3750 VLAN Routing Issue

Devry84

Technical User
Nov 27, 2012
14
US
I am installing two Cisco 3750 switches for the first time for the company that I work for. I have the switches configured for management vlan (1) and two production vlans (20 and 30). The problem that I am experiencing is that I can access vlan 30 from vlan 20 but I cannot access vlan 20 from vlan 30. As you can see in the config I have no access-list defined that would block the traffic.

What would cause this to occur?

Included are the switch configurations.
VLAN_Development#
Building configuration...

Current configuration : 4549 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname VLAN_Development
!
!
no aaa new-model
switch 1 provision ws-c3750-48p
switch 2 provision ws-c3750-48p
ip subnet-zero
ip routing
!
ip dhcp pool vlan20
network 10.10.0.0 255.255.255.0
default-router 10.10.0.254
lease 7
!
ip dhcp pool vlan30
network 192.168.80.0 255.255.255.0
default-router 192.168.80.2
lease 7
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
switchport access vlan 30
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
switchport access vlan 20
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface FastEthernet1/0/25
!
interface FastEthernet1/0/26
!
interface FastEthernet1/0/27
!
interface FastEthernet1/0/28
!
interface FastEthernet1/0/29
!
interface FastEthernet1/0/30
!
interface FastEthernet1/0/31
!
interface FastEthernet1/0/32
!
interface FastEthernet1/0/33
!
interface FastEthernet1/0/34
!
interface FastEthernet1/0/35
!
interface FastEthernet1/0/36
!
interface FastEthernet1/0/37
!
interface FastEthernet1/0/38
!
interface FastEthernet1/0/39
!
interface FastEthernet1/0/40
!
interface FastEthernet1/0/41
!
interface FastEthernet1/0/42
!
interface FastEthernet1/0/43
!
interface FastEthernet1/0/44
!
interface FastEthernet1/0/45
!
interface FastEthernet1/0/46
!
interface FastEthernet1/0/47
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface FastEthernet2/0/1
!
interface FastEthernet2/0/2
!
interface FastEthernet2/0/3
!
interface FastEthernet2/0/4
!
interface FastEthernet2/0/5
!
interface FastEthernet2/0/6
!
interface FastEthernet2/0/7
!
interface FastEthernet2/0/8
!
interface FastEthernet2/0/9
!
interface FastEthernet2/0/10
!
interface FastEthernet2/0/11
!
interface FastEthernet2/0/12
!
interface FastEthernet2/0/13
!
interface FastEthernet2/0/14
!
interface FastEthernet2/0/15
!
interface FastEthernet2/0/16
!
interface FastEthernet2/0/17
!
interface FastEthernet2/0/18
!
interface FastEthernet2/0/19
!
interface FastEthernet2/0/20
!
interface FastEthernet2/0/21
!
interface FastEthernet2/0/22
!
interface FastEthernet2/0/23
!
interface FastEthernet2/0/24
!
interface FastEthernet2/0/25
!
interface FastEthernet2/0/26
!
interface FastEthernet2/0/27
!
interface FastEthernet2/0/28
!
interface FastEthernet2/0/29
!
interface FastEthernet2/0/30
!
interface FastEthernet2/0/31
!
interface FastEthernet2/0/32
!
interface FastEthernet2/0/33
!
interface FastEthernet2/0/34
!
interface FastEthernet2/0/35
!
interface FastEthernet2/0/36
!
interface FastEthernet2/0/37
!
interface FastEthernet2/0/38
!
interface FastEthernet2/0/39
!
interface FastEthernet2/0/40
!
interface FastEthernet2/0/41
!
interface FastEthernet2/0/42
!
interface FastEthernet2/0/43
!
interface FastEthernet2/0/44
!
interface FastEthernet2/0/45
!
interface FastEthernet2/0/46
!
interface FastEthernet2/0/47
!
interface FastEthernet2/0/48
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface Vlan1
ip address 172.16.0.100 255.255.255.0
!
interface Vlan20
ip address 10.10.0.254 255.255.255.0
!
interface Vlan30
ip address 192.168.80.2 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 192.168.80.0
auto-summary
eigrp stub connected summary
!
ip classless
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4
no login
line vty 5 15
no login
!
end


TOP3750#sho run
Building configuration...

Current configuration : 2897 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TOP3750
!
!
no aaa new-model
switch 2 provision ws-c3750-48p
ip subnet-zero
ip routing
!
ip dhcp pool vlan20
network 10.10.0.0 255.255.255.0
default-router 10.10.0.253
lease 7
!
ip dhcp pool vlan30
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
lease 7
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet2/0/1
switchport access vlan 20
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet2/0/2
!
interface FastEthernet2/0/3
switchport access vlan 30
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet2/0/4
!
interface FastEthernet2/0/5
!
interface FastEthernet2/0/6
!
interface FastEthernet2/0/7
!
interface FastEthernet2/0/8
!
interface FastEthernet2/0/9
!
interface FastEthernet2/0/10
!
interface FastEthernet2/0/11
!
interface FastEthernet2/0/12
!
interface FastEthernet2/0/13
!
interface FastEthernet2/0/14
!
interface FastEthernet2/0/15
!
interface FastEthernet2/0/16
!
interface FastEthernet2/0/17
!
interface FastEthernet2/0/18
!
interface FastEthernet2/0/19
!
interface FastEthernet2/0/20
!
interface FastEthernet2/0/21
!
interface FastEthernet2/0/22
!
interface FastEthernet2/0/23
!
interface FastEthernet2/0/24
!
interface FastEthernet2/0/25
!
interface FastEthernet2/0/26
!
interface FastEthernet2/0/27
!
interface FastEthernet2/0/28
!
interface FastEthernet2/0/29
!
interface FastEthernet2/0/30
!
interface FastEthernet2/0/31
!
interface FastEthernet2/0/32
!
interface FastEthernet2/0/33
!
interface FastEthernet2/0/34
!
interface FastEthernet2/0/35
!
interface FastEthernet2/0/36
!
interface FastEthernet2/0/37
!
interface FastEthernet2/0/38
!
interface FastEthernet2/0/39
!
interface FastEthernet2/0/40
!
interface FastEthernet2/0/41
!
interface FastEthernet2/0/42
!
interface FastEthernet2/0/43
!
interface FastEthernet2/0/44
!
interface FastEthernet2/0/45
!
interface FastEthernet2/0/46
!
interface FastEthernet2/0/47
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet2/0/48
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface Vlan1
ip address 172.16.0.101 255.255.255.0
!
interface Vlan20
ip address 10.10.0.253 255.255.255.0
!
interface Vlan30
ip address 192.168.80.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 192.168.80.0
auto-summary
eigrp stub connected summary
!
ip classless
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4
no login
line vty 5 15
no login
!
end
 
I did consider that and I verified that both default routes were correct.

 
You have a basic design flaw: you have 2 routers (both switches are routing) and both of these routers have the same subnets on them, associated with the same VLANs.

Two routers should NOT have the same VLANs on them, except for the point-to-point link between them if the subnet on that link is configured on VLAN interfaces, in which case the single link VLAN should be on those connecting interfaces.

Two routers should NOT have the same subnets on them, except,
- on the point-to-point subnet that links them to each other
and
- when they are participating in HSRP together.

I don't know what your physical topology is like, but you need to fix this in one of 3 ways:

1/ Join the switches with stacking cables, thus merging the two routers into one.
2/ Configure HSRP between them
3/ Change the subnets so they don't clash
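
The check described in the post above, as an added example that is not part of the original thread: it parses the SVI stanzas of the two posted configs and reports every subnet that is addressed on more than one routing switch, skipping subnets where all members run HSRP. The function names and the `link_subnets` parameter (for the inter-router link subnet) are assumptions made for this sketch.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed excerpts: SVI stanzas copied from the two configs in the thread.
CONFIGS = {
    "VLAN_Development": """
interface Vlan20
 ip address 10.10.0.254 255.255.255.0
interface Vlan30
 ip address 192.168.80.2 255.255.255.0
""",
    "TOP3750": """
interface Vlan20
 ip address 10.10.0.253 255.255.255.0
interface Vlan30
 ip address 192.168.80.1 255.255.255.0
""",
}
IFACE = re.compile(r"^interface (\S+)")
ADDR = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
HSRP = re.compile(r"^\s*standby (\d+ )?ip\b")

def l3_interfaces(config):
    """Return {interface: [IPv4Interface, has_hsrp]} for every addressed interface."""
    found, current = {}, None
    for line in config.splitlines():
        if m := IFACE.match(line):
            current = m.group(1)
        elif (m := ADDR.match(line)) and current:
            found[current] = [ipaddress.ip_interface("/".join(m.groups())), False]
        elif HSRP.match(line) and current in found:
            found[current][1] = True
    return found

def clashing_subnets(configs, link_subnets=()):
    """Subnets addressed on 2+ devices, minus inter-router links and full HSRP pairs."""
    by_net = defaultdict(list)
    for host, cfg in configs.items():
        for name, (ip, hsrp) in l3_interfaces(cfg).items():
            by_net[str(ip.network)].append((host, name, hsrp))
    return {net: sorted((h, n) for h, n, _ in members)
            for net, members in by_net.items()
            if net not in link_subnets
            and len({h for h, _, _ in members}) > 1
            and not all(hsrp for _, _, hsrp in members)}

if __name__ == "__main__":
    for net, members in clashing_subnets(CONFIGS).items():
        print(f"{net} has an SVI on more than one routing switch: {members}")
```
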
 
I probably should have mentioned this earlier. When I first received the switches I configured just one of them and placed port 1 in vlan20 and port 3 in vlan30. I received the same results that I am getting when I had both switches connected via a trunk. I can ping from vlan 20 to vlan 30 but I cannot ping from vlan 30 to vlan 20.

 
Are you pinging from a laptop to a laptop or are you pinging the SVI?
 
I have a personal computer attached to a port assigned to VLAN 20 and 30.
 
It appears that this problem may be related to an issue with the XP pro desktop that I am using. I did a debug on one of the switches yesterday and I see where the destination address captured is not what I specified.

I reversed the attachment of the computers that I was using and the problem followed the desktop computer. Before, I could not ping from vlan30 to vlan20, and when I moved the computers I could not ping from vlan20 to vlan30.

Any ideas what might cause this to occur with a Windows XP computer?

I have also asked the question in the Windows XP forum.

Thanks
Devry84

 
I replaced the suspect computer this morning and I did not get any different results except that when I ran debug I did not see any packets with a destination of 172.16.1.X. So now I am real confused as to what could be causing this issue.
 
Hi,
Do the following troubleshooting steps and let us know where it fails.

If possible disconnect one of the switches from the network, plug one of your test devices into vlan 20 and another test device into vlan 30
From device on vlan 20:

Open command prompt on XP machine and enter command ipconfig /all. Verify network settings
ping vlan 20 gateway
ping vlan 30 gateway
ping device on vlan 30

Repeat for vlan 30
 
I was asked earlier to complete some testing on my VLAN issue.

When I disconnect one switch and connect my computers, one to each VLAN I get the following results.

From VLAN 30 I can ping VLAN 30 gateway and VLAN 20 gateway and the single IP address for the computer attached to VLAN 20.

From VLAN 20 I can ping VLAN 20 gateway and VLAN 30 gateway and the single IP address for the computer attached to VLAN 30.

 
I just realized in reviewing my last post that I made an error.

From VLAN 20 I can ping VLAN 20 gateway and VLAN 30 gateway but I cannot ping IP address for the computer attached to VLAN 30.
 
Hi,
The config on the switch seems fine since you can ping the other vlan's gw but another test to verify it is not the switch but the PC that has the issue - can you ping the pc in vlan 30 from the switch? Ping from both the vlan 30 gw and vlan 20 gw.

switchA# ping <vlan 30 PC>

switchA# ping
Protocol [ip]:
Target IP address: <vlan 30 pc>
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: <vlan 20 GW>
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
 
The issue that I have been working seems to be an anti-virus firewall issue. I brought in a laptop from home and connected to the network and the symptoms did not change. Both laptops (and all desktops of my employer) being used have ESET NOD32 installed. After I turned off ESET NOD32 on both laptops I was able to run pings in both directions.

 
Not sure if you are still reading this, just saw your question.
I agree with vince: choose one, this config is a bad idea.

I hope you read this and reply.

If I may guess: did you connect switch 1 with 1/0/47 to switch 2 on 2/0/47
and 1/0/48 to 2/0/48?

'some' advice, although I don't know your setup and plan
1- It looks like you provisioned 2 switches you don't have, but that shouldn't hurt.
2- use a portchannel to 'trunk'/combine 47+48.
3- if you connect 47+48 you have a loop and high cpu util, because these ports don't have spanning tree enabled
4- remove all eigrp
5- remove the interface ip addresses of v20 and 30 on the 2nd switch and let the other switch route
6- remove dhcp on 2nd switch to avoid duplicate ip's
7- better: use 4 gigabit gbics to connect both switches
8- did you create:
vlan 20
name vlan20-or-so
etc on both switches?
(sh vlan)
9- if you only have 2 switches, running config is messy:
switch1: remove provisioned switch2
command: no switch 2 provision
switch2: reprovision switch 2 to 1
command: switch 2 renumber 1


again, let us know your actions!
 
Thanks for the advice. I really appreciate it. I realized after some of the posts that I did have the config incorrect at one point. My last test was with only one switch with VLAN 20 assigned to one port and VLAN 30 to another port. I was unable to ping both ways. If you look at my previous post I believe my problem was due to ESET NOD32 not letting the pings go both ways.

Once I disabled ESET on both laptops I was able to get the results I was looking for. I still have to get with ESET and find out why the product was blocking the traffic on VLANs.

Vic
 