Solved: L2 Switch to L3 Switch

jasongr33nway · ‎11-22-2017

I have two 3850s (Stacked) at our DR site. Everything is working fine from our OPS site to our DR site. There are a few more devices we need to add to our DR site and our 3850s are out of INTs. I visited yesterday and trunked a L2 (2960-s) switch to one of the 3850s. My issue is, I cannot pass any traffic from the L2 switch to any of the SVIs on the 3850 unless I create and SVI on the L2 switch for each SVI on the 3850. I thought I would be able to trunk the L2, add vlans and pass traffic over the trunk without creating SVIs on the L2 switch.

3850:
!
interface Vlan1
no ip address
shutdown
!
interface Vlan7
description DR-Hotsite vlan
ip address 10.7.254.1 255.255.0.0
ip helper-address 10.6.240.11
no ip proxy-arp
!
interface Vlan12
description dr-voice-vlan
ip address 10.12.254.1 255.255.0.0
no ip proxy-arp
!
interface Vlan57
description SJ RPA-WAN Vlan 57
ip address 10.5.7.254 255.255.255.0
no ip proxy-arp
!
interface Vlan108
description DR ISCSI Vlan 108
ip address 10.108.254.1 255.255.0.0
no ip proxy-arp
!
interface Vlan109
description DR ISCSI Vlan 109
ip address 10.109.254.1 255.255.0.0
no ip proxy-arp
!
interface Vlan252
description L2_MANAGEMENT_INT
ip address 10.8.252.1 255.255.255.0
!
interface Vlan614
ip address 172.16.188.2 255.255.255.252
no ip proxy-arp

C3850-STACK-DR-M0-1#sh int gi 2/0/23 switchport
Name: Gi2/0/23
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

C3850-STACK-DR-M0-1#sh int trunk

Port        Mode             Encapsulation Status        Native vlan
Gi1/0/14    on               802.1q         trunking      1
Gi1/0/18    on               802.1q         trunking      1
Gi1/0/20    on               802.1q         trunking      1
Gi2/0/19    on               802.1q         trunking      1
Gi2/0/23    on               802.1q         trunking      1
Po1         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/14    614
Gi1/0/18    7,12
Gi1/0/20    7,12,800
Gi2/0/19    7,12,800
Gi2/0/23    1-4094
Po1         7,12,800

Port        Vlans allowed and active in management domain
Gi1/0/14    614
Gi1/0/18    7,12
Gi1/0/20    7,12,800
Gi2/0/19    7,12,800
Gi2/0/23    1,7,10,12,57,108-109,614,800,900
Po1         7,12,800

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/14    614
Gi1/0/18    7,12
Gi1/0/20    7,12,800
Gi2/0/19    7,12,800
Gi2/0/23    1,7,10,12,57,108-109,614,800,900
Po1         7,12,800

2960:

DR_2960-S(config)#do sh int gi 1/0/47 switchport
Name: Gi1/0/47
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

DR_2960-S#sh int trunk

Port        Mode             Encapsulation Status        Native vlan
Gi1/0/47    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/47    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/47    1,7,10,12,57,108-109,252,614,800,900

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/47    1,7,10,12,57,108-109,252,614,800,900

BradEast1 · ‎11-22-2017

Rather than using 10.7.254.4 as your default gateway (unsure what this device is), can you try using 10.7.254.1 (your 3850).

View solution in original post

BradEast1 · ‎11-22-2017

Interesting. Can you verify packets are being sourced from 10.7.254.252 on the 2960 and try again? What does "show ip route" look like from the other side of MPLS?

View solution in original post

Reza Sharifi · ‎11-22-2017

You should not need any IP (SVI) on the layer-2 switch (2960). Just a trunk port from 2960 to the 3850 with all vlans included should be sufficient. The only IP (SVI) you need on the layer-2 switch is a management IP so, you can reach the device. The output you posted looks all correct.

Can you post the output of "sh run int g2/0/3" and "sh run int g1/0/47"

Also, do you have a test device connected to a port on the 2960 and is the vlan configured on that port?

HTH

jasongr33nway · ‎11-22-2017

Reza,

Thanks for the response. That is exactly what I thought but, I am unable to ping any of the SVIs from the L2 switch unless I add an SVI to the L2 switch.

Im going to assume you meant gi 2/0/23

C3850-STACK-DR-M0-1#sh run int gi 2/0/23
Building configuration...

Current configuration : 154 bytes
!
interface GigabitEthernet2/0/23
description TX-AlertLogic-IDS-2 MANAGEMENT
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
end

DR_2960-S#sh run int gi 1/0/47
Building configuration...

Current configuration : 119 bytes
!
interface GigabitEthernet1/0/47
description TRUNK_TO_3750_STACK
switchport mode trunk
switchport nonegotiate
end

Reza Sharifi · ‎11-22-2017

Im going to assume you meant gi 2/0/23

Sorry, that is correct.

What vlan and IP is the end device you are testing with in?

not that this matter in this case, but you don't need "spanning-tree portfast" on a trunk port.

Can you also remove "switchport nonegotiate" from both sides and try again?

