cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
237
Views
0
Helpful
4
Replies

SG350 - intermittently drops one VLAN link

timb_
Level 1
Level 1

We have an SG350-28P as the core switch at one of our sites and intermittently, users connected to VLAN 7 (192.168.9.0/24) advise that they lose internet access. At the time of the issue, the switch cannot ping the router (Cisco 887VA, 10.1.9.1, VLAN7 192.168.9.1).

This has happened three times in the past fortnight and remains unresolved until the switch is powercycled.

There's one SF302-08PP behind, but this is just used for phones on VLAN 101, not using VLAN 7 at all.

There was an ACL attached to this VLAN, I have temporarily disabled that for troubleshooting purposes. Detailed in the config below, but not attached to the VLAN.

Feels like routing, but the default route is configured the same as our other sites. This config is virtually identical to that of other sites.

FW: 2.5.9.54 (current).

Recent changes:

  • This was sitting on 2.4.5.71 for a long time, but updated within the past month to improve security. I haven't seen this problem with any other sites upgraded to 2.5.9.54.
  • The SF302-08PP was reconfigured from an access VLAN 101 switch to L2 with VLAN 1/101 for manageability, but it's not used on VLAN 7.

Some assistance would be greatly appreciated.

I can't do a swap just yet, it's a 4 hour round trip and I don't have any spare SG350s to rule out hardware, and I don't have space in this rack to replace it with a CBS350 (deeper).

Config follows, business-identifying and other irrelevant data have been removed & port configs condensed.

config-file-header
sw-sitename-admin
v2.5.9.54 / RCBS3.1_930_871_120
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 7,55,101
exit
...
ip dhcp server
...
ip dhcp excluded-address 192.168.9.1 192.168.9.30
ip dhcp excluded-address 192.168.9.250 192.168.9.254
ip dhcp pool network BUSINESS-DHCP-POOL
address low 10.1.9.1 high 10.1.9.254 255.255.255.0
lease 7
domain-name domainname.com.au
default-router 10.1.9.1
dns-server 10.1.3.58 10.1.3.59 10.1.1.48 10.1.1.49
exit
ip dhcp pool network FREEWIFI-DHCP-POOL
address low 192.168.9.1 high 192.168.9.254 255.255.255.0
lease 7
domain-name freewifi.domainname.com.au
default-router 192.168.9.1
dns-server 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4
exit
...
no boot host auto-config
no boot host auto-update
bonjour interface range vlan 1
...
ip access-list extended ACL-IN-VLAN7
permit ip any 172.24.0.44 0.0.0.0 ace-priority 20
permit ip any 10.1.3.56 0.0.0.0 ace-priority 25
permit ip any 10.1.3.147 0.0.0.0 ace-priority 30
deny ip any 10.1.0.0 0.0.255.255 ace-priority 40
deny ip any 10.55.0.0 0.0.255.255 ace-priority 60
deny ip any 10.101.0.0 0.0.255.255 ace-priority 80
permit ip any any ace-priority 160
exit
...
ip domain name [removed]
ip name-server [removed]
ip domain polling-interval 8
!
interface vlan 1
ip address 10.1.9.254 255.255.255.0
no ip address dhcp
!
interface vlan 7
name PUBLIC_WIFI
ip address 192.168.9.254 255.255.255.0
!
...
interface range GigabitEthernet1-8, 11-19
power inline never
[these are access VLAN 1 ports]
!
interface range GigabitEthernet9-10,20-22
description TRUNK-TO-AP
switchport mode trunk
switchport trunk allowed vlan 1,7,55
!
interface GigabitEthernet23
switchport access vlan 101
power inline never
!
interface GigabitEthernet24
description LINK-TO-PHONE-SWITCH
ip dhcp snooping trust
switchport mode trunk
switchport trunk allowed vlan 1,101
power inline never
!
interface GigabitEthernet26
description LINK-TO-ROUTER
switchport mode trunk
switchport trunk allowed vlan 1,7,55,101
!
exit

ip dhcp snooping
ip dhcp snooping vlan 1
ip dhcp snooping vlan 7
ip dhcp snooping vlan 55
ip dhcp snooping vlan 101
ip route 0.0.0.0 /0 10.1.9.1 metric 1

 

1 Accepted Solution

Accepted Solutions

timb_
Level 1
Level 1

I seem to have inadvertently resolved the problem, not certain, but it's stable for longer than it has been in a while.

The trunk on the SF302-08PP was incorrectly configured, just as a trunk, but not explicitly adding in the voice VLAN. Once I corrected that and rebooted everything (72 hours ago), VLAN7 on the main switch has been stable.

View solution in original post

4 Replies 4

timb_
Level 1
Level 1

Update: Started monitoring the interface with PRTG, it lasted just over 24 hours after the last restoration, before failing yet again.

#ping 192.168.9.1 source 192.168.9.254 - failed

More troubleshooting steps taken:

  • I didn't reinstate the ACL after the last time it failed
  • Disabled and enabled the VLAN
  • Deleted and re-created the VLAN
  • Confirmed no port errors on any active port

I'm scratching my head here.

I don't feel confident to swap to the previous firmware version, in case it drops its config, I haven't got remote hands to restore the config at short notice, so it's sounding more and more like a CBS350 (though it won't fit in the rack) or a factory reset, drop back one fw version and reconfig.

Hello,

can you clear the arp cache (clear arp-cache) and check if that changes anything ?

No luck, unfortunately. Thanks for the idea though, Georg.

timb_
Level 1
Level 1

I seem to have inadvertently resolved the problem, not certain, but it's stable for longer than it has been in a while.

The trunk on the SF302-08PP was incorrectly configured, just as a trunk, but not explicitly adding in the voice VLAN. Once I corrected that and rebooted everything (72 hours ago), VLAN7 on the main switch has been stable.

Review Cisco Networking for a $25 gift card