
Inter VLAN routing

rmcoombe
Level 1

Hi guys

I am hoping someone with a bit more knowledge can help me out here. 

I have two Cisco Catalyst 3850s which are used at work. It wasn't set up by me, just something I've inherited. It was set up by a previous employee who we don't have contact details for. I have some basic Cisco knowledge but not much.

 

We have several VLANs on there; the only two in question are VLAN500 and VLAN13. VLAN500 is our "main" VLAN. I cannot access resources on VLAN13, nor can I ping the VLAN interface. Below is my show run (minus the 96 ports as it is repetitive) and show vlan brief.

 

If I plug into the 3 ports in VLAN13 I can access the sources on that network, namely some IPTV sources. But I cannot from any other port. 

 

If anyone can see something I'm missing I'd be hugely grateful. If you need any more information from me then let me know.  

 

Thanks in advance

 

Ross

 

SHOW RUN

Current configuration : 18703 bytes
!
! Last configuration change at 18:47:43 UTC Thu Apr 8 2021
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname UK-rt-coresw-01
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5
!
no aaa new-model
switch 1 provision ws-c3850-48p
switch 2 provision ws-c3850-48p
!
!
!
!
ip routing
!
ip multicast-routing
ip dhcp excluded-address 172.16.10.0 172.16.10.50
!
ip dhcp pool VLAN500
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
dns-server 172.16.10.250 172.16.4.30
domain-name bie-uk.com
lease 24
!
!
!
ip igmp snooping querier
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-458627640
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-458627640
revocation-check none
rsakeypair TP-self-signed-458627640
!
!
crypto pki certificate chain TP-self-signed-458627640
certificate self-signed 01
quit
!
!
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!

!
redundancy
mode sso
!
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, Gold Pkt, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-system-critical
description System Critical
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
interface Vlan1
no ip address
shutdown
!
interface Vlan13
description 'IPTV'
ip address 10.105.170.253 255.255.255.0
ip pim sparse-dense-mode
!
interface Vlan14
description NewIPTV
ip address 10.105.172.253 255.255.255.0
ip pim sparse-dense-mode
!
interface Vlan120
ip address 192.168.20.1 255.255.255.0
!
interface Vlan130
ip address 192.168.30.1 255.255.255.0
!
interface Vlan500
ip address 172.16.10.2 255.255.255.0
ip helper-address 172.16.10.2
ip pim sparse-dense-mode
!
ip default-gateway 172.16.10.2
ip forward-protocol nd
ip pim rp-address 10.105.170.253
ip pim autorp listener
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.10.1
!
!
ip access-list standard acl_iptv
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
password
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password
login local
line vty 5 15
password
login local
!
!
mac address-table notification mac-move
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

 

Show VLAN Brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/17, Gi1/0/47, Gi2/0/47
10 Mar active Gi1/0/1, Gi1/0/2, Gi2/0/1
Gi2/0/2
11 MAT active Gi1/0/3, Gi1/0/4, Gi2/0/3
Gi2/0/4
12 IC active Gi1/0/35, Gi1/0/36, Gi1/0/37
Gi1/0/38, Gi1/0/39, Gi1/0/40
Gi1/0/41, Gi1/0/42, Gi1/0/43
Gi1/0/44, Gi1/0/45, Gi1/0/46
Gi2/0/35, Gi2/0/36, Gi2/0/37
Gi2/0/38, Gi2/0/39, Gi2/0/40
Gi2/0/41, Gi2/0/42, Gi2/0/43
Gi2/0/44, Gi2/0/45, Gi2/0/46
13 VLAN0013 active Gi1/0/11, Gi1/0/12, Gi1/0/13
148 VLAN0148 active
500 VLAN0500 active Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/21, Gi1/0/22, Gi1/0/23
Gi1/0/24, Gi1/0/25, Gi1/0/26
Gi1/0/27, Gi1/0/28, Gi1/0/29
Gi1/0/30, Gi1/0/31, Gi1/0/32
Gi1/0/33, Gi1/0/34, Gi2/0/5

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
Gi2/0/6, Gi2/0/7, Gi2/0/8
Gi2/0/9, Gi2/0/10, Gi2/0/11
Gi2/0/12, Gi2/0/13, Gi2/0/14
Gi2/0/15, Gi2/0/16, Gi2/0/17
Gi2/0/18, Gi2/0/19, Gi2/0/20
Gi2/0/21, Gi2/0/22, Gi2/0/23
Gi2/0/24, Gi2/0/25, Gi2/0/26
Gi2/0/27, Gi2/0/28, Gi2/0/29
Gi2/0/30, Gi2/0/31, Gi2/0/32
Gi2/0/33, Gi2/0/34
510 VLAN0510 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

 

3 Replies

Giuseppe Larosa
Hall of Fame

Hello @rmcoombe,

I don't see anything in the provided configuration that can block traffic to or from VLAN 13.

 

What is the ACL

>>ip access-list standard acl_iptv

 

How is it configured and where is it applied?

 

My first guess was that VLAN 13 could be in a separate VRF / routing table but it is not so.

If you have ACL applied to interface vlan 13 or interface vlan 500 you should provide them.

 

You have a stack made of two Cat3850s.

 

Be aware that

show vlan brief will show the access ports on each VLAN

 

to have a complete scenario you need also

show interface trunk

 

to see what interfaces are trunk and what VLANS are allowed and in STP forwarding state in each of them

 

Note:

the command

>> ip igmp snooping querier

is not needed, as your device is running PIM and multicast routing on several VLANs. This can be removed:

 

conf t

no ip igmp snooping querier

 

Hope to help

Giuseppe

 

rmcoombe
Level 1

Hi Giuseppe

Thanks for your quick response and your detailed help. I really appreciate it. 

This is the result of show interface trunk....

 

Port Mode Encapsulation Status Native vlan
Gi1/0/48 on 802.1q trunking 1
Gi2/0/48 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi1/0/48 1-4094
Gi2/0/48 1-4094

Port Vlans allowed and active in management domain
Gi1/0/48 1,10-13,148,500,510
Gi2/0/48 1,10-13,148,500,510

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/48 1,10-13,148,500,510
Gi2/0/48 1,10-13,148,500,510

 

Is there a command I can run to show where the ACL is applied and what it is doing/blocking?

 

Thanks again

Ross

 

Hello,

if you don't see a line like

ip access-group <number or name>  in  ( or out)

 

under

show run int vlan 13

 

show run int vlan 500

 

I think there are no ACLs involved

 

Hope to help

Giuseppe
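
The check described in the reply above (look for `ip access-group` under each interface), applied to a whole saved running-config at once. This is an added example, not code from anyone in the thread: it lists every ACL binding, named ACLs that are defined but never applied (as `acl_iptv` appears to be here), and bindings that reference an ACL that is not defined. The sample config is constructed from lines posted in the thread, and the `acl_missing` binding is hypothetical.

```python
import re

# Constructed sample: trimmed from the running-config posted in this thread,
# plus one hypothetical binding (acl_missing) to show the dangling-reference case.
SAMPLE_CONFIG = """\
interface Vlan13
 ip address 10.105.170.253 255.255.255.0
!
interface Vlan14
 ip address 10.105.172.253 255.255.255.0
 ip access-group acl_missing in
!
interface Vlan500
 ip address 172.16.10.2 255.255.255.0
!
ip access-list standard acl_iptv
!
"""

# Only named ACLs are tracked; numbered "access-list N ..." lines are not parsed.
IFACE = re.compile(r"^interface\s+(\S+)")
BIND = re.compile(r"^ip access-group\s+(\S+)\s+(in|out)\b")
ACL = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
ENTRY = re.compile(r"^(?:\d+\s+)?(?:permit|deny)\b")

def audit_acls(config):
    """Return (bindings, defined, unapplied, dangling) for an IOS config."""
    bindings, defined = [], {}
    iface = acl = None
    for raw in config.splitlines():
        line = raw.strip()          # works on indented or flattened configs
        if line == "!":
            iface = acl = None      # "!" ends the current stanza
        elif m := IFACE.match(line):
            iface, acl = m.group(1), None
        elif m := ACL.match(line):
            acl, iface = m.group(1), None
            defined.setdefault(acl, 0)
        elif iface and (m := BIND.match(line)):
            bindings.append((iface, m.group(1), m.group(2)))
        elif acl and ENTRY.match(line):
            defined[acl] += 1       # count permit/deny entries per ACL
    applied = {name for _, name, _ in bindings}
    unapplied = sorted(set(defined) - applied)
    dangling = sorted(applied - set(defined))
    return bindings, defined, unapplied, dangling

if __name__ == "__main__":
    print(audit_acls(SAMPLE_CONFIG))
```

An ACL with an entry count of 0 and no binding, like `acl_iptv` in the sample, is not filtering anything and points the troubleshooting elsewhere.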

 