HTH

jasongr33nway · ‎11-22-2017

DR_2960-S(config)#no int vlan 12
DR_2960-S(config)#^Z
DR_2960-S#
DR_2960-S#ping
Protocol [ip]:
Target IP address: 10.12.254.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.7.254.252
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.12.254.1, timeout is 2 seconds:
Packet sent with a source address of 10.7.254.252
.....
Success rate is 0 percent (0/5)
DR_2960-S#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DR_2960-S(config)#int vlan 12
DR_2960-S(config-if)#ip address 10.12.254.252 255.255.0.0
DR_2960-S(config-if)#do pin
Protocol [ip]:
Target IP address: 10.12.254.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.7.254.252
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.12.254.1, timeout is 2 seconds:
Packet sent with a source address of 10.7.254.252
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/204/1001 ms
DR_2960-S(config-if)#

BradEast1 · ‎11-22-2017

Do you have a default gateway or default route set on the 2960?

jasongr33nway · ‎11-22-2017

Yes, I can ping internet IPs. I just can't pass any traffic to our internal network. None of the SVIs on the 3850 unless I add that SVI to the 2960 and no access across our MPLS network via the 2960 but, the 3850 has no issue going across our MPLS network.

BradEast1 · ‎11-22-2017

Could you post the entire "show run" output from the 2960?

jasongr33nway · ‎11-22-2017

DR_2960-S#sh run
Building configuration...

Current configuration : 5013 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DR_2960-S
!
boot-start-marker
boot-end-marker
!

no aaa new-model
switch 1 provision ws-c2960s-48fps-l
!
!
ip domain-name
!
!
crypto pki trustpoint TP-self-signed-1919529216
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1919529216
revocation-check none
rsakeypair TP-self-signed-1919529216
!
!
crypto pki certificate chain TP-self-signed-1919529216
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393139 35323932 3136301E 170D3131 30333330 30313239
35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39313935
32393231 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C317 876BCF92 C65915A2 48E1C438 680D815A AA0887B8 3B9232DC 5A7B169C
36180ACF A690ADD6 BA10A7DB 48E652A7 DEE3859A DFA993C6 847E0CEA C52CD8BB
0591CBA4 28B7FB72 2AB6198E A0C5D109 975AEA46 4CB91472 E3D3B8C0 F2339F27
ABE021ED 205124BE 6D29E4A3 C68751A8 6151E3E8 518E2D19 92129F39 30502CCA
4B310203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14B44C65 1F884BC2 550BDABB 7444461E 7AA53ECD 21301D06
03551D0E 04160414 B44C651F 884BC255 0BDABB74 44461E7A A53ECD21 300D0609
2A864886 F70D0101 05050003 818100BF 71A08880 E95754C2 68CEBF9B FBE9426F
2EA81744 EBC1B158 C6362EAD 7863DC3D 4D8FA436 F8918E55 1E3B5ABA B75E2E4C
8116275D 353ABDAE EDC5504E 7082A3FB 526C12E3 B8DA7C60 909FC412 26069969
2E08891C 4C737DAA F39255D5 8BF9543E E1B618EB EE2EE7C4 B9ABF234 7E3EC9BD
2A97B79A CEDD134D 52F3B7FB DAFBB0
quit
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,7,10,12,57,108-109,614,800,900 priority 36864
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
description ESX-DR2-ILO
switchport access vlan 7
!
interface GigabitEthernet1/0/2
description ESX-DR2-MANAGEMENT
switchport access vlan 7
shutdown
!
interface GigabitEthernet1/0/3
description ALERTLOGIC-MANAGEMENT
switchport access vlan 7
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
switchport access vlan 7
!
interface GigabitEthernet1/0/47
description TRUNK_TO_3750_STACK
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
no ip address
!
interface Vlan7
ip address 10.7.254.252 255.255.0.0
!
interface Vlan12
description DR_VOICE_VLAN
ip address 10.12.254.252 255.255.0.0
!
ip default-gateway 10.7.254.4
ip http server
ip http secure-server
!
!
!
!
line con 0
login local
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
end

BradEast1 · ‎11-22-2017

Rather than using 10.7.254.4 as your default gateway (unsure what this device is), can you try using 10.7.254.1 (your 3850).

jasongr33nway · ‎11-22-2017

Hey that worked! I can now ping the SVIs on the 3850 however, I am not able to pass traffic over the MPLS.

DR_2960-S#ping 172.16.188.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.188.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/11 ms
DR_2960-S#ping 172.16.188.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.188.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

BradEast1 · ‎11-22-2017

Can you ping that address from your 3850 when sourcing packets from 10.7.254.1?

jasongr33nway · ‎11-22-2017

Yes I can.

C3850-STACK-DR-M0-1#ping
Protocol [ip]:
Target IP address: 172.16.188.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.7.254.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.188.1, timeout is 2 seconds:
Packet sent with a source address of 10.7.254.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms

BradEast1 · ‎11-22-2017

Interesting. Can you verify packets are being sourced from 10.7.254.252 on the 2960 and try again? What does "show ip route" look like from the other side of MPLS?

jasongr33nway · ‎11-22-2017

DR_2960-S#ping
Protocol [ip]:
Target IP address: 172.16.188.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.7.254.252
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.188.1, timeout is 2 seconds:
Packet sent with a source address of 10.7.254.252
.....
Success rate is 0 percent (0/5)
DR_2960-S#ping
Protocol [ip]:
Target IP address: 172.16.188.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.7.254.252
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.188.2, timeout is 2 seconds:
Packet sent with a source address of 10.7.254.252
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/10 ms

From our 4500 stack

B 10.7.0.0/16 [20/0] via 12.x.x.x, 6w3d

172.16.0.0/30 is subnetted, 1 subnets
B 172.16.188.0 [20/0] via 12.x.x.x, 6w3d

From our 3850 stack

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.188.0/30 is directly connected, Vlan614
L 172.16.188.2/32 is directly connected, Vlan614