VLAN1 will not take an IP address

[ksas025]

I have a 2950 24 port switch and I am trying to assign an IP to vlan1 for management purposes. To do so I did the follwoing:

config t
interface vlan 1
ip address 10.24.64.5 255.255.255.0
no shut

When I attempt to ping something on the local LAN (10.24.64.110 for example) it fails. When I issue a sh ip arp command it shows the IP address I just attempted to ping with a hardware address of Incomplete.

Why wont my Switch communicate on the local LAN?. My config is as follows:

Current configuration : 5414 bytes
!
! No configuration change since last restart
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname swA
!
no logging console
enable secret xxxxxxxx
enable password 7 xxxxxxxx
!
clock timezone CST -6
clock summer-time CST recurring 1 Sun Apr 1:00 last Sun Oct 2:00
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
no spanning-tree vlan 1
no spanning-tree vlan 2
no spanning-tree vlan 3
no spanning-tree vlan 4
!
!
interface Port-channel1
 switchport mode trunk
 flowcontrol send off
!
interface FastEthernet0/1
 description VLAN1 - DMZ Lan Segment A - 10.24.64.0 - Port 1
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/2
 description VLAN1 - DMZ Lan Segment A - 10.24.64.0 - Port 2
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/3
 description VLAN1 - DMZ Lan Segment A - 10.24.64.0 - Port 3
 duplex full
 speed 100
 spanning-tree portfast
!

.............
...Edited for space
.............


!
interface FastEthernet0/20

 switchport access vlan 4
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/21

 switchport access vlan 4
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/22

 switchport access vlan 4
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/23
 description Trunk to other switch - Port 23
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet0/24
 description Trunk to other switch - Port 24
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 description VLAN1 Primary Lan Segment (10.24.64.0).
 ip address 10.24.64.5 255.255.255.0
 no ip route-cache
!
interface Vlan2
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan3
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan4
 ip address 10.24.11.6 255.255.255.0
 no ip route-cache
 shutdown
!
ip http server
logging trap debugging
logging facility local5
logging 10.24.99.75
access-list 20 permit 10.24.11.0 0.0.0.255
access-list 20 permit 10.24.12.0 0.0.0.255
access-list 20 permit 10.24.13.0 0.0.0.255
access-list 20 permit 10.24.14.0 0.0.0.255
access-list 20 permit 10.24.15.0 0.0.0.255
access-list 20 permit 161.134.120.0 0.0.0.255

!
line con 0
 exec-timeout 0 0
 transport input none
 stopbits 1
line vty 0 4
 access-class 20 in
 password 7 xxxx
 login
line vty 5 15
 access-class 20 in
 password 7 xxxxx
 login
!

end

I also captured traffic on the local LAN and found that the switch was sending out an arp request but never seeing a reply. Since its on the local (layer 2) lan I would think the default gateway is irrelevant. Furthermore, the destination node has the correct Arp entry in its local table for the switch. It seems that the switch is filtering or unwilling to processes arp requests from the local lan. Any Ideas?

 

[wabob]

Try this. Go into interface config mode and then into interface vlan 4. Then type no ip address. Even though the interface is shut down, the fact that it has an IP address may be what is keeping your vlan 1 interface from working.

 

[vipergg]

Get rid of all the other SVI's you can only use one and you have chosen vlan 1 , conf t no int vlan 2 , no int vlan 3 and no int vlan 4 , this will leave vlan 1 as the lone SVI to manage the switch which is all that interface is used for . At least one port in vlan 1 has to active for the SVI to come active . PS I think you are crazy for shutting off spanning tree .

 

[ksas025]

Thanks for the replies!

I tried both ideas and I still cannot ping a node on the local LAN. A sh arp still shows a hadware address of incomplete for the remote machine I try to reach.

What I did: (;=Carriage Return)

1. config t;int vlan4;no ip address;
2. Tried to ping machine on local LAN. No dice.
3. config t;no int vlan2;no int vlan3;no int vlan4
4. Tried to ping machine on local LAN. No dice.



More Ideas would be much Apreciated!

A.

 

[vipergg]

think you have to post some configs . Maybe you can post a "show vlan " , show interface status and a "show ip int brief" might help .

