
VLAN problem

H2Os
Level 1

Hi to all

 

Hopefully all you geniuses out there will be able to help me...

 

I have inherited an infrastructure which is working ok, but we want to separate our wireless clients from wired ones with a new VLAN. I'm starting from the bottom and working up so this is just about our core switch - a 3560G - which already has several VLANs configured and running (1, 10, 20, 99 and 100) set up by someone who knows what they are doing - i.e. not me. I have created a new VLAN (40), however I am unable to ping the (external Windows) DHCP server from the new VLAN interface using "ping 192.168.2.10 source vlan40".

 

!
version 12.2
no service pad
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
!
hostname WheelersBarnCore2
!
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
!
interface Port-channel1
!
interface Port-channel19
 switchport access vlan 99
!
interface GigabitEthernet0/1
 description UKTSTSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 description UKDEVSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
 description VPN Private
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
 description UKTSTSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/7
 description UKDEDSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 duplex full
 speed 1000
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/8
 description UKHSTSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/9
 description UKSRV05 exp
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/10
 description UKDEVSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/11
 description NAS on UKSRV05
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/12
 description UKHSTSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/13
 description UKBAKSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/14
 description TopSwitch port A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 mls qos trust cos
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/15
 description UKEXCHSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
 description UKEXCHSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/17
 description UKBAKSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/18
 description PIX Ethernet 1
 switchport access vlan 20
!
interface GigabitEthernet0/19
 description CheckPoint WAN
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/20
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 macro description cisco-wireless
 auto qos voip trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/22
 description VPN Public
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/23
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description WheelersBarn2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/26
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/27
 description RutlandMezz
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/28
 description Rutland GS728TP
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.1.3 255.255.255.0
 standby version 2
 standby 10 ip 192.168.1.1
 standby 10 priority 90
 standby 10 preempt
!
interface Vlan20
 ip address 192.168.2.3 255.255.255.0
 ip access-group INCOMING in
 standby version 2
 standby 20 ip 192.168.2.1
 standby 20 priority 110
 standby 20 preempt
!
interface Vlan40
 ip address 192.168.4.3 255.255.255.0
 ip helper-address 192.168.2.10
 standby version 2
 standby 40 ip 192.168.4.1
 standby 40 priority 130
 standby 40 preempt
!
interface Vlan99
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 192.168.16.0 255.255.240.0 192.168.2.5
ip route 192.168.21.0 255.255.255.0 192.168.2.5
ip route 192.168.24.0 255.255.255.0 192.168.2.5
ip route 192.168.50.0 255.255.255.0 192.168.2.5
ip route 192.168.51.80 255.255.255.248 192.168.2.5
ip route 192.168.51.88 255.255.255.248 192.168.2.5
ip route 192.168.55.0 255.255.255.0 192.168.2.225
ip route 192.168.254.0 255.255.255.0 192.168.254.1
ip http server
ip http authentication local
!
!
!
ip access-list extended INCOMING
 deny   ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
ntp clock-period 36028716
ntp server 130.88.202.49
!
end

I have configured the DHCP with a new scope but from what I've read, it won't work until the switch does.

>>Edit: Forgot to mention that DHCP is 192.168.2.10, on GigabitEthernet0/9

 

Any help would be much appreciated...

 

 

25 Replies

Hulk8647
Level 1

 

Can you provide the following?

 

show int vl 40
show ip route

 

I certainly can:

Vlan40 is up, line protocol is up
  Hardware is EtherSVI, address is 0012.01d0.ad44 (bia 0012.01d0.ad44)
  Internet address is 192.168.4.3/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 01:18:47, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     653 packets input, 144100 bytes, 0 no buffer
     Received 0 broadcasts (118 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     6707 packets output, 656446 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.254 to network 0.0.0.0

