Burleyman,

first let me thank you for taking your time to be looking into this.

Relevant Parts of the VTP Server cfg - omitted ifnterface enumeration output @ readability.

ip name-server 192.168.20.211
vtp interface GigabitEThernet0/2

!

spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 spanning-tree portfast

!

interface GigabitEthernet0/1
 switchport access vlan 3
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Core
!
interface Vlan1
 ip address 192.168.20.254 255.255.255.0
 no ip route-cache
!

Relevant parts of the VTP client:

vtp interface Gi0/1
!
!
ip name-server 192.168.20.211
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/19
 switchport access vlan 3
!
interface FastEthernet0/20
 switchport access vlan 3
!
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 3
!
interface Vlan1
 ip address 192.168.20.249 255.255.255.0
 no ip route-cache
!

Can you draw a quick diagram showing all the devices.

If the vlans are on each switch with a "sh vlan brief" then forget about VTP, it probably isn't the issue.

Edit - if vlan 3 hangs off a router as you say where are the L3 gateways for the other two vlans ?

Jon

Hi Jon,

the vlans are alive and showing on each and every switch. It seems to be a "routing" problem of some kind.

I can ping within the new VLAN3 as long as its ports are on the same piece o' hardware.

Of course I sorted out the usual suspects, and yes, the sourcing stations do in fact have "their" gateway.

I cannot ping if I put some port on another (!) switch into VLAN3, connect a host there and try to ping hosts connected to the other switch (the one I can ping in ). All neighboring if/s are either dynamic with the peer set to trunk or trunk/trunk on either side.

L3 setup

RTR gi0 -> 192.168.20.2/24 (main production,default VLAN) -> gi0 on core /w Default VLAN, works across all switches.

RTR gi1 -> 172.16.1.1/16 (DMZ) -> gi1 on VTP server switch with VLAN1 membership for a few ports -> works as long as port is on THIS switch, others won't (same problem on gi2), but these again can ping within their ports belonging to the DMZ VLAN.

RTR gi2 -> 192.168.5.1/24 (new VLAN) -> gi0 on one distro switch set as VLAN3. Can ping within there, works as long as port is on THIS switch, others won't, but these again can ping within their ports belonging to VLAN3.

Speaking about the Router - I did not setup any VLAN there.

HTH & Thanks,

Dan

Dan

If you can't ping hosts within the same vlan when connected to different switches it is not a routing problem.

On the switch that you cannot ping from can you do a quick schematic as to how it is connected to the switch you can ping in.

Can you also check all the interconnects between the non working switch and the switch that works ie. if they are trunk links make sure vlan 3 is allowed and if they are access ports make sure both ends are in vlan 3.

Jon

Hi Jon,

thanks for this. I will sketch it out and come back on Monday.

Dan

Whilst drawing, I found something strange.

Some of the interfaces involved in VLAN 2 and 3 are GBIC (via Copper) and these are not showing up in the list (show VLAN). Only non-GBIC ports are listed.

Dan

Drawing attached.

I should add that 0 and 1 are 2950's, 2 and 3 are 2960's, the core is a 3550. (Couldn't find the right visio stencils.)

All switches running the latest available IOS (core Version 12.2(44)SE6; Access 0,1 Version 12.1(22)EA14, access2,3 Version 12.2(50)SE4.

All IP Base Image.

Dan

The diagram shows the links between switches and the 3550 and router as belong to specific vlans but your configuration shows the uplinks configured as trunks.

If you go off the diagram then it's clear why it doesn't work but I suspect there is more to it than that.

From each of the switches, including the 3550, can you post a "sh int trunk".

Jon

Jon,

(output below) As per my understanding, any switch/switch connection carrying vlan info should be configured as trunk as to 1) have VTP propagating via its dedicated propagator interface on the VTP server and 2) to have the switches carry the traffic for the desired VLAN. Is there something wrong in my thinking ?

