Can ping internal switches, can't ping external - suspect OSPF config

XBLOssia, Level 1

Well, I can't go home until I figure this one out, so I figured I'd reach out for help.

I was tasked with bringing a production switch from one school district's network to another (districts merged, long story), so I was trying to maintain as much as possible here, but in the process of bringing the switch in, I've somehow managed to create a situation where the switch can see all the internal networks, but can't see past our network's connection to a switch managed by our state IT, which serves as the connection to the rest of the world. I'm fairly new to managing a network of this scale, so naturally I'm a bit in over my head here, as in the process we lost our network admin and I got a battlefield promotion, so to speak.

Configs:

Working switch:

Current configuration : 16126 bytes
!
! Last configuration change at 13:42:00 CST Tue Aug 10 2021 by ****
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service unsupported-transceiver
!
hostname 1-Core
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
switch 1 provision ws-c3850-12xs
switch 2 provision ws-c3850-12xs
!
ip routing
!
system mtu 9198
no errdisable detect cause gbic-invalid
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
hw-switch switch 2 logging onboard message level 3
!
redundancy
mode sso
!
!
vlan configuration 70,170,270,400
ip flow monitor Netflow-to-Prime input
!
vlan 70
name Old Data
!
vlan 904
name Loop-*source
!
vlan 905
name Loop-*School2
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
template 1/0/1
!
interface TenGigabitEthernet1/0/11
description Loop-*school2
switchport access vlan 905
switchport mode access
!
interface TenGigabitEthernet2/0/11
description Loop-0core
switchport access vlan 904
switchport trunk native vlan 904
switchport mode access
storm-control broadcast level 10.00
storm-control unicast level 10.00
!
interface Vlan1
ip address 172.16.7.6 255.255.255.128
ip ospf 10 area 0
!
interface Vlan70
description ***DATA VLAN***
ip address 10.162.72.1 255.255.252.0
ip helper-address 10.162.64.65
ip helper-address 10.162.64.30
ip helper-address 10.2.5.40
!
interface Vlan904
description Edu - *school1
ip address 172.16.0.38 255.255.255.248
ip ospf 10 area 0
!
interface Vlan905
description *school1 - *school2
ip address 172.16.0.41 255.255.255.248
ip ospf 10 area 0
!
interface Vlan921
ip address 172.16.0.137 255.255.255.248
ip ospf 10 area 0
!
router ospf 10
network 10.160.80.0 0.0.0.255 area 0
network 10.162.16.0 0.0.3.255 area 0
network 10.162.72.0 0.0.3.255 area 0
network 10.162.84.0 0.0.1.255 area 0
network 10.162.136.0 0.0.0.255 area 0
network 10.162.176.0 0.0.1.255 area 0
network 10.162.178.0 0.0.1.255 area 0
network 10.162.180.0 0.0.1.255 area 0
network 10.162.182.0 0.0.1.255 area 0
network 10.162.184.0 0.0.1.255 area 0
network 10.162.186.0 0.0.1.255 area 0
network 10.162.240.0 0.0.1.255 area 0
network 10.162.242.0 0.0.1.255 area 0
network 10.162.244.0 0.0.1.255 area 0
network 10.162.246.0 0.0.1.255 area 0
network 172.16.0.32 0.0.0.7 area 1
network 172.16.0.136 0.0.0.7 area 0
network 172.22.2.0 0.0.0.255 area 0
network 172.22.4.0 0.0.0.255 area 0
network 172.22.16.0 0.0.0.255 area 0
!
ip default-gateway 10.162.64.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.162.64.1
!
!
access-list 101 permit udp host 10.162.64.102 any eq 16962
!

ap group default-group
end

Trouble switch:

Current configuration : 17572 bytes
!
! Last configuration change at 19:59:44 CST Sun Feb 28 1993 by ****
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service unsupported-transceiver
!
hostname *****-3560G-Sw
!
boot-start-marker
boot-end-marker
!
system mtu routing 1500
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name *domain*
!
no errdisable detect cause gbic-invalid
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100
name Voice
!
vlan 904
lldp timer 60
lldp reinit 3
lldp run
!
interface GigabitEthernet0/14
switchport mode access
switchport nonegotiate
switchport voice vlan 100
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
storm-control broadcast level 0.50
storm-control multicast level 0.50
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/25
description *0core-*school1
switchport access vlan 904
switchport trunk encapsulation dot1q
switchport trunk native vlan 904
switchport mode access
!
interface Vlan1
ip address 10.160.80.1 255.255.255.0
ip helper-address 10.2.5.40
!
interface Vlan100
description Voice Vlan
ip address 10.160.81.1 255.255.255.0
!
interface Vlan904
description *0core-*school1
ip address 172.16.0.37 255.255.255.248
ip ospf cost 30000
ip ospf mtu-ignore
ip ospf 10 area 0
!
!
router eigrp 100
network 10.160.80.0 0.0.0.255
redistribute connected
!
router ospf 10
network 10.160.80.0 0.0.0.255 area 0
network 10.160.0.0 0.0.255.255 area 0
network 172.16.0.32 0.0.0.7 area 0
!
ip route 0.0.0.0 0.0.0.0 10.162.0.8
!
ntp server 129.6.15.28 prefer
ntp server 129.6.15.29
end

Output of traceroute on trouble switch:

Tracing the route to 8.8.8.8

1 172.16.0.38 0 msec 0 msec 0 msec
2 172.16.0.46 0 msec 0 msec 0 msec
3 172.16.0.54 8 msec 0 msec 0 msec
4 172.16.0.62 8 msec 0 msec 0 msec
5 * * *
6 * *

Output on OK switch (next hop):

Tracing the route to dns.google (8.8.8.8)
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.0.46 0 msec 10 msec 0 msec
2 172.16.0.54 0 msec 0 msec 0 msec
3 172.16.0.62 10 msec 10 msec 0 msec
4 * * *
5 * * *
6 * * *

As you can see, both get hung up in traceroute at the same spot, but the good one is able to get DNS info. The bad switch naturally also doesn't get DHCP from the helper-address.

What obvious thing have I missed due to being new to this?

Accepted Solution

The switch that was giving me trouble was part of another network, and I hadn't cleared out some of the old configuration, which is why EIGRP is set up. The configs for trunk mode on vlan 904 were in there from when I was attempting to trunk that port, but I changed my mind and made it consistent with the existing configuration on the rest of the network I was joining. I actually cleared out the trunk portion of the config while I continued to troubleshoot the switch, but after I asked the question.

Traceroute from the trouble switch was showing that traffic was able to move across several hops to the edge of our network, where a static route connects us with a router controlled by our state's IT department - this is consistent with the activity on working switches on our network.

As it turns out, the issue wasn't on part of the network I control, it was an issue with the router managed by state IT. They were rejecting traffic from 10.160.80.0/24 and 10.160.81.0/24 over their router, as their configuration was set to only accept traffic from that subnet through the router that the switch was formerly connected through. Once I was able to get in touch with our contact at state IT, I was able to get them to block the subnet on the old router and open that subnet on the new router I was pathing through, and this allowed the switch to reach out.

4 Replies

XBLOssia, Level 1

As a quick note, the networks in the "good switch" are all used on interfaces that are present; I just trimmed those interfaces to save you all the headache of looking at all that irrelevant info.

Another note: 172.16.0.62 is an interface on the last switch stack before the gateway. Configs here (be warned, it's an Aruba):

; hpStack_KB Configuration Editor; Created on release #KB.16.10.0012
; Ver #14:6f.6f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:00

stacking
member 1 type "JL075A" mac-address f860f0-ee4780
member 2 type "JL075A" mac-address f860f0-ee9a00
exit
hostname "101-*school*-Core"
dhcp-relay option 82 keep ip
trunk 1/1,2/1 trk1 lacp
trunk 1/2,2/2 trk2 lacp
trunk 1/3,2/3 trk3 lacp
trunk 1/4,2/4 trk4 lacp
trunk 1/5,2/5 trk5 lacp
trunk 1/6,2/6 trk6 lacp
trunk 1/7,2/7 trk7 lacp
trunk 1/13,2/13 trk13 lacp
igmp lookup-mode ip
timesync ntp
ntp unicast
ntp server 10.162.64.15 burst
ip dns server-address priority 1 10.10.10.10
ip route 0.0.0.0 0.0.0.0 10.161.0.9
ip routing
ip multicast-routing
***
oobm
no ip address
member 1
no ip address
exit
member 2
no ip address
exit
exit
router ospf
area backbone
redistribute connected
redistribute static
enable
exit
router pim
enable
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 1/8-1/10,1/15-1/16,2/9,Trk5-Trk7
untagged 1/11-1/12,1/14,2/8,2/10-2/12,2/14-2/16,Trk1-Trk4,Trk13
no ip address
ip helper-address 10.10.10.10
ip helper-address 10.2.5.40
exit
vlan 10
name "Data"
untagged 1/9,2/9
tagged 1/10,Trk1-Trk4
ip address 10.162.0.1 255.255.252.0
ip helper-address 10.162.0.10
ip helper-address 10.162.64.65
ip helper-address 10.2.5.40
ip igmp
ip igmp version 3
ip ospf 10.162.0.1 passive
ip ospf 10.162.0.1 area backbone
ip pim-dense
ip-addr any
exit
exit
vlan 110
name "Voice"
tagged 1/10,Trk1-Trk4,Trk13
ip address 10.162.80.1 255.255.255.0
ip helper-address 10.162.64.20
ip helper-address 10.2.5.40
ip igmp
ip igmp version 3
ip ospf 10.162.80.1 passive
ip ospf 10.162.80.1 area backbone
voice
exit
(a bunch of vlans that deal with other buildings)
vlan 907
name "Loop-hop2-hop1"
untagged 1/8
ip address 172.16.0.62 255.255.255.248
ip helper-address 10.2.5.40
ip ospf 172.16.0.62 area backbone
jumbo
exit
vlan 1000
name "WAN-**"
untagged 1/15
tagged Trk4
ip address 10.161.0.10 255.255.255.248
ip helper-address 10.2.5.40
exit

spanning-tree
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree Trk4 priority 4
spanning-tree Trk5 priority 4
spanning-tree Trk6 priority 4
spanning-tree Trk7 priority 4
spanning-tree Trk13 priority 4
spanning-tree config-name "***-MST"
spanning-tree instance 1 vlan 10 110 1010 1110 1510
spanning-tree instance 1 priority 1
spanning-tree instance 1 Trk1 priority 4
spanning-tree instance 1 Trk2 priority 4
spanning-tree instance 1 Trk3 priority 4
spanning-tree instance 1 Trk4 priority 4
spanning-tree instance 1 Trk5 priority 4
spanning-tree instance 1 Trk6 priority 4
spanning-tree instance 1 Trk7 priority 4
spanning-tree instance 1 Trk13 priority 4
spanning-tree priority 1
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update

Bit long configuration. First suggestion is to make a small network diagram on paper with the IP addresses (post it here to help us understand).

If the trace is stopping there, the next hop is the Internet router (there may be a NAT entry missing to go out to the Internet, and the return routing may not be available; if you are running OSPF, that should work). What Internet router do you have?

There are some issues in the config syntax, for example:

ip default-gateway 10.162.64.1   <- you do not need this if the switch is acting as a router (not Layer 2)
ip route 0.0.0.0 0.0.0.0 10.162.64.1

interface TenGigabitEthernet2/0/11
description Loop-L&C
switchport access vlan 904   <- if this is an access port
switchport trunk native vlan 904   <- you do not need this; do you need this to be a trunk to pass more VLANs? Then make it a trunk (switch-to-switch links are always suggested to be trunks with an allowed-VLAN list to control them)
switchport mode access
storm-control broadcast level 10.00
storm-control unicast level 10.00

Why are you running both EIGRP and OSPF on the trouble switch?

BB

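Added example, not code from the thread: a small Python checker that parses flat IOS config dumps like the two posted in the question and reports the points raised in this reply (ip default-gateway on a switch that has ip routing, trunk native VLAN on an access port, EIGRP and OSPF both configured), plus a mismatch between an interface-level "ip ospf <pid> area" and the "router ospf" network statement covering that interface (on IOS the interface command takes precedence). The sample config is constructed from the 1-Core lines in the question; the parser handles only the fields it checks and assumes an unindented dump.

```python
import ipaddress
import re

def parse_ios(text):  # flat, unindented IOS dump -> dict of just the fields checked below
    cfg = {"ifaces": {}, "networks": [], "routing": False, "gateway": None, "protocols": set()}
    cur = None  # interface dict being filled, or the protocol name while inside a router block
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            cur = None
        elif line.startswith("interface "):
            cur = cfg["ifaces"].setdefault(line.split()[1], {})
        elif m := re.match(r"router (ospf|eigrp) \d+$", line):
            cur = m[1]
            cfg["protocols"].add(cur)
        elif line == "ip routing":
            cfg["routing"] = True
        elif line.startswith("ip default-gateway "):
            cfg["gateway"] = line.split()[2]
        elif cur == "ospf" and (m := re.match(r"network (\S+) (\S+) area (\S+)", line)):
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(m[2])) ^ 0xFFFFFFFF)  # wildcard -> netmask
            cfg["networks"].append((ipaddress.IPv4Network(f"{m[1]}/{mask}", strict=False), m[3]))
        elif isinstance(cur, dict):
            if m := re.match(r"ip address (\S+) (\S+)", line):
                cur["ip"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
            elif m := re.match(r"ip ospf \d+ area (\S+)", line):
                cur["area"] = m[1]
            elif m := re.match(r"switchport (mode|trunk native vlan) (\S+)", line):
                cur[m[1]] = m[2]
    return cfg

def lint(cfg):
    # Findings mirroring the reviewer's points in the thread, plus an interface-vs-network-statement area check.
    out = []
    if cfg["routing"] and cfg["gateway"]:
        out.append("ip default-gateway is ignored while ip routing is on; only the ip route 0.0.0.0/0 counts")
    if {"ospf", "eigrp"} <= cfg["protocols"]:
        out.append("both EIGRP and OSPF are configured; remove the leftover protocol")
    for name, i in cfg["ifaces"].items():
        if i.get("mode") == "access" and "trunk native vlan" in i:
            out.append(f"{name}: trunk native vlan set on an access port")
        for net, area in cfg["networks"]:  # interface-level 'ip ospf <pid> area' overrides the network statement
            if "ip" in i and i["ip"].ip in net and i.get("area", area) != area:
                out.append(f"{name}: interface area {i['area']} overrides network statement area {area}")
    return out

CORE = "\n".join([  # constructed sample: the relevant lines of the "1-Core" config posted in the thread
    "ip routing", "ip default-gateway 10.162.64.1", "interface TenGigabitEthernet2/0/11",
    "switchport trunk native vlan 904", "switchport mode access", "interface Vlan904",
    "ip address 172.16.0.38 255.255.255.248", "ip ospf 10 area 0", "router ospf 10",
    "network 172.16.0.32 0.0.0.7 area 1"])
```

Running lint(parse_ios(CORE)) yields three findings for the 1-Core excerpt; feeding it the trouble switch's config instead reports only the EIGRP/OSPF overlap, since there the Vlan904 interface area and the network statement agree.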
