Can't ping switch in same VLAN 2

[Dbyte]

Problem: can't ping Cisco 3550 switch from PC. The PC can ping all other switches on the network except this 1. The 2 devices are connected via a Cisco 6509. If I telnet to the 6509 I can ping both devices. Both switches are on the same VLAN. Here's my layout:

Win2K PC (ip xxx.xxx.4.253)
|
6509 (f4/31) (ip yyy.yyy.1.2)
6509 (f3/45)
|
3550 (f0/24) (ip yyy.yyy.1.15)

Here are the ports' configs:
6509 (f4/31):
switchport
switchport access vlan 2
switchport mode access

6509 (f3/45):
switchport
switchport trunk encapsulation dot1q
switchport mode trunk

3550 (f0/24):
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address

sh cdp nei det on both the 6509 & 3550 shows the same VTP management domain & same native VLAN.

If anyone has any thoughts on what may be causing this &/or further diags I could run on either the 3550 or the 6509 to help troubleshoot this I would greatly appreciate it.

 

[globalchicken]

My first question is, do you have the ip address on the port itself?

Also it looks that your pc is in a different subnet than the port that it is connected to. Is that the case?

You could take the ip off of port f4/31 still keeping the port part of vlan 2. Ensure that vlan 2 on the 6500 has an IP address.

Are you doing L3 routing on your switches?

I need some more config info from your 6500 and 3550. Do you have IPs on the vlans on these 2 switches?

 

[Dbyte]

No IPs on the ports themselves. The IPs I posted are config'd for VLAN1 on both Cisco devices like so:

on the 6509:
interface Vlan1
ip address 190.160.1.2 255.255.255.0
no ip redirects
no ip route-cache
no ip mroute-cache
standby ip 190.160.1.1
standby priority 150
standby preempt delay minimum 30

on the 3550:
interface Vlan1
ip address 190.160.1.15 255.255.255.0
no ip route-cache


Yes, the PC (170.10.4.253) is in a completely different subnet than any of our switches. But again, all other switches in the 190.160.1.x IP range are pingable from this PC so I'm not sure applying any specific IP to VLAN 2 on the 6509 will fix this issue. I'm also concerned that this may in fact affect communications to all of our other switches.

I believe that the 6509 is doing L3 routing but not the 3550. How would I confirm this?

I'm wondering if maybe the port on either switch is bad? I'll do a port swap to test that theory. Any other ideas for things I can look @?

 

[Dbyte]

DOH! I screwed up in my previous post. The 6509 already has the following config for VLAN2:

interface Vlan2
ip address 170.10.1.240 255.255.0.0
ip helper-address 170.10.100.2
no ip redirects
standby preempt
standby 2 ip 170.10.1.254
standby 2 priority 150
standby 2 preempt delay minimum 30

Sorry about that.

 

[globalchicken]

you are doing L3 routing on your switch when you put an ip on your SVIs on your L3 switch.

What you are trying to do is ping a device that is in vlan 1 from vlan 2. well your 6500 is doing L3 routing by having an ip address on both of your SVIs. What is your default gateway on your PC?

 

[Dbyte]

The default gateway on the PC is 170.10.1.254.

 

[ADB100]

Is the 3550 configured to route (i.e. ip routing in global config) or is it just a layer-2 device. If it's only a layer-2 device has it got a default gateway configured? What if you do an extended ping from the 6500 and use the VLAN 1 interface as the source, does this work?

Andy

 

[Dbyte]

ADB100, in response to your 1st 2 questions here is the config on the 3550:

version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname ***
!
enable secret 5 ***
!
username *** privilege 15 password 7 ***
ip subnet-zero
ip routing <-- ip routing is enabled
no ip domain-lookup
!
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/13
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/14
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/15
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/16
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/17
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/18
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/19
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/20
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/21
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/22
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/23
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
!
interface Vlan1
ip address 190.160.1.15 255.255.255.0
no ip route-cache
!
ip default-gateway 190.160.1.1
ip classless
no ip http server
!
!
snmp-server engineID local 800000090300000C85804B01
snmp-server community *** RO
snmp-server community *** RW
banner motd ^C


****************************************
****************************************
** **
** -++- This is a Private Domain -++- **
** **
** Unauthorized Access is Prohibitted **
** **
****************************************
****************************************

^C
!
line con 0
password 7 ***
login local
line vty 0 4
password 7 ***
login local
line vty 5 15
password 7 ***
login local
!
end

How do I run an extended ping from the 6509 using the VLAN 1 interface as the source? I already know that I can telnet to 190.160.1.2 & ping 190.160.1.15 successfully - is this what you mean?

 

[globalchicken]

type ping and then hit your enter key. This will give you more options with ping.


I have never seen before an PC using a default gateway that is outside of your own subnet. hmmm....Are you sure that HSRP is working properly?

