Dropping packets between VLANS

trbonja05
Level 1

It's a Cisco shop ranging from Cat2900 to 3750 (dual 3750 is stacked, with 2 units used as a core and router).

Everything within VLAN 1 (management VLAN) is working (10+ servers and a few workstations).

Accessing any VLAN (in/out) is next to impossible, as 40% of packets are dropped.

Even within all VLANs packets are dropped, except for VLAN 1, which works just fine.

The suspect is spanning tree configuration or misconfiguration, but there are no blocked ports, errors or core switch overload.

The problem started when I configured a switch already in production for trunking, but that switch had a duplicate IP (the IP address of an old switch, a 1900 series that shouldn't be in production to begin with). I have removed that VLAN (and the old switch) from the VTP server and changed the IP address on the switch, configured it as a VTP client and set the VTP domain name - VLANs propagated from the core/VTP server but the problem is still there.

Thank you for any assistance or suggestion you may have.

==================================

Access switch:

3750_M_Office#sho spanni root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001          1000 0004.27be.4d40        12    2   20  15  Gi1/0/49
VLAN0003         32768 0004.27be.4d41        12    2   20  15  Gi1/0/49
VLAN0004         32768 0004.27be.4d42        12    2   20  15  Gi1/0/49
VLAN0005         32768 0004.27be.4d43        12    2   20  15  Gi1/0/49
VLAN0006         32768 0004.27be.4d44        12    2   20  15  Gi1/0/49
VLAN0007         32768 0004.27be.4d45        12    2   20  15  Gi1/0/49
VLAN0008         32768 0004.27be.4d46        12    2   20  15  Gi1/0/49
VLAN0009         32768 0004.27be.4d47        12    2   20  15  Gi1/0/49
VLAN0010         32768 0004.27be.4d48        12    2   20  15  Gi1/0/49
VLAN0011         32768 0004.27be.4d49        12    2   20  15  Gi1/0/49
VLAN0012         32768 0004.27be.4d4a        12    2   20  15  Gi1/0/49
VLAN0013         32768 0004.27be.4d4b        12    2   20  15  Gi1/0/49
VLAN0020         32768 0004.27be.4d4c        12    2   20  15  Gi1/0/49

Core switch:

interface Vlan1
 description Management Interface
 ip address 10.0.0.30 255.0.0.0
!
interface Vlan3
 description Steelprep
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 10.0.1.1
 ip helper-address 192.168.1.2
!
interface Vlan4
 description Works Office
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 10.0.0.1
 ip helper-address 192.168.2.1
!
interface Vlan5
 description Time bunker
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 10.0.1.1
 ip helper-address 192.168.1.2
!
interface Vlan7
 description QPS
 ip address 192.168.7.1 255.255.255.0
 ip helper-address 10.0.1.1
 ip helper-address 192.168.1.2
!
interface Vlan9
 description Q.A.
 ip address 192.168.9.1 255.255.255.0
 ip helper-address 10.0.1.1
 ip helper-address 192.168.1.2
!
interface Vlan10
 description Engineering VLAN
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 10.0.1.1
 ip helper-address 192.168.1.2
!
interface Vlan11
 description HR 2nd Floor
 ip address 192.168.11.1 255.255.255.0
 ip helper-address 10.0.1.1
 ip helper-address 192.168.1.2
!
interface Vlan12
 ip address 192.168.12.1 255.255.255.0
 ip helper-address 10.0.1.1
 ip helper-address 192.168.1.2
!
interface Vlan13
 description Warehouse
 ip address 192.168.13.1 255.255.255.0
 ip helper-address 10.0.1.1
 ip helper-address 192.168.1.2
!
interface Vlan20
 description Wireless
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.1.1
 ip helper-address 192.168.1.2
!
ip default-gateway 10.0.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1

Core#show vtp st
VTP Version                     : 2
Configuration Revision          : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 17
VTP Operating Mode              : Server
VTP Domain Name                 : NSC
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

11 Replies

4rmorris
Level 1

You should figure out exactly where the root is, or if you want it to be your core switches (you do, trust me) then you should make sure they have the lowest priority.

In your 3750 stack, configure them for root priority. This command will allow the stack to automatically work out the priority for every VLAN so it is the root:

(config)# spanning-tree vlan 1-4094 root primary

Right now it looks like your root is off the core at port gig0/49. Maybe that device can't handle the traffic.

Let us know how it goes,

Ryan

Please provide a diagram and the STP configs of each switch....

VL

Thank you both for the replies.

Hopefully the attached info will provide the adequate info Lamav requested.

Yes, the root switch is the core (stacked 3750).

What's annoying is that even from the core itself, the provider of IP routing, a simple ping to VLANs (other than VLAN 1) will sometimes fail - 25% fail rate.

Again, thank you for your replies.

I reviewed quickly... your core switch is NOT the root for VLAN 1. Check this out:

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1000
             Address     0004.27be.4d40
             Cost        4
             Port        3 (GigabitEthernet1/0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0016.461a.c500
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

The root for VLAN1 is somewhere up port Gig1/0/3. This could be affecting you.

What about routing? Are you running any routing protocols? I don't think it's an issue here because you're talking about routing between vlans local on the switch, but if you're routing stuff into vlan1 which has an upstream root port and there's a layer 2 issue it might cause odd behaviour.

Also, is the server farm switch root port correct? If you're using etherchannel, are both links up and forwarding frames properly? Try turning UDLD on for the uplink ports, it will detect errors with unidirectional links. This can cause really weird stuff to happen if not detected. You need to turn it on on both sides of the link.

Let us know,

Ryan
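The comparison made in the reply above (the root address in the output against the core's own bridge address), automated over "show spanning-tree root" rows. This is an added example, not part of the thread: the VLAN 1, 3 and 10 rows are copied from the original post, the VLAN0099 row is constructed, and it assumes the core reports the same bridge address on every VLAN, as a switch using the extended system ID does.

```python
import re

# Bridge address the core stack reports for itself in the thread's output.
CORE_BRIDGE = "0016.461a.c500"

# Sample input: VLAN 1, 3 and 10 rows are from the original post;
# the VLAN0099 row is constructed to show a VLAN where the local switch is root.
SAMPLE = """\
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001          1000 0004.27be.4d40        12    2   20  15  Gi1/0/49
VLAN0003         32768 0004.27be.4d41        12    2   20  15  Gi1/0/49
VLAN0010         32768 0004.27be.4d48        12    2   20  15  Gi1/0/49
VLAN0099             1 0016.461a.c500         0    2   20  15
"""

# vlan, root priority, root MAC, root cost, three timers, optional root port
ROW = re.compile(
    r"^(VLAN\d{4})\s+(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(\d+)\s+\d+\s+\d+\s+\d+\s*(\S*)$", re.I)

def parse_roots(text):
    """Return one dict per VLAN row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            vlan, prio, mac, cost, port = m.groups()
            rows.append({"vlan": int(vlan[4:]), "priority": int(prio),
                         "root": mac.lower(), "cost": int(cost),
                         "port": port or None})  # no root port on the root itself
    return rows

def audit(text, expected_root):
    """List (vlan, reason) for every VLAN whose root is not the expected bridge."""
    findings = []
    for r in parse_roots(text):
        if r["root"] != expected_root.lower():
            reason = f"root is {r['root']} via {r['port']}, priority {r['priority']}"
            if r["priority"] >= 32768:
                reason += " (default priority: this root was elected, not configured)"
            findings.append((r["vlan"], reason))
    return findings

if __name__ == "__main__":
    for vlan, reason in audit(SAMPLE, CORE_BRIDGE):
        print(f"VLAN {vlan}: {reason}")
```

Running the same audit on a schedule against each access switch also catches a newly connected switch taking over as root, which is what happened to VLAN 1 here.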

I just noticed that it's an old 3500 that is root for VLAN 1 and the poor thing is overloaded.

As for the wiring, it is a mess, to say the least.

All links are up & running but I will follow the suggestion & turn on UDLD.

Thank you very much for your reply

Regards,

Trbonja

With UDLD turned on the Server Farm switch I can't see any errors

Anything else I can try?

Thank you

Trbonja

Interface Gi1/0/25
---
Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Unknown
Current operational state: Advertisement
Message interval: 7
Time out interval: 5
No neighbor cache information stored

Interface Gi1/0/26
---
Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Unknown
Current operational state: Advertisement
Message interval: 7
Time out interval: 5
No neighbor cache information stored

You need to turn it on on both sides of the link. It should look something like this:

Interface Gi1/1
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 44
    Device ID: 1
    Current neighbor state: Bidirectional
    Device name: 00d0003aa400
    Port ID: 3/3
    Neighbor echo 1 device: SCA033000W6
    Neighbor echo 1 port: Gi1/1
    Message interval: 15
    Time out interval: 5
    CDP Device name: SCA03430130

If you already turned it on on both sides of the link, it's possible the messages aren't getting there, which would be the sign of a problem.

Ryan

It was enabled on both ends but it took almost 5 min to get the CDP info.

I have specified the core (stacked 3750) as primary and another barely used 3750_equipment as a secondary. Path costs are below and I'm not sure if they are adequate.

The diagram that someone else requested is attached. VLAN 10 (prodend) is very high priority.

Thank you

Trbonja

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0016.461a.c500
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    1  (priority 0 sys-id-ext 1)
             Address     0016.461a.c500
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/0/3          Desg FWD 4         128.3    P2p
Gi1/0/4          Desg FWD 4         128.4    P2p
Gi1/0/5          Desg FWD 4         128.5    P2p
Gi1/0/7          Desg FWD 19        128.7    P2p
Gi1/0/8          Desg FWD 19        128.8    P2p
Gi1/0/9          Desg FWD 19        128.9    P2p
Gi1/0/10         Desg FWD 4         128.10   P2p
Po1              Desg FWD 3         128.616  P2p
Po3              Desg FWD 3         128.632  P2p
Gi2/0/3          Desg FWD 4         128.55   P2p
Gi2/0/5          Desg FWD 4         128.57   P2p
Gi2/0/6          Desg FWD 19        128.58   P2p
Gi2/0/7          Desg FWD 19        128.59   Shr
Gi2/0/9          Desg FWD 4         128.61   P2p
Gi2/0/10         Desg FWD 4         128.62   P2p

Marwan ALshawi
VIP Alumni

If you send a simple diagram it will be easier to have a look at.

By the way, in the following VLAN I think the second DHCP server is configured mistakenly:

interface Vlan4
 description Works Office
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 10.0.0.1
 ip helper-address 192.168.2.1

I've used the config backup on the core - no change.

Removed all trunks but 2 - 3750_server_farm & 3750_Main_ofice - No Change.

As soon as I can spare some time I'll make a diagram.

Again, thank you

Regards,

Trbonja

Both of them were mistyped. Corrected. Thank you for the info
