02-29-2016 11:00 AM - edited 03-08-2019 04:46 AM
Dear Friends,
Please help me soon.
I have two Cisco 4500 x Switches running on VSS
I have a stack connected on the 1/1/4, 2/1/4 port channel.
The 4500 X is connected to the Fortinet firewall & have added the reverse routes too. (FW inside IP: 10.18.1.10)
VSS IP : VLAN 10 : 10.18.1.7
Stack : VLAN 2: 10.18.2.0,
A client is connected on int gi1/0/1 of the stack with ip 10.18.2.100 & 2.1 as GW and it is not getting the internet.
But if I move the same interface to vlan 10 & ip as 10.18.1.160 & 7.1 as gateway, client is able to get the internet.
I am thinking that inter vlan routing is not working properly.
Below is the configuration :
nhsmvdlcoresw#sh run
Building configuration...
Current configuration : 8485 bytes
!
! Last configuration change at 03:02:21 UTC Sun Feb 7 2016
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname nhsmvdlcoresw
!
boot-start-marker
boot system flash bootflash:cat4500e-universal.SPA.03.07.02.E.152-3.E2.bin
boot-end-marker
!
!
vrf definition mgmtVrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$lg08$pQEEmN/BWV5aOJmjqcIId.
!
username Admin secret 5 $1$vK2t$iii7DpYk033gbpwIZxV4z/
no aaa new-model
!
switch virtual domain 1
 switch mode virtual
 mac-address use-virtual
!
!
!
!
!
!
!
ip vrf Liin-vrf
!
ip dhcp excluded-address 10.8.2.0 10.18.2.25
ip dhcp excluded-address 10.8.3.0 10.18.3.25
ip dhcp excluded-address 10.8.4.0 10.18.4.25
ip dhcp excluded-address 10.8.5.0 10.18.5.25
ip dhcp excluded-address 10.8.6.0 10.18.6.25
!
ip dhcp pool GF-USER
 network 10.18.2.0 255.255.255.0
 default-router 10.18.2.1 
 dns-server 8.8.8.8 
!
ip dhcp pool 1F-USER
 network 10.18.3.0 255.255.255.0
 default-router 10.18.3.1 
 dns-server 8.8.8.8 
!
ip dhcp pool 2F-USER
 network 10.18.4.0 255.255.255.0
 default-router 10.18.4.1 
 dns-server 8.8.8.8 
!
ip dhcp pool 3F-USER
 network 10.18.5.0 255.255.255.0
 default-router 10.18.5.1 
 dns-server 8.8.8.8 
!
ip dhcp pool IT
 network 10.18.6.0 255.255.255.0
 default-router 10.18.6.1 
 dns-server 8.8.8.8 
!
!
vtp mode transparent
!
power redundancy-mode redundant
!
mac access-list extended VSL-BPDU
 permit any 0180.c200.0000 0000.0000.0003
mac access-list extended VSL-CDP
 permit any host 0100.0ccc.cccc
mac access-list extended VSL-DOT1x
 permit any any 0x888E
mac access-list extended VSL-GARP
 permit any host 0180.c200.0020
mac access-list extended VSL-LLDP
 permit any host 0180.c200.000e
mac access-list extended VSL-MGMT
 permit any 0022.bdcd.d200 0000.0000.00ff
 permit 0022.bdcd.d200 0000.0000.00ff any
mac access-list extended VSL-SSTP
 permit any host 0100.0ccc.cccd
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
vlan internal allocation policy ascending
!
vlan 2-6,10 
!
!
class-map match-any VSL-MGMT-PACKETS
 match access-group name VSL-MGMT
class-map match-any VSL-DATA-PACKETS
 match any 
class-map match-any VSL-L2-CONTROL-PACKETS
 match access-group name VSL-DOT1x
 match access-group name VSL-BPDU
 match access-group name VSL-CDP
 match access-group name VSL-LLDP
 match access-group name VSL-SSTP
 match access-group name VSL-GARP
class-map match-any VSL-L3-CONTROL-PACKETS
 match access-group name VSL-IPV4-ROUTING
 match access-group name VSL-BFD
 match access-group name VSL-DHCP-CLIENT-TO-SERVER
 match access-group name VSL-DHCP-SERVER-TO-CLIENT
 match access-group name VSL-DHCP-SERVER-TO-SERVER
 match access-group name VSL-IPV6-ROUTING
class-map match-any VSL-MULTIMEDIA-TRAFFIC
 match dscp af41 
 match dscp af42 
 match dscp af43 
 match dscp af31 
 match dscp af32 
 match dscp af33 
 match dscp af21 
 match dscp af22 
 match dscp af23 
class-map match-any VSL-VOICE-VIDEO-TRAFFIC
 match dscp ef 
 match dscp cs4 
 match dscp cs5 
class-map match-any VSL-SIGNALING-NETWORK-MGMT
 match dscp cs2 
 match dscp cs3 
 match dscp cs6 
 match dscp cs7 
!
policy-map VSL-Queuing-Policy
 class VSL-MGMT-PACKETS
 bandwidth percent 5 
 class VSL-L2-CONTROL-PACKETS
 bandwidth percent 5 
 class VSL-L3-CONTROL-PACKETS
 bandwidth percent 5 
 class VSL-VOICE-VIDEO-TRAFFIC
 bandwidth percent 30 
 class VSL-SIGNALING-NETWORK-MGMT
 bandwidth percent 10 
 class VSL-MULTIMEDIA-TRAFFIC
 bandwidth percent 20 
 class VSL-DATA-PACKETS
 bandwidth percent 20 
 class class-default
 bandwidth percent 5 
!
!
!
!
!
!
!
interface Port-channel1
 description uplink-stack1
 switchport
 switchport mode trunk
!
interface Port-channel2
 description uplink-stack2
 switchport
 switchport mode trunk
!
interface Port-channel3
 description uplink-stack3
 switchport
 switchport mode trunk
!
interface Port-channel4
 description uplink-stack4
 switchport
 switchport mode trunk
!
interface Port-channel5
 description uplink-stack5
 switchport
 switchport mode trunk
!
interface Port-channel6
 description uplink-stack6
 switchport
 switchport mode trunk
!
interface Port-channel7
 description uplink-stack7
 switchport
 switchport mode trunk
!
interface Port-channel8
 description uplink-stack8
 switchport
 switchport mode trunk
!
interface Port-channel9
 description uplink-stack9
 switchport
 switchport mode trunk
!
interface Port-channel100
 switchport
 switch virtual link 1
!
interface Port-channel101
 switchport
 switch virtual link 2
!
interface FastEthernet1
 vrf forwarding mgmtVrf
 no ip address
 speed auto
 duplex auto
!
interface TenGigabitEthernet1/1/1
 channel-group 1 mode on
!
interface TenGigabitEthernet1/1/2
 channel-group 2 mode on
!
interface TenGigabitEthernet1/1/3
 channel-group 3 mode on
!
interface TenGigabitEthernet1/1/4
 channel-group 4 mode on
!
interface TenGigabitEthernet1/1/5
 channel-group 5 mode on
!
interface TenGigabitEthernet1/1/6
 channel-group 6 mode on
!
interface TenGigabitEthernet1/1/7
 channel-group 7 mode on
!
interface TenGigabitEthernet1/1/8
 channel-group 8 mode on
!
interface TenGigabitEthernet1/1/9
 channel-group 9 mode on
!
interface TenGigabitEthernet1/1/10
 description uplink-stack10
 switchport mode trunk
!
interface TenGigabitEthernet1/1/11
 description nhsmvdIPDGF2
 switchport mode trunk
!
interface TenGigabitEthernet1/1/12
 description uplink-wlc
 switchport mode trunk
!
interface TenGigabitEthernet1/1/13
 switchport access vlan 10
 switchport mode access
!
interface TenGigabitEthernet1/1/14
 switchport access vlan 10
 switchport mode access
!
interface TenGigabitEthernet1/1/15
 no lldp transmit
 no lldp receive
 channel-group 100 mode on
 service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/1/16
 no lldp transmit
 no lldp receive
 channel-group 100 mode on
 service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet2/1/1
 channel-group 1 mode on
!
interface TenGigabitEthernet2/1/2
 channel-group 2 mode on
!
interface TenGigabitEthernet2/1/3
 channel-group 3 mode on
!
interface TenGigabitEthernet2/1/4
 channel-group 4 mode on
!
interface TenGigabitEthernet2/1/5
 channel-group 5 mode on
!
interface TenGigabitEthernet2/1/6
 channel-group 6 mode on
!
interface TenGigabitEthernet2/1/7
 channel-group 7 mode on
!
interface TenGigabitEthernet2/1/8
 channel-group 8 mode on
!
interface TenGigabitEthernet2/1/9
 channel-group 9 mode on
!
interface TenGigabitEthernet2/1/10
 description nhsmvdIPDSF2
 switchport mode trunk
!
interface TenGigabitEthernet2/1/11
 description nhsmvdIOPDSF2
 switchport mode trunk
!
interface TenGigabitEthernet2/1/12
 description nhsmvdIOPDFF2
 switchport mode trunk
!
interface TenGigabitEthernet2/1/13
 switchport access vlan 10
 switchport mode access
!
interface TenGigabitEthernet2/1/14
 switchport access vlan 10
 switchport mode access
!
interface TenGigabitEthernet2/1/15
 no lldp transmit
 no lldp receive
 channel-group 101 mode on
 service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet2/1/16
 no lldp transmit
 no lldp receive
 channel-group 101 mode on
 service-policy output VSL-Queuing-Policy
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.18.2.1 255.255.255.0
!
interface Vlan3
 ip address 10.18.3.1 255.255.255.0
!
interface Vlan4
 ip address 10.18.4.1 255.255.255.0
!
interface Vlan5
 ip address 10.18.5.1 255.255.255.0
!
interface Vlan6
 ip address 10.18.6.1 255.255.255.0
!
interface Vlan10
 ip address 10.18.1.7 255.255.255.0
!
ip forward-protocol nd
no ip http server
!
ip route 0.0.0.0 0.0.0.0 10.18.1.9
!
ip access-list extended VSL-BFD
 permit udp any any eq 3784
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
 permit udp any eq bootpc any eq bootps
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
 permit udp any eq bootps any eq bootpc
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
 permit udp any eq bootps any eq bootps
ip access-list extended VSL-IPV4-ROUTING
 permit ip any 224.0.0.0 0.0.0.255
!
!
!
!
ipv6 access-list VSL-IPV6-ROUTING
 permit ipv6 any FF02::/124
!
!
line con 0
 stopbits 1
line vty 0 4
 login local
 transport input all
!
!
module provision switch 1
 chassis-type 70 base-mac CC46.D6F3.3780
 slot 1 slot-type 401 base-mac CC46.D6F3.3780
 !
module provision switch 2
 chassis-type 70 base-mac CC46.D6F3.4D00
 slot 1 slot-type 401 base-mac CC46.D6F3.4D00
 
!
!
end
nhsmvdlcoresw#
02-29-2016 11:06 AM
Really surprised, I wasn't able to find the ip routing command...in the configuration file.
nhsmvdlcoresw#sh license detail
Index: 1 Feature: entservices Version: 1.0
 License Type: Permanent
 License State: Active, In Use
 License Count: Non-Counted
 License Priority: Medium
 Store Index: 0
 Store Name: Primary License Storage
Index: 2 Feature: entservices Version: 1.0
 License Type: Evaluation
 Evaluation total period: 8 weeks 4 days
 Evaluation period left: 8 weeks 4 days
 License State: Inactive
 License Count: Non-Counted
 License Priority: None
 Store Index: 0
 Store Name: Dynamic Evaluation License Storage
Index: 3 Feature: entservices Version: 1.0
 License Type: PermanentRightToUse
 License State: Inactive
 License Count: Non-Counted
 Store Index: 1
 Store Name: Dynamic Evaluation License Storage
Index: 4 Feature: ipbase Version: 1.0
 License Type: Evaluation
 Evaluation total period: 8 weeks 4 days
 Evaluation period left: 8 weeks 4 days
 License State: Active, Not in Use, EULA not accepted
 License Count: Non-Counted
 License Priority: None
 Store Index: 2
 Store Name: Dynamic Evaluation License Storage
Index: 5 Feature: ipbase Version: 1.0
 License Type: PermanentRightToUse
 License State: Inactive
 License Count: Non-Counted
 Store Index: 3
 Store Name: Dynamic Evaluation License Storage
Index: 6 Feature: lanbase Version: 1.0
 License Type: PermanentRightToUse
 License State: Active, Not in Use, EULA not accepted
 License Count: Non-Counted
 Store Index: 4
 Store Name: Dynamic Evaluation License Storage
nhsmvdlcoresw#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet1 unassigned YES unset down down
Te1/1/1 unassigned YES unset down down
Te1/1/2 unassigned YES unset down down
Te1/1/3 unassigned YES unset down down
Te1/1/4 unassigned YES unset up up
Te1/1/5 unassigned YES unset up up
Te1/1/6 unassigned YES unset down down
Te1/1/7 unassigned YES unset down down
Te1/1/8 unassigned YES unset down down
Te1/1/9 unassigned YES unset down down
Te1/1/10 unassigned YES unset down down
Te1/1/11 unassigned YES unset down down
Te1/1/12 unassigned YES unset down down
Te1/1/13 unassigned YES unset down down
Te1/1/14 unassigned YES unset up up
Te1/1/15 unassigned YES unset down down
Te1/1/16 unassigned YES unset down down
Te2/1/1 unassigned YES unset down down
Te2/1/2 unassigned YES unset down down
Te2/1/3 unassigned YES unset down down
Te2/1/4 unassigned YES unset down down
Te2/1/5 unassigned YES unset down down
Te2/1/6 unassigned YES unset down down
Te2/1/7 unassigned YES unset down down
Te2/1/8 unassigned YES unset down down
Te2/1/9 unassigned YES unset down down
Te2/1/10 unassigned YES unset down down
Te2/1/11 unassigned YES unset down down
Te2/1/12 unassigned YES unset down down
Te2/1/13 unassigned YES unset down down
Te2/1/14 unassigned YES unset down down
Te2/1/15 unassigned YES unset down down
Te2/1/16 unassigned YES unset down down
Port-channel1 unassigned YES unset down down
Port-channel2 unassigned YES unset down down
Port-channel3 unassigned YES unset down down
Port-channel4 unassigned YES unset up up
Port-channel5 unassigned YES unset up up
Port-channel6 unassigned YES unset down down
Port-channel7 unassigned YES unset down down
Port-channel8 unassigned YES unset down down
Port-channel9 unassigned YES unset down down
Port-channel100 unassigned YES unset down down
Port-channel101 unassigned YES unset down down
Vlan1 unassigned YES unset up up
Vlan2 10.18.2.1 YES NVRAM up up
Vlan3 10.18.3.1 YES NVRAM up up
Vlan4 10.18.4.1 YES NVRAM up up
Vlan5 10.18.5.1 YES NVRAM up up
Vlan6 10.18.6.1 YES NVRAM up up
Vlan10 10.18.1.7 YES NVRAM up up
02-29-2016 11:42 AM
What route did you enter on the firewall ?
Have you setup NAT on the firewall for that subnet ?
Jon
02-29-2016 05:46 PM
I have added reverse routes on the firewall to the internal networks, pointing to their gateways:
10.18.1.0/24 pointing to 10.18.1.7
10.18.2.0/24 pointing to 10.18.2.1
10.18.3.0/24 pointing to 10.18.3.1
10.18.4.0/24 pointing to 10.18.4.1
10.18.5.0/24 pointing to 10.18.5.1
10.18.6.0/24 pointing to 10.18.6.1
02-29-2016 05:48 PM
yes NAT is done for all the subnets......I am not able to find ip routing command on the switch configuration mentioned above.
03-01-2016 06:33 AM
With a 4500 routing is enabled by default.
The routes you have added to the firewall are wrong.
All the routes should have 10.18.1.7 as the next hop IP because that is the subnet the firewall is on.
Jon
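The next-hop rule from the reply above, as an added example that is not part of the original thread: it audits the routes first entered on the firewall and rewrites them so each next hop sits on a subnet the firewall is directly attached to. The /24 mask on the firewall's inside interface is an assumption taken from the switch's Vlan10 mask, and the function names are hypothetical.

```python
import ipaddress

# Addresses from the thread; the firewall's /24 mask is an assumption.
FW_CONNECTED = [ipaddress.ip_interface("10.18.1.10/24")]
CORE_SVI = "10.18.1.7"  # Vlan10 address of the VSS pair

# Routes as first entered on the firewall (prefix, next hop).
POSTED_ROUTES = [
    ("10.18.1.0/24", "10.18.1.7"),
    ("10.18.2.0/24", "10.18.2.1"),
    ("10.18.3.0/24", "10.18.3.1"),
    ("10.18.4.0/24", "10.18.4.1"),
    ("10.18.5.0/24", "10.18.5.1"),
    ("10.18.6.0/24", "10.18.6.1"),
]

def classify(prefix, next_hop, connected):
    """Judge one static route against the device's connected interfaces."""
    net = ipaddress.ip_network(prefix)
    hop = ipaddress.ip_address(next_hop)
    if any(hop == i.ip for i in connected):
        return "next-hop-is-self"
    if any(net == i.network for i in connected):
        return "redundant-connected"   # prefix is already directly attached
    if any(hop in i.network for i in connected):
        return "ok"                    # next hop can be resolved with ARP
    return "unreachable-next-hop"      # next hop lies behind the route itself

def audit(routes, connected=FW_CONNECTED):
    return {prefix: classify(prefix, hop, connected) for prefix, hop in routes}

def corrected(routes, gateway=CORE_SVI, connected=FW_CONNECTED):
    """Repoint remote prefixes at the gateway on the shared subnet."""
    fixed = []
    for prefix, hop in routes:
        status = classify(prefix, hop, connected)
        if status == "redundant-connected":
            continue                   # no static route needed for own subnet
        fixed.append((prefix, hop if status == "ok" else gateway))
    return fixed

if __name__ == "__main__":
    for prefix, status in audit(POSTED_ROUTES).items():
        print(f"{prefix:<15} {status}")
    for prefix, hop in corrected(POSTED_ROUTES):
        print(f"route {prefix} via {hop}")
```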
03-02-2016 10:37 AM
Dear Jon,
All the issues were solved....the issue was with the reverse route...
But now another issue has arisen:
the core switch is not able to release the IP from the DHCP pool configured.
But I configured the pool on the stack connected to this core switch & it's able to release the IP...I am thinking it is an IOS bug...
Can you let me know what might be the other reason.
Thanks in advance
Regards,
Gopi G
 
					
				
				
			
		