S    192.168.24.0/24 [1/0] via 192.168.2.5
S    192.168.55.0/24 [1/0] via 192.168.2.225
C    192.168.4.0/24 is directly connected, Vlan40
S    192.168.21.0/24 [1/0] via 192.168.2.5
     192.168.51.0/29 is subnetted, 2 subnets
S       192.168.51.88 [1/0] via 192.168.2.5
S       192.168.51.80 [1/0] via 192.168.2.5
S    192.168.50.0/24 [1/0] via 192.168.2.5
C    192.168.1.0/24 is directly connected, Vlan10
C    192.168.2.0/24 is directly connected, Vlan20
S*   0.0.0.0/0 [1/0] via 192.168.1.254
S    192.168.16.0/20 [1/0] via 192.168.2.5

And are you pinging its gateway at least?

ping 192.168.2.1 so vl 40

Also post this

show standby 

 

Yes - pings seem to work from everything to everything inside the switch, and from all other VLANs to the DHCP, just not vlan40...

 

WheelersBarnCore2#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
WheelersBarnCore2#ping 192.168.2.1 source vlan40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
WheelersBarnCore2#show standby
Vlan10 - Group 10 (version 2)
  State is Active
    2 state changes, last state change 43w3d
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c9f.f00a
    Local virtual MAC address is 0000.0c9f.f00a (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.391 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 90 (configured 90)
  IP redundancy name is "hsrp-Vl10-10" (default)
Vlan20 - Group 20 (version 2)
  State is Active
    2 state changes, last state change 43w3d
  Virtual IP address is 192.168.2.1
  Active virtual MAC address is 0000.0c9f.f014
    Local virtual MAC address is 0000.0c9f.f014 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.382 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 110 (configured 110)
  IP redundancy name is "hsrp-Vl20-20" (default)
Vlan40 - Group 40 (version 2)
  State is Active
    2 state changes, last state change 05:45:17
  Virtual IP address is 192.168.4.1
  Active virtual MAC address is 0000.0c9f.f028
    Local virtual MAC address is 0000.0c9f.f028 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.765 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 130 (configured 130)
  IP redundancy name is "hsrp-Vl40-40" (default)

Sorry, looks like you missed my update, can you actually source the ping from vlan 40?
ping 192.168.2.1 so vl 40

WheelersBarnCore2#ping 192.168.2.1 so vl 40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Are you plugging into the same switch and failing to get DHCP (which interface?) or is it failing from a downstream switch? I don't see any interfaces assigned to VLAN 40 and we'll want to verify that VLAN 40 exists on other switches and verify trunking if it's the latter.

We have a 1231 WAP attached to GigabitEthernet0/21, which ultimately will have two SSIDs - one for employees (VLAN 20) and one for guests (VLAN 40).

 

There won't be any other physical ports on VLAN 40, however tomorrow morning (GMT) I will assign one of the spare ports and plug a PC in to see what happens...

Reconfigured GigabitEthernet0/3:

interface GigabitEthernet0/3
 switchport access vlan 40
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
end

PC directly connected to this port defaults IP to 169.254.x.x

Hello

DHCP server = 192.169.2.10

Helper address 192.168.2.10 (note: helper address is the address of the dhcp server)

You have the server attached to gig0/9 on vlan 20?

Vlan 20 - 192.168.2.0/24

Vlan10 - 192.168.1.0/24 -default route vlan

vlan 40  -  192.168.4.0 /24 - new vlan

 

So if this DHCP server isn't in the same vlan as vlan 20, why is it attached to vlan 20? Because if it is off the network it should be on vlan40 and the SVI vlan 40 should have a secondary address in 192.169.2.x/24

 

int gig0/9
switchport access vlan 40

 

int vlan 40
ip address 192.169.2.4 255.255.255.0 secondary

 

res

Paul

 

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sorry Paul - that was a typo; should be 168 - have corrected it.

Can you verify if the DHCP server is directly connected to the switch where you configured SVI for vlan 40 or is it connected to some other switch?

DHCP is directly connected to gig0/9 on the 3560G - have spent time in the server room tracing cables to make sure...

And as I understand all other SVI interfaces are able to ping the DHCP server other than vlan 40? Is there any other machine on the same subnet as the DHCP server that you can try to ping from vlan 40?

One last thing is there a dhcp scope for vlan 40 on the dhcp server?

 
