08-29-2011 09:03 AM - edited 03-07-2019 01:57 AM
Here's a good one I'm stuck on.
Most of my buildings are divided up by VLANs. In one particular building, no one else in the building's VLAN can communicate with devices on the third floor. From what I can gather so far from my troubleshooting, the switch doesn't appear to be passing incoming broadcasts. I'm fairly certain both L2 and L3 broadcasts are affected. Devices connected to the 4006 appear to be able to use broadcasts, as they are getting their addresses via DHCP. ARP packets sent from within the VLAN from other parts of the building never reach the third floor. I can ping the devices from the core and other networks, as the core does have ARP entries for the other devices.
The switch on the third floor is a 4006 with a SUPII running CatOS. The next upstream switch is a 375012S, which is the distribution switch. From there it goes to our core router. The uplink between the 4006 and the 375012 is multimode fiber (SX transceivers). There are no port errors on any of the uplinks. The 4006 does show one of the Ethernet line cards as faulty, but client communications appear to be working and I have confirmed that clients on the other cards cannot be contacted as well.
I'm really grasping at straws at this point. I have scheduled after-hours maintenance this week; anything I should try? I was going to take another switch over to confirm/deny the problem lies in the 4006, and possibly reboot the 4006.
Any suggestions would be helpful.
08-29-2011 11:36 AM
Hello,
Correct me if I'm wrong, please. You want broadcasts on one vlan to be sent out another vlan.
If yes, that's how it should work. A vlan is a broadcast segment, and the hosts will only see broadcasts for the vlan they are connected to.
Regards,
Bruno Silva.
08-29-2011 12:26 PM
No, the broadcasts from devices in the vlan (VL60) are not reaching clients in the same vlan connected to this 4006. From what I can tell from my captures, clients connected to the 4006 can see each other's broadcasts and can make broadcasts out. Unicast traffic isn't affected.
Heath
08-29-2011 01:45 PM
Hello,
Do you have any other L2 switch with devices on vlan 60? I don't see it mentioned on the question.
If yes, can you please post the sanitized configs? Also, make sure you have the trunks allowing this vlan to pass through.
Regards,
Bruno Silva.
08-29-2011 03:05 PM
Bruno,
The trunks are there, otherwise other stuff wouldn't work either (first place I looked).
There are several L2 devices in VL60. The VLAN interface resides on our core (6509). Off the core is a trunk link to the building's distribution switch, a 375012s. The 375012 feeds off to the various closets in the building, including a stack of 3750s, a 4503, a 2900, and another 4006.
Port 1/1 is the uplink to the 375012. In addition to the 4006's config what other devices' configs would you like?
#dot1x
set feature dot1x-radius-keepalive disable
!
#system
set system name hlrc300c4006p
set system location
set system contact
!
#Default Inlinepower
set inlinepower defaultallocation 6000
!
#frame distribution method
set port channel all distribution mac both
!
#snmp
set snmp community read-only 1t5pub1t5
set snmp community read-write 1t5priv1t5
set snmp trap enable module
set snmp trap enable chassis
set snmp trap enable vtp
set snmp trap enable vlancreate
set snmp trap enable vlandelete
set snmp trap enable auth
set snmp trap enable entityfr
set snmp trap enable ippermit
set snmp targetaddr nms param ip_addr 10.30.0.8 udpport 162 maxmsgsize 484 timeout 1500 retries 3 nonvolatile
set snmp trap enable vmps
set snmp trap enable entity
set snmp trap enable config
set snmp trap enable stpx
set snmp trap enable syslog
set snmp trap enable system
set snmp trap enable envfan
set snmp trap enable envpower
set snmp trap enable envstate
set snmp trap x.x.x.x 1t5pub1t5 port 162 owner CLI index 1
!
#tacacs+
set tacacs server x.x.x.x primary
set tacacs key c15c0
!
#authentication
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs enable http primary
!
#Local User
#vtp
set vtp domain washburn
set vtp mode client vlan
!
#ip
set interface sc0 1 192.168.254.224/255.255.254.0 192.168.255.255
set interface sl0 down
set interface me1 down
set ip route 0.0.0.0/0.0.0.0 192.168.254.254
set ip alias default 0.0.0.0
!
#rcp
set rcp username cwuser
!
#dns
set ip dns server x.x.x.x primary
set ip dns server x.x.x.x
set ip dns enable
set ip dns domain washburn.edu
!
#spantree
#portfast
set spantree global-default bpdu-guard enable
set spantree global-default bpdu-filter enable
!
#cgmp
set cgmp enable
!
#syslog
set logging console disable
set logging server enable
set logging server x.x.x.x
set logging level ethc 2 default
set logging server facility SYSLOG
!
#ntp
set ntp broadcastclient enable
set ntp client enable
set ntp server x.x.x.x
set timezone central -6 0
set summertime enable
set summertime recurring second Sunday March 02:00 first Sunday November 02:00 60
!
#set boot command
set boot config-register 0xf
set boot system flash bootflash:cat4000-k9.8-3-1-GLX.bin
set boot system flash bootflash:cat4000.6-1-1.bin
!
#permit list
set ip permit enable telnet
set ip permit enable ssh
set ip permit enable snmp
set ip permit x.x.x.x ssh
set ip permit x.x.x.x snmp
set ip permit x.x.x.x ssh
set ip permit x.x.x.x ssh
set ip permit x.x.x.x ssh
!
#port channel
set port channel 2/1-4 551
set port channel 2/5-8 552
set port channel 2/9-12 553
set port channel 2/13-16 554
set port channel 2/17-20 555
set port channel 2/21-24 556
set port channel 2/25-28 557
set port channel 2/29-32 558
set port channel 2/33-36 559
set port channel 2/37-40 560
set port channel 2/41-44 561
set port channel 2/45-48 562
set port channel 4/1-4 822
set port channel 4/5-8 823
set port channel 4/9-12 824
set port channel 4/13-16 825
set port channel 4/17-20 826
set port channel 4/21-24 827
set port channel 4/25-28 828
set port channel 4/29-32 829
set port channel 4/33-36 830
set port channel 4/37-40 831
set port channel 4/41-44 832
set port channel 4/45-48 833
set port channel 6/1-4 834
set port channel 6/5-8 835
set port channel 6/9-12 836
set port channel 6/13-16 837
set port channel 6/17-20 838
set port channel 6/21-24 839
set port channel 6/25-28 840
set port channel 6/29-32 841
set port channel 6/33-36 842
set port channel 6/37-40 843
set port channel 6/41-44 844
set port channel 6/45-48 845
!
#accounting
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting commands enable all stop-only tacacs+
!
#crypto key
set crypto key rsa 1024
!
#multicast filter
set igmp filter disable
!
#module 1 : 2-port 1000BaseX Supervisor
set port trap 1/1-2 enable
set udld enable 1/2
clear trunk 1/1 2-16,18-59,61-96,98,101-148,150-1005,1025-4094
set trunk 1/1 on dot1q 1,17,60,97,99-100,149
set trunk 1/2 nonegotiate dot1q 1-1005,1025-4094
set spantree portfast 1/1-2 disable
set spantree guard none 1/1-2
!
#module 2 : 48-port Inline Power Module
set vlan 60 2/1-15,2/18-48
set port speed 2/6,2/12,2/14,2/35,2/37-38,2/40-42,2/44-45 10
set port speed 2/16-17 100
set port duplex 2/6,2/12,2/14,2/16-17,2/35,2/37-38,2/40-42,2/44-45 full
set port trap 2/1-48 enable
set port name 2/7 sobujet2
set port name 2/9 Rise
set port name 2/16 air3hlrce225
set port name 2/17 air3hlrc224
set port name 2/26 lookhere
set port name 2/36 311A
set port name 2/47 MMEHC316-02783
set port security 2/1 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/2 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/3 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/4 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/5 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/6 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/7 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/8 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/9 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/10 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/11 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/12 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/13 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/14 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/15 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/16 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/17 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/18 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/19 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/20 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/21 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/22 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/23 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/24 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/25 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/26 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/27 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/28 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/29 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/30 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/31 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/32 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/33 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/34 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/35 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/36 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/37 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/38 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/39 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/40 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/41 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/42 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/43 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/44 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/45 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/46 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/47 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port security 2/48 disable age 1440 maximum 1 shutdown 0 unicast-flood enable violation restrict
set port protocol 2/1-48 ipx off
set cdp disable 2/1-15,2/18-48
set trunk 2/1 off dot1q 1-1005,1025-4094
set trunk 2/2 off dot1q 1-1005,1025-4094
set trunk 2/3 off dot1q 1-1005,1025-4094
set trunk 2/4 off dot1q 1-1005,1025-4094
set trunk 2/5 off dot1q 1-1005,1025-4094
set trunk 2/6 off dot1q 1-1005,1025-4094
set trunk 2/7 off dot1q 1-1005,1025-4094
set trunk 2/8 off dot1q 1-1005,1025-4094
set trunk 2/9 off dot1q 1-1005,1025-4094
set trunk 2/10 off dot1q 1-1005,1025-4094
set trunk 2/11 off dot1q 1-1005,1025-4094
set trunk 2/12 off dot1q 1-1005,1025-4094
set trunk 2/13 off dot1q 1-1005,1025-4094
set trunk 2/14 off dot1q 1-1005,1025-4094
set trunk 2/15 off dot1q 1-1005,1025-4094
clear trunk 2/16 2-96,98,101-148,150-1005,1025-4094
set trunk 2/16 on dot1q 1,97,99-100,149
clear trunk 2/17 2-96,98,101-148,150-1005,1025-4094
set trunk 2/17 on dot1q 1,97,99-100,149
set trunk 2/18 off dot1q 1-1005,1025-4094
set trunk 2/19 off dot1q 1-1005,1025-4094
set trunk 2/20 off dot1q 1-1005,1025-4094
set trunk 2/21 off dot1q 1-1005,1025-4094
set trunk 2/22 off dot1q 1-1005,1025-4094
set trunk 2/23 off dot1q 1-1005,1025-4094
set trunk 2/24 off dot1q 1-1005,1025-4094
set trunk 2/25 off dot1q 1-1005,1025-4094
set trunk 2/26 off dot1q 1-1005,1025-4094
set trunk 2/27 off dot1q 1-1005,1025-4094
set trunk 2/28 off dot1q 1-1005,1025-4094
set trunk 2/29 off dot1q 1-1005,1025-4094
set trunk 2/30 off dot1q 1-1005,1025-4094
set trunk 2/31 off dot1q 1-1005,1025-4094
set trunk 2/32 off dot1q 1-1005,1025-4094
set trunk 2/33 off dot1q 1-1005,1025-4094
set trunk 2/34 off dot1q 1-1005,1025-4094
set trunk 2/35 off dot1q 1-1005,1025-4094
set trunk 2/36 off dot1q 1-1005,1025-4094
set trunk 2/37 off dot1q 1-1005,1025-4094
set trunk 2/38 off dot1q 1-1005,1025-4094
set trunk 2/39 off dot1q 1-1005,1025-4094
set trunk 2/40 off dot1q 1-1005,1025-4094
set trunk 2/41 off dot1q 1-1005,1025-4094
set trunk 2/42 off dot1q 1-1005,1025-4094
set trunk 2/43 off dot1q 1-1005,1025-4094
set trunk 2/44 off dot1q 1-1005,1025-4094
set trunk 2/45 off dot1q 1-1005,1025-4094
set trunk 2/46 off dot1q 1-1005,1025-4094
set trunk 2/47 off dot1q 1-1005,1025-4094
set trunk 2/48 off dot1q 1-1005,1025-4094
set spantree portfast 2/16-17 disable
set spantree portfast 2/1-15,2/18-48 enable
set port channel 2/1-48 mode off
!
#module 3 empty
!
#module 4 : 48-port Inline Power Module
set vlan 60 4/1-48
set port speed 4/4-5,4/26,4/28,4/32,4/38-40,4/44-45,4/48 10
set port duplex 4/4-5,4/26,4/28,4/32,4/38-40,4/44-45,4/48 full
set port trap 4/1-48 enable
set port protocol 4/1-48 ipx off
set cdp disable 4/1-48
set trunk 4/1 off dot1q 1-1005,1025-4094
set trunk 4/2 off dot1q 1-1005,1025-4094
set trunk 4/3 off dot1q 1-1005,1025-4094
set trunk 4/4 off dot1q 1-1005,1025-4094
set trunk 4/5 off dot1q 1-1005,1025-4094
set trunk 4/6 off dot1q 1-1005,1025-4094
set trunk 4/7 off dot1q 1-1005,1025-4094
set trunk 4/8 off dot1q 1-1005,1025-4094
set trunk 4/9 off dot1q 1-1005,1025-4094
set trunk 4/10 off dot1q 1-1005,1025-4094
set trunk 4/11 off dot1q 1-1005,1025-4094
set trunk 4/12 off dot1q 1-1005,1025-4094
set trunk 4/13 off dot1q 1-1005,1025-4094
set trunk 4/14 off dot1q 1-1005,1025-4094
set trunk 4/15 off dot1q 1-1005,1025-4094
set trunk 4/16 off dot1q 1-1005,1025-4094
set trunk 4/17 off dot1q 1-1005,1025-4094
set trunk 4/18 off dot1q 1-1005,1025-4094
set trunk 4/19 off dot1q 1-1005,1025-4094
set trunk 4/20 off dot1q 1-1005,1025-4094
set trunk 4/21 off dot1q 1-1005,1025-4094
set trunk 4/22 off dot1q 1-1005,1025-4094
set trunk 4/23 off dot1q 1-1005,1025-4094
set trunk 4/24 off dot1q 1-1005,1025-4094
set trunk 4/25 off dot1q 1-1005,1025-4094
set trunk 4/26 off dot1q 1-1005,1025-4094
set trunk 4/27 off dot1q 1-1005,1025-4094
set trunk 4/28 off dot1q 1-1005,1025-4094
set trunk 4/29 off dot1q 1-1005,1025-4094
set trunk 4/30 off dot1q 1-1005,1025-4094
set trunk 4/31 off dot1q 1-1005,1025-4094
set trunk 4/32 off dot1q 1-1005,1025-4094
set trunk 4/33 off dot1q 1-1005,1025-4094
set trunk 4/34 off dot1q 1-1005,1025-4094
set trunk 4/35 off dot1q 1-1005,1025-4094
set trunk 4/36 off dot1q 1-1005,1025-4094
set trunk 4/37 off dot1q 1-1005,1025-4094
set trunk 4/38 off dot1q 1-1005,1025-4094
set trunk 4/39 off dot1q 1-1005,1025-4094
set trunk 4/40 off dot1q 1-1005,1025-4094
set trunk 4/41 off dot1q 1-1005,1025-4094
set trunk 4/42 off dot1q 1-1005,1025-4094
set trunk 4/43 off dot1q 1-1005,1025-4094
set trunk 4/44 off dot1q 1-1005,1025-4094
set trunk 4/45 off dot1q 1-1005,1025-4094
set trunk 4/46 off dot1q 1-1005,1025-4094
set trunk 4/47 off dot1q 1-1005,1025-4094
set trunk 4/48 off dot1q 1-1005,1025-4094
set spantree portfast 4/1-48 enable
set port channel 4/1-48 mode off
!
#module 5 empty
!
#module 6 : 48-port Inline Power Module
set vlan 60 6/1-48
set port disable 6/41-48
set port speed 6/37 10
set port duplex 6/37 full
set port trap 6/1-48 enable
set port name 6/10 histjet
set port name 6/11 HC316 mmcljet
set port name 6/41 faulty
set port name 6/42 faulty
set port name 6/43 faulty
set port name 6/44 faulty
set port name 6/45 faulty
set port name 6/46 faulty
set port name 6/47 faulty
set port name 6/48 faulty
set port protocol 6/1-48 ipx off
set cdp disable 6/1-48
set trunk 6/1 off dot1q 1-1005,1025-4094
set trunk 6/2 off dot1q 1-1005,1025-4094
set trunk 6/3 off dot1q 1-1005,1025-4094
set trunk 6/4 off dot1q 1-1005,1025-4094
set trunk 6/5 off dot1q 1-1005,1025-4094
set trunk 6/6 off dot1q 1-1005,1025-4094
set trunk 6/7 off dot1q 1-1005,1025-4094
set trunk 6/8 off dot1q 1-1005,1025-4094
set trunk 6/9 off dot1q 1-1005,1025-4094
set trunk 6/10 off dot1q 1-1005,1025-4094
set trunk 6/11 off dot1q 1-1005,1025-4094
set trunk 6/12 off dot1q 1-1005,1025-4094
set trunk 6/13 off dot1q 1-1005,1025-4094
set trunk 6/14 off dot1q 1-1005,1025-4094
set trunk 6/15 off dot1q 1-1005,1025-4094
set trunk 6/16 off dot1q 1-1005,1025-4094
set trunk 6/17 off dot1q 1-1005,1025-4094
set trunk 6/18 off dot1q 1-1005,1025-4094
set trunk 6/19 off dot1q 1-1005,1025-4094
set trunk 6/20 off dot1q 1-1005,1025-4094
set trunk 6/21 off dot1q 1-1005,1025-4094
set trunk 6/22 off dot1q 1-1005,1025-4094
set trunk 6/23 off dot1q 1-1005,1025-4094
set trunk 6/24 off dot1q 1-1005,1025-4094
set trunk 6/25 off dot1q 1-1005,1025-4094
set trunk 6/26 off dot1q 1-1005,1025-4094
set trunk 6/27 off dot1q 1-1005,1025-4094
set trunk 6/28 off dot1q 1-1005,1025-4094
set trunk 6/29 off dot1q 1-1005,1025-4094
set trunk 6/30 off dot1q 1-1005,1025-4094
set trunk 6/31 off dot1q 1-1005,1025-4094
set trunk 6/32 off dot1q 1-1005,1025-4094
set trunk 6/33 off dot1q 1-1005,1025-4094
set trunk 6/34 off dot1q 1-1005,1025-4094
set trunk 6/35 off dot1q 1-1005,1025-4094
set trunk 6/36 off dot1q 1-1005,1025-4094
set trunk 6/37 off dot1q 1-1005,1025-4094
set trunk 6/38 off dot1q 1-1005,1025-4094
set trunk 6/39 off dot1q 1-1005,1025-4094
set trunk 6/40 off dot1q 1-1005,1025-4094
set trunk 6/41 off dot1q 1-1005,1025-4094
set trunk 6/42 off dot1q 1-1005,1025-4094
set trunk 6/43 off dot1q 1-1005,1025-4094
set trunk 6/44 off dot1q 1-1005,1025-4094
set trunk 6/45 off dot1q 1-1005,1025-4094
set trunk 6/46 off dot1q 1-1005,1025-4094
set trunk 6/47 off dot1q 1-1005,1025-4094
set trunk 6/48 off dot1q 1-1005,1025-4094
set spantree portfast 6/1-48 enable
set port channel 6/1-48 mode off
!
#authorization
set authorization commands enable all tacacs+ deny console
set authorization commands enable all tacacs+ deny telnet
end
08-30-2011 06:40 AM
Hello,
So far I don't see any configuration error on the 4006.
But I would check the following:
- What is connected to these trunk links other than on port 1/1? Other switches?
- I see that you only have devices on vlan 60. Is it possible for you to make the uplink an access port and try?
- When did this problem start to occur? Was there a change that caused it, or did it start suddenly?
- Is it possible to run a debug ip packet with an acl for only the broadcast address? I really don't remember if that's possible on CatOS.
Regards,
Bruno Silva.
08-30-2011 07:17 AM
The other trunks go to two access-points, which are in other vlans. I can try making the uplink an access port tonight during our maintenance window, but that's probably not going to be a solution as the wireless lan is in other vlans.
I'm not sure when this started. I work at a University and classes just got back in session, so it could have started at any point over the summer and I wouldn't have known there was an issue. I checked the syslog and it doesn't show anything unusual.
I'll check on the debug.
08-30-2011 09:10 AM
Hi,
Are you sure that there is no storm-control enabled on the 3750 distribution switch?
Regards,
Alex
08-30-2011 10:13 AM
No, there's no storm control configured. Below is the 3750's config. G1/0/1 is the uplink to the core router and g1/0/3 is the link to the 4006 in question.
version 12.2
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hlrc1bc375012g
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server tacacs+ tac_admin
server
!
aaa group server tacacs+ tac_acct
server
!
aaa authentication login default group tac_admin local
aaa authentication enable default group tac_admin enable
aaa authorization commands 15 default group tac_admin local
aaa accounting exec default start-stop group tac_acct
aaa accounting commands 15 default start-stop group tac_acct
!
!
!
aaa session-id common
clock timezone central -6
clock summer-time CDT recurring
switch 1 provision ws-c3750g-12s
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip domain-name wn.washburn.edu
!
!
!
!
crypto pki trustpoint TP-self-signed-1283969536
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1283969536
revocation-check none
rsakeypair TP-self-signed-1283969536
!
!
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
description bt103c6509core 4/21
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,4,6,8,17,35,41,42,53,60,66,75,76,79,97,99
switchport trunk allowed vlan add 100,149
switchport mode trunk
!
interface GigabitEthernet1/0/2
description hrlc1bC6506 1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/3
description hlrc300C4006p 1/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,17,60,97,99,100,149,1002-1005
switchport mode trunk
!
interface GigabitEthernet1/0/4
description hlrc1bfgs24gp
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,35,41,53,60,97,99,100,149,1002-1005
switchport mode trunk
!
interface GigabitEthernet1/0/5
description hlrc200C4503p 1/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,4,60,97,99,100,149,1002-1005
switchport mode trunk
!
interface GigabitEthernet1/0/6
description hlrcll4006 1/1 trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,8,35,41,42,60,66,75,97,99,100,149,1002-1005
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,35,1002-1005
switchport mode trunk
!
interface GigabitEthernet1/0/8
description hlrc1bC3750stkg 1/1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,35,60,75,76,79
switchport mode trunk
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface Vlan1
ip address 192.168.254.220 255.255.254.0
no ip proxy-arp
no ip route-cache
no ip mroute-cache
ip default-gateway 192.168.254.254
ip classless
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
logging trap errors
logging facility syslog
logging
!
snmp-server engineID local 000000090200000142AE62C0
snmp-server view cutdown internet included
snmp-server view cutdown at excluded
snmp-server view cutdown ip.20 excluded
snmp-server view cutdown ip.21 excluded
snmp-server view cutdown ip.22 excluded
snmp-server community
snmp-server community
snmp-server location HLRC 1b
snmp-server contact
snmp-server chassis-id 0x13
snmp-server system-shutdown
snmp-server enable traps snmp coldstart
snmp-server enable traps license
snmp-server host
tacacs-server host
tacacs-server directed-request
tacacs-server key 7
!
banner login ^C
##########################################################################
###############################!!!Warning!!!##############################
## ##
## This is private network. If you are not authorized leave now. ##
## ##
## This access attempt was logged. ##
## ##
##########################################################################
^C
!
line con 0
logging synchronous
stopbits 1
line vty 0 4
access-class 10 in
password 7
logging synchronous
transport input ssh
line vty 5 15
access-class 10 in
password 7
logging synchronous
transport input ssh
!
ntp clock-period 36028945
ntp server prefer
ntp server
end
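The trunk check discussed in this thread (is VLAN 60 allowed on both ends of the 4006 uplink?), as an added Python example that is not part of the original posts. The function names are hypothetical, the sample input is copied from the trunk lines of the two configs posted above, and the CatOS default allowed range (1-1005,1025-4094) is an assumption taken from the other trunk lines in the posted 4006 config.

```python
import re

# Sample input: trunk lines copied from the two configs posted in this thread.
CATOS_4006 = """\
clear trunk 1/1 2-16,18-59,61-96,98,101-148,150-1005,1025-4094
set trunk 1/1 on dot1q 1,17,60,97,99-100,149
"""
IOS_3750 = """\
interface GigabitEthernet1/0/3
description hlrc300C4006p 1/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,17,60,97,99,100,149,1002-1005
switchport mode trunk
!
"""

# Assumption: default CatOS allowed list, as shown on the untouched trunk ports.
CATOS_DEFAULT = "1-1005,1025-4094"
VLAN_LIST = re.compile(r"^\d[\d,-]*$")
IOS_ALLOWED = re.compile(r"switchport trunk allowed vlan (?:(add|remove) )?([\d,-]+)$")


def expand(spec):
    """Expand a VLAN list such as '1,17,99-100' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def catos_trunk_vlans(config, port):
    """Replay 'clear trunk' / 'set trunk' lines for one port, in order.

    This returns the allowed list only; it does not check the trunk mode.
    """
    allowed = expand(CATOS_DEFAULT)
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "trunk" or tok[2] != port:
            continue
        lists = [t for t in tok[3:] if VLAN_LIST.match(t)]
        if not lists:
            continue
        if tok[0] == "clear":
            allowed -= expand(lists[0])
        elif tok[0] == "set":
            allowed |= expand(lists[0])
    return allowed


def ios_trunk_vlans(config, interface):
    """Collect the allowed VLANs for one IOS interface block."""
    allowed = set(range(1, 4095))  # no 'allowed vlan' line means all VLANs
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_block = line.split(None, 1)[1] == interface
            continue
        if not in_block:
            continue
        m = IOS_ALLOWED.match(line)
        if not m:
            continue
        keyword, spec = m.groups()
        if keyword == "add":
            allowed |= expand(spec)
        elif keyword == "remove":
            allowed -= expand(spec)
        else:
            allowed = expand(spec)
    return allowed


def compare_trunk(side_a, side_b, vlan):
    """Report whether a VLAN is carried on both ends, plus any mismatch."""
    return {
        "vlan_on_both": vlan in side_a and vlan in side_b,
        "only_a": sorted(side_a - side_b),
        "only_b": sorted(side_b - side_a),
    }


if __name__ == "__main__":
    a = catos_trunk_vlans(CATOS_4006, "1/1")
    b = ios_trunk_vlans(IOS_3750, "GigabitEthernet1/0/3")
    print(compare_trunk(a, b, 60))
```

Run against the posted lines, VLAN 60 is allowed on both ends of the uplink, and the only difference is VLANs 1002-1005 on the 3750 side.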
08-30-2011 04:06 PM
Hello,
I wasn't able to find any bugs associated with your situation. BUT...
By re-reading your question, I see that you are almost sure that the clients can communicate fine since they are using DHCP. The question is: Is the DHCP server in the same subnet as the hosts on vlan 60? I don't see the ip-helper configured on the 3750.
Also, does it mean then, that the only affected vlan is the vlan 60? Since the other access-points use other vlans, and you only mentioned the vlan 60, is that correct? If yes, I've seen a weird bug, even though it was on IOS, that hosts on a vlan x would not be able to communicate, and if you just changed the vlan number, it would work fine. Basically, we need to do some testing to try to isolate this issue.
Please try removing and adding the vlan again (on the vtp server, since the 4006 is the client). Also, using another vlan number, or using two hosts (one on one switch, and one in the 4006) on the access-points vlans to try to isolate this issue.
And for sure, I wouldn't care to reboot the switch itself IF possible. That can save us a lot of troubleshooting.
If we do all this and yet no point is made, upgrading the CatOS image to the latest might be good as well.
Let me know your findings, as this is becoming more interesting.
Regards,
Bruno Silva.
09-01-2011 11:19 AM
Bruno,
No, the DHCP server is not in the same VLAN. The IP helper is on the core where the VLAN interface resides.
I haven't tried the wireless on the third floor yet, but I will now. Only clients exist in the wireless subnets, so there's no reason for anyone to contact another client, and that's the reason why I haven't seen any complaints from that direction. I'll update with how that goes.
My after hours maintenance was postponed until next Wednesday, so I won't be able to do anything invasive until then. Rebooting will probably be included in the things I try.
I'm fairly sure this 4006 has the final CatOS image on it, but I'll check to be sure.
Besides verifying that the wireless network connected to the 4006 is affected as well, there's not much else I can do until next Wednesday. I'll update with my findings then.
Heath
09-01-2011 11:28 AM
Hello,
Your concept of access and distribution is kind of different then. According to Cisco the distribution block is where a broadcast domain should end. This is not your case.
BTW, why don't you have the vlan 60 allowed on interfaces Gig1/0/1 and Gig1/0/7 ?
Please also post the core config.
Let me know once you do the testing next Wednesday.
Thank you.
Regards,
Bruno Silva.
09-01-2011 12:16 PM
Yeah, I inherited this network like this. Almost all the VLANs reside at the core currently; the 3750 in this case is just L2 distribution. I have been moving stuff off the core to the Cisco three-tiered model, I just haven't gotten to this particular building yet.
G1/0/1 does have vlan 60 allowed, G1/0/7 doesn't have clients in the VLAN on it. Special case.
09-01-2011 05:44 PM
Hello,
Sorry, didn't realize the scroll bar at the bottom.
Let me know once you do those tests, then we can move forward with the investigation.
Regards,
Bruno Silva.
09-07-2011 09:55 AM
Here's what I did last night:
Took a PC's connection that was not reachable from other floors in the building.
Replaced the 4006 with a 3550.
Put the PC's connection (in vlan 60) on the 3550; it pings while I'm connected to the 4503 downstairs.
Put the PC back on the 4006; ping fails from the 4503.
Connected my laptop to the 4006; I can ping the PC.
I believe this confirms that the 4006 is the issue.
Reloaded the 4006.
Can ping the PC from the 4503 (yea!)
This was all done between midnight and 2 a.m. this morning, so I have yet to find out if the problem has truly been fixed. I'm going to do some more digging and will update later.
Heath