
Ping Issue into VRF

Xavillon
Level 1

Hello everybody,

I am contacting you concerning a LAN problem; more precisely, it seems to be a VRF issue.

It concerns a new implementation with a VSS (2x4506-E) connected to different access switches (3560).

The new architecture contains 2 different VRFs (PROD and LAB-WIFI-GUEST) and many VLANs on both VRFs.

To begin with, I have only activated 2 VLANs on VRF PROD: VLAN 7 (ADMIN) and 16 (IT), and I've made an interconnection with the old architecture through an L2 link that currently only permits VLAN 16 (trunk + allowed vlan 16 + native vlan 16).

Technical information concerning the issue:

- 4506-E IP in VLAN 16: 172.16.16.2/24.

- Old core architecture in VLAN 16: 172.16.16.1/24.

- 4506-E IP in VLAN 7: 172.16.7.1/24.

- Computer connected to access switch through VLAN 7: 172.16.7.155/24.

- Another computer in old architecture.

The issue is the following:

- Works: From 176.16.7.155 (computer) I can ping 172.16.7.1 (gateway on 4506-E).

- Works: From 176.16.7.155 (computer) I can ping 172.16.16.2 (IP IT on 4506-E).

- Works: From 4506-E I can ping 172.16.16.2 (ping vrf PROD 172.16.16.2).

- Does not work: From 4506-E I can't ping 172.16.7.155.

- Does not work: From 172.16.7.155 I can't ping 172.16.16.1 (old core).

- Does not work: From a computer on the old architecture, I can't ping 172.16.16.2 (4506-E).

Concerning 172.16.7.155, it is very strange because I have good information in the ARP table:
MCCORE#sho ip arp vrf PROD
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.7.1              -   0008.e3ff.fc28  ARPA   Vlan7
Internet  172.16.7.50            23   d42c.44f0.5c41  ARPA   Vlan7
Internet  172.16.7.155            0   68f7.289f.86cf  ARPA   Vlan7
Internet  172.16.16.1            34   04fe.7f75.814c  ARPA   Vlan16
Internet  172.16.16.2             -   0008.e3ff.fc28  ARPA   Vlan16
but the ping didn't work:
MCCORE#ping vrf PROD 172.16.7.155
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.7.155, timeout is 2 seconds:
.....


For me it's only a Layer 2 flow, therefore there is no specific configuration.
Could you help me find out whether it is related to a bug or a misconfiguration?

Thank you very much.

M.C.

2 Replies

Xavillon
Level 1

Configuration is the following:

