can't communicate on L3 on specific interfaces

3moloz123
Level 1

Hi,

I have a Cisco 2821 with 2x HWIC-4ESW. Two of the ports on the first module (range 0/0/1-2) are access ports, with one VLAN each. The VLANs have IPs configured in /30 nets, where the other usable addresses are eBGP neighbours. The port I'm trying to use for management is on module number 2 (0/1/3).

Seems to me they're identical HWICs, see output of 'show inventory'.

So port 0/1/3 has VLAN 999, and VLAN 999 is configured with address 10.1.0.132/25. I configured 0/1/2 as VLAN 999 too, connected a laptop and it can ping through the router to the switch connected on 0/1/3 - but no other device can reach the router's IP 10.1.0.132, and the router can't reach any of the devices on 10.1.0.128/25.

To summarize the problem: I can ping the other hosts in VLAN 100 and VLAN 101, but not the other hosts in VLAN 999.

It's connected like this:

       <laptop>
     /
<router>
     \
       <switch_with_vlan999>
                    \
                       <other_devices_on_vlan999>

# show version
NAME: "2821 chassis", DESCR: "2821 chassis"
PID: CISCO2821         , VID: V05 , SN: FCZ123456
NAME: "4 Port FE Switch on Slot 0 SubSlot 0", DESCR: "4 Port FE Switch"
PID: HWIC-4ESW         , VID: V01 , SN: FOC123456
NAME: "4 Port FE Switch on Slot 0 SubSlot 1", DESCR: "4 Port FE Switch"
PID: HWIC-4ESW         , VID: V01 , SN: FOC123456

# show run
interface FastEthernet0/0/0
description a specific IX
switchport access vlan 101
no cdp enable
!
!
interface FastEthernet0/0/1
description specific ISP
switchport access vlan 100
no cdp enable
!
!

interface FastEthernet0/1/3
description network management
switchport access vlan 999
!
!
interface Vlan100
description specific isp
ip address 1.2.3.150 255.255.255.252
no ip proxy-arp
!
!
interface Vlan101
description some IX
ip address 2.3.4.70 255.255.255.192
no ip proxy-arp
!
!
interface Vlan999
ip address 10.1.0.132 255.255.255.128
no ip proxy-arp
!
!
# show ip interface brief
FastEthernet0/0/0          unassigned      YES unset  up                    up 
FastEthernet0/0/1          unassigned      YES unset  up                    up 
FastEthernet0/1/3          unassigned      YES unset  up                    up
Vlan1                      unassigned      YES NVRAM  up                    down
Vlan100                    1.2.3.150  YES NVRAM  up                    up 
Vlan101                    2.3.4.70  YES NVRAM  up                    up 
Vlan999                    10.1.0.132      YES manual up                    up    <- does manual mean "not yet saved to startup-config", or is it an indicator of a difference between hwic 1 and hwic 2?
2 Accepted Solutions


Hi,

And now while investigating, I suddenly found a third MAC address on the router:
0017.0e8d.3c0d Dynamic     999     FastEthernet0/1/3
0023.4719.a920 Dynamic     999     FastEthernet0/1/3
f062.8195.f100 Dynamic     999     FastEthernet0/1/3
# show arp
Internet  10.1.0.143              0   0017.0e8d.3c00  ARPA   Vlan999

But not vice versa:
Internet  10.1.0.132              0   Incomplete      ARPA

The new MAC addresses correspond to HP ProCurve gear, is it normal?

Can you do a sh cdp nei?

Regards.

Alain.

Don't forget to rate helpful posts.


If you are running 2 HWIC-4ESWs you have to stack them together to work correctly. You have to tie one port from one HWIC to another port on the other HWIC, otherwise it won't work correctly. Has this been done? If not, they will work as isolated switches. Go here to see how to configure stacking: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1049119

Stacking of Cisco 10/100BASE-T Ethernet Switch HWICs

Stacking is the connection of two Ethernet switch HWICs resident in the same chassis so that they behave as a single switch. Stacking is accomplished by daisy-chaining the two cards together with an external RJ-45 crossover cable that is connected to the specified stacking port on each switch.

When a chassis is populated with two Ethernet switch HWICs, the user must configure the cards to operate in stacked mode.

Note: There is no option to unstack two Ethernet switch HWICs. When two Ethernet switch HWICs are in the same chassis, they can operate only in stacked mode. If you configure the cards to operate unstacked, they will not operate correctly.

You must designate one port on each switch to be the stacking port. On the HWIC-4ESW card, this port is nominally the first port (port 0), although any port can be chosen. On the HWIC-D-9ESW card, this port is nominally the ninth port (port 8), although any port can be chosen. We recommend the use of port 8 as the stacking port, because it has been designed as an extra port on the HWIC-D-9ESW card and does not provide inline power.

Note: Only one port on an Ethernet switch HWIC can be configured as a stacking port.

All combinations of Ethernet switch HWICs may be stacked: two HWIC-D-9ESW cards, an HWIC-D-9ESW card with an HWIC-4ESW card, or two HWIC-4ESW cards.

See the Configuration Guidelines for HWIC-4ESW and HWIC-D-9ESW Interface Cards document for information on how to configure stacking ports.
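
The stacking described in the quoted guide, sketched as an added IOS configuration fragment (not from the original posts or from Cisco's document). The port choices FastEthernet0/0/3 and FastEthernet0/1/0 are assumptions; pick one free port on each HWIC-4ESW and join the two with an RJ-45 crossover cable.

```cisco
! Added example: stack the two HWIC-4ESW cards so they behave as one switch.
! Assumed ports: Fa0/0/3 (card in subslot 0) and Fa0/1/0 (card in subslot 1).
! Only one port per card can be a stacking port.
interface FastEthernet0/0/3
 description stacking link to HWIC in subslot 1 (assumed port)
 switchport stacking-partner interface FastEthernet0/1/0
 no shutdown
!
interface FastEthernet0/1/0
 description stacking link to HWIC in subslot 0 (assumed port)
 switchport stacking-partner interface FastEthernet0/0/3
 no shutdown
!
```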


27 Replies

cadet alain
VIP Alumni

Hi,

but not other device can reach the routers ip 10.1.0.150

How come this IP is not in the sh ip int br output?

Regards.

Alain.

Don't forget to rate helpful posts.

Sorry, that's a typo. 10.1.0.132 as per the configuration is correct - and not pingable from any device connected to vlan 999.

Edit: to clarify, not only not pingable, but not reachable in any way. Tried adding acls for ssh/telnet and debugging it with no go. Cannot find any of the other devices in 999 in arp list either.

and not pingable from any device connected to vlan 999.

Can you clarify? If you put a PC in a port belonging to VLAN 999, you can't ping int Vlan999 and there is no entry in the ARP table for this PC?

Regards.

Alain.

Don't forget to rate helpful posts.

Exactly.

I connected a laptop to 0/1/2, configured the interface to be an access port in vlan 999.

The laptop can't reach the router on 10.1.0.132, but it can however reach devices that are connected to the switch (which in turn is connected to 0/1/3 on the router).

             /
        0/1/2
<2821>
        0/1/3
            \
                         \

So 0/1/2, 0/1/3 and the ports on the switch are all access ports in 999. The laptop can reach "other devices" and vice versa, but no one can reach the router's 10.1.0.132, and the router has no ARP entries with IPs that match the devices.

laptop: 10.1.0.133

Some of the other devices include: switch 1 10.1.0.141, switch 2 .142, switch 3 .143 etc.

Trying to reach .141:

# show arp
Internet  10.1.0.132              -   0026.994c.6560  ARPA   Vlan999
Internet  10.1.0.141              0   Incomplete      ARPA

edit: the only reason FastEthernet 0/1/2 is not configured in the config shown earlier, is that I only used it to make sure that I could actually use the ports as Layer 2, ie ping from a laptop in 0/1/2 to something connected behind 0/1/3 - and because it worked I removed the configuration and continued using only 0/1/3.

Hi,

So you can reach .141 from .133 but don't see any ARP entries for .141? But IMHO this is normal behaviour because they are in the same VLAN and so this is pure L2 switching.

Can you post sh ip route and sh run | s ip routing as well as sh run | in ip default?

Regards.

Alain.

Don't forget to rate helpful posts.

Yes, I understand. But I should see the arps if I try to ping any other host in 10.1.0.128/25 I should get arp entries of them.

# sh ip route
B*    0.0.0.0/0 [20/10] via 195.67.149.9, 7w0d
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.0.128/25 is directly connected, Vlan999
L        10.1.0.132/32 is directly connected, Vlan999
<200 other routes not included>
# sh run | s ip routing
returns nothing
# sh run | in ip default
returns nothing

But I should see the arps if I try to ping any other host in 10.1.0.128/25 I should get arp entries of them.

Yes but if you ping from the router itself not from host to host.

Regards.

Alain.

Don't forget to rate helpful posts.

The router cannot ping any device in 10.1.0.128/25, and no device in 10.1.0.128/25 can ping the router (on 10.1.0.132).

Can you post output of sh access-list and sh ip int Vlan999

Regards.

Alain.

Don't forget to rate helpful posts.

Standard IP access list 21
    10 permit 4.5.6.109 (1356606 matches)
Standard IP access list 23
    20 permit 4.5.8.0, wildcard bits 0.0.0.255
Standard IP access list 24
    10 permit x.y.105.126
Standard IP access list 25
    10 permit 10.1.0.0, wildcard bits 0.0.0.7
Extended IP access list 101
    10 permit ip host 7.8.9.126 any (6 matches)
    20 permit ip 10.1.0.0 0.0.0.255 any
    30 permit ip host 7.7.7.40 any (18 matches)

Vlan999 is up, line protocol is up
  Internet address is 10.1.0.132/25
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled

OK,

ping a host in VLAN 999 from your router and at the same time debug arp and post output

Regards.

Alain.

Don't forget to rate helpful posts.

Sending 5, 100-byte ICMP Echos to 10.1.0.141, timeout is 2 seconds:
Apr 26 09:48:04: ARP TABLE: inserting entry 10.1.0.141/0000.0000.0000 on Vl999 for Incomplete
Apr 26 09:48:04: IP ARP: creating incomplete entry for IP address: 10.1.0.141 interface Vlan999
Apr 26 09:48:04: IP ARP: sent req src 10.1.0.132 0026.994c.6560,
                 dst 10.1.0.141 0000.0000.0000 Vlan999.
Apr 26 09:48:06: IP ARP throttled out the ARP Request for 10.1.0.141
Apr 26 09:48:08: IP ARP: sent req src 10.1.0.132 0026.994c.6560,
                 dst 10.1.0.141 0000.0000.0000 Vlan999
Apr 26 09:48:10: IP ARP: sent req src 10.1.0.132 0026.994c.6560,
                 dst 10.1.0.141 0000.0000.0000 Vlan999.
Apr 26 09:48:12: IP ARP: sent req src 10.1.0.132 0026.994c.6560,
                 dst 10.1.0.141 0000.0000.0000 Vlan999.

Is .141 receiving the ARP request? Can you sniff the interface? If yes, is it replying?

Can you also do ipconfig/all to query the MAC of .141 and then a sh mac address (or show mac-address) dynamic Vlan 999 | xxxx.xxxx.xxxx where xxxx.xxxx.xxxx is the MAC address of .141

Regards.

Alain.

Don't forget to rate helpful posts.

Hi

# sh ip route
B*    0.0.0.0/0 [20/10] via 195.67.149.9, 7w0d
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.0.128/25 is directly connected, Vlan99
L        10.1.0.132/32 is directly connected, Vlan999     << should this be in your routing table? possible overlapped subnet..?

# show ip interface brief                                             <<<-- in your output there is no FastEthernet0/1/2 (where your laptop is connected)?
FastEthernet0/0/0          unassigned      YES unset  up                    up
FastEthernet0/0/1          unassigned      YES unset  up                    up
FastEthernet0/1/3          unassigned      YES unset  up                    up
Vlan1                      unassigned      YES NVRAM  up                    down
Vlan100                    1.2.3.150  YES NVRAM  up                    up
Vlan101                    2.3.4.70  YES NVRAM  up                    up
Vlan999                    10.1.0.132      YES manual up                    u

another is, check the laptop/PC if it has configured a default gateway to 10.1.0.132 and laptop subnet mask is 255.255.255.128

regards
