06-01-2012 08:46 AM - edited 03-07-2019 07:01 AM
Please bear with me as I try to simply define my network and the issue I am suffering from (actual IP addressing changed to protect the innocent).
I have 2960s switches stacked using the stacking modules and then interconnected using 10GB SFP modules. Each stack currently has a clearly defined role but we trunk VLANs between stacks to allow the flexibility to have ports in any VLAN from any stack.
Workstation Stack
4 x switches interconnected on uplink ports. Native VLAN on all access ports VLAN5 (all gig ports are access ports). VLAN5 interface address 192.168.5.240, VLAN2 interface 192.168.1.53
Trunk port carries VLANs 2, 5 & 11, native VLAN2.
Default Gateway 192.168.1.240
Server Stack
2 x switches interconnected on uplink ports. Native VLAN on all access ports VLAN2, VLAN interface address 192.168.1.49.
Trunk port carries VLANs 2, 5 & 11, native VLAN2.
Default Gateway 192.168.1.240
Coms Stack
Single switch interconnected on uplink ports. Native VLAN on all access ports VLAN2, VLAN interface address 192.168.1.240.
Trunk port carries VLANs 2, 5 & 11, native VLAN2.
Default Gateway 192.168.1.1 (FW) provides access to Internet and DMZ.
VLAN2 subnet 192.168.1.0
VLAN5 subnet 192.168.5.0
VLAN11 subnet 192.168.11.0
The problem is as follows:
From 3 of the switches in the workstation stack I can access all resources in VLANs 2, 5, 11 out to the DMZ and Internet. If I am connected to the switch that has the 10GB uplink port (let's call it SW1) I can only get to resources in VLANs 2 & 5, can't get to the Internet or DMZ or VLAN11. Why just this one switch?
Additional information:
If I configure an access port on SW1 to have a native VLAN 2 and correctly configure my workstation in the 192.168.1.0 subnet, I CAN gain access to all resources on my network, the DMZ and the Internet.
So I am thinking that for some reason the packets are not being tagged, and when my access port is in VLAN5 the IP addressing is being allowed to bleed over subnets that the switches know about, but that traffic is not getting back from resources beyond the firewall.
Help / suggestions much appreciated.
06-01-2012 08:58 AM
I don't see any of the switches hosting SVI 11, thus I assume another Layer 3 device is.
Verify this L3 device has a route for the .1.0 and .5.0 subnets pointing to your 2960 switches.
06-01-2012 09:27 AM
Thanks for joining the discussion. There is indeed another stack of switches dealing with VLAN 11 and its subnet. I didn't include detail as I was trying to keep the description simple. Layer 3 routing is all in place and working, as from 3 of the 4 switches in the workstation stack I can access all resources on the network and Internet. It is only from SW1 (the switch in the Workstation Stack that has the 10G uplink) that I cannot get beyond 192.168.1.0. We have moved a working PC between switches in the stack; this goes from having complete access to limited access (and back again), so we know that the IP configuration on the workstation is correct.
Hope this helps clarify.
Jonathan