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname MCCORE
!
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.06.05.E.152-2.E5.bin
boot system flash
license boot level entservices
boot-end-marker
!
!
vrf definition mgmtVrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
username exaprobe privilege 15 password 7 072A396C5E1B49071253
username algeco privilege 15 password 7 096D420E4A0647405B5D526B
no aaa new-model
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
switch virtual domain 10
 switch mode virtual
 switch 1 priority 110
 mac-address use-virtual
!
hw-module uplink select tengigabitethernet
!
!
!
!
!
!
ip vrf LAB-WIFI-GUEST
!
ip vrf PROD
!
no ip domain-lookup
ip domain-name algeco
!
!
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
mac access-list extended VSL-BPDU
 permit any 0180.c200.0000 0000.0000.0003
mac access-list extended VSL-CDP
 permit any host 0100.0ccc.cccc
mac access-list extended VSL-DOT1x
 permit any any 0x888E
mac access-list extended VSL-GARP
 permit any host 0180.c200.0020
mac access-list extended VSL-LLDP
 permit any host 0180.c200.000e
mac access-list extended VSL-MGMT
 permit any 0022.bdcd.d200 0000.0000.00ff
 permit 0022.bdcd.d200 0000.0000.00ff any
mac access-list extended VSL-SSTP
 permit any host 0100.0ccc.cccd
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-3,5,7-8,10,15-16,18,20,30,50 priority 4096
!
redundancy
 mode sso
!
vlan internal allocation policy ascending
!
vlan 2
 name SERVER1
!
vlan 3
 name INTERCO-ASR
!
vlan 5
 name USERS
!
vlan 7
 name ADMIN
!
vlan 8
 name VPN-SSL
!
vlan 10
 name INTERCO-DRP
!
vlan 15
 name WIFI-GUEST
!
vlan 16
 name IT
!
vlan 18
 name VMWARE-VMOTION
!
vlan 20
 name SERVER2
!
vlan 30
 name VLAN-ToIP
!
vlan 50
 name LAB
!
!
class-map match-any VSL-MGMT-PACKETS
 match access-group name VSL-MGMT
class-map match-any VSL-DATA-PACKETS
 match any
class-map match-any VSL-L2-CONTROL-PACKETS
 match access-group name VSL-DOT1x
 match access-group name VSL-BPDU
 match access-group name VSL-CDP
 match access-group name VSL-LLDP
 match access-group name VSL-SSTP
 match access-group name VSL-GARP
class-map match-any VSL-L3-CONTROL-PACKETS
 match access-group name VSL-IPV4-ROUTING
 match access-group name VSL-BFD
 match access-group name VSL-DHCP-CLIENT-TO-SERVER
 match access-group name VSL-DHCP-SERVER-TO-CLIENT
 match access-group name VSL-DHCP-SERVER-TO-SERVER
 match access-group name VSL-IPV6-ROUTING
class-map match-any VSL-MULTIMEDIA-TRAFFIC
 match dscp af41
 match dscp af42
 match dscp af43
 match dscp af31
 match dscp af32
 match dscp af33
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-any VSL-VOICE-VIDEO-TRAFFIC
 match dscp ef
 match dscp cs4
 match dscp cs5
class-map match-any VSL-SIGNALING-NETWORK-MGMT
 match dscp cs2
 match dscp cs3
 match dscp cs6
 match dscp cs7
!
policy-map VSL-Queuing-Policy
 class VSL-MGMT-PACKETS
  bandwidth percent 5
 class VSL-L2-CONTROL-PACKETS
  bandwidth percent 5
 class VSL-L3-CONTROL-PACKETS
  bandwidth percent 5
 class VSL-VOICE-VIDEO-TRAFFIC
  bandwidth percent 30
 class VSL-SIGNALING-NETWORK-MGMT
  bandwidth percent 10
 class VSL-MULTIMEDIA-TRAFFIC
  bandwidth percent 20
 class VSL-DATA-PACKETS
  bandwidth percent 20
 class class-default
  bandwidth percent 5
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
[...]
interface Port-channel51
 description MCSW1NON1
 switchport
 switchport mode trunk
 switchport nonegotiate
!
interface Port-channel52
 description MCSW1SERC
 switchport
 switchport mode trunk
 switchport nonegotiate
!
interface Port-channel53
 description MCSW1SEN1
 switchport
 switchport mode trunk
 switchport nonegotiate
!
interface Port-channel61
 description VSS_Link
 switchport
 switchport mode trunk
 switchport nonegotiate
 switch virtual link 1
!
interface Port-channel62
 switchport
 switchport mode trunk
 switchport nonegotiate
 switch virtual link 2
!
interface FastEthernet1
 vrf forwarding mgmtVrf
 no ip address
 speed auto
 duplex auto
!
interface TenGigabitEthernet1/1/1
 description VSS_Link
 switchport mode trunk
 switchport nonegotiate
 no lldp transmit
 no lldp receive
 channel-group 61 mode on
 service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/1/2
 description VSS_Link
 switchport mode trunk
 switchport nonegotiate
 no lldp transmit
 no lldp receive
 channel-group 61 mode on
 service-policy output VSL-Queuing-Policy
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface GigabitEthernet1/1/5
!
interface GigabitEthernet1/1/6
!
interface GigabitEthernet1/2/1
 description MCSW1NORC/1
 switchport mode trunk
 switchport nonegotiate
 logging event link-status
 channel-group 50 mode active
 spanning-tree guard root
[...]
interface GigabitEthernet1/4/47
 description L2-OLD-CORE
 switchport trunk native vlan 16
 switchport trunk allowed vlan 16
 switchport mode trunk
[...]
interface Vlan1
 description Users
 ip vrf forwarding PROD
 ip address 172.16.5.1 255.255.255.0
 shutdown
!
interface Vlan2
 description Server1
 ip vrf forwarding PROD
 ip address 172.16.1.8 255.255.255.0
 shutdown
!
interface Vlan3
 description Interco-ASR
 ip vrf forwarding PROD
 ip address 172.16.10.1 255.255.255.0
 shutdown
!
interface Vlan7
 description Admin
 ip vrf forwarding PROD
 ip address 172.16.7.1 255.255.255.0
!
interface Vlan8
 description VPN-SSL
 ip vrf forwarding PROD
 ip address 172.16.2.1 255.255.255.0
 shutdown
!
interface Vlan10
 description Interco-DRP
 ip vrf forwarding PROD
 ip address 10.2.1.254 255.255.255.0
 shutdown
!
interface Vlan15
 description WIFI-GUEST
 ip vrf forwarding LAB-WIFI-GUEST
 no ip address
 shutdown
!
interface Vlan16
 description IT
 ip vrf forwarding PROD
 ip address 172.16.16.2 255.255.255.0
!
interface Vlan18
 description VMware-VMotion
 ip vrf forwarding PROD
 ip address 192.168.100.254 255.255.255.0
 shutdown
!
interface Vlan20
 description Server2
 ip vrf forwarding PROD
 ip address 172.16.254.1 255.255.255.0
 shutdown
!
interface Vlan30
 description Vlan-ToIP
 ip vrf forwarding PROD
 ip address 172.30.1.1 255.255.255.0
 shutdown
!
interface Vlan50
 description LAB
 ip vrf forwarding LAB-WIFI-GUEST
 ip address 172.16.50.1 255.255.255.0
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip access-list extended VSL-BFD
 permit udp any any eq 3784
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
 permit udp any eq bootpc any eq bootps
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
 permit udp any eq bootps any eq bootpc
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
 permit udp any eq bootps any eq bootps
ip access-list extended VSL-IPV4-ROUTING
 permit ip any 224.0.0.0 0.0.0.255
!
!
!
!
ipv6 access-list VSL-IPV6-ROUTING
 permit ipv6 any FF02::/124
!
banner login ^CCC
********************************************************
Authorized access only
This system is the property of XXX
Disconnect IMMEDIATELY as you are not an authorized user!
Contact <administrator email address> <administrator phone number>.
********************************************************
^C
!
line con 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
!
module provision switch 1
 chassis-type 51 base-mac 0062.EC5D.ABC0
 slot 1 slot-type 394 base-mac 0062.EC5D.ABC0
 slot 2 slot-type 406 base-mac 0081.C412.A080
 slot 3 slot-type 369 base-mac 00F6.6318.5182
 slot 4 slot-type 369 base-mac 0062.EC03.DD84
 !
module provision switch 2
 chassis-type 51 base-mac 0062.EC5D.AE00
 slot 1 slot-type 394 base-mac 0062.EC5D.AE00
 slot 2 slot-type 406 base-mac 0081.C412.A08C
 slot 3 slot-type 369 base-mac 0062.EC04.13EA
 slot 4 slot-type 369 base-mac 00F6.6318.5062

