unassigned      YES unset  down                  down   

GigabitEthernet0/5     unassigned      YES unset  down                  down   

GigabitEthernet0/6     unassigned      YES unset  down                  down   

GigabitEthernet0/7     unassigned      YES unset  down                  down   

GigabitEthernet0/8     unassigned      YES unset  down                  down   

GigabitEthernet0/9     unassigned      YES unset  up                    up     

GigabitEthernet0/10    unassigned      YES unset  up                    up     

17 Replies

Ok, I'm back. And now very confused. I've wiped both those 3560's and started again with the following config. Now I still find that if I plug a client into one of the access ports, the indicator stays orange (it's a gigabit port on the laptop) and the interface behaves as if it's shut down, though it doesn't report that it is in the config.

However, if I wipe the config and plug a client in, it waits for the 30 secs then goes green and I get an IP address within VLAN 1, which I'd expect. Am I missing something really obvious?

configure terminal

hostname ASW31

!

enable secret xxxx

service password-encryption

username xxxx password xxxx

!

!

ip domain-name sierra-rutile.local

crypto key generate rsa

1024

line vty 0 1

login local

transport input ssh

exit

!

!

line vty 2 15

transport input none

exit

!

!

line con 0

login local

exit

!

!

vtp mode client

vtp domain sierra

vtp password xxxx

!

ip default-gateway 10.0.4.10

ntp server 10.0.4.10

!

interface vlan 1

no ip address

no shutdown

exit

!

!

interface vlan 4

ip address 10.0.4.41 255.255.252.0

exit

!

!

interface range g0/9 -10

switchport mode trunk

exit

!

!

interface range g0/1 -8

switchport mode access

switchport access vlan 12

spanning-tree portfast

exit

!

!

spanning-tree mode rapid-pvst

!

no ip http server

no ip http secure-server

end

!

write memory


Alright, let's start with the basics first. Once Laptop and Switch are connected, do the following and post the output please:

show int gi0/1-8 wherever the Laptop is connected to

show int gi0/1-8 status

show vlan brief

show vlan id 12

show spanning-tree vlan 12

Ok:

ASW32#sh int g0/4

GigabitEthernet0/4 is up, line protocol is up (connected)

  Hardware is Gigabit Ethernet, address is 2401.c740.fe84 (bia 2401.c740.fe84)

  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX

  input flow-control is off, output flow-control is unsupported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input never, output 00:00:06, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 5000 bits/sec, 1 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     1171 packets input, 393900 bytes, 0 no buffer

     Received 1102 broadcasts (984 multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 984 multicast, 0 pause input

     0 input packets with dribble condition detected

     67 packets output, 21214 bytes, 0 underruns

     0 output errors, 0 collisions, 1 interface resets

     0 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 pause output

     0 output buffer failures, 0 output buffers swapped out

ASW32#sh int g0/4 status

Port      Name               Status       Vlan       Duplex  Speed Type

Gi0/4                        connected    12         a-full a-1000 10/100/1000BaseTX

ASW32#sh vlan brief

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active   

4    INFRASTRUCTURE                   active   

8    PLANTSITE                        active   

16   DRYMINE                          active   

20   LANTI                            active   

24   NITTI                            active   

28   GANGAMA                          active   

32   CEMYARD                          active   

36   VLAN0036                         active   

244  CCTV                             active   

248  GUESTWIFI                        active   

252  voice                            active   

1002 fddi-default                     act/unsup

1003 token-ring-default               act/unsup

1004 fddinet-default                  act/unsup

1005 trnet-default                    act/unsup

Ahaha - hold on - that's got it. Bloody idiot (me, not you). I hadn't amended one critical piece of documentation to reflect the fact that I'd removed vlan 12 so as to allow some expansion room for vlan 8. So there is no vlan 12, but I put all those interfaces in it anyway. No wonder it didn't work. It's always something basic. Pillie, thanks for prompting me. It's sorted now.

Everyone, thank you very much for your assistance all the way through, despite drifting away from the subject at hand into network design.