
Can't see it


oramacs

IS-IT--Management
Sep 11, 2012
US
Hello everyone,
Please be nice, this is my first post.


I am trying to telnet or http to an access point on the network and can't. I will try my best to explain the situation.

PC -> 2960(K) (Building A) -> Core-4506 (Building B) -> (Building C) 2960(H) -> 2960(J) -> 1242 AP

K,H,J - are just identifiers for talking through the situation.

Building A is 10.1.23.xxx and building C is 10.1.15.xxx

~ The PC and the AP are on 2 different subnets that talk through the core. They are in different buildings.
~ When I do a tracert from the PC - I can get to A,H,J
~ When I do a tracert from the PC to the AP it fails at K
~ From the PC the AP does not respond to ping.

I think the problem is K doesn't know the route to the AP.

Thanks,
oramacs
 
Hi,
I have a few questions to narrow down where the problem could be:

Is the AP working?
Can you ping any other device in the AP subnet from your PC - the AP subnet gateway, another AP...?
Can you ping the J switch?
Can you ping the AP from the core?
Do you have access to the core or J switch?


==>The PC and the AP are on 2 different subnets that talk through the core.

Is all routing done on the core?

==>I think the problem is K doesn't know the route to the AP.

If all your routing is done on your core then all K would need is a route to the core.

 

Is the AP working? -- yes
Can you ping any other device in the AP subnet from your PC - the AP subnet gateway, another AP...? - no
Can you ping the J switch? - yes
Can you ping the AP from the core? - no
Do you have access to the core or J switch? - yes


==>The PC and the AP are on 2 different subnets that talk through the core.

Is all routing done on the core? - yes

==>I think the problem is K doesn't know the route to the AP.

If all your routing is done on your core then all K would need is a route to the core. - this is what I thought
 
K should be switching, so doesn't route anything?

Does your PC have a default GW? What is it? Where is it?

On that router (the PC's default GW) do a sh ip route and look for the subnet the AP is in. Otherwise it will go to that router's default route.
Go to that next hop and look for the AP's subnet. Etc....
 
In fact, when you say your traceroute "fails at K", K being a Layer2 switch, that looks like a problem to me - why would the traceroute end at K? You haven't set your switch management address as the default GW for your PC's subnet have you? Sounds a bit confused....
 
Vince is right......

Why would a traceroute end at a layer 2 device?

It works on hop count, meaning layer 3 devices.....
 
==> Can you ping the AP from the core? - no

==>Can you ping any other device in the AP subnet from your PC - the AP subnet gateway, another AP...? - no

It sounds like there is a configuration issue with that vlan or vlan interface. I would double check the vlan interface (maybe it's shut down), vlan config, VTP if you use it, and your trunks to J switch to make sure the vlan is allowed through.
 

UPDATED - NOTICE the switch change for J

PC -> 2960(K) (Building A) -> Core-4506 (Building B) -> (Building C) 2960(H) -> 3560(J) -> 1242 AP

Is the AP working? - yes
Can you ping any other device in the AP subnet from your PC - the AP subnet gateway, another AP...? - yes
Can you ping the J switch? - yes
Can you ping the AP from the core? - no
Do you have access to the core or J switch? - yes to ping, yes to telnet,

~~~~~~~~~~~~
~ All the switches are using IP Default-gateway as .1 for the subnet they are assigned to or .1 of the "management vlan" of the gateway.
~ All PCs are using .1 as the gateway for the subnet they are on.
~ The default gateway on my PC is .1 of the subnet that it is on, - this is correct
~~~~~~~~~~~~~~~
Vince I am not sure I understand - You haven't set your switch management address as the default GW for your PC's subnet have you? Sounds a bit confused....

thanks everyone
 
trunk port configuration.

150 is the management vlan we are using.


Core
interface FastEthernet2/25
description *** ACCESS POINT ***
switchport trunk encapsulation dot1q
switchport trunk native vlan 150
switchport trunk allowed vlan 126,150,200,210
switchport mode trunk

H
interface FastEthernet0/8
switchport access vlan 250
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

J
interface FastEthernet0/47
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/48
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/1
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/2
switchport mode trunk
switchport nonegotiate
 
!
interface FastEthernet0/8
switchport access vlan 250
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!

~ Doesn't this mean this port will only pass traffic for vlan250, even though it is a trunk port?
~ Would I have to add the command "switchport trunk allowed vlan add 150" for example if I wanted to pass traffic from vlan 150?
~ If this switch is connected to an AP and I wanted to connect to the BVI interface that is on .15 the 150 vlan, this port would have to be able to pass traffic for both vlans?!

 
I think you are misinterpreting the results of your traceroute. When it dies I'll bet it is actually dying on the SVI configured for the PC VLAN between Bldg A and the core. Your problem lies between the Core and the AP itself. If you have switchport mode trunk configured on all trunk ports between the core and the AP then you need to double check the BVI config on the AP. Without any extra config all VLANs that have an STP instance and are forwarding will be permitted over every trunk link... period. You can verify by issuing sh int trunk end to end to verify. Post the AP config.

Also, if you have a static trunk config then remove the access port config from it. All it does is confuse you and clutter things up.

 
it looks like vlan150 is being trunked all the way to J

K

Port Vlans allowed and active in management domain
Fa0/42 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/45 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/46 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/47 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/48 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Gi0/1 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Gi0/2 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

Port Vlans in spanning tree forwarding state and not pruned
Fa0/42 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/45 1,210,654
Fa0/46 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/47 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/48 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Gi0/1 none
Gi0/2 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

~~~~~~~~~~~~~~~~~~~~~
Core

Port Vlans allowed and active in management domain
Fa2/25 126,150,200,210
Gi3/47 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/1 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/2 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/4 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/5 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/6 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/7 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/8 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/9 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Po5 591
Po10 110,300

Port Vlans in spanning tree forwarding state and not pruned
Fa2/25 126,150,200,210
Gi3/47 1,120,580
Gi5/1 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/2 1
Gi5/4 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999

Port Vlans in spanning tree forwarding state and not pruned
Gi5/5 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/6 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/7 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Gi5/8 1
Gi5/9 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,6
02,650,654-655,999
Po5 591
Po10 110,300
~~~~~~~~~~~~~~~~~~~~~
H

Port Vlans allowed and active in management domain
Fa0/39 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/47 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/48 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Gi0/1 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Gi0/2 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

Port Vlans in spanning tree forwarding state and not pruned
Fa0/39 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/47 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/48 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Gi0/1 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Gi0/2 none
~~~~~~~~~~~~~~~~~~~~~~
J
Port Vlans allowed and active in management domain
Fa0/1 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/3 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/4 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/5 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/6 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Gi0/1 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/3 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/4 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/5 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Fa0/6 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
Gi0/1 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999
 
Yeah, a trunk port config looks like this:

switchport trunk encapsulation dot1q
switchport trunk native vlan 150
switchport trunk allowed vlan 126,150,200,210
switchport mode trunk

The port it is patched to has to be identical.

If you don't configure sw tr native, then it defaults to sw tr native vlan 1

If you don't configure sw tr allowed vlan, then it defaults to sw tr allowed vlan all (& doesn't show the line in config).

Apologies if I've skimmed over it, but you haven't explained what ports patch to what ports?

From the config snippets above, I am assuming it's:

CORE F2/25 <----> F0/8 H G0/1 <----> G0/1 J F0/47 <----> AP

If so, then VLAN 150 is not trunked through as you have a native vlan mismatch on the Core<---->H link. Or maybe it's just a typo.
Do a "Show logg" on each of Core and H.

Do a show vlan & a show int vlan 150 on each of CORE, H, J.

A couple of things: don't use a native VLAN, for anything.
Always put in a VLAN allowed config line to specify (& prune) the VLANs your design calls for on the link.
So when configuring a trunk, make sure all your active VLANs are tagged, and allowed.

And if your links really are as I've interpreted:
CORE<--100Mb-->H<--1Gb-->J
Then fix it!!!!!! You must absolutely never ever allow yourself to be responsible for a design like that!!!!!Never!


 
This may help a bit.

BTW, I inherited this network a couple of weeks ago.

2960(K) (Building A) L1=G0/1-G5/8 ,L2 = G0/2-G5/7 -> Core-4506 (Building B) L1 = G5/1-G/01, L2 = G5/2-G0/2 -> (Building C) 2960(H) F0/48-G0/1 -> 2960(J)F0/1-? 1242 AP

~~~ To me it looks like 1) My trunk ports are not configured the same 2) My secondary links are not configured to pass any vlans. 3) vlan 150 is not being trunked to the AP from switch F 4) I have gig ports trunking to fast ethernet ports, but they are negotiating ~~~~~~

Core
G5/2
Sho int trunk
Gi5/2 = 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

sho run
interface GigabitEthernet5/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
macro description cisco-switch
spanning-tree link-type point-to-point

~~~~~~~~~~~~~~~~~
G5/1
Sho int trunk
Gi5/1 = 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

Sho run
interface GigabitEthernet5/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
macro description cisco-switch
spanning-tree link-type point-to-point


G5/7

Sho int trunk
Gi5/7 = 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

Sho run
interface GigabitEthernet5/7
switchport mode trunk
switchport nonegotiate
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
priority high
shape percent 33
macro description cisco-switch
spanning-tree link-type point-to-point


G5/8

Sho int trunk
Gi5/8 = 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

Sho run
interface GigabitEthernet5/8
description 1654 port2
switchport mode trunk
switchport nonegotiate
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
priority high
shape percent 33
macro description cisco-switch
spanning-tree link-type point-to-point




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
K Switch

G0/1
Sho int trunk
Gi0/1 none

Sho run
interface GigabitEthernet0/1
description Link-1
switchport mode trunk
switchport nonegotiate

G0/2
Sho int trunk
Gi0/2 = 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

Sho run
interface GigabitEthernet0/2
description Link-2
switchport mode trunk
switchport nonegotiate

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

H Switch

G0/1

Sho run
interface GigabitEthernet0/1
switchport mode trunk
switchport nonegotiate

Sho int trunk
Gi0/1 = 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

G0/2
Sho run
interface GigabitEthernet0/2
switchport mode trunk
switchport nonegotiate


Sho int trunk
Gi0/2 none

F0/48

Sho int trunk
Fa0/48 = 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

Sho run
interface FastEthernet0/48
switchport mode trunk
switchport nonegotiate

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
J Switch

G0/1

Sho int trunk
Gi0/1 = 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999


Sho run
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

F0/1

Sho int trunk
Fa0/1 = 1-3,15,97,100,110,120,126,140,150,186,200,210,250,300,580-582,590-591,600-6
02,650,654-655,999

Sho run
interface FastEthernet0/1
switchport access vlan 250
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
 
Do you actually use that many VLANs?

I'd do a design if I were you - figure out what the requirements are and then design it.

Then do a survey of the current config and compare the two. Change as required.

With VLANs, the rules are:
- as few VLANs as possible on each Access switch (1 DATA VLAN and 1 VOICE VLAN)
- each VLAN is trunked from the core to only one access switch/stack
 
In some instances vlan 150 is present on the switch, but does not have an IP address assigned to it on the .15 subnet. There is a .15 address assigned to vlan1 which is not reachable. I removed the .15 address from vlan 1 and assigned it to vlan150; this seems to now make the switch reachable from .15 (management network) on the .15 subnet.

Are there any pitfalls to this? Making this change does not seem to have an impact to anyone connected to the switch.
 
That's good - have a VLAN dedicated to your management - only the switch IP addresses should be on this VLAN.

Changing the IP address of the switch has no effect on the switching it does for your users: The hosts send frames to the switch, the switch uses its MAC-address table to forward the frame out an interface. IP addresses do not come into it.
 
Thanks Vince,

I am trying to accomplish this. [smile]

My thought is to get all my switches and WAPs on a single subnet, using a single vlan for all management, for example.

Vlan190 - 10.1.1.33.xxx = This is the vlan I want to extend out to all my switches and WAPs (wireless access points). On the switch vlan190 would be assigned an IP address on the .33 network, that I would be able to telnet \ ssh to for management functions and also my network monitoring software would talk on \ to. The BVI interface on the WAPs would also be on this .33 subnet with the same intention.

I notice a lot of the trunk ports are set up like this. It is a little confusing to me, does this mean it is passing every vlan that is present on the switch?

interface GigabitEthernet0/1
description trunk
switchport mode trunk
switchport nonegotiate
~~~~~~~~~~~~~~~~~~~~~~~~
I thought trunk ports were supposed to have 1) the vlan allowed command - to pass only the vlan you want through the trunks 2) the encapsulation dot1q command 3) the native vlan command - as a default for the tagging for traffic on that trunk.
~~~~~~~~~~~~~~~~~~~~~~~~~~
It seems like we are just passing every vlan on the core out to all the switches, no matter what. I want to change that so only the management vlan and the production vlan pass.



 
1) Unless you configure the "VLAN ALLOWED" it defaults to "ALLOW ALL" and does not display it in the config. (Other vendors tend to default to "ALLOW NONE", requiring you to specify required VLANs explicitly.)

2) You must have the "ENCAPSULATION" command. (Other vendors default to dot1q so configuring a "trunk" is all you need)

3) If you don't configure a NATIVE VLAN explicitly it defaults to NATIVE VLAN 1 and doesn't show it in the config. (Other vendors mostly don't have a default native VLAN, but you can specify an UNTAGGED VLAN (= NATIVE) if you want one).

Your idea to restrict trunking of VLANs to only where they are needed is almost certainly a very good idea.

I assume all your switches are set to VTP MODE TRANSPARENT?
Originally, I used VTP and had no problems with it. Since then I have become used to the idea of not using it as I have become convinced it's not even useful let alone worth the risks.
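
The defaults described in the replies above (no "native vlan" line means native VLAN 1, no "allowed vlan" line means all VLANs) can be checked mechanically against both ends of a link. The following is an added example, not code from any poster: it audits the Core Fa2/25 and H Fa0/8 stanzas posted earlier, assuming they are the two ends of one link (as one reply assumed) and that VLAN 150 is the VLAN that must pass; the function names and finding codes are illustrative.

```python
import re

# Added example. Stanzas are copied from the thread (Core Fa2/25, H Fa0/8);
# function names and finding codes are illustrative assumptions.
CORE = """\
interface FastEthernet2/25
 description *** ACCESS POINT ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport trunk allowed vlan 126,150,200,210
 switchport mode trunk
"""
H = """\
interface FastEthernet0/8
 switchport access vlan 250
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
"""

def expand(spec):
    """Turn a VLAN list such as '1-3,15,150' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk(stanza):
    """Effective trunk settings; defaults per the thread: native 1, allowed all (None)."""
    p = {"name": "?", "mode": None, "native": 1, "allowed": None, "access": None}
    for line in map(str.strip, stanza.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            p["name"] = m[1]
        elif m := re.fullmatch(r"switchport mode (\S+)", line):
            p["mode"] = m[1]
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            p["access"] = int(m[1])
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            p["native"] = int(m[1])
        elif m := re.fullmatch(r"switchport trunk allowed vlan (add |remove )?([\d,-]+)", line):
            current = set(range(1, 4095)) if p["allowed"] is None else p["allowed"]
            vlans = expand(m[2])
            p["allowed"] = {"add ": current | vlans, "remove ": current - vlans}.get(m[1], vlans)
    return p

def audit_link(a, b, required):
    """Compare both ends of one trunk link; return a list of (code, detail)."""
    findings = []
    if a["native"] != b["native"]:
        findings.append(("native-mismatch", f"{a['name']}={a['native']} {b['name']}={b['native']}"))
    for p in (a, b):
        if p["allowed"] is None:
            findings.append(("allowed-default-all", p["name"]))
        elif required - p["allowed"]:
            findings.append(("required-vlan-pruned", f"{p['name']} {sorted(required - p['allowed'])}"))
        if p["native"] in required:
            findings.append(("required-vlan-untagged", f"{p['name']} vlan {p['native']}"))
        if p["mode"] == "trunk" and p["access"] is not None:
            findings.append(("stray-access-config", f"{p['name']} vlan {p['access']}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_link(parse_trunk(CORE), parse_trunk(H), required={150}):
        print(f"{code:24} {detail}")
```

On the posted stanzas it reports the native VLAN mismatch (150 on the Core side, default 1 on H), VLAN 150 travelling untagged from the Core, the unpruned allow-all default on H, and the leftover access VLAN 250 line on a static trunk.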
 