03-07-2011 08:39 PM - edited 03-06-2019 03:57 PM
Hi all,
I am setting up a new network for my company. It's a small network for 70 people.
For some reason inter-VLAN routing is not behaving correctly. Sometimes you can ping devices in other subnets, other times you cannot. I checked memory, CPU and TCAM, and they all seem all right.
I wonder if I made a mistake in the config. Please see below:
aaa session-id common
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name xxxxxxx.com.au
!
ip dhcp snooping
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,40,50,60 priority 24576
!
vlan internal allocation policy ascending
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
ip address 172.16.1.31 255.255.255.0
ip helper-address 172.16.1.250
!
interface Vlan40
ip address 172.16.40.1 255.255.255.0
ip helper-address 172.16.1.250
ip helper-address 172.16.1.251
!
interface Vlan50
ip address 172.16.50.1 255.255.255.0
!
interface Vlan60
ip address 172.16.60.1 255.255.255.0
ip helper-address 172.16.1.251
ip helper-address 172.16.1.250
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 172.16.40.0 0.0.0.255
network 172.16.60.0 0.0.0.255
auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.42
ip http server
Any help would be much appreciated.
Thanks,
Fabio
03-07-2011 09:31 PM
Fabio
There are some things that you have not told us about your network and if we knew them we might be able to give better advice. For example in the config that you posted all the ports are in the default VLAN 1. But the config contains VLANs 40, 50, 60. What are these VLANs and where are they connected?
Also this config has configured router eigrp. Is there some connected device that is running eigrp?
In addition to explaining the details that I have identified it might be helpful if you would post the output of show ip route.
HTH
Rick
03-08-2011 12:21 AM
Hi Fabio,
Can you show me a "show ip route"?
Without it I can't say anything reliable ;-)
rgds Martin
03-08-2011 12:38 AM
Hi,
Can you post a diagram of your topology as well as explain more precisely what is not working?
How come you have no eigrp routes? Is it normal?
Regards.
Alain.
03-08-2011 01:29 AM
Yes, it's normal, because he is on his layer 3 switch with the locally configured VLAN interfaces, so the VLAN interfaces for VLAN 20, 30 etc. are locally connected.
Can you see the eigrp routes on the other neighbours?
Have you configured to trunk all vlans to the other L2 switches?
Have you already the native vlan 1 active?
Rgds Martin
03-08-2011 01:32 AM
Hi Martin,
Yes, it's normal, because he is on his layer 3 switch with the locally configured VLAN interfaces, so the VLAN interfaces for VLAN 20, 30 etc. are locally connected.
I know that but just wanted to know why we didn't see other eigrp routes.
Regards.
Alain.
03-08-2011 04:49 AM
Fabio
Not having the interfaces configured as trunk would impact the ability to forward traffic to the access switches. As access ports the only vlan and subnet that the switch can get to is vlan 1 and subnet 172.16.1.0. The configured vlan interfaces tell the switch that other vlans and other subnets exist, but the switch does not know where they are or how to forward to them. It would have no ability to tag frames for vlan 40 or 50 or 60 and forward them.
HTH
Rick
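Rick's point above, as an added example (not part of the thread and not Cisco tooling): a Python check that reads an IOS running-config and lists the VLAN interfaces whose VLAN no physical switchport can carry. It assumes a port without "switchport mode trunk" behaves as an access port, as the reply describes, and does not model DTP negotiation; the sample config is constructed from the posted one with the ip address lines omitted.

```python
import re

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands from IOS running-config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line in ("", "!"):
            current = None              # "!" closes the stanza
        elif current is not None:
            current.append(line)
    return interfaces

def expand_vlans(spec):
    """Turn an allowed-VLAN list such as '1,40-42' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def carried_vlans(cmds):
    """VLANs a switchport carries. Assumption: a port without
    'switchport mode trunk' is an access port (DTP is not modelled)."""
    if "switchport mode trunk" in cmds:
        for c in cmds:
            m = re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", c)
            if m:
                return expand_vlans(m.group(1))
        return set(range(1, 4095))      # IOS default: VLANs 1-4094 allowed
    for c in cmds:
        m = re.fullmatch(r"switchport access vlan (\d+)", c)
        if m:
            return {int(m.group(1))}
    return {1}                          # default access VLAN

def stranded_svis(config):
    """SVI VLAN IDs that no physical switchport in this config can carry."""
    ifs = parse_interfaces(config)
    reachable = set()
    for name, cmds in ifs.items():
        if re.match(r"(Fast|Gigabit)Ethernet", name) and "no switchport" not in cmds:
            reachable |= carried_vlans(cmds)
    svis = {int(n[4:]) for n in ifs if re.fullmatch(r"Vlan\d+", n)}
    return sorted(svis - reachable)

# Constructed sample: the posted core config cut down to two ports and the four SVIs.
BEFORE = "".join(f"interface {n}\n!\n" for n in (
    "GigabitEthernet0/1", "GigabitEthernet0/2", "Vlan1", "Vlan40", "Vlan50", "Vlan60"))
TRUNK = " switchport trunk encapsulation dot1q\n switchport mode trunk\n"
AFTER = BEFORE.replace("GigabitEthernet0/1\n", "GigabitEthernet0/1\n" + TRUNK)

if __name__ == "__main__":
    print("before trunk fix:", stranded_svis(BEFORE))
    print("after trunk fix: ", stranded_svis(AFTER))
```

The same check also flags a trunk whose allowed-VLAN list leaves out a VLAN that has an interface on the switch.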
03-08-2011 05:04 AM
Fabio
If it sometimes works and sometimes does not work then it seems to indicate that something in the network is fluctuating. I wonder if it could be a spanning tree issue? Are the access switches connected to both core01 and core02 switches? Is it possible that there is a loop in the network?
Perhaps you could post the output of show cdp neighbor from both core switches? It might also be helpful if you post the output of show interface trunk from both switches.
HTH
Rick
03-08-2011 05:55 AM
Fabio,
I was just reading your post here. Would you be able to post your "sh int trunk" and also your "sh cdp neighbors"? I want to check, if possible, if your vlans are going inside the trunk properly, as well as which is your native vlan. Oh, I almost forgot... also there is one more "sh int
regards,
Thiago
03-08-2011 04:58 PM
Do you have vlans 30, 40, and 50 configured? If so, do you have switchports attached to those vlans? I mean, whatever servers / end-user PCs connected to these switchports?
Regards,
Thiago Henriques
03-08-2011 10:09 PM
Fabio
I am glad that you got it working. I guess that this demonstrates that sometimes, especially with very strange problems, a reboot is a way to fix a problem and get things working.
Thanks for posting back to the forum indicating that you got it to work and what you did to get it to work. It makes the forum more useful when people can read about a problem and can also read what was done that resolved the problem.
HTH
Rick
03-08-2011 12:07 AM
Hi Rick,
Thanks for your reply.
1) ip route is:
Gateway of last resort is 172.16.1.42 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 4 subnets
C 172.16.60.0 is directly connected, Vlan60
C 172.16.50.0 is directly connected, Vlan50
C 172.16.40.0 is directly connected, Vlan40
C 172.16.1.0 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 172.16.1.42
2) VLANS 40, 50 AND 60 are set on 3 2960's and 2 2950's
3) Yes, there are 2 more devices currently running eigrp: the other 3560 and a router, IP address 172.16.1.42
BTW I just noticed that I set the interfaces to trunk only on the access switches.... I just fixed it now on the 3560's:
switchport trunk encapsulation dot1q
switchport mode trunk
I hope this wouldn't cause any problem to the inter-vlan routing... I cannot see how anyway...
Thanks in advance.
Fabio
03-08-2011 03:43 AM
Can you see the eigrp routes on the other neighbours?
Yes
CORE01- sh ip eigrp neighbours
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq Type
(sec) (ms) Cnt Num
4 172.16.1.42 Vl1 14 00:04:47 1 3000 0 23
3 172.16.1.33 Vl1 14 00:04:49 1 4500 0 50
2 172.16.60.3 Vl60 10 00:07:10 1 200 0 47
1 172.16.50.3 Vl50 13 00:07:21 554 3324 0 49
0 172.16.40.3 Vl40 11 00:07:32 344 2064 0 48
CORE02 - sh ip ei neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq Type
(sec) (ms) Cnt Num
5 172.16.1.32 Vl1 12 00:06:54 705 4230 0 55
3 172.16.60.2 Vl60 10 00:09:20 1530 5000 0 54
2 172.16.50.2 Vl50 13 00:09:31 1 200 0 52
0 172.16.40.2 Vl40 14 00:09:42 1 200 0 53
1 172.16.1.42 Vl1 12 00:30:39 1 200 0 22
Have you configured to trunk all vlans to the other L2 switches?
Yes
Have you already the native vlan 1 active?
As far as I know vlan 1 is the native vlan by default.... Is it what you were after?
Thank you very much for your reply...
Cheers,
Fabio
03-08-2011 03:24 AM
Hi Guys,
Thank you very much for getting back to me. Below is the sh ip route command from the three devices running EIGRP
Router - sh ip route:
Gateway of last resort is 220.233.x.x to network 0.0.0.0
172.16.0.0/24 is subnetted, 4 subnets
D 172.16.60.0 [90/28416] via 172.16.1.31, 00:01:53, FastEthernet1/0
[90/28416] via 172.16.1.33, 00:01:53, FastEthernet1/0
D 172.16.50.0 [90/28416] via 172.16.1.33, 00:00:43, FastEthernet1/0
[90/28416] via 172.16.1.31, 00:00:43, FastEthernet1/0
D 172.16.40.0 [90/28416] via 172.16.1.31, 00:02:05, FastEthernet1/0
[90/28416] via 172.16.1.33, 00:02:05, FastEthernet1/0
C 172.16.1.0 is directly connected, FastEthernet1/0
220.233.x.x/30 is subnetted, 1 subnets
C 220.233.x.x is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 220.233.x.x
SW core 01 - sh ip route:
Gateway of last resort is 172.16.1.42 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 4 subnets
C 172.16.60.0 is directly connected, Vlan60
C 172.16.50.0 is directly connected, Vlan50
C 172.16.40.0 is directly connected, Vlan40
C 172.16.1.0 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 172.16.1.42
SW core 01 - running config
Building configuration...
Current configuration : 2834 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
!
!
aaa new-model
aaa authentication login Users_Database local
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
ip dhcp snooping
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,40,50,60 priority 24576
!
vlan internal allocation policy ascending
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/23
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
ip address 172.16.1.31 255.255.255.0
ip helper-address 172.16.1.250
!
interface Vlan40
ip address 172.16.40.1 255.255.255.0
ip helper-address 172.16.1.250
ip helper-address 172.16.1.251
!
interface Vlan50
ip address 172.16.50.1 255.255.255.0
!
interface Vlan60
ip address 172.16.60.1 255.255.255.0
ip helper-address 172.16.1.251
ip helper-address 172.16.1.250
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 172.16.40.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.60.0 0.0.0.255
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.42
ip http server
!
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
exec-timeout 60 0
logging synchronous
login authentication Users_Database
line vty 5 15
exec-timeout 60 0
logging synchronous
login authentication Users_Database
!
ntp server 172.16.1.59
end
SW core 02 - sh ip route
Gateway of last resort is 172.16.1.42 to network 0.0.0.0
172.16.0.0/24 is subnetted, 4 subnets
C 172.16.60.0 is directly connected, Vlan60
C 172.16.50.0 is directly connected, Vlan50
C 172.16.40.0 is directly connected, Vlan40
C 172.16.1.0 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 172.16.1.42
The thing that is doing my head in is the fact that it works for a minute and then it stops working again... e.g. if I am in VLAN 40 and have an IP 172.16.40.101, I can ping VLAN 1's gateway 172.16.1.31, which tells me that traffic is being routed by the switch. Other times I cannot even ping 172.16.1.31.
The same applies with devices in VLAN 1 and 40 (I'm only testing those two VLANs for the moment).
Please help.
03-08-2011 03:58 PM
Hi Rick,
Thank you very much for your reply. I have set all switches with RSTP. I just turned CORE02 off and now I can assure you that there aren't any loops....
CORE01 - sh cdp neig
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
NTCACC01 Gig 0/2 120 S I WS-C2960- Gig 0/4
NTCACC02 Gig 0/1 120 S I WS-C2960- Gig 0/4
NTCACC03 Gig 0/22 120 S I WS-C2960- Gig 0/4
NTCROUTER01 Gig 0/24 127 R 3640 Fas 1/0
CORE01 - sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 1
Gi0/2 on 802.1q trunking 1
Gi0/22 on 802.1q trunking 1
Gi0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi0/1 1-4094
Gi0/2 1-4094
Gi0/22 1-4094
Gi0/24 1-4094
Port Vlans allowed and active in management domain
Gi0/1 1,40,50,60
Gi0/2 1,40,50,60
Gi0/22 1,40,50,60
Gi0/24 1,40,50,60
Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 1,40,50,60
Gi0/2 1,40,50,60
Gi0/22 1,40,50,60
Gi0/24 1,40,50,60
CORE01 - sh ver
Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 18:15 by nachen
Image text-base: 0x00003000, data-base: 0x01100000
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SEE4, RELEASE SOFTWARE (fc1)
NTCCORE01 uptime is 10 minutes
System returned to ROM by power-on
System image file is "flash:c3560-ipbase-mz.122-35.SE5/c3560-ipbase-mz.122-35.SE5.bin"
cisco WS-C3560G-24TS (PowerPC405) processor (revision D0) with 122880K/8184K bytes of memory.
Processor board ID FOC1238W1CP
Last reset from power-on
4 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
--More--
I'll keep CORE02 down to keep things simple for the moment.
Could there be something wrong with the IOS image?
I'm right now on VLAN 40. I can ping VLAN 1 gateway 172.16.1.31
C:\Users\fabiof>ping 172.16.1.31
Pinging 172.16.1.31 with 32 bytes of data:
Reply from 172.16.1.31: bytes=32 time=18ms TTL=255
Reply from 172.16.1.31: bytes=32 time=1ms TTL=255
Reply from 172.16.1.31: bytes=32 time=1ms TTL=255
Reply from 172.16.1.31: bytes=32 time=1ms TTL=255
However, I cannot ping a server IP address 172.16.1.200 from my machine. It times out...
But now from CORE01 it works
NTCCORE01#ping 172.16.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.200, timeout is 2 seconds:
!!!!!
Thanks in advance for your help!
Cheers,
Fabio
03-08-2011 04:06 PM
Hi Thiago,
Thank you very much for your reply. I posted above sh cdp and sh int trunk.
I'm not too sure if this is the command that you were after. The Gig 0/1 int connects to one of the access switches.
NTCCORE01#sh interfaces gigabitEthernet 0/1 swi
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Cheers,
Fabio