! !

and the show version:

------------------ show version ------------------

Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch  Software (cat4500e-UNIVERSALK9-M), Version 03.06.05.E RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 02-Jun-16 04:02 by prod_rel_team



Cisco IOS-XE software, Copyright (c) 2005-2015 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.



ROM: 15.0(1r)SG10
MCCORE uptime is 1 day, 1 hour, 59 minutes
Uptime for this control processor is 1 day, 2 hours, 1 minute
System returned to ROM by power-on
System restarted at 15:25:42 CEST Mon Oct 3 2016
System image file is "bootflash:cat4500e-universalk9.SPA.03.06.05.E.152-2.E5.bin"
Jawa Revision 7, Winter Revision 0x0.0x41

Last reload reason: power-on



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


License Information for 'WS-X45-SUP7L-E'
    License Level: entservices   Type: Permanent
    Next reboot license Level: entservices

cisco WS-C4506-E (MPC8572) processor (revision 6) with 2097152K bytes of physical memory.
Processor board ID SPE203001Q2
MPC8572 CPU at 1.5GHz, Supervisor 7L-E
Last reset from PowerUp
12 Virtual Ethernet interfaces
224 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102

Thank you for the help.

I'll try to pass the VSS to stand-alone in order to see if the problem is here, but same problem...