Core:

----------------------

Port        Mode             Encapsulation  Status        Native vlan
Gi0/7       desirable        n-802.1q       trunking      1
Gi0/8       desirable        n-802.1q       trunking      1
Gi0/11      desirable        n-802.1q       trunking      1
Gi0/12      desirable        n-802.1q       trunking      1

Port        Vlans allowed on trunk
Gi0/7       1-4094
Gi0/8       1-4094
Gi0/11      1-4094
Gi0/12      1-4094

Port        Vlans allowed and active in management domain
Gi0/7       1-3
Gi0/8       1-3
Gi0/11      1-3
Gi0/12      1-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/7       1,3
Gi0/8       1-3
Gi0/11      1-3
Gi0/12      1-3

Access 0

----------------------

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
Gi0/2       desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-3
Gi0/2       1-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-3
Gi0/2       1-3

Access 1

----------------------

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/27      on           802.1q         trunking      1
Gi0/2       desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/1       1-4094
Fa0/27      1-4094
Gi0/2       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1-3
Fa0/27      1-3
Gi0/2       1-3

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1-3
Fa0/27      1-3
Gi0/2       1-3

Access 2

----------------------

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       auto             802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-3
Gi0/2       1-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-3
Gi0/2       1-3

ACCESS3

----------------------

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-3

Dan

No, there is nothing wrong with your thinking.

Can you do this test -

1) on one of your switches on a client in vlan 3 ping it's default gateway and then on the core switch look at the mac address table and see what port the clients mac address is learned.

2) pick another switch and do the same ie. client in vlan 3 and pinging it's default gateway.

Then try pinging between those clients.

Jon

Jon,

ACCESS3

Notebook 192.168.5.2 connected to FaE0/47, showing:

   3    54ee.752c.6904    DYNAMIC     Fa0/47

CORE0 to check if it's there:

Notebook hits the switch and shows the MAC on Gi0/7:

   3    54ee.752c.6904    DYNAMIC     Gi0/7

PING Test

Ping Test 1 (Notebook to its Gate 192.168.5.1 )

Ping 192.168.5.2 <-> 192.168.5.1 (gateway) timeout -> FAIL

Ping Test 2 (Notebook to Printer in VLAN3, both units @ ACCESS3)

Ping 192.168.5.2 <-> 192.168.5.254 (printer) -> SUCCESS

Ping Test 3

Unplugged the Notebook from ACCESS3.

(Verfied MAC Table is clear now.)

Hooked the Notebook onto ACCESS2, reconfigured FaE0/23 as VLAN3. This port is the only port belonging to VLAN3 on this box.

Ping 192.168.5.2 -> 192.168.5.1 FAIL

Ping 192.168.5.2 -> 192.168.5.254 SUCCESS

I went on to see if there is still something wrong with the trunk config on the various interfaces. Forced ACCESS0,1,2,3 to switchport enc dot1q, did the same on 0 and 1 (2950 would only accept switchport mode trunk) . Same job done on core0, reconfiguring all ports connecting to switches there. Verified each and every port is in ON state and dot1q trunking mode across the entire cascade, verified OK as seen on ACCESS3 here:

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

RESULTS:

VLAN3 will ping internally inside and across any switch, but won't reach it's gateway.

VLAN3 won't ping into all other VLANs.

Now, I checked if there's something wrong with the router whose mac for VLAN3 is 3c08.f6e1.11f2. The mac hits every switch, here on ACCESS3:

access3#sho mac address-table | inc 11f2
   1    3c08.f6e1.11f2    DYNAMIC     Gi0/1

I'm really out of my wits now.

Dan

Yikes, that did the trick.

192.168.20.0 (VLAN1) -> any other [OK]

172.16.0.0 (VLAN2) -> any other [OK]

192.168.5.0 (VLAN3) -> almost, that is - can ping anything but 192.168.5.1 (gateway ip in the router which won't respond. I am guessing it's an ICMP permit issue.

Damnit.......access mode.