12-22-2010 01:21 AM - edited 03-06-2019 02:39 PM
Hi all,
I have a problem with a NM-ESW-16 network module in a Cisco 2651XM router running Advanced Security IOS v12.4(25d).
Prior to upgrading to this version of IOS, the router was running IOS v12.4(8). Switch ports 0-7 were configured to be in VLAN 2 and ports 8-15 were in VLAN 3 and it was working as expected, i.e. the NM-ESW-16 was working as two 8-port switches.
The network config is set up for testing purposes only right now, so only 2 of the ports in VLAN 2 are used. One port is connected to an existing switch as an uplink, and the other port goes off to a workstation.
The Problem: Once the upgrade completed and the router reloaded, I was no longer able to ping the IP address of the router's built-in FastEthernet 0/0 interface from the workstation, however I could ping anything else on the network. This was not the behaviour before the IOS upgrade though, so I'm wondering if I need to configure something else now in order to get the packets flowing again?
I've spent quite a lot of time looking for a) simply how to configure the NM-ESW-16 as two port-based VLANs (finally got there) and (b) trying to figure out why the router is not forwarding packets over these VLANs when those packets are addressed to it, so I would appreciate any help/ideas.
The config for this router is about 20k, so if you need to see parts of it let me know. I've included some parts that may be relevant below:
interface FastEthernet1/0
 switchport access vlan 2
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/1
 switchport access vlan 2
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/2
 switchport access vlan 2
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/3
 switchport access vlan 2
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/4
 switchport access vlan 2
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/5
 switchport access vlan 2
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/6
 switchport access vlan 2
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/7
 switchport access vlan 2
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/8
 switchport access vlan 3
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/9
 switchport access vlan 3
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/10
 switchport access vlan 3
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/11
 switchport access vlan 3
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/12
 switchport access vlan 3
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/13
 switchport access vlan 3
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/14
 switchport access vlan 3
 power inline never
 spanning-tree portfast
!
interface FastEthernet1/15
 switchport access vlan 3
 power inline never
 spanning-tree portfast
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
!
interface Vlan3
 no ip address
!
c2651xm#show vlan-switch
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
2    DMZ                              active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7
3    PUBLIC                           active    Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
c2651xm#
The next thing I was going to try was adding FastEthernet 0/0 into VLAN 2, not sure if it will let me or not, or what effects it might have on the network when I do it.
Thanks,
- Rob.
12-22-2010 01:38 AM
Hi,
> interface Vlan2
>  no ip address
> !
> interface Vlan3
>  no ip address
If you want intervlan routing between vlan3 and vlan2 then you must put an ip address for each vlan interface and put this address as default gateway for machines in this vlan.
Regards.
Alain.
12-22-2010 01:45 AM
Hi Alain,
I'm not trying to get interVLAN routing going or anything of that nature, all I'm trying to do is use the 16 switch ports as two 8-port "dumb" switches, nothing more than that. They are working in this way at present but since the IOS upgrade I can't ping the router IPs from the workstation connected to VLAN2, even though there shouldn't be anything stopping it (packets should go in FastEthernet 1/1, then out FastEthernet 1/0 to the existing switch, and from there back to the Cisco switch (FastEthernet 0/0)).
Thanks,
- Rob.
12-22-2010 02:06 AM
Hi Rob,
> I can't ping the router IPs from the workstation connected to VLAN2,
If int vlan 2 has no ip add it won't work.
Regards.
Alain.
12-22-2010 02:19 AM
Hi Alain,
Ok. Thanks.
Why is it that I can ping anything else on the network though?
The setup is pretty simple, just in case I wasn't clear:
Cisco 2651XM has IP 10.92.184.1 on FastEthernet 0/0
Also has the NM-ESW-16 module installed (FastEthernet 1/0 - 15)
The ESW module is basically split in half, ie. ports Fa1/0 - 1/7 are in VLAN 1, the rest in VLAN 2 (VLAN 2 is currently unused).
A separate switch is connected to the Cisco 2651XM's FastEthernet 0/0 port and also FastEthernet 1/0.
A workstation is plugged into FastEthernet 1/1
The workstation can ping everything on the network except the IP of FastEthernet 0/0.
Is that what you would really expect, and if so, why?
Thanks,
- Rob.
12-22-2010 02:36 AM
Hi,
> A separate switch is connected to the Cisco 2651XM's FastEthernet 0/0 port and also FastEthernet 1/0
OK, so the workstation is in vlan1, but on your router you have got no int vlan1 ip address, so it can't work.
Because your router needs the MAC address of your machine to answer back, and so to do ARP requests you need a L3 interface, as your machine is not directly connected to f0/0.
> Why is it that I can ping anything else on the network though?
What do you mean by that?
12-22-2010 03:16 AM
Hi Alain,
I'm not sure if you're understanding the problem I'm having here or not, so I've tried to describe how I think it should work. Maybe you can tell me where I'm wrong, but please don't tell me it's because I don't have an IP assigned to the vlan interface, because although that may be the problem, it doesn't make sense, because I'm not trying to ping an interface on the NM-ESW-16 module, or a VLAN associated with it.
What I mean by "Why is it that I can ping anything else on the network though?" is exactly that. From the workstation I can ping various other machines on the network without a problem.
There is a path from the workstation to the rest of the network. This is via VLAN 2, because VLAN 2 is connected to our main network switch via port FastEthernet 1/0. Connected to the main switch is the router's FastEthernet 0/0, which has IP 10.92.184.1.
I can, from the workstation, ping other IPs on our 10.92.184.xxx network, these machines are connected to the main network switch.
So, the path from the workstation (10.92.184.28) to the router's FastEthernet 0/0 interface (10.92.184.1) is:
1. Packet originates at workstation, goes to the NM-ESW-16 (FastEthernet 1/1).
2. (I think) The NM-ESW-16 should switch the packet, which should find its way out via FastEthernet 1/0.
3. The main network switch (an IBM switch) will now receive the packet on one of its ports, since the FastEthernet 1/0 port is plugged into a port on the IBM switch.
4. As the router's FastEthernet 0/0 port (10.92.184.1) is also connected to a port on the IBM switch, the IBM switch will send the packet to the router's FastEthernet 0/0 port.
5. The router will respond to the packet (e.g. ICMP echo reply) and then the whole process is repeated again in reverse to get the packet back to the sender (the workstation).
On the IBM switch there are various other servers and network gear. There are servers on 10.92.184.2, .3 and .4. I can ping any of those IPs from the workstation without a problem and from these servers I can ping the router (10.92.184.1) as well.
So, pinging 10.92.184.2 from the workstation works, this is the path the packets take:
Workstation -> NM-ESW-16 -> IBM Switch -> Server (10.92.184.2)
But this doesn't work:
Workstation -> NM-ESW-16 -> IBM Switch -> c2651xm FastEthernet 0/0 (10.92.184.1)
And that is my problem - I don't understand why this doesn't work. The packet (or maybe ARP) is getting dropped somewhere. Worse, it used to work as I expected on IOS 12.4(8).
Thanks,
- Rob.
12-22-2010 03:46 AM
Hi Rob,
> Maybe you can tell me where I'm wrong, but please don't tell me it's because I don't have an IP assigned to the vlan interface, because although that may be the problem, it doesn't make sense, because I'm not trying to ping an interface on the NM-ESW-16 module, or a VLAN associated with it.
If you wanted to ping an interface on switch module you would have to put that port as a L3 with no switchport command and then assign ip address.
If you want to ping a stationA in vlan 1 from a stationB in vlan 1 then you are just doing L2 in your module, station B replies to stationA arp requests.
But now I hadn't understood your topology, can you clarify things for me please.
Your workstation 10.92.184.28 is on f1/1 which is in vlan 1? Then f1/0 is an access port in vlan 2 connected to IBM switch port also in vlan2?
Your machines .2 to .4 on IBM switch are in vlan2? And the port from IBM switch to f0/0 on router 10.92.184.1 is an access port in which vlan?
Regards.
Alain.
12-22-2010 04:05 AM
Hi Alain,
> If you wanted to ping an interface on switch module you would have to put that port as a L3 with no switchport command and then assign ip address.
> If you want to ping a stationA in vlan 1 from a stationB in vlan 1 then you are just doing L2 in your module, station B replies to stationA arp requests.
In theory, that's right.
> But now I hadn't understood your topology, can you clarify things for me please.
Sure!
> Your workstation 10.92.184.28 is on f1/1 which is in vlan 1? Then f1/0 is an access port in vlan 2 connected to IBM switch port also in vlan2?
Nope. The workstation is on f1/1 which is VLAN 2. This is how the
NM-ESW-16 is split up:
In the 2651xm, the NM-ESW-16 is FastEthernet 1/0 - 1/15
VLAN1 = Not used, forget about it.
VLAN2 = NM-ESW-16, ports 0 to 7.
VLAN3 = NM-ESW-16, ports 8 - 15 (these ports are not used, don't worry
about this vlan).
> Your machines .2 to .4 on IBM switch are in vlan2? And the port from IBM switch to f0/0 on router 10.92.184.1 is an access port in which vlan?
The router port (f0/0) isn't in a VLAN.
I am only using port-based VLANs, not trying to use tagged VLANs. The
only place VLANs are used is on the NM-ESW-16, they are (I believe)
port-based VLANs, there is no VLAN tagging going on anywhere except
maybe in the NM-ESW-16 module. There are no VLANs on the IBM switch,
workstation or servers.
All I'm trying to do is use the NM-ESW-16 as if it were two 8-port
"dumb" switches - the $20 type you get at a normal computer shop.
Does that clarify things?
Thanks for your patience,
- Rob.
12-22-2010 04:16 AM
Hi,
OK, it's clearer now.
Can you do a sh ip arp to see if your router has mapping for your workstation?
If not, can you do debug arp as well as debug ip packet?
If ARP is unsuccessful and debug ip packet tells encapsulation failed, then can you try again with giving int vlan 2 an ip address (I know you don't want to, but just to verify).
Regards.
Alain.
12-22-2010 04:29 AM
Hi Alain,
I will try these things as soon as I can.
Unfortunately I don't have physical access to this network without
getting permission first, so I'll request to go in and do some more
tests and report back. It could take a few days or more (thanks to
Christmas) for me to get back in there.
The idea of all of this is to get me happy that the switch module is
working like a couple of dumb switches, and once I'm happy with it I am
going to de-commission the IBM switch and use the NM-ESW instead. The
goal of this is to minimize the amount of equipment in the rack.
If assigning an IP to VLAN 2 works then I might just stop using the
router's built-in ethernet ports and use the switch ports only, which I
hope will work, and in that case I would assign an IP to VLAN 2.
Thanks very much for your help so far. This is the first time I've used
these forums and your help has been better and more helpful than even
Cisco's TAC (when I've used it in the past).
- Rob.
12-25-2010 09:28 PM
Hey Robert,
Apart from that there are a couple of things which you can do to make sure that the packet is actually making it to the router or not. You can use IP Export to figure out the entry of the packet into the router port. Here is a reference link for the same (this is equivalent to SPAN on switches).
https://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1051294
Alternatively you can also use an access list to debug the ICMP requests from the host towards the router.
thanks
PD
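The ARP and access-list checks suggested in the replies above, collected as one IOS session on the 2651XM. This is an added example, not commands posted by anyone in the thread; ACL number 199 is an arbitrary choice, and the two addresses are the workstation and FastEthernet 0/0 addresses given earlier in the thread.

```cisco
! Added example (not from the thread). ACL 199 is an arbitrary, assumed-unused number.
! Match only ICMP between the workstation and the router's Fa0/0 address,
! in both directions, so the debug output stays limited to the failing ping.
configure terminal
 access-list 199 permit icmp host 10.92.184.28 host 10.92.184.1
 access-list 199 permit icmp host 10.92.184.1 host 10.92.184.28
 end
!
! Needed only when connected over telnet/SSH rather than the console,
! so that debug messages are shown in this session.
terminal monitor
!
! 1. Does the router hold an ARP entry for the workstation, and on which interface?
show ip arp 10.92.184.28
!
! 2. Watch ARP requests/replies while the workstation pings 10.92.184.1.
debug arp
!
! 3. Watch the ICMP packets themselves, restricted to ACL 199.
!    Running "debug ip packet" without an ACL on a router carrying traffic
!    can generate enough output to make it unresponsive.
debug ip packet 199 detail
!
! ... start the ping from the workstation now and read the output ...
!
! 4. Counters on the ACL entries show whether any matching packet was seen.
show access-lists 199
!
! 5. Clean up: stop all debugging and remove the temporary ACL.
undebug all
configure terminal
 no access-list 199
 end
```

If the echo requests never show up in step 3, the traffic is not reaching the router's IP layer at all; if they show up but the ARP lookup in steps 1 and 2 fails, the reply is what is being lost.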