03-12-2018 10:45 PM - edited 03-08-2019 02:14 PM
Hi. I have some questions when it comes to configuring subnets on my Cisco 891 Router. I have the DHCP pools set up on a DHCP server to lease the IPs for each of the subnets.
Subnets: 172.16.10.x, 172.16.11.x, 172.16.12.x, 172.16.13.x, and 172.16.15.x
So I am not sure what I need to add to my router config so that when one DHCP runs out it will start using the other subnets. Although ideally each building is on a subnet but should be able to communicate on the network with the other subnets. I also have Cisco 3850 and 2960 switches at the other buildings so I am sure I have to add some programming into the switches as well to get this to work. Can someone help me and point me in the right direction to get this to work?
Below is my current config, but I am lost on what to do to get the subnetting to work with the DHCP server which is separate from the router and then obviously what I need to do with my switches. The switches between each building are connected by multimode fiber and each switch has an SFP connected to fiber to pull the internet from the main building. I preferably need these subnets so that I don't run out of IP addresses. Any help would be greatly appreciated:
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname H0455
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone Chicago -6 0
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-2330784270
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2330784270
revocation-check none
rsakeypair TP-self-signed-2330784270
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.16.10.1 172.16.10.20
!
ip dhcp pool ccp-pool
import all
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
dns-server 97.64.168.10
lease 0 2
!
!
!
ip domain name lincolnschallenge.org
ip name-server 97.64.168.10
ip name-server 97.64.183.163
ip name-server 97.64.209.35
ip name-server 97.64.168.11
ip name-server 97.64.183.162
ip name-server 97.64.209.34
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
license udi pid C891FW-A-K9 sn FJC2053L1JX
!
!
ip ssh port 2001 rotary 1
ip ssh version 2
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
ip address 104.xxx.xxx.xx (Static IP from ISP) 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
duplex auto
speed auto
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
description LCA
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool ccp-pool 172.16.10.21 172.16.10.240 netmask 255.255.255.0
ip nat inside source list 7 interface FastEthernet0 overload
ip nat inside source list 23 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx (IP address Gateway from ISP)
ip route 172.16.10.0 255.255.255.0 FastEthernet0
!
no cdp run
!
access-list 7 permit 172.16.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner login ^Cine
UNAUTHORIZED ACCESS IS PROHIBITED!! ALERTS SENT TO AUTOMATICALLY TO ADMIN!! ^C
!
line con 0
no modem enable
speed 19200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
access-class 7 in
exec-timeout 5 0
transport input ssh
!
scheduler allocate 20000 1000
!
end
03-13-2018 02:26 AM
Hi there,
You should provision your subnets to be large enough to meet current size requirements and also have additional head room for future growth.
Your idea of having access switchports dynamically change VLAN when the current one has exhausted the subnet capacity is unusual, but not impossible with a fair bit of scripting. That said, it is much easier to correctly size your subnets.
As for router config, the below config will route all of your subnets on the 891 router and forward any DHCP requests towards the standalone DHCP server. Gi0 is a trunk link that would be connected to one of your building access layer switches.
I've also changed your NAT ACL to allow all VLANs access to external networks.
!
int vlan10
 ip address 172.16.10.254 255.255.255.0
 ip helper-address <DHCP_SERVER>
 ip nat inside
!
int vlan11
 ip address 172.16.11.254 255.255.255.0
 ip helper-address <DHCP_SERVER>
 ip nat inside
!
int vlan12
 ip address 172.16.12.254 255.255.255.0
 ip helper-address <DHCP_SERVER>
 ip nat inside
!
int vlan13
 ip address 172.16.13.254 255.255.255.0
 ip helper-address <DHCP_SERVER>
 ip nat inside
!
int vlan15
 ip address 172.16.15.254 255.255.255.0
 ip helper-address <DHCP_SERVER>
 ip nat inside
!
!
int gi0
 switchport trunk allowed vlan 10-13,15
 switchport mode trunk
!
no access-list 7 permit 172.16.10.0 0.0.0.255
access-list 7 permit 172.16.0.0 0.0.255.255
!
cheers,
Seb.
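The NAT change in the reply above edits access-list 7, and the H0455 config posted at the top of the thread also applies that list to `line vty 0 4` with `access-class 7 in`, so widening it for NAT widens SSH management access too. The following Python check is an added example, not part of the original post; the function names are hypothetical and it only models the standard numbered ACL lines quoted from this thread.

```python
import ipaddress
import re

# Lines quoted from the H0455 running-config posted at the top of this thread.
POSTED_CONFIG = """\
ip http access-class 23
ip nat inside source list 7 interface FastEthernet0 overload
ip nat inside source list 23 interface FastEthernet0 overload
access-list 7 permit 172.16.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
line vty 0 4
 access-class 7 in
 transport input ssh
"""

# The two ACL commands from the reply above.
PROPOSED_CHANGE = """\
no access-list 7 permit 172.16.10.0 0.0.0.255
access-list 7 permit 172.16.0.0 0.0.255.255
"""

ACE = re.compile(r"^(no )?access-list (\d+) permit (\S+) (\S+)$")
# Where a numbered ACL is referenced. In this config the only "access-class N in"
# sits under "line vty 0 4", so it is reported as vty access.
REFERENCES = [
    ("nat", re.compile(r"^ip nat inside source list (\d+) ")),
    ("http", re.compile(r"^ip http access-class (\d+)$")),
    ("vty", re.compile(r"^access-class (\d+) in$")),
]
MANAGEMENT = {"vty", "http"}


def acl_network(address, wildcard):
    """Turn 'address wildcard' (inverse mask) into an ip_network."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not modelled")
    return ipaddress.ip_network(f"{address}/{32 - bits.bit_length()}", strict=False)


def parse(config):
    """Return ({acl: [networks]}, {acl: {features}}) for standard numbered ACLs."""
    acls, refs = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        ace = ACE.match(line)
        if ace:
            negate, number, address, wildcard = ace.groups()
            network = acl_network(address, wildcard)
            entries = acls.setdefault(number, [])
            if negate:
                # Model the "no" form as removing the matching entry.
                if network in entries:
                    entries.remove(network)
            else:
                entries.append(network)
            continue
        for feature, pattern in REFERENCES:
            ref = pattern.match(line)
            if ref:
                refs.setdefault(ref.group(1), set()).add(feature)
    return acls, refs


def widened_management_access(config, change):
    """For ACLs shared by NAT and a management feature, list what the change adds."""
    before, refs = parse(config)
    after, _ = parse(config + change)
    findings = {}
    for number, features in refs.items():
        if "nat" in features and features & MANAGEMENT:
            old = before.get(number, [])
            added = [n for n in after.get(number, [])
                     if not any(n.subnet_of(o) for o in old)]
            findings[number] = {
                "features": sorted(features),
                "newly_permitted": [str(n) for n in added],
            }
    return findings


if __name__ == "__main__":
    result = widened_management_access(POSTED_CONFIG, PROPOSED_CHANGE)
    for number, finding in result.items():
        print(f"access-list {number}: used by {finding['features']}, "
              f"newly permitted {finding['newly_permitted'] or 'nothing'}")
```

Giving NAT and the vty lines separate access lists removes this coupling, so a NAT change no longer alters who can reach the management plane.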
03-13-2018 09:07 AM
Seb,
Ok I have attached my configuration with the changes you suggested. I took a cable from the Gi0 port on the back of the router and plugged it into the main switch and then tried to statically assign one of the IPs from one of the other subnets and I am not getting out to the internet at all and it doesn't even find the domain controller either. Normally when you have it get a DHCP address it brings up the domain name as the connection but when I statically assign it for one of the other subnets it doesn't when that port is plugged into the switch. Right now I have it plugged back in normally and get to things just fine. So maybe I am still doing something wrong or there is something else I am missing in the code? Attached is the most current config file.
Thanks,
Chris
03-14-2018 04:11 AM
Hi Chris,
What is the switch model that you are connecting Gi0 to? What does its running config for the connected switchport look like? Can you provide the switch config too?
cheers,
Seb.
03-14-2018 03:04 PM
Seb,
I have included the file with the switch config.
This specific model of switch is a 3850 model.
I have some 2960 and 3960 models I will be using at the other buildings on the subnets. But I am sure they are very much the same.
Chris
03-15-2018 01:21 AM
Hi Chris,
Looks like you are using VLAN1 for switch management, that is not best practice, so we will create VLAN2 for that function and that will be reflected in the config below. Also remove some erroneous NAT and static routes.
We will connect Gi0 on the router to Gi1/0/1 on the 3850 stack, and we will configure the subsequent switchports on each VLAN so you can test functionality:
!! H0455
!
no int vlan1
!
vlan 2
 name LCA-MGMT
!
interface Vlan2
 description LCA-MGMT
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
int gi0/1
 switchport trunk allowed vlan 2,11-15
 switchport mode trunk
!
no ip nat inside source list 23 interface FastEthernet0 overload
!
no ip route 172.16.10.0 255.255.255.0 FastEthernet0
no ip route 172.16.11.0 255.255.255.0 FastEthernet0
no ip route 172.16.12.0 255.255.255.0 FastEthernet0
no ip route 172.16.13.0 255.255.255.0 FastEthernet0
no ip route 172.16.15.0 255.255.255.0 FastEthernet0
!
!! Admin-A209A1
!
no int vlan 1
!
vlan 2
 name LCA-MGMT
vlan 11
 name LCA-GED
vlan 12
 name LCA-Edu
vlan 13
 name LCA-Gym
vlan 14
 name LCA-Open
vlan 15
 name Challenge-Unlimited
!
!
int vlan 2
 ip address 172.16.10.6 255.255.255.0
!
int gi1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 2,11-15
!
int range gi1/0/2-6
 switchport mode access
 spanning-tree portfast
!
int gi1/0/2
 switchport access vlan 11
int gi1/0/3
 switchport access vlan 12
int gi1/0/4
 switchport access vlan 13
int gi1/0/5
 switchport access vlan 14
int gi1/0/6
 switchport access vlan 15
!
cheers,
Seb.
03-17-2018 05:55 PM
Seb,
So when I deleted the VLAN 1 information and tried to put it into VLAN 2 it took down my entire network and I couldn't get out to the internet. I even reloaded the router and still nothing. So I changed it back to how I had it. I have included a network diagram of how things are connected in the building and between buildings to see if that helps make sense of things and maybe makes it easier to come up with a solution. All the other subnets unless noted would be in the main admin building but would be coming from switches within the admin building. Is it possible to set up a time with you where I could possibly do a screen sharing session with you and maybe walk through some of this if I can't get it going fairly soon? Look forward to hearing from you soon.
Chris
03-20-2018 02:11 AM
Hi Chris,
I've come up with this diagram for the current as-is topology:
Sorry about VLAN1, clearly it is used for more than management! We won't try to unpick it at this time. All the other config suggestions should remain, so the 891 looks like this:
!! H0455
!
int gi0/1
 switchport trunk allowed vlan 1,11-15
 switchport mode trunk
!
no ip nat inside source list 23 interface FastEthernet0 overload
!
no ip route 172.16.10.0 255.255.255.0 FastEthernet0
no ip route 172.16.11.0 255.255.255.0 FastEthernet0
no ip route 172.16.12.0 255.255.255.0 FastEthernet0
no ip route 172.16.13.0 255.255.255.0 FastEthernet0
no ip route 172.16.15.0 255.255.255.0 FastEthernet0
!
I've made the assumption that all 3850 switches are connected to the distribution switch on their Gi1/1/1 switchport. Therefore all the VLANs we created on the c891 need to be trunked through the first 3850 (Admin-A209A1) and towards the distribution switch:
!! Admin-A209A1
!
vlan 11
 name LCA-GED
vlan 12
 name LCA-Edu
vlan 13
 name LCA-Gym
vlan 14
 name LCA-Open
vlan 15
 name Challenge-Unlimited
!
!
int gi1/0/1
 desc UPLINK
 switchport mode trunk
 switchport trunk allowed vlan 1,11-15
!
int te1/1/1
 desc DISTRIBUTION_SWITCH
 switchport mode trunk
 switchport trunk allowed vlan 1,11-15
!
On the distribution switch, pick apart those VLANs and only trunk the relevant ones to the downstream switches (I've guessed at the GYM and EDU VLANs, not sure what you need on 1st and 3rd floor Admin building).
!
vlan 11
 name LCA-GED
vlan 12
 name LCA-Edu
vlan 13
 name LCA-Gym
vlan 14
 name LCA-Open
vlan 15
 name Challenge-Unlimited
!
int gi1/0/1
 desc Admin-A209A1
 switchport mode trunk
 switchport trunk allowed vlan 1,11-15
!
int gi1/0/1
 desc ADMIN-03-SW01
int gi1/0/2
 desc ADMIN-03-SW02
int gi1/0/3
 desc ADMIN-01-SW01
int gi1/0/4
 desc GYM-SW1
 switchport mode trunk
 switchport trunk allowed vlan 13
int gi1/0/5
 desc EDU-SW1
 switchport mode trunk
 switchport trunk allowed vlan 12
!
The downstream switches will need to be configured to receive these tagged frames and then we will place every remaining switchport in access mode for that VLAN.
!! Gym-SW1 (3560)
!
vlan 13
 name LCA-Gym
!
int gi10/48
 switchport mode trunk
 switchport trunk allowed vlan 13
!
int range gi1/0/1-47
 switchport mode access
 switchport access vlan 13
 spanning-tree portfast
!
With regard to a slight re-design you may want to visit in the future, it makes more sense to connect the 891 directly to the distribution switch than via the 3850 access-layer switch.
cheers,
Seb.
03-20-2018 03:05 PM
Seb,
I think we are a little closer than what we were last time. However when I load the configs as suggested and go to the education building I lose connection and it doesn't do anything. It appears that it doesn't even reach the router in the main building, it doesn't get to the internet outside, and it can't even reach the DHCP server to get an IP address. The router and the DHCP server reside on the 172.16.10.xx network and the education center should get a 172.16.12.xx address. I have attached files of the configs of the router, the main switch in the admin building, the fiber distro switch and the education switch. Maybe it's just something I am missing or typed in wrong. I also have one other question: the SFP ports on the right of the normal ports, are they considered gi1 or te1 ports? The reason I ask is in the config files it has them listed in there both ways and the same number of each port. I guess what I am asking is how does it determine which it is using when it comes to that, if they are in fact the same thing, because I don't see any other ports on the router that would explain this.
Chris
03-21-2018 03:01 AM
Hi Chris,
It looks like you haven't defined any of the VLANs on the switches.
On the distribution switch what is the output of sh vlan?
It should list 1,11,12,13,14,15
Likewise if you run sh int trunk, it will show which VLANs are tagged on what switchports.
In your case I'd expect to see 1,11-15 listed against Te1/0/1, VLAN13 against Te1/0/3, etc.
Please share the output of both commands.
To fix the issue, run the following commands on every switch:
!
spanning-tree mode rapid-pvst
!
vlan 11
 name LCA-GED
vlan 12
 name LCA-Edu
vlan 13
 name LCA-Gym
vlan 14
 name LCA-Open
vlan 15
 name Challenge-Unlimited
!
Also on the router we should make it the STP root bridge, so apply the following config to H0455:
!
spanning-tree vlan 1 root primary
spanning-tree vlan 11 root primary
spanning-tree vlan 12 root primary
spanning-tree vlan 13 root primary
spanning-tree vlan 14 root primary
spanning-tree vlan 15 root primary
!
Once you've applied the following config, you should be able to connect to the EDU switch and run the command sh spanning-tree vlan 12. Hopefully you will see a line like:
Gi1/1/1 Root FWD 1
Regarding your question about the Network-module installed in the switches, apply the config under the interface which is relevant. With a C3850-NM-4-10G you would configure just the TeX/1/1-4 interfaces regardless of SFP (1g or 10G). With a C3850-NM-2-10G you can configure GiX/1/1-4 and TeX/1/2 and TeX/1/4 and then with a C3850-NM-4-1G just GiX/1/1-4.
Cheers,
Seb.
03-21-2018 03:25 PM
Ok I was able to get outputs from the Distro Switch and the EDU Switch. Still get no connection as before. I also did add the vlan stuff but for some reason it is not showing in the config, I believe that is because it is not put in as an interface? At the conf t prompt I type vlan 12 (enter) then name LCA-Edu (enter) and it takes it, so unless it needs to be done as int vlan 12 (enter) it doesn't show... Here are the outputs from those commands you wanted me to run:
Distro Switch:
LCA-Fiber-Distro#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Te1/0/2, Te1/0/3, Te1/0/4
Te1/0/6, Te1/0/7, Te1/0/8
Te1/0/9, Te1/0/10, Te1/0/11
Te1/0/12
11 LCA-GED active
12 LCA-Edu active
13 LCA-Gym active
14 LCA-Open active
15 Challenge-Unlimited active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
11 enet 100011 1500 - - - - - 0 0
12 enet 100012 1500 - - - - - 0 0
13 enet 100013 1500 - - - - - 0 0
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
14 enet 100014 1500 - - - - - 0 0
15 enet 100015 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
LCA-Fiber-Distro#sh int trunk
Port Mode Encapsulation Status Native vlan
Te1/0/1 on 802.1q trunking 1
Te1/0/5 on 802.1q trunking 1
Port Vlans allowed on trunk
Te1/0/1 1,11-15
Te1/0/5 11-12
Port Vlans allowed and active in management domain
Te1/0/1 1,11-15
Te1/0/5 11-12
Port Vlans in spanning tree forwarding state and not pruned
Te1/0/1 1,11-15
Te1/0/5 11-12
sh spanning-tree vlan 12
VLAN0012
Spanning tree enabled protocol rstp
Root ID Priority 32780
Address 003c.10f1.b780
Cost 4
Port 5 (TenGigabitEthernet1/0/5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)
Address 00bf.7757.2b00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te1/0/1 Desg FWD 4 128.1 P2p
Te1/0/5 Root FWD 4 128.5 P2p
Output from the EDU Switch:
Edu-C214B#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/25, Gi1/0/26, Gi1/0/27
Gi1/0/28, Gi1/0/29, Gi1/0/30
Gi1/0/31, Gi1/0/32, Gi1/0/33
Gi1/0/34, Gi1/0/35, Gi1/0/36
Gi1/0/37, Gi1/0/38, Gi1/0/39
Gi1/0/40, Gi1/0/41, Gi1/0/42
Gi1/0/43, Gi1/0/44, Gi1/0/45
Gi1/0/46, Gi1/0/47, Gi1/0/48
Gi1/1/2, Gi1/1/3, Gi1/1/4
Gi2/0/48, Gi2/1/1, Gi2/1/2
Gi2/1/3, Gi2/1/4
11 LCA-GED active
12 LCA-Edu active Gi1/0/1, Gi1/0/2, Gi1/0/3
Gi1/0/4, Gi1/0/5, Gi1/0/6
Gi1/0/7, Gi1/0/8, Gi1/0/9
Gi1/0/10, Gi1/0/11, Gi1/0/12
Gi1/0/13, Gi1/0/14, Gi1/0/15
Gi1/0/16, Gi1/0/17, Gi1/0/18
Gi1/0/19, Gi1/0/20, Gi1/0/21
Gi1/0/22, Gi1/0/23, Gi1/0/24
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
Gi2/0/1, Gi2/0/2, Gi2/0/3
Gi2/0/4, Gi2/0/5, Gi2/0/6
Gi2/0/7, Gi2/0/8, Gi2/0/9
Gi2/0/10, Gi2/0/11, Gi2/0/12
Gi2/0/13, Gi2/0/14, Gi2/0/15
Gi2/0/16, Gi2/0/17, Gi2/0/18
Gi2/0/19, Gi2/0/20, Gi2/0/21
Gi2/0/22, Gi2/0/23, Gi2/0/24
Gi2/0/25, Gi2/0/26, Gi2/0/27
Gi2/0/28, Gi2/0/29, Gi2/0/30
Gi2/0/31, Gi2/0/32, Gi2/0/33
Gi2/0/34, Gi2/0/35, Gi2/0/36
Gi2/0/37, Gi2/0/38, Gi2/0/39
Gi2/0/40, Gi2/0/41, Gi2/0/42
Gi2/0/43, Gi2/0/44, Gi2/0/45
Gi2/0/46, Gi2/0/47
13 LCA-Gym active
14 LCA-Open active
15 Challenge-Unlimited active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
11 enet 100011 1500 - - - - - 0 0
12 enet 100012 1500 - - - - - 0 0
13 enet 100013 1500 - - - - - 0 0
14 enet 100014 1500 - - - - - 0 0
15 enet 100015 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
Edu-C214B#sh int trunk
Port Mode Encapsulation Status Native vlan
Gi1/1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/1/1 11-12
Port Vlans allowed and active in management domain
Gi1/1/1 11-12
Port Vlans in spanning tree forwarding state and not pruned
Gi1/1/1 11-12
Edu-C214B#
Edu-C214B#sh spanning-tree vlan 12
VLAN0012
Spanning tree enabled protocol rstp
Root ID Priority 32780
Address 003c.10f1.b780
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)
Address 003c.10f1.b780
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/2 Desg FWD 19 128.2 P2p Edge
Gi1/0/3 Desg FWD 4 128.3 P2p Edge
Gi1/0/4 Desg FWD 4 128.4 P2p Edge
Gi1/0/11 Desg FWD 100 128.11 P2p Edge
Gi1/0/12 Desg FWD 19 128.12 P2p Edge
Gi1/0/14 Desg FWD 4 128.14 P2p Edge
Gi1/0/16 Desg FWD 4 128.16 P2p Edge
Gi1/0/17 Desg FWD 4 128.17 P2p Edge
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/18 Desg FWD 4 128.18 P2p Edge
Gi1/0/20 Desg FWD 4 128.20 P2p Edge
Gi1/0/22 Desg FWD 100 128.22 P2p Edge
Gi1/1/1 Desg FWD 4 128.49 P2p
Gi2/0/19 Desg FWD 4 128.115 P2p Edge
Gi2/0/23 Desg FWD 4 128.119 P2p Edge
Gi2/0/37 Desg FWD 4 128.133 P2p Edge
Gi2/0/44 Desg FWD 100 128.140 P2p Edge
Another issue I am seeing is that I have cameras that will be plugged into the ge1/0/26-40 ports and I get the message insufficient power and it changes the state to down and it flops up and down. I did totally take out everything on those ports only for no spanning-tree portfast, trunking etc...
Thanks,
Chris
03-22-2018 03:47 AM
Well at least the STP is functioning between LCA-Fiber-Distro and the EDU switch.
Did you configure those spanning-tree vlan X root primary commands on H0455? I would have expected to see Te1/0/1 on LCA-Fiber-Distro as the Root port for all VLANs. The fact that we are not indicates an issue with that link in particular.
On LCA-Fiber-Distro, does sh cdp neigh te1/0/1 show H0455 on the other end?
Also what is the output of sh spanning-tree vlan 1
On H0455 what is the output of:
sh spanning-tree summary
sh int trunk
Regarding the PoE issue on Edu-C214, what is the output of:
sh power inline
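The reasoning in the post above (H0455 should win the root election, so LCA-Fiber-Distro should show Te1/0/1 as its root port) can be checked mechanically against the outputs already posted in this thread. The following Python check is an added example, not part of the original post; the function names and finding codes are hypothetical, and the embedded text is trimmed from the thread's `sh spanning-tree vlan 12` output.

```python
import re

# Trimmed from the "sh spanning-tree vlan 12" outputs posted earlier in this thread.
DISTRO_VLAN12 = """\
VLAN0012
Spanning tree enabled protocol rstp
Root ID Priority 32780
Address 003c.10f1.b780
Cost 4
Port 5 (TenGigabitEthernet1/0/5)
Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)
Address 00bf.7757.2b00
Interface Role Sts Cost Prio.Nbr Type
Te1/0/1 Desg FWD 4 128.1 P2p
Te1/0/5 Root FWD 4 128.5 P2p
"""
EDU_VLAN12 = """\
VLAN0012
Spanning tree enabled protocol rstp
Root ID Priority 32780
Address 003c.10f1.b780
This bridge is the root
Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)
Address 003c.10f1.b780
Interface Role Sts Cost Prio.Nbr Type
Gi1/0/2 Desg FWD 19 128.2 P2p Edge
Gi1/1/1 Desg FWD 4 128.49 P2p
"""

# Bridge priority when nothing has been configured; "root primary" lowers it.
DEFAULT_PRIORITY = 32768


def parse_stp(output):
    """Extract root/bridge identity and the root port from one VLAN's output."""
    state = {"vlan": None, "root_priority": None, "root_address": None,
             "bridge_address": None, "is_root": False, "root_port": None}
    section = None  # which "ID" block the next Address line belongs to
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"VLAN0*(\d+)$", line):
            state["vlan"] = int(m.group(1))
        elif m := re.match(r"Root ID\s+Priority\s+(\d+)", line):
            section, state["root_priority"] = "root", int(m.group(1))
        elif re.match(r"Bridge ID\s+Priority\s+\d+", line):
            section = "bridge"
        elif (m := re.match(r"Address\s+([0-9a-f.]+)$", line)) and section:
            state[f"{section}_address"] = m.group(1)
        elif line == "This bridge is the root":
            state["is_root"] = True
        elif m := re.match(r"(\S+)\s+Root\s+\S+\s+\d+\s+\d+\.\d+", line):
            state["root_port"] = m.group(1)
    return state


def check_root(output, expected_root_port=None, may_be_root=False):
    """Return finding codes for one switch's 'sh spanning-tree vlan N' output."""
    state = parse_stp(output)
    findings = []
    # With the extended system ID the displayed priority is base + VLAN id.
    if state["root_priority"] - state["vlan"] >= DEFAULT_PRIORITY:
        findings.append("root-at-default-priority")
    if state["is_root"] and not may_be_root:
        findings.append("unexpected-root-bridge")
    if expected_root_port and not state["is_root"] \
            and state["root_port"] != expected_root_port:
        findings.append(f"root-port-is-{state['root_port']}")
    return findings


if __name__ == "__main__":
    print("LCA-Fiber-Distro:", check_root(DISTRO_VLAN12, expected_root_port="Te1/0/1"))
    print("Edu-C214B:", check_root(EDU_VLAN12))
```

A root elected at the default priority means no switch in that VLAN is receiving BPDUs from a deliberately configured root, which is the condition the post is trying to track down on the Te1/0/1 link.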
03-26-2018 08:57 PM
Seb,
As of today I have fixed the POE issue, it wasn't getting enough power from the power supply as it has redundant power supplies and one wasn't plugged in. Once I plugged it in the POE issues went away. So I think someone might have snagged the power cable and it came loose.
As far as the VLANs, it appears I have them working to an extent. So to fix the issue I made each NIC on the DHCP server and assigned an IP address that matched the VLAN. Then took them and plugged them into a port on the main switch Admin209A which was assigned for that VLAN. I also had to make the Distro Switch the Server by using the vtp mode Server and all other switches set them to vtp mode client. I also set the vtp domain to LCA on the distro and all switches.
So now the computers are picking up an IP address in the correct subnet that they are assigned on the switch. Here is the kicker though: it gets the proper IP address and says it has internet access on the machine NIC and even says the domain name. The problem is that it can get out to some internet sites while others it can't find at all. I did notice the ones it does get out to it says something about a TLS handshake right before the page loads. I am not sure why some sites are getting through while others are not. However on the main subnet I can get to any website and am not limited. Any ideas on what is causing this?
On the DHCP server each NIC is configured below: (ie: IP address, subnet mask, gateway, DNS, DNS)
NIC 1 = VLAN 1 (172.16.10.15, 255.255.255.0, 172.16.10.1, 127.0.0.0, 97.64.183.10)
NIC 2 = VLAN 1 (172.16.11.15, 255.255.255.0, 172.16.11.1, 127.0.0.0, 97.64.183.10)
NIC 3 = VLAN 1 (172.16.12.15, 255.255.255.0, 172.16.12.1, 127.0.0.0, 97.64.183.10)
NIC 4 = VLAN 1 (172.16.13.15, 255.255.255.0, 172.16.13.1, 127.0.0.0, 97.64.183.10)
NIC 5 = VLAN 1 (172.16.14.15, 255.255.255.0, 172.16.14.1, 127.0.0.0, 97.64.183.10)
NIC 6 = VLAN 1 (172.16.15.15, 255.255.255.0, 172.16.15.1, 127.0.0.0, 97.64.183.10)
The reason DNS is 127.0.0.1 is because the DHCP server also does DNS so I keep it with the local address for the first DNS entry and the second DNS entry is the one provided by the ISP. In the router I have the IP helper address set to the 172.16.x.1 address depending on which VLAN it is.
I am confused as to what is now causing the issue with certain web pages to load and certain ones can't load? Thinking it is still something with the programming of the switches, distro switch or router.
Thanks,
Chris
03-27-2018 01:33 AM
Hi Chris,
Glad to hear the VLANs are working. If you are going to use VTP, make sure you secure it with a password to protect against rogue VTP servers corrupting your VLAN database.
Regarding your DHCP, I am not sure the 127.0.0.1 will work as you intend. If a DHCP client does install 127.0.0.1 as its primary server it will perform a DNS lookup against its own loopback address, not the server. It will therefore always fail. If you want the primary DNS server to be your server then list the IP address which the DNS service is listening on.
As for why VLAN 1 is unaffected by all these problems, it is probably because you still have the DHCP server config active on H0455:
!
ip dhcp pool ccp-pool
 import all
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 dns-server 97.64.168.10
 lease 0 2
!
...when a client sends out its DHCP DISCOVER broadcast, the router will respond quicker than the server. Check the output of sh ip dhcp binding on the router and you will probably see all of your VLAN 1 clients.
With DHCP working on the server it should be safe to remove the above DHCP pool:
!
no ip dhcp pool ccp-pool
!
cheers,
Seb.
03-28-2018 10:27 PM
Seb,
I appreciate all your help on this, and we finally have got everything working and communicating properly. I have learned a lot from just working with you on this and have a better understanding now of why some of the things were not working, etc. Thanks again for all your help it was greatly appreciated...
Chris
