
VLAN problem

H2Os
Level 1

Hi to all

Hopefully all you geniuses out there will be able to help me...

I have inherited an infrastructure which is working ok, but we want to separate our wireless clients from wired ones with a new VLAN. I'm starting from the bottom and working up so this is just about our core switch - a 3560G - which already has several VLANs configured and running (1, 10, 20, 99 and 100) set up by someone who knows what they are doing - i.e. not me. I have created a new VLAN (40), however I am unable to ping the (external Windows) DHCP server from the new VLAN interface using "ping 192.168.2.10 source vlan40".

!
version 12.2
no service pad
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
!
hostname WheelersBarnCore2
!
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
!
interface Port-channel1
!
interface Port-channel19
 switchport access vlan 99
!
interface GigabitEthernet0/1
 description UKTSTSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 description UKDEVSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
 description VPN Private
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
 description UKTSTSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/7
 description UKDEDSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 duplex full
 speed 1000
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/8
 description UKHSTSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/9
 description UKSRV05 exp
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/10
 description UKDEVSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/11
 description NAS on UKSRV05
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/12
 description UKHSTSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/13
 description UKBAKSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/14
 description TopSwitch port A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 mls qos trust cos
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/15
 description UKEXCHSRV01 NIC 2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
 description UKEXCHSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/17
 description UKBAKSRV01 NIC 1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/18
 description PIX Ethernet 1
 switchport access vlan 20
!
interface GigabitEthernet0/19
 description CheckPoint WAN
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/20
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 macro description cisco-wireless
 auto qos voip trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/22
 description VPN Public
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/23
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description WheelersBarn2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/26
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/27
 description RutlandMezz
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/28
 description Rutland GS728TP
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.1.3 255.255.255.0
 standby version 2
 standby 10 ip 192.168.1.1
 standby 10 priority 90
 standby 10 preempt
!
interface Vlan20
 ip address 192.168.2.3 255.255.255.0
 ip access-group INCOMING in
 standby version 2
 standby 20 ip 192.168.2.1
 standby 20 priority 110
 standby 20 preempt
!
interface Vlan40
 ip address 192.168.4.3 255.255.255.0
 ip helper-address 192.168.2.10
 standby version 2
 standby 40 ip 192.168.4.1
 standby 40 priority 130
 standby 40 preempt
!
interface Vlan99
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 192.168.16.0 255.255.240.0 192.168.2.5
ip route 192.168.21.0 255.255.255.0 192.168.2.5
ip route 192.168.24.0 255.255.255.0 192.168.2.5
ip route 192.168.50.0 255.255.255.0 192.168.2.5
ip route 192.168.51.80 255.255.255.248 192.168.2.5
ip route 192.168.51.88 255.255.255.248 192.168.2.5
ip route 192.168.55.0 255.255.255.0 192.168.2.225
ip route 192.168.254.0 255.255.255.0 192.168.254.1
ip http server
ip http authentication local
!
!
!
ip access-list extended INCOMING
 deny   ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
ntp clock-period 36028716
ntp server 130.88.202.49
!
end

I have configured the DHCP with a new scope but from what I've read, it won't work until the switch does.

>>Edit: Forgot to mention that DHCP is 192.168.2.10, on GigabitEthernet0/9

Any help would be much appreciated...

25 Replies

1. That's correct
2. There are and I cannot ping them either
3. Yes, but it has not been reached

Hello

Okay nw -

Just to confirm do you have the correct scope on the dhcp server for vlan 40

Is the L2 vlan40 created in the vtp D/B

Is vlan 40 allowed to traverse the switch trunks?
Are the clients assigned to vlan40 on the access ports ?

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul - Thanks for helping and I will try to answer your questions...

1. I think so, the scope is 192.168.4.100 - 192.168.4.199 (255.255.255.0)

2. How do I check this?

3. As far as I know the trunks will allow all vlans won't they? But this is all on one switch so will it matter?

4. Only one port (gig0/3) assigned to vlan40 - I get a 169.254 IP when I plug a PC in to it.

Sorry for the vagueness but I really don't know what I'm doing...

Why don't you statically configure the PC with a vlan40 IP address (any in the subnet) and then try your pings. Once you configure that, ping 192.168.2.10 (the DHCP helper address you configured).

Doesn't look like your VLAN40 scope is defined correctly.

Hello

@H2Os wrote:

Hi Paul - Thanks for helping and I will try to answer your questions...

1. I think so, the scope is 192.168.4.100 - 192.168.4.199 (255.255.255.0)

2. How do I check this?  --  On the dhcp server

3. As far as I know the trunks will allow all vlans won't they? But this is all on one switch so will it matter? - not applicable then

4. Only one port (gig0/3) assigned to vlan40 - I get a 169.254 IP when I plug a PC in to it.

Looking at your OP it seems gig0/3 is on vlan 20, not vlan 40

sh int gig0/3 status
sh port-security interface gig0/3
sh vlan

res

Paul



Hi,

If possible please do the following to narrow the issue:

* Please connect a desktop/laptop/server to any available interface on the switch and assign it to vlan 20 with a clean configuration (no port security or macros), and assign any available static address to this machine in vlan 20 - 192.168.2.x

int xx
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!

Once you have this configuration in place, try to ping that address in vlan 20 from the vlan 40 SVI. I just want to rule out any issues caused by the port-security and macro configuration on the interface.

Hi Hulk/Paul/Cofee

Again, thanks for taking the time to look at this for me - I am relocating to the server room with a coat...


Hulk:

Laptop connected to gi0/3 - vlan 40 - static ip 192.168.4.100

xxxx#sh run int gi0/3
interface GigabitEthernet0/3
 switchport access vlan 40
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Laptop can ping 192.168.4.1 (vlan40) and 192.168.2.1 (vlan20), but cannot ping 192.168.2.x (timeout)

3560G can ping 192.168.4.100 through both int vlan20 and vlan40

xxxx#ping 192.168.4.100 source vlan20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.100, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

xxxx#ping 192.168.4.100 source vlan40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.100, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

DHCP server cannot ping laptop

----

Paul:

xxxx#sh int gi0/3 status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/3                        connected    40         a-full a-1000 10/100/1000BaseTX

xxxx#sh port-security interface gi0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : a4ba.db9e.f721:40
Security Violation Count   : 0

xxxx#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/25, Gi0/26
10   Sxxxxxxxxx                       active
20   Hxxxxxxxxx                       active    Gi0/1, Gi0/2, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/11, Gi0/12, Gi0/13
                                                Gi0/15, Gi0/16, Gi0/17, Gi0/18
                                                Gi0/20, Gi0/23
40   Axxxxxxxxx                       active    Gi0/3
99   Internet                         active    Gi0/19, Gi0/22
100  Axxxxxxxxx                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
40   enet  100040     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
100  enet  100100     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

----

Cofee:

Laptop connected to gi0/4 - vlan 20 - dhcp assigned ip 192.168.2.129

xxxx#sh run int gi0/4
interface GigabitEthernet0/4
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Laptop can ping any valid 192.168.2.x address
Laptop can ping VLAN40 interface (192.168.4.1)

3560G can ping 192.168.4.100 through both int vlan20 and vlan40

xxxx#ping 192.168.2.129 source vlan20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.129, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
xxxx#ping 192.168.2.129 source vlan40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.129, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

DHCP server can ping laptop

----

If the 3560G can ping 192.168.2.129 from vlan40 but can't ping 192.168.2.10, what does this mean?

(FYI: there is no firewall on 192.168.2.10)

Thanks again guys...
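A check worth running against a config like the one posted in this thread, added here as an example (not from the thread, the poster, or Cisco): it parses the IOS interface stanzas, reports what the relay on Vlan40 will present to the DHCP server (giaddr is the SVI's primary address 192.168.4.3, so the server must be able to route back to 192.168.4.0/24, the same path the failed pings from that SVI take), and flags trunks whose native VLAN is also the server VLAN 20. SAMPLE_CONFIG is a constructed excerpt modelled on the posted running-config.

```python
import ipaddress
import re
# Constructed excerpt modelled on the 3560G config posted in the thread
# (trimmed to what the checks need); not the switch's full configuration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/9
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet0/14
 switchport trunk native vlan 20
 switchport mode trunk
interface Vlan20
 ip address 192.168.2.3 255.255.255.0
interface Vlan40
 ip address 192.168.4.3 255.255.255.0
 ip helper-address 192.168.2.10
 standby 40 ip 192.168.4.1
"""

def parse_interfaces(text):
    """Group each IOS 'interface' stanza's indented lines under its name."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # an unindented global line ends the stanza
    return interfaces

def relay_expectations(interfaces):
    """For each 'ip helper-address', report what the DHCP server will see: the
    relay unicasts the request with giaddr = the SVI's primary address (not the
    HSRP VIP), and the server replies to giaddr, so it needs a route to return_net."""
    nets = {}
    for name, lines in interfaces.items():
        for l in lines:
            m = re.match(r"ip address (\S+) (\S+)$", l)
            if m and name.startswith("Vlan"):
                nets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    report = []
    for name, lines in interfaces.items():
        for l in lines:
            m = re.match(r"ip helper-address (\S+)$", l)
            if m and name in nets:
                helper = ipaddress.ip_address(m.group(1))
                server_svi = next((n for n, i in nets.items() if helper in i.network), None)
                report.append({"svi": name, "helper": str(helper), "giaddr": str(nets[name].ip),
                               "return_net": str(nets[name].network), "server_svi": server_svi})
    return report

def trunks_with_data_native_vlan(interfaces):
    """Flag trunks whose native VLAN is also a host access VLAN here: untagged
    trunk frames land in that VLAN (VLAN-hopping exposure), so use an unused one."""
    access = {l.split()[-1] for ls in interfaces.values()
              for l in ls if l.startswith("switchport access vlan ")}
    flagged = []
    for name, lines in interfaces.items():
        native = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")]
        if "switchport mode trunk" in lines and native and native[0] in access:
            flagged.append((name, native[0]))
    return flagged
```

To use it on a real switch, save the output of show running-config to a file and pass its contents to parse_interfaces in place of SAMPLE_CONFIG.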

Did you look at the event logs on dhcp server and look for any errors that would point to machine in vlan 40 not receiving ip address from the dhcp server?

You can now remove the static IP from the machine in vlan 40 and configure it so it will attempt to reach dhcp server for an ip address and while that happens please run this command to debug dhcp packets "debug dhcp detail".

Can't see anything untoward in the DHCP log, and no references to 192.168.4.x either...

This is all I can see from monitor:

001739: .May 15 16:00:28.918 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
001740: .May 15 16:00:29.925 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
001741: .May 15 16:01:34.349 UTC: DHCPD: checking for expired leases.
001742: .May 15 16:03:34.357 UTC: DHCPD: checking for expired leases.
001742: .May 15 16:05:34.364 UTC: DHCPD: checking for expired leases.

I'm guessing if there was going to be anything else, it would have happened by now...?

But even when you statically assigned a vlan40 address to a PC, you still couldn't ping the DHCP server with it, right?

With all the troubleshooting steps you have taken so far and looking at the results, now it appears to be a DHCP issue and not an inter-vlan routing issue.