VLAN connection issue

Hartmann.J
Level 1

Hello,

I created a VLAN for test purposes.

I want to secure this VLAN with ACLs later on.

(I haven't added any ACLs yet.)

Since a lot of production systems are running in the network, I didn't want to experiment too much on the core switch at the moment.

I'm sure I only forgot something minor.

Problem:

My client with the IP address 10.14.68.145 can't connect to other networks / the Internet. (I can't even ping the gateway of the VLAN.)

Config:

VLAN 24
Range     10.14.68.144/28    to 10.14.68.159
Mask      255.255.255.240
Gateway   10.14.68.158
Free      10.14.68.145       to 10.14.68.157

------------------------------------------------------------------------

Client PC config:

Ip 10.14.68.145
Sm 255.255.255.240
Gateway 10.14.68.158

DNS: 10.14.42.71 (our DNS)

------------------------------------------------------------------------

Config on Core-Switch:

sh run int vlan 24

interface Vlan24
ip address 10.14.68.158 255.255.255.240
end

-

interface Port-channel1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-24,30,90,101,104
switchport mode trunk
ip arp inspection trust
no ip address
mls qos trust dscp
ip dhcp snooping trust
end

-

Member of the Portchannel:

interface TenGigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-24,30,90,101,104
 switchport mode trunk
 ip arp inspection trust
 no ip address
 mls qos trust dscp
 channel-group 1 mode desirable
 ip dhcp snooping trust
end

interface TenGigabitEthernet1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-24,30,90,101,104
 switchport mode trunk
 ip arp inspection trust
 no ip address
 mls qos trust dscp
 channel-group 1 mode desirable
 ip dhcp snooping trust
end

-

The client is connected over 2 switches. These are the port configs of the trunks / the port:

(link to first switch)
interface TenGigabitEthernet6/4
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection trust
no ip address
mls qos trust dscp
ip dhcp snooping trust
end


(link to 2nd switch)
interface GigabitEthernet1/0/37
switchport mode trunk
ip arp inspection trust
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 30 0 0 0
priority-queue out
mls qos trust dscp
ip dhcp snooping trust
end

(Port on 2nd Switch)
interface GigabitEthernet0/5
switchport access vlan 24
switchport mode access
spanning-tree portfast
end

-----------------------------------------

VLAN is up and active:

Sh ip int brief

Vlan24 10.14.68.158 YES manual up up

Sh ip route

Gateway of last resort is 10.14.0.250 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 22 subnets, 8 masks


C 10.14.68.144/28 is directly connected, Vlan24
S* 0.0.0.0/0 [1/0] via 10.14.0.250

------------------------------------------------------------------------------------------

CoreSwitch: show arp | i Vlan24

Internet 10.14.68.158 - 0013.5fec.6c00 ARPA Vlan24

Client:

Arp -a

Schnittstelle: 10.14.68.145 --- 0xb
Internetadresse     Physische Adresse   Typ
10.14.68.158         00-14-1b-ec-00-00    Dynamisch
10.14.68.159         Ff-ff-ff-ff-ff-ff               Statisch
224.0.0.22             01-00-5e-00-00-16    Statisch
224.0.0.251           01-00-5e-00-00-fb     Statisch
224.0.0.252           01-00-5e-00-00-fc     Statisch
255.255.255.255   Ff-ff-ff-ff-ff-ff               Statisch

Extended Ping from Core Switch with source ip of the VLAN:

ping
Protocol [ip]:
Target IP address: 10.14.0.250
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.14.68.158
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.14.0.250, timeout is 2 seconds:
Packet sent with a source address of 10.14.68.158
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 MS

Thank you for your help!

15 Replies

Hello,

If you do a 'sh int TenGigabitEthernet1/1 trunk' and 'sh int TenGigabitEthernet1/2 trunk',
is VLAN 24 listed as an allowed VLAN?

Hello,

Yes, the VLAN is listed as allowed on both ports:

sh int tenGigabitEthernet 1/1 trunk

Port          Mode         Encapsulation  Status        Native vlan
Te1/1         on           802.1q         trunk-inbndl  1
                                      (Po1)

Port          Vlans allowed on trunk
Te1/1         2-24,30,90,101,104

Port          Vlans allowed and active in management domain
Te1/1         2,4-24,90,101,104

Port          Vlans in spanning tree forwarding state and not pruned
Te1/1         2,4-24,90,101,104

sh int tenGigabitEthernet 1/2 trunk

Port          Mode         Encapsulation  Status        Native vlan
Te1/2         on           802.1q         trunk-inbndl  1
                                      (Po1)

Port          Vlans allowed on trunk
Te1/2         2-24,30,90,101,104

Port          Vlans allowed and active in management domain
Te1/2         2,4-24,90,101,104

Port          Vlans in spanning tree forwarding state and not pruned
Te1/2         2,4-24,90,101,104
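The trunk output above has to be read in three stages: a VLAN must be allowed on the trunk, active in the management domain, and in spanning-tree forwarding state before a frame tagged with it will cross the link. Checking that by eye across several hops is error-prone, so here is an added example (not from the thread or from Cisco) that parses `show interfaces trunk` output and reports at which stage a given VLAN would be dropped on each trunk. The sample output is constructed from the Te1/1 figures quoted in the post.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the shape of Cisco IOS "show interfaces trunk" output,
# built from the Te1/1 figures quoted in the thread (not captured from a device).
SHOW_TRUNK = """\
Port          Mode         Encapsulation  Status        Native vlan
Te1/1         on           802.1q         trunk-inbndl  1
                                      (Po1)

Port          Vlans allowed on trunk
Te1/1         2-24,30,90,101,104

Port          Vlans allowed and active in management domain
Te1/1         2,4-24,90,101,104

Port          Vlans in spanning tree forwarding state and not pruned
Te1/1         2,4-24,90,101,104
"""

# The three VLAN sections of the command, in the order a frame has to pass them.
SECTION_HEADERS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}
STAGES = ("allowed", "active", "forwarding")


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '2-24,30,90' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> Dict[str, Dict[str, Set[int]]]:
    """Return {port: {stage: set_of_vlans}} for each trunk in the output."""
    result: Dict[str, Dict[str, Set[int]]] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port "):
            # A header line selects the section; the Mode/Status header maps to None.
            section = SECTION_HEADERS.get(line[len("Port "):].strip())
            continue
        if section is None or not line.strip():
            continue
        m = re.match(r"^(\S+)\s+([\d,\-]+)\s*$", line)
        if m:
            port, spec = m.groups()
            result.setdefault(port, {})[section] = expand_vlan_list(spec)
    return result


def missing_stages(parsed: Dict[str, Dict[str, Set[int]]], port: str, vlan: int) -> List[str]:
    """Stages at which the VLAN is dropped on this trunk; empty means it should carry."""
    stages = parsed.get(port, {})
    return [s for s in STAGES if vlan not in stages.get(s, set())]


def check_path(outputs: List[str], vlan: int) -> Dict[str, List[str]]:
    """Run the check over every trunk on the path; only failing ports are reported."""
    report: Dict[str, List[str]] = {}
    for text in outputs:
        parsed = parse_show_trunk(text)
        for port in parsed:
            missing = missing_stages(parsed, port, vlan)
            if missing:
                report[port] = missing
    return report


if __name__ == "__main__":
    parsed = parse_show_trunk(SHOW_TRUNK)
    for v in (24, 3, 30):
        print(f"VLAN {v} on Te1/1: missing {missing_stages(parsed, 'Te1/1', v) or 'nothing'}")
```

Feeding `check_path` the output from every trunk between the core and the access port gives one report for the whole path. On the sample, VLAN 24 passes all three stages, while VLAN 3 and VLAN 30 are allowed but neither active nor forwarding, which is exactly the kind of gap that would explain a client unable to reach its gateway.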

The trunks look OK. Try to re-enable 'ip routing' globally on the core switches where you have VLAN 24 configured; that sometimes helps...

Thanks for the tip,

I don't want to try that now in case something goes wrong, and there are a lot of production systems on the network at the moment.

I have to wait until people stop working for this, I guess.

ahmedshoaib
Level 4

Hi;

I have the following questions after seeing the configuration:

1. Po1 (T1/1 & T1/2) is connected to which switch?
2. As you mentioned the client is connected to 2 switches, is the client configured as Active/Standby teaming?
3. Can you verify that the client switch has VLAN 24 via the show vlan brief command?
4. Can you also verify the trunk interfaces on the client switches (first & second switch)?

Thanks & Best regards;

Hello,

1. Po1 (T1/1 & T1/2) is connected to which switch?

Po1 is the connection to the 2nd core switch.

2. As you mentioned the client is connected to 2 switches, is the client configured as Active/Standby teaming?

I'm not exactly sure what you mean.

3. Can you verify that the client switch has VLAN 24 via the show vlan brief command?

Yes, both other switches have VLAN 24.

4. Can you also verify the trunk interfaces on the client switches (first & second switch)?

From core to 1st switch:

sh int te6/4 trunk   

Port          Mode         Encapsulation  Status        Native vlan
Te6/4         on           802.1q         trunking      1

Port          Vlans allowed on trunk
Te6/4         1-4094

Port          Vlans allowed and active in management domain
Te6/4         1-2,4-24,90,101,104,900

Port          Vlans in spanning tree forwarding state and not pruned
Te6/4         1-2,4-24,90,101,104,900

From 1st to 2nd switch:

sh int gi1/0/37 trunk                     

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/37    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/37    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/37    1-2,4-24,90,101,104,900

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/37    1-2,4-24,90,101,104,900

Hi;

Can you explain the below statement to me:

"The Client is connected over 2 Switches These are the Port configs of the trunks / the port"

And also describe the client connectivity.

Thanks & Best regards;

It looks like this:

Core-Switch1 <-----Po1 (trunk)-----> Core-Switch2
    |    int te6/4 (trunk)
    |
    |    int te2/0/1 (trunk)
Switch 1
    |    int gi1/0/37 (trunk)
    |
    |    int gi0/10 (trunk)
Switch 2 -int gi0/5-----------------> Client

On the client PC I cannot reach anything; I can't even ping my gateway on VLAN 24, which is 10.14.68.158.

When I did an arp -a earlier today, the result was:

Client:

Arp -a

Schnittstelle: 10.14.68.145 --- 0xb
Internetadresse     Physische Adresse   Typ
10.14.68.158         00-14-1b-ec-00-00    Dynamisch
10.14.68.159         Ff-ff-ff-ff-ff-ff               Statisch
224.0.0.22             01-00-5e-00-00-16    Statisch
224.0.0.251           01-00-5e-00-00-fb     Statisch
224.0.0.252           01-00-5e-00-00-fc     Statisch
255.255.255.255   Ff-ff-ff-ff-ff-ff               Statisch

When I did it again now, the result was:

Client:

Arp -a

Schnittstelle: 10.14.68.145 --- 0xb
Internetadresse     Physische Adresse   Typ
10.14.68.159         Ff-ff-ff-ff-ff-ff               Statisch
224.0.0.22             01-00-5e-00-00-16    Statisch
224.0.0.251           01-00-5e-00-00-fb     Statisch
224.0.0.252           01-00-5e-00-00-fc     Statisch

The first and last lines are missing.

Hi;

Now my doubt is about 2 things:

1 - On Switch-1 (the middle switch), VLAN 24 may not be created (verify via show vlan brief).

2 - Please verify the VTP domain on all 3 switches (Core, Switch-1 & Switch-2).

Thanks & Best regards;

Hello,

1 - On Switch-1 (the middle switch), VLAN 24 may not be created (verify via show vlan brief).

The VLAN is active on Switch 1 & Switch 2:

Switch1: sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
24   TestVLAN24                       active

Switch2: sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
24   TestVLAN24                       active    Gi0/5

2 - Please verify the VTP domain on all 3 switches (Core, Switch-1 & Switch-2).

Core Switch: sh vtp status
VTP Version                     : 2
Configuration Revision          : 56
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 31
VTP Operating Mode              : Server
VTP Domain Name                 : Domainname
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Enabled
MD5 digest                      : 0xF8 0x59 0xAB 0x49 0x07 0x72 0xEE 0x34
Configuration last modified by 10.14.31.254 at 9-1-16 12:25:44
Local updater ID is 10.14.31.254 on interface Vl2 (lowest numbered VLAN interface found)

Switch1: sh vtp status

VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : Domainname
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Enabled
Device ID                       : 0008.3036.3e00
Configuration last modified by 10.14.31.254 at 9-1-16 12:25:44

Feature VLAN:
--------------
VTP Operating Mode              : Client
Maximum VLANs supported locally : 255
Number of existing VLANs        : 31
Configuration Revision          : 56
MD5 digest                      : 0xF8 0x59 0xAB 0x49 0x07 0x72 0xEE 0x34
                                  0xBD 0x31 0x74 0x52 0x5A 0x57 0x58 0x89

Switch2: sh vtp status

VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : Domainname
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Enabled
Device ID                       : f09e.6384.c900
Configuration last modified by 10.14.31.254 at 9-1-16 12:25:44

Feature VLAN:
--------------
VTP Operating Mode              : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 31
Configuration Revision          : 56
MD5 digest                      : 0xF8 0x59 0xAB 0x49 0x07 0x72 0xEE 0x34
                                  0xBD 0x31 0x74 0x52 0x5A 0x57 0x58 0x89

Hi;

Now the issue here is with reference to the VTP domain;

Please change the VTP domain name to Domainname & the VTP version to 2 on both Switch-1 & Switch-2.

Thanks & Best regards;

The name was the same on all of them; I forgot to edit the others.

When I try to change the VTP version on Switch2 I get:

vtp version 2
Cannot modify version in VTP client mode unless the system is in VTP version 3

Hi;

To modify the VTP version you need to convert the VTP mode to transparent / server on your access switches (Switch-1 & Switch-2).

Initially, as per the old output, the VTP domain was different on the core switch & access switches, which was modified.

Now your scenario becomes interesting: if the VTP domain is the same on the whole network, the VLAN exists on the switches & the VLAN is allowed on the trunk, then there is no reason for the client (VLAN 24) packet not to reach / ping the gateway.

Thanks & Best regards;

Hello,

I changed the VTP version to 2 and at the same time I noticed I'm getting

%SW_DAI-4-DHCP_SNOOPING_DENY:

on the port to which my client is connected.

I added

dhcp snooping trust

arp inspection trust

on the port and it's working now.

Thanks for your help!
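The %SW_DAI-4-DHCP_SNOOPING_DENY message that closes the thread is the access switch reporting that Dynamic ARP Inspection dropped the client's ARP because its IP/MAC pair has no entry in the DHCP snooping binding table, which is the expected outcome for a statically addressed host on an untrusted port. Trusting the port stops the checks on it; from a monitoring standpoint the deny messages are the signal worth keeping, since the same message also fires when one MAC starts answering ARP for addresses it does not own. The following is an added example (not from the thread or from Cisco) that parses such syslog lines and triages the ports producing them. The sample lines are constructed in the shape of that mnemonic; the client IP, gateway IP, VLAN and port Gi0/5 follow the thread, while the MAC addresses and the second port Gi0/7 are placeholders.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed syslog sample modelled on the %SW_DAI-4-DHCP_SNOOPING_DENY mnemonic
# from the thread. Client IP, gateway IP, VLAN and Gi0/5 follow the thread; the MAC
# addresses and Gi0/7 are placeholders, not values from the page.
SAMPLE_LOG = """\
Sep  1 12:25:44.101: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/5, vlan 24.([aaaa.bbbb.cccc/10.14.68.145/0000.0000.0000/10.14.68.158/12:25:44 UTC Thu Sep 1 2016])
Sep  1 12:25:46.220: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/5, vlan 24.([aaaa.bbbb.cccc/10.14.68.145/0000.0000.0000/10.14.68.158/12:25:46 UTC Thu Sep 1 2016])
Sep  1 12:25:47.003: %SYS-5-CONFIG_I: Configured from console by console
Sep  1 12:25:49.410: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi0/7, vlan 24.([dddd.eeee.ffff/10.14.68.150/aaaa.bbbb.cccc/10.14.68.145/12:25:49 UTC Thu Sep 1 2016])
Sep  1 12:25:51.002: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/7, vlan 24.([dddd.eeee.ffff/10.14.68.158/aaaa.bbbb.cccc/10.14.68.145/12:25:51 UTC Thu Sep 1 2016])
"""

# Fields in order: dropped count, Req/Res, interface, VLAN, then the bracketed
# sender MAC / sender IP / target MAC / target IP of the offending ARP.
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
)


class DaiDeny(NamedTuple):
    count: int
    kind: str          # "Req" or "Res": which ARP message type was dropped
    interface: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_dai_deny(line: str) -> Optional[DaiDeny]:
    """Parse one syslog line; None for lines that are not DAI denies."""
    m = DAI_DENY.search(line)
    if not m:
        return None
    return DaiDeny(int(m["count"]), m["kind"], m["intf"], int(m["vlan"]),
                   m["smac"], m["sip"], m["tip"])


def parse_log(text: str) -> List[DaiDeny]:
    return [d for d in map(parse_dai_deny, text.splitlines()) if d is not None]


def denies_per_port(events: List[DaiDeny]) -> Dict[str, int]:
    """Total dropped ARPs per interface (the count field can be more than one)."""
    totals: Counter = Counter()
    for e in events:
        totals[e.interface] += e.count
    return dict(totals)


def classify_port(events: List[DaiDeny], port: str) -> str:
    """Rough triage of why a port is producing DAI denies."""
    senders = {(e.sender_mac, e.sender_ip) for e in events if e.interface == port}
    macs = {mac for mac, _ in senders}
    if not senders:
        return "no denies"
    if len(senders) == 1:
        # One MAC, one IP: a host whose address is not in the DHCP snooping binding
        # table, typically a statically addressed client like the one in the thread.
        return "single static host"
    if len(macs) == 1:
        # One MAC answering for several IPs is the pattern DAI exists to stop.
        return "one MAC claiming several IPs"
    return "multiple hosts"


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for port, total in denies_per_port(events).items():
        print(f"{port}: {total} dropped ARPs, {classify_port(events, port)}")
```

In the sample, Gi0/5 shows the thread's situation (one MAC, one IP, all requests aimed at the gateway), while the constructed Gi0/7 lines show one MAC replying for two different IPs, including the gateway address. For a statically addressed host, IOS also offers an ARP access-list applied with `ip arp inspection filter`, which whitelists that one IP/MAC pair while leaving inspection active on the port; which approach to use is a design decision this thread does not address.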