 

[Dbyte]

Thanks for the ping info. I'm off for the weekend (yahoo!), but I'll check it out Monday AM & let you know what results I get.

 

[Dbyte]

Here is my ping on the 6509:

***#ping
Protocol [ip]:
Target IP address: 190.160.1.15
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan 1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 190.160.1.15, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Did lots of Googling/reading/head scratching over the weekend; still no idea what's causing this. How do I verify that HSRP is working correctly w/out affecting switching &/or routing across the network?

 

[globalchicken]

use your sh standby commands to verify HSRP functionality.

From your PC traceroute the path to the destination and see where you error out.

 

[globalchicken]

Also you are only showing one switch in your topology, are you even utilizing HSRP?

 

[globalchicken]

I would source the ping from vlan 2 This would ensure that you are routing properly.

 

[Dbyte]

Ping 190.160.1.15 from VLAN 2 output:
***#ping
Protocol [ip]:
Target IP address: 190.160.1.15
Repeat count [5]: 5
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan 2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]: y
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 190.160.1.15, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

No dice. Let's try 190.160.1.14 (another 3550) via VLAN 2 on the 6509:
***#ping
Protocol [ip]:
Target IP address: 190.160.1.14
Repeat count [5]: 5
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan 2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]: y
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 190.160.1.14, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Success!(?) Hmmm....

sh standby for VLANs 1 & 2:
***#sh standby
Vlan1 - Group 0
Local state is Standby, priority 150, may preempt
Preemption delayed for at least 30 secs
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 1.748
Virtual IP address is 190.160.1.1 configured
Active router is 190.160.1.3, priority 150 expires in 8.336
Standby router is local
4 state changes, last state change 4w2d
IP redundancy name is "hsrp-Vl1-0" (default)
Vlan2 - Group 2
Local state is Standby, priority 150, may preempt
Preemption delayed for at least 30 secs
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 1.448
Virtual IP address is 170.10.1.254 configured
Active router is 170.10.1.250, priority 150 expires in 8.804
Standby router is local
4 state changes, last state change 4w2d
IP redundancy name is "hsrp-Vl2-2" (default)

Traceroute to 3550 from PC:
C:\>tracert 190.160.1.15

Tracing route to *** [190.160.1.15]
over a maximum of 30 hops:

1 <10ms <10ms <10ms 170.10.1.250
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
...

Traceroute to the other IP (from above):
C:\>tracert 190.160.1.14

Tracing route to *** [190.160.1.14]
over a maximum of 30 hops:

1 <10ms <10ms <10ms 170.10.1.250
2. <10ms <10ms <10ms *** [190.160.1.14]

Trace complete.

Other 190.160.*.* devices on our network are pingable & traceroutable from the PC, & they all traceroute via 170.10.1.250. WTF???

 

[globalchicken]

from your standby output:

Active router is 170.10.1.250, priority 150 expires in 8.804
Standby router is local

Who is 1.250? Check to see if 1.250 has connectivity to 1.15. Your active HSRP router is not the 6509 that you did the sho standby commands from.

maybe last resort, change your default gateway on your pc to the actual vlan2 interface IP of 1.240, I would think this should work.

 

[Dbyte]

1.250 is our other 6509, which is apparently set up as the HSRP primary. I did not bring it up initially because both the PC & the 3550 are connected directly to 190.160.1.2 so I guessed (wrongly it seems) that the other 6509 never got involved in pinging/routing these packets.

Here is the output for extended ping from .1.250:
***#ping
Protocol [ip]:
Target IP address: 190.160.1.15
Repeat count [5]: 5
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan 2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]: y
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 190.160.1.15, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I am able to ping 190.160.1.15 via VLAN 1 but not VLAN 2; basically the outcomes are the same on both 6509s. I also changed the default gateway on the PC to .1.240 - still unable to ping the switch.

We recently upgraded from CatOS to Cisco IOS on both of our core routers. This upgrade was done by a consultant (a CCIE). This problem started after the upgrade, but the consultant insists that the problem is on the 3550, not the 6509s. 1 aspect of this upgrade that may relate to this issue is that we had to use different IPs in our VLAN configs on each router. W/ CatOs we had the same IP config'd for all VLANs on both routers.

BTW, I really appreciate all your help w/ this. This is exactly the kind of stuff that books/DVDs/labs don't teach. Thanks for your assistance.

 

[globalchicken]

What are your outputs on sh ip route on all devices? 6509s and the 3550 in question?

 

[globalchicken]

It is now sounding like a routing issue.

 

[globalchicken]

Have you compared the working 3550 to the 3550 that is 1.15? Maybe adding a default route to the 6509 could wrap this up. It looks to me that you need to start working on your HSRP documentation so that you know exactly how data is flowing in your network.