 

[ksas025]

Ok, here they are:

Show Vlan:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
2    VLAN0002                         active    
3    VLAN0003                         active    
4    VLAN0004                         active    Fa0/20, Fa0/21, Fa0/22
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0   
3    enet  100003     1500  -      -      -        -    -        0      0   
4    enet  100004     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0   
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

sh int status:

Port    Name               Status       Vlan       Duplex  Speed Type
Fa0/1   VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/2   VLAN1 - DMZ Lan Se connected    1            full    100 10/100BaseTX
Fa0/3   VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/4   VLAN1 - DMZ Lan Se connected    1            full    100 10/100BaseTX
Fa0/5   VLAN1 - DMZ Lan Se connected    1            full    100 10/100BaseTX
Fa0/6   VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/7   VLAN1 - DMZ Lan Se connected    1            half    100 10/100BaseTX
Fa0/8   VLAN1 - DMZ Lan Se connected    1            full    100 10/100BaseTX
Fa0/9   VLAN1 - DMZ Lan Se connected    1            full    100 10/100BaseTX
Fa0/10  VLAN1 - DMZ Lan Se connected    1            full    100 10/100BaseTX
Fa0/11  VLAN1 - DMZ Lan Se notconnect   1            half    100 10/100BaseTX
Fa0/12  VLAN1 - DMZ Lan Se connected    1            full    100 10/100BaseTX
Fa0/13  VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/14  VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/15  VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/16  VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/17  VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/18  VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/19  VLAN1 - DMZ Lan Se notconnect   1            full    100 10/100BaseTX
Fa0/20  VLAN4 - Firewall G notconnect   4            full    100 10/100BaseTX
Fa0/21  VLAN4 - Firewall G notconnect   4            full    100 10/100BaseTX
Fa0/22  VLAN4 - Firewall G notconnect   4            full    100 10/100BaseTX
Fa0/23  Trunk to other swi notconnect   1            auto   auto 10/100BaseTX
Fa0/24  Trunk to other swi connected    1          a-full  a-100 10/100BaseTX
Gi0/1                      notconnect   1            auto   auto unknown
Gi0/2                      notconnect   1            auto   auto unknown
Po1                        notconnect   1            auto   auto

sh ip int brief

Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      10.24.64.5      YES NVRAM  up                    up      
FastEthernet0/1            unassigned      YES unset  down                  down    
FastEthernet0/2            unassigned      YES unset  up                    up      
FastEthernet0/3            unassigned      YES unset  up                    down    
FastEthernet0/4            unassigned      YES unset  up                    up      
FastEthernet0/5            unassigned      YES unset  up                    up      
FastEthernet0/6            unassigned      YES unset  up                    down    
FastEthernet0/7            unassigned      YES unset  up                    up      
FastEthernet0/8            unassigned      YES unset  up                    up      
FastEthernet0/9            unassigned      YES unset  up                    up      
FastEthernet0/10           unassigned      YES unset  up                    up      
FastEthernet0/11           unassigned      YES unset  up                    down    
FastEthernet0/12           unassigned      YES unset  up                    up      
FastEthernet0/13           unassigned      YES unset  up                    down    
FastEthernet0/14           unassigned      YES unset  up                    down    
FastEthernet0/15           unassigned      YES unset  up                    down    
FastEthernet0/16           unassigned      YES unset  up                    down    
FastEthernet0/17           unassigned      YES unset  up                    down    
FastEthernet0/18           unassigned      YES unset  up                    down    
FastEthernet0/19           unassigned      YES unset  up                    down    
FastEthernet0/20           unassigned      YES unset  up                    down    
FastEthernet0/21           unassigned      YES unset  up                    down    
FastEthernet0/22           unassigned      YES unset  up                    down    
FastEthernet0/23           unassigned      YES unset  up                    down    
FastEthernet0/24           unassigned      YES unset  up                    up      
GigabitEthernet0/1         unassigned      YES unset  up                    down    
GigabitEthernet0/2         unassigned      YES unset  up                    down    
Port-channel1              unassigned      YES unset  up                    down

 

[vipergg]

It looks ok to tell you the truth , the only thing I can say is to check the users address and gateway and see if it matches the address range on the switch . When you ping are plugged into the back of the switch or telnetted in from soemwhere ?

 

[lerdalt]

Might also help to display the output from your ping.

 

[helpdeskdan]

Also, do you know how to use wireshark? Sometimes the answer is simple when you look at the actual packets.

 

[ksas025]

Wow! thanks for all the replies.

vipergg: The remote machine's default route is to a PIX device and that could be dropping the ICMP traffic, but both devices are on the same switch/vlan/network; shouldnt the default route of both devices be irrelevant?

