VLAN doesn't work after replacing core switch and route

blin
Level 1

We hired a consultant to replace a PIX (default gateway) with an ASA, and a 3650 switch (core) with a 3570. VLAN 1/the private network works fine. However, all the other VLANs, such as VLAN 100, 200, 300 and 400, don't work. The consultant then tried for many hours to make the other switches work. He said he didn't make any changes on the working switch. So he suggested that we reboot all the switches. We have tried rebooting the other switches, but that doesn't fix the problem. The consultant is out of ideas.

For a test, I configured a port on the working switch to use VLAN 300, and my laptop gets a good IP from the DHCP server that is located in VLAN 200. If I use the same port configuration on the problematic switch, my laptop doesn't receive an IP from the DHCP server. From the problematic switch, I can ping the DHCP server. "show vlan" displays all VLANs on the problematic switch. What could be the problem?

11 Replies

sheldonscott
Level 1

Try putting a static address on a computer on the problem switch, for let's say VLAN 200, first, instead of pulling a DHCP address. Without looking at the configurations, you may need an IP helper address to get DHCP addresses to the hosts.

ericn8484_2
Level 1

What does the configuration of the ASA firewall look like? Because you are using the ASA as your default gateway, the ASA is going to need a subinterface configured for every one of your VLANs. Also, what model of ASA do you have, and which license? That dictates how many VLANs you are allowed.

example configuration:

http://www.networkfoo.org/cisco-articles/configuring-cisco-asa-8021q-vlan-trunk-extreme-summit-400-48t-network-switches

Forgot to mention: if I set up two computers in VLAN 200 or 300, they can ping each other, but not the DHCP server or the default gateway.

Also, the default gateway is the core switch, 10.0.0.2 (the same IP address as the removed PIX), and the core switch points to the ASA (IP 10.0.20.1, the old core switch's IP address).

OK, so it sounds like you have a Cisco ASA firewall which connects into a Cisco 3560, which is your core switch, which then connects to the other switches in your environment. Is the Cisco 3560 series switch the one that has all the VLANs assigned and the default gateways, or is it your ASA firewall?

Sorry, I gave incorrect information. The core switch and most of the new switches are 3750s. The others are 3500 and 3600 switches. Also, when I did more tests, I found that static settings work. If I assign a static IP, DG and DNS, the VLAN 200/300 clients can access the Internet.

Most of the switches' DG is 10.0.0.2, the core switch. Some switches don't have a DG set up. Even on the switches with the correct DG 10.0.0.2, VLAN 200/300 clients can't get an IP.

OK, let's keep it simple and focus on two switches only.

            Core 3750 switch 10.0.0.2
            |                       |
    non-work switch           work switch
    10.0.20.12                10.0.20.13
    int G1/0/13               int G3/0/11

Both ports are configured the same, as shown below.

    switchport access vlan 300
    switchport mode access
    no ip address
    no mdix auto
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree bpduguard enable

The 10.0.20.13 port int G3/0/11 works and the 10.0.20.12 port int G1/0/13 doesn't. I also attached both running-config files.


Can we clarify the setup?

You have a 3750 switch as the core switch, which is routing for all VLANs, i.e. VLAN 1, 200, 300. Is this correct?

You have other switches, which are a mixture of 3550, 3560 and 3750s, which are connected to the 3750 via L2 trunks?

You have an ASA firewall which is connected to the 3750? On the 3750 you have a default route pointing to the ASA inside interface.

You can access the internet from vlan 200/300 if you statically assign IPs instead of relying on DHCP ?

If the above is all correct can you

1) confirm what is the DHCP server and what it's IP address is

2) post the running config of the 3750 which is responsible for routing vlans 1,200,300

3) post the running config of one of the other switches where you are connecting a client in vlan 200 or 300 (you may already have attached this in your last post -   just let me know)

4) post the output of "sh vlan" from both of the above switches

5) post the output of "sh ip route" from the 3750 doing the inter-vlan routing

Apologies for asking for so much but it is needed.

Jon

Hello,

As per my understanding, you need to enable routing on the L3 switch with the command

conf t

ip routing

This enables reachability between the VLANs defined on the L3 switch,

so try enabling routing on all the new switches.

I am sure that you have already enabled the ip routing command on all the old switches.

Best Regards,

Jigar Dave
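Taking sheldonscott's ip helper-address point and Jigar's ip routing point together, here is an added example of what the core 3750 and one access port would look like. It is not the thread's attached running-config. The addresses 10.0.0.2 (core, VLAN 1) and 10.0.20.1 (ASA inside) come from the thread; the VLAN 1 mask, the VLAN 200/300 subnets (10.2.0.0/24, 10.3.0.0/24), the DHCP server address 10.2.0.10 and the interface names are assumptions.

```cisco
! Core 3750 (assumed example, not the thread's attachment).
! Without this line the 3750 is a pure L2 switch and the SVIs never route.
ip routing
!
vlan 100,200,300,400
!
! Management/VLAN 1 SVI. 10.0.0.2 is from the thread; the /16 mask is assumed
! so that the ASA at 10.0.20.1 is on the same subnet.
interface Vlan1
 ip address 10.0.0.2 255.255.0.0
!
! Server VLAN. The DHCP server (assumed 10.2.0.10) lives here, so clients in
! VLAN 200 reach it by broadcast and need no helper.
interface Vlan200
 description server VLAN
 ip address 10.2.0.1 255.255.255.0
!
! Client VLAN. A DHCP DISCOVER is a broadcast and never crosses the SVI on its
! own; the helper relays it as a unicast to the server in VLAN 200.
interface Vlan300
 description client VLAN
 ip address 10.3.0.1 255.255.255.0
 ip helper-address 10.2.0.10
!
! Everything not locally connected goes to the ASA inside interface.
ip route 0.0.0.0 0.0.0.0 10.0.20.1
!
! Uplink to an access switch. The 3750 needs the encapsulation set before it
! accepts "switchport mode trunk". Interface name assumed.
interface GigabitEthernet1/0/1
 description trunk to access switch 10.0.20.12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,100,200,300,400
!
! Access switch: client port in VLAN 300, same as the thread's port but
! without bpdufilter (see the note below).
interface GigabitEthernet1/0/13
 switchport mode access
 switchport access vlan 300
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Two checks go with this. First, the DHCP server must hold a scope for 10.3.0.0/24 (the relay fills in giaddr with 10.3.0.1, which is how the server picks the scope) and must use 10.2.0.1 as its own default gateway, otherwise the OFFER has no way back. Verify with "show ip route" and "show ip interface brief" on the 3750. Second, the port config quoted earlier in the thread carries both "spanning-tree bpdufilter enable" and "spanning-tree bpduguard enable": with interface-level bpdufilter the port neither sends nor receives BPDUs, so bpduguard on the same port can never trigger. Keep bpduguard (the port err-disables if someone plugs a switch into it) and drop bpdufilter.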

CSCO11167812
Level 1

Hi,

Try the "show interface trunk" command to see if the VLANs are transported over the trunks.

Also look at spanning-tree for blocked vlans.

hth

Michel

I opened a case with Cisco. It seems to work now. I will post back with more details. Thank you for all help.

Solved: I found the problem is that the VTP password doesn't match. A similar case can be found here: New created VLAN doesn't work on some of switches - http://www.chicagotech.net/netforums/viewtopic.php?f=5&t=14236
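The resolution was a VTP password mismatch. As an added example that is not part of the thread, this is how to confirm that on the CLI and fix it on the non-working switch, followed by the hardening a practitioner would apply afterwards. The domain name CBG, the password and the VLAN list are assumptions, and the show output quoted in the comments is constructed to illustrate which fields to compare.

```cisco
! 1. Compare VTP state on the core 3750 (server) and the non-working access
!    switch. Constructed illustration of the fields that matter:
!      core:    VTP Domain Name : CBG   Configuration Revision : 12
!               MD5 digest      : 0x3A 0x1B 0xC5 0x7D ...
!      access:  VTP Domain Name : CBG   Configuration Revision : 7
!               MD5 digest      : 0x9C 0x40 0x12 0xE8 ...
!    The digest covers the VLAN database plus the VTP password. Same domain
!    but a lower revision and a different digest means the access switch is
!    rejecting the server's advertisements; a wrong password is the usual cause.
show vtp status
! The password is not in the running-config; this shows it in clear text.
show vtp password
!
! 2. Fix on the access switch (VTP client): re-enter the password exactly as
!    on the server. Values assumed.
configure terminal
 vtp domain CBG
 vtp password s3cret
 vtp mode client
end
!
! 3. Verify the database synchronised and VLAN 300 is usable end to end:
!    revision and digest now match the core, the VLAN exists locally, it is
!    allowed and active on the uplink trunk, and it is not blocked by STP.
show vtp status
show vlan brief | include 300
show interfaces trunk
show spanning-tree vlan 300
!
! 4. Hardening. Any switch joining the domain with a higher revision number
!    overwrites every other switch's VLAN database (the classic VTP wipe), and
!    a shared password is the only thing standing in the way. Switches that
!    only need a fixed VLAN set are safer out of VTP with the VLANs defined
!    locally; transparent mode still forwards VTP frames for the rest.
configure terminal
 vtp mode transparent
 vlan 100,200,300,400
end
```

Run step 1 on both switches before changing anything; if the domain names differ, fix that first, because a switch in a different domain ignores the advertisements regardless of the password. Before reconnecting any switch that has been elsewhere, check "show vtp status" for a revision higher than the core's and reset it (changing the domain name and back, or setting transparent mode) so it cannot overwrite the production VLAN database.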
