Conflict between two VLANs

sagarshaha
Level 1

Hi,

We have a strange problem here. Let me give you some background on my setup.

We have a Cisco 3560X L3 switch with 2 VLANs configured as mentioned below:

VLAN1 - Server VLAN (192.168.0.1/255.255.254.0) (Switch Port - Gi0/2 to 0/10)

VLAN2 - User VLAN (192.168.152.1/255.255.248.0) (Switch Port - Gi0/11 to 0/22)

We have connected L2 switches on the respective VLANs, and then the servers and user LANs respectively. We have configured the DHCP server on this switch to give IPs to LAN users from VLAN2.

So, as per the configuration done in the switch, all the users should receive IPs from the 192.168.152.0/255.255.248.0 range from the DHCP server, but some users receive an IP from VLAN1, i.e. 192.168.0.X or something like this.

When we do an IP reset/renew it goes back to normal behaviour and assigns an IP from the 152.X series.

This happens daily to most of our users.

Can someone please help us here?

Thanks in advance.

Regards,

Sagar

18 Replies

Abzal
Level 7

Hi,

1. It could be that a user's PC is connected to a port that is assigned to VLAN 2. You may check the ports to see if any has the wrong VLAN.

2. Users move and connect to a wall socket that is configured for VLAN 2.

You may assign to VLAN 2 only the ports that connect to servers, and all other ports to VLAN 1.

Hope it will help.

Best regards,
Abzal


Hi Abzal,

Thanks for your reply.

I think by mistake you wrote VLAN2 instead of VLAN1; as I said, VLAN2 is the USER VLAN and VLAN1 is the SERVER VLAN.

Anyway, I understand the point and here are the answers.

1. It could be that a user's PC is connected to a port that is assigned to VLAN 1. You may check the ports to see if any has the wrong VLAN.

Ans -> We have connected L2 switches to the VLANs, so the workstation cables are not directly connected to the VLANs.

So, the route is User -> L2 switch -> VLAN2

2. Users move and connect to a wall socket that is configured for VLAN1.

Ans -> We have not configured ANY wall socket for VLAN1, as they are only for our server room.

You may assign to VLAN 2 only the ports that connect to servers, and all other ports to VLAN 1.

Yes, we have done the same thing. All the ports from G0 to G10 are for the server VLAN and G11 to G22 are for the user VLAN.

Thanks in advance.

Regards,

Sagar

Ok then. Can you show the DHCP pools and SVI configuration?

And output from 3560:

sh int trunk

Hope it will help.

Best regards,
Abzal


Here you go....

VLAN config...

L3(config)#interface vlan 1
L3(config-if)#ip address 192.168.0.1 255.255.254.0
L3(config-if)#no shutdown
L3(config-if)#exit
L3(config)#interface vlan 2
L3(config-if)#ip address 192.168.152.1 255.255.248.0
L3(config-if)#no shutdown
L3(config-if)#exit
L3(config)#end
L3#wr

DHCP Config...

L3(config)#service dhcp
L3(config)#ip dhcp pool XXXX
L3(dhcp-config)#network 192.168.152.0 /21
L3(dhcp-config)#domain-name XXXX.com
L3(dhcp-config)#dns-server 192.168.0.75 192.168.0.76 202.56.230.5 4.2.2.2 8.8.8.8
L3(dhcp-config)#default-router 192.168.152.1
L3(dhcp-config)#lease 7 0 0
L3(dhcp-config)#exit
L3(config)#ip dhcp excluded-address 192.168.152.1 192.168.152.100
L3(config)#exit
L3#wr

sh int trunk Output...

L3>show int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30
L3>

Thanks,

Sagar

One question:

What device is connected on port G0/1? Is it the L2 switch where the users reside? This port is not allowing VLAN 2 to the 3560.

sh run int g0/1

Have you created VLAN 2 on that switch?

sh vlan

sh spanning-tree vlan 2

sh int trunk

Hope it will help.

Best regards,
Abzal


Hi Abzal,

G0/1 is connected to the firewall. It's a trunking port.

Yes, all VLANs are configured on this 3560X switch.

sh run int g0/1 output....

L3#sh run int g0/1
Building configuration...

Current configuration : 97 bytes
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

L3#

sh vlan output....

User Access Verification

Password:
KOMLI_L3>sh run int g0/1
             ^
% Invalid input detected at '^' marker.

KOMLI_L3>sh run int g0
             ^
% Invalid input detected at '^' marker.

KOMLI_L3>en
Password:
KOMLI_L3#sh r
KOMLI_L3#sh run int g0.1
                      ^
% Invalid input detected at '^' marker.

KOMLI_L3#sh run int g0/1
Building configuration...

Current configuration : 97 bytes
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

KOMLI_L3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/23, Gi0/24
10   SERVERS_SW                       active    Gi0/2, Gi0/3, Gi0/4, Gi0/5, Gi0/6, Gi0/7, Gi0/8, Gi0/9, Gi0/10
20   USERS_SW                         active    Gi0/11, Gi0/12, Gi0/13, Gi0/14, Gi0/15, Gi0/16, Gi0/17, Gi0/18, Gi0/19,
                                                Gi0/20, Gi0/21, Gi0/22
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
--More--

sh spanning-tree vlan 2....

L3#sh spanning-tree vlan 20

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     40f4.ecf1.695a
             Cost        20004
             Port        7 (GigabitEthernet0/7)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     442b.0393.4800
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/11              Desg FWD 4         128.11   P2p
Gi0/12              Desg FWD 4         128.12   P2p
Gi0/13              Desg FWD 4         128.13   P2p

L3#

Thanks for your help !!

Regards,

Sagar

Now it's a little bit unclear. A network diagram showing the connected ports would be better.

Does your topology look like this?

users --- L2 switch ----g0/? 3560  g0/1 ----- Firewall

Is the port between the L2 switch and the L3 3560 configured as a trunk?

Hope it will help.

Best regards,
Abzal


Yes, as mentioned by you, the topology is correct.

User->L2 switch->User VLAN(G0/X) -> G0/1(Trunk Port)->Firewall

None of the ports on the L3 switch are configured as trunk except G0/1.

Thanks,

Sagar

But if my topology is correct then you should configure the port between the L2 switch and the L3 3560 as a trunk.

Show some outputs from the L2 switch:

sh run

sh int trunk

And create VLAN 2 on the L2 switch. Why are the IPs 192.168.152.1 and 192.168.0.1 configured under the VLAN 1 and VLAN 2 interfaces respectively? Or is it just a typo? Because you created VLAN 10/VLAN 20 but not VLAN 2 on the KOMLI_L3 switch.

Suggestions:

1. Create VLAN 2 on all user switches.

2. Configure the ports between the L2 and L3 switches as trunks.

3. Assign correct VLAN on ports (Users, Servers).

Verification:

sh vlan ---> to verify the VLAN database

sh int trunk ----> VLAN 1/VLAN 2 need to be allowed on the trunk

Hope it will help.

Best regards,
Abzal


Hi Abzal,

Yes, it's just a typo. We have VLAN 10 and VLAN 20.

The L2 switches are just normal switches and we have not configured anything on them. They are currently acting like unmanaged switches.

Please suggest.

Thanks,

Sagar

Hi Sagarshaha,

This could well be an issue with malware on one of the user PCs and nothing to do with networking (I have gone through this before). If one of the user PCs has malware that replies to DHCP requests, some of the PCs will end up getting an IP address from the malware.

To figure this out, you can install Wireshark on a laptop/PC (one without malware) and plug it into one of the ports on VLAN2. Filter only for DHCP traffic and start renewing the DHCP IPs on each PC while closely looking at the DHCP offers in Wireshark. If you see an offer coming from some IP other than the switch's SVI, that's your culprit.

Remove it from production. Clean it up before putting it back on.

Let me know what you find.

Also don't forget to rate helpful answers.

Shamal
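An offline version of the check Shamal describes, written here as an added example (not code from the thread or from Cisco): it parses DHCPOFFER messages from a capture and flags any whose server identifier is not the user-VLAN SVI, and also any offer that carries an address outside the user subnet, which is the symptom reported in this thread. It assumes 192.168.152.1 on 192.168.152.0/21 is the only legitimate server and that the raw UDP payloads are available; the two packets below are constructed, not captured.

```python
import ipaddress
import struct

# Assumed (not stated in the thread): the only legitimate DHCP server is the user-VLAN SVI.
EXPECTED_SERVER = ipaddress.ip_address("192.168.152.1")
EXPECTED_SUBNET = ipaddress.ip_network("192.168.152.0/21")
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie at offset 236, right after the BOOTP header

def parse_dhcp(payload: bytes) -> dict:
    """Return message type (option 53), offered address (yiaddr) and server id (option 54)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # 0 = pad, carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"type": opts.get(53, b"\x00")[0],
            "yiaddr": ipaddress.ip_address(payload[16:20]),
            "server_id": ipaddress.ip_address(opts[54]) if 54 in opts else None}

def classify_offer(payload: bytes) -> str:
    """'ok' for an offer from the SVI inside the user subnet; otherwise why it is suspicious."""
    p = parse_dhcp(payload)
    if p["type"] != 2:  # 2 = DHCPOFFER; discovers, requests and acks are ignored here
        return "not-an-offer"
    if p["server_id"] != EXPECTED_SERVER:
        return f"rogue-server:{p['server_id']}"  # Shamal's case: the offer did not come from the SVI
    if p["yiaddr"] not in EXPECTED_SUBNET:
        return f"wrong-subnet:{p['yiaddr']}"  # the thread's symptom: right server, server-VLAN address
    return "ok"

def build_offer(yiaddr: str, server_id: str) -> bytes:
    """Construct a minimal DHCPOFFER (236-byte BOOTP header + cookie + options) for testing."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, ipaddress.ip_address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         b"\xaa" * 6 + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = b"\x35\x01\x02" + b"\x36\x04" + ipaddress.ip_address(server_id).packed + b"\xff"
    return header + MAGIC + options

# Constructed sample packets, not captured from the thread's network.
GOOD_OFFER = build_offer("192.168.152.120", "192.168.152.1")  # SVI hands out a user-VLAN lease
ROGUE_OFFER = build_offer("192.168.0.200", "192.168.0.150")   # some other host answered the discover

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, classify_offer(pkt))  # prints: good ok / rogue rogue-server:192.168.0.150
```

Feed it the UDP payloads of the DHCP packets exported from the Wireshark capture; any result other than "ok" is an offer worth chasing down.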

Hi shamal,

Thanks for your reply.

We have ~180 users and it's difficult to release/renew the DHCP address on each of the laptops. Can you please suggest some workaround so I can find the culprit from my switch?

Many Thanks,

Sagar

Hi Sagar,

In order to eliminate the possible issue caused by other malware PCs on the network, next time you find a user PC picking up a DHCP IP address from the server VLAN, do an ipconfig /all on that PC and verify what DHCP server IP address it shows there. If it is anything other than the L3 interface of your switch, then you can suspect a rogue PC on your network.

If you identify that the DHCP server address shown is anything other than the L3 device, you can trace back the culprit IP address and try removing it from the network.

It would have been helpful for everyone if you had a topology (how the above-said devices are connected) and the running configurations on them.

Regards

Najaf

Please rate when applicable or helpful !!!

Hi Najaf,

Yes, we did ipconfig /all on the PC and it picks up the IP from the server VLAN pool only. It is nothing from outside the network.

I have attached my current simple network architecture diagram.

Hope this is helpful !!
