11-06-2016 07:17 AM - edited 03-08-2019 08:03 AM
Hello everybody,
I am contacting you concerning a LAN problem; more precisely, it seems to be a VRF issue.
It concerns a new implementation with a VSS (2x4506-E) connected to different access switches (3560).
The new architecture contains 2 different VRFs (PROD and LAB-WIFI-GUEST) and many VLANs on both VRFs.
To begin with, I have only activated 2 VLANs on VRF PROD: VLAN 7 (ADMIN) and 16 (IT), and I've made an interconnection with the old architecture through an L2 link that currently only permits VLAN 16 (trunk + allowed vlan 16 + native vlan 16).
Technical information concerning the issue:
- 4506-E IP in VLAN 16: 172.16.16.2/24.
- Old core architecture in VLAN 16: 172.16.16.1/24.
- 4506-E IP in VLAN 7: 172.16.7.1/24.
- Computer connected to access switch through VLAN 7: 172.16.7.155/24.
- Another computer in old architecture.
The issue is the following:
- Works: From 176.16.7.155 (computer) I can ping 172.16.7.1 (gateway on 4506-E).
- Works: From 176.16.7.155 (computer) I can ping 172.16.16.2 (IP IT on 4506-E).
- Works: From 4506-E I can ping 172.16.16.2 (ping vrf PROD 172.16.16.2).
- Does not work: From 4506-E I can't ping 172.16.7.155.
- Does not work: From 172.16.7.155 I can't ping 172.16.16.1 (old core).
- Does not work: From a computer on the old architecture, I can't ping 172.16.16.2 (4506-E).
Concerning 172.16.7.155, it is very strange because I have correct information in the ARP table:
MCCORE#sho ip arp vrf PROD
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.7.1              -   0008.e3ff.fc28  ARPA   Vlan7
Internet  172.16.7.50            23   d42c.44f0.5c41  ARPA   Vlan7
Internet  172.16.7.155            0   68f7.289f.86cf  ARPA   Vlan7
Internet  172.16.16.1            34   04fe.7f75.814c  ARPA   Vlan16
Internet  172.16.16.2             -   0008.e3ff.fc28  ARPA   Vlan16
but ping didn't work:
MCCORE#ping vrf PROD 172.16.7.155
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.7.155, timeout is 2 seconds:
.....
For me it's only a Layer 2 flow, therefore there is no specific configuration.
Could you help me to know if it is related to a bug or a misconfiguration?
Thank you very much.
M.C.
11-06-2016 07:23 AM
Configuration is the following:
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname MCCORE
!
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.06.05.E.152-2.E5.bin
boot system flash
license boot level entservices
boot-end-marker
!
!
vrf definition mgmtVrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
username exaprobe privilege 15 password 7 072A396C5E1B49071253
username algeco privilege 15 password 7 096D420E4A0647405B5D526B
no aaa new-model
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
switch virtual domain 10
switch mode virtual
switch 1 priority 110
mac-address use-virtual
!
hw-module uplink select tengigabitethernet
!
!
!
!
!
!
ip vrf LAB-WIFI-GUEST
!
ip vrf PROD
!
no ip domain-lookup
ip domain-name algeco
!
!
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
mac access-list extended VSL-BPDU
permit any 0180.c200.0000 0000.0000.0003
mac access-list extended VSL-CDP
permit any host 0100.0ccc.cccc
mac access-list extended VSL-DOT1x
permit any any 0x888E
mac access-list extended VSL-GARP
permit any host 0180.c200.0020
mac access-list extended VSL-LLDP
permit any host 0180.c200.000e
mac access-list extended VSL-MGMT
permit any 0022.bdcd.d200 0000.0000.00ff
permit 0022.bdcd.d200 0000.0000.00ff any
mac access-list extended VSL-SSTP
permit any host 0100.0ccc.cccd
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-3,5,7-8,10,15-16,18,20,30,50 priority 4096
!
redundancy
mode sso
!
vlan internal allocation policy ascending
!
vlan 2
name SERVER1
!
vlan 3
name INTERCO-ASR
!
vlan 5
name USERS
!
vlan 7
name ADMIN
!
vlan 8
name VPN-SSL
!
vlan 10
name INTERCO-DRP
!
vlan 15
name WIFI-GUEST
!
vlan 16
name IT
!
vlan 18
name VMWARE-VMOTION
!
vlan 20
name SERVER2
!
vlan 30
name VLAN-ToIP
!
vlan 50
name LAB
!
!
class-map match-any VSL-MGMT-PACKETS
match access-group name VSL-MGMT
class-map match-any VSL-DATA-PACKETS
match any
class-map match-any VSL-L2-CONTROL-PACKETS
match access-group name VSL-DOT1x
match access-group name VSL-BPDU
match access-group name VSL-CDP
match access-group name VSL-LLDP
match access-group name VSL-SSTP
match access-group name VSL-GARP
class-map match-any VSL-L3-CONTROL-PACKETS
match access-group name VSL-IPV4-ROUTING
match access-group name VSL-BFD
match access-group name VSL-DHCP-CLIENT-TO-SERVER
match access-group name VSL-DHCP-SERVER-TO-CLIENT
match access-group name VSL-DHCP-SERVER-TO-SERVER
match access-group name VSL-IPV6-ROUTING
class-map match-any VSL-MULTIMEDIA-TRAFFIC
match dscp af41
match dscp af42
match dscp af43
match dscp af31
match dscp af32
match dscp af33
match dscp af21
match dscp af22
match dscp af23
class-map match-any VSL-VOICE-VIDEO-TRAFFIC
match dscp ef
match dscp cs4
match dscp cs5
class-map match-any VSL-SIGNALING-NETWORK-MGMT
match dscp cs2
match dscp cs3
match dscp cs6
match dscp cs7
!
policy-map VSL-Queuing-Policy
class VSL-MGMT-PACKETS
bandwidth percent 5
class VSL-L2-CONTROL-PACKETS
bandwidth percent 5
class VSL-L3-CONTROL-PACKETS
bandwidth percent 5
class VSL-VOICE-VIDEO-TRAFFIC
bandwidth percent 30
class VSL-SIGNALING-NETWORK-MGMT
bandwidth percent 10
class VSL-MULTIMEDIA-TRAFFIC
bandwidth percent 20
class VSL-DATA-PACKETS
bandwidth percent 20
class class-default
bandwidth percent 5
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
[...]
interface Port-channel51
description MCSW1NON1
switchport
switchport mode trunk
switchport nonegotiate
!
interface Port-channel52
description MCSW1SERC
switchport
switchport mode trunk
switchport nonegotiate
!
interface Port-channel53
description MCSW1SEN1
switchport
switchport mode trunk
switchport nonegotiate
!
interface Port-channel61
description VSS_Link
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 1
!
interface Port-channel62
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 2
!
interface FastEthernet1
vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface TenGigabitEthernet1/1/1
description VSS_Link
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
channel-group 61 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/1/2
description VSS_Link
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
channel-group 61 mode on
service-policy output VSL-Queuing-Policy
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface GigabitEthernet1/1/5
!
interface GigabitEthernet1/1/6
!
interface GigabitEthernet1/2/1
description MCSW1NORC/1
switchport mode trunk
switchport nonegotiate
logging event link-status
channel-group 50 mode active
spanning-tree guard root
[...]
interface GigabitEthernet1/4/47
description L2-OLD-CORE
switchport trunk native vlan 16
switchport trunk allowed vlan 16
switchport mode trunk
[...]
interface Vlan1
description Users
ip vrf forwarding PROD
ip address 172.16.5.1 255.255.255.0
shutdown
!
interface Vlan2
description Server1
ip vrf forwarding PROD
ip address 172.16.1.8 255.255.255.0
shutdown
!
interface Vlan3
description Interco-ASR
ip vrf forwarding PROD
ip address 172.16.10.1 255.255.255.0
shutdown
!
interface Vlan7
description Admin
ip vrf forwarding PROD
ip address 172.16.7.1 255.255.255.0
!
interface Vlan8
description VPN-SSL
ip vrf forwarding PROD
ip address 172.16.2.1 255.255.255.0
shutdown
!
interface Vlan10
description Interco-DRP
ip vrf forwarding PROD
ip address 10.2.1.254 255.255.255.0
shutdown
!
interface Vlan15
description WIFI-GUEST
ip vrf forwarding LAB-WIFI-GUEST
no ip address
shutdown
!
interface Vlan16
description IT
ip vrf forwarding PROD
ip address 172.16.16.2 255.255.255.0
!
interface Vlan18
description VMware-VMotion
ip vrf forwarding PROD
ip address 192.168.100.254 255.255.255.0
shutdown
!
interface Vlan20
description Server2
ip vrf forwarding PROD
ip address 172.16.254.1 255.255.255.0
shutdown
!
interface Vlan30
description Vlan-ToIP
ip vrf forwarding PROD
ip address 172.30.1.1 255.255.255.0
shutdown
!
interface Vlan50
description LAB
ip vrf forwarding LAB-WIFI-GUEST
ip address 172.16.50.1 255.255.255.0
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip access-list extended VSL-BFD
permit udp any any eq 3784
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
permit udp any eq bootpc any eq bootps
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
permit udp any eq bootps any eq bootpc
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
permit udp any eq bootps any eq bootps
ip access-list extended VSL-IPV4-ROUTING
permit ip any 224.0.0.0 0.0.0.255
!
!
!
!
ipv6 access-list VSL-IPV6-ROUTING
permit ipv6 any FF02::/124
!
banner login ^CCC
********************************************************
Authorized access only
This system is the property of XXX
Disconnect IMMEDIATELY as you are not an authorized user!
Contact <administrator email address> <administrator phone number>.
********************************************************
^C
!
line con 0
stopbits 1
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
!
module provision switch 1
chassis-type 51 base-mac 0062.EC5D.ABC0
slot 1 slot-type 394 base-mac 0062.EC5D.ABC0
slot 2 slot-type 406 base-mac 0081.C412.A080
slot 3 slot-type 369 base-mac 00F6.6318.5182
slot 4 slot-type 369 base-mac 0062.EC03.DD84
!
module provision switch 2
chassis-type 51 base-mac 0062.EC5D.AE00
slot 1 slot-type 394 base-mac 0062.EC5D.AE00
slot 2 slot-type 406 base-mac 0081.C412.A08C
slot 3 slot-type 369 base-mac 0062.EC04.13EA
slot 4 slot-type 369 base-mac 00F6.6318.5062
!
!
and the show version:
------------------ show version ------------------
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.06.05.E RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 02-Jun-16 04:02 by prod_rel_team
Cisco IOS-XE software, Copyright (c) 2005-2015 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: 15.0(1r)SG10
MCCORE uptime is 1 day, 1 hour, 59 minutes
Uptime for this control processor is 1 day, 2 hours, 1 minute
System returned to ROM by power-on
System restarted at 15:25:42 CEST Mon Oct 3 2016
System image file is "bootflash:cat4500e-universalk9.SPA.03.06.05.E.152-2.E5.bin"
Jawa Revision 7, Winter Revision 0x0.0x41
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Information for 'WS-X45-SUP7L-E'
License Level: entservices Type: Permanent
Next reboot license Level: entservices
cisco WS-C4506-E (MPC8572) processor (revision 6) with 2097152K bytes of physical memory.
Processor board ID SPE203001Q2
MPC8572 CPU at 1.5GHz, Supervisor 7L-E
Last reset from PowerUp
12 Virtual Ethernet interfaces
224 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2102
Thank you for the help.
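Added example (not part of the original posts, and not Cisco code): a Python check that derives the connected routes each VRF holds from SVI stanzas like the ones posted above, then does a longest-prefix lookup for a destination. The excerpt is copied from the posted configuration; the address 172.16.5.20 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt: four SVI stanzas from the posted config, descriptions dropped.
SAMPLE_CONFIG = """\
interface Vlan1
 ip vrf forwarding PROD
 ip address 172.16.5.1 255.255.255.0
 shutdown
!
interface Vlan7
 ip vrf forwarding PROD
 ip address 172.16.7.1 255.255.255.0
!
interface Vlan15
 ip vrf forwarding LAB-WIFI-GUEST
 no ip address
 shutdown
!
interface Vlan16
 ip vrf forwarding PROD
 ip address 172.16.16.2 255.255.255.0
!
"""

def connected_routes(config):
    """Return {vrf: [(network, interface)]} for interfaces not shut down."""
    routes = {}
    for stanza in re.split(r"(?m)^(?=interface )", config):
        head = re.match(r"interface (\S+)", stanza)
        addr = re.search(r"(?m)^\s*ip address (\S+) (\S+)\s*$", stanza)
        shut = re.search(r"(?m)^\s*shutdown\s*$", stanza)
        if not head or not addr or shut:
            continue  # no address or administratively down: no connected route
        vrf = re.search(r"(?m)^\s*(?:ip )?vrf forwarding (\S+)", stanza)
        net = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}").network
        name = vrf.group(1) if vrf else "global"
        routes.setdefault(name, []).append((net, head.group(1)))
    return routes

def lookup(routes, vrf, dest):
    """Longest-prefix match in one VRF; None means the VRF has no route."""
    ip = ipaddress.ip_address(dest)
    hits = [(net, ifc) for net, ifc in routes.get(vrf, []) if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

if __name__ == "__main__":
    table = connected_routes(SAMPLE_CONFIG)
    for dest in ("172.16.7.155", "172.16.16.1", "172.16.5.20"):  # last one constructed
        print(dest, "->", lookup(table, "PROD", dest))
```

A None result means the switch can only answer that address if VRF PROD has a static or dynamic route for it. The visible part of the posted configuration shows no such route, though sections are elided with [...].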
11-08-2016 12:40 AM
I'll try to pass the VSS to stand-alone in order to see if the problem is here but same problem...