I have verified both masks are 255.255.255.0 and both network IPs are 10.24.64.x addresses and both devices are connect to the same switch.

I am plugged into the switches console port since I cannot access it any other way

------------------------

Lerdalt: The out put from the ping from the switch is the standard "....." 100% packet loss response. Ive heard of different symbols returned during a ping can aide in the troubleshooting but my pings return dots ".".

-------------------------

helpdeskdan: Yes, I use wireshark and I did capture traffic (my first post notes this) but I did not use a SPAN port so I only received broadcast traffic. I should try again using a SPAN port. When I did capture the broadcast traffic I did see the switch attempt an ARP broadcast which never did get a reply. Ill try to capture again and let you know the results. Furthermore, I am attempting to ping a UNIX device which as a utility to capture traffic (tcpdump). Ill try that too; thanks for the idea.

Thanks for all your help. I would like to add a little more information which may or may not help but I did have a valid IP on this switch a few months ago on a different VLAN (vlan4). Since then VLAN4 has been disbanded and now I would like to move the management SVI to VLAN1. As you can see I am not having much luck.

It would be easier to convey the information to the community if I could attach screen shots. Is this possible on this forum?

A.

 

[vipergg]

If the devices are attached to the same switch in the same vlan then yes the client default gateway is irrelevant and is only needed when traffic needs to be routed off their own vlan , they should be able to ping directly . They should also be able to ping the switch vlan 1 address if they are all truly in vlan 1 . Anyone in ports f0/1 -19 ,f0/24,g0/1-2 should be able to ping each other and the switches management address . The devices on f0/21-23 would not be able to ping devices in vlan1 without a layer 3 device routing those vlans .

 

[aletoledo]

have you received an answer yet or figured out the solution?

I suggest applying "switchport access vlan 1" to whatever port you're trying to ping to.

 

[ksas025]

The port I am trying to ping from is a vlan interface on the switch, see my running config post above. When I enter the vlan config mode (ie config t; interface vlan1) switchport access vlan 1 is not a valid command.

Thanks for the idea though.

 

[aletoledo]

don't try to put the command on the vlan interface, but go to physical interface that the other server is plugged into. I'm wondering if the vlan tagging isn't getting inserted into the frame. when you described the arp table as not getting a response, that sounds like a vlan problem to me.

therefore...
conf t
interface FastEthernet0/2
switchport mode access
switchport access vlan 1

 

[ksas025]

Did it and still no dice. I entered the commands you suggested and I am still unable to ping either way.

You brought up an intersting point about the vlan tagging. I though I could capture some traffic and try to inspect the vlan tag (I wasnt sure if this was possible, I think I found it is not). here is what I did:

1. From host x I started ethereal
2. From the switch I attempted to ping host x

Ethereal on host x shows an ARP "who is host x Tell switch". Immediately after it shows another ARP frame stating "host x at <mac of host x>". The destination mac of that frame is the correct mac of the VLAN1 interface of my switch. This tells me that ARP is doing its job of communicating layer 2 hardware addresses on the local LAN but the switch will not accept the reply and therefore communication fails.

Now why wont my switch accept ARP replies? Maybe for testing's sake I will change move one port on the switch to a different vlan and create another SVI for that vlan. I let you know.

 

[aletoledo]

Interesting problem...while you're testing, try putting a static arp into your switch and see if it works.

also remove that no ip route-cache statement....I'm not even sure what it does on a SVI

 

[vipergg]

I am a little fuzzy here , you are trying to ping the vlan 1 interface address from a couple of pcs on a ports ? What ports are the pc's on that you are trying to ping the switch SVI from ???? Hopefully they aren't on f0/20,21 or 22 , if they are you won't be able to ping . If you are moving things around while testing make sure to clear arp and clear mac-address before testing .

 

[ksas025]

Just to clear things up. All my connected hosts are on ports fa0/1 -13. There exists no connections from fa0/14 -22.

Will I lose any connectivity by clearing the mac-table?

 

[aletoledo]

when you clear the table, you clear dynamic addresses and then they are immediately repopulated as frames are transmitted.

 

[voltron1011]

Where is your 'IP default gateway' command? All newer switches need to have this put in now (it's turned off by default). We had the same problem a few months ago when we got some new 4000's and couldn't do anything with them.