VLANs, Routing & DHCP Issues

Unanswered Question
Oct 12th, 2007

Here's a weird one...

I'm in the process of renumbering the LAN.

I've got two VLANs that can talk to each other.

I have 3 3725 switches (stackwise) with about 5 2960 switches uplinking to the 3725s.

These 2960s connect to ports on the 3725 that are in VLAN10, the new network, lets say.

Below the 2960s I have many old Netgear switches uplinking to the 3725s.

These Netgears connect to ports on the 3725 that are in VLAN128, the old network.

I've been adding 2960s to VLAN10 ports and just repatching the user pcs from the old Netgears to the new 2960s.

Thus, anyone connecting to VLAN10 will be on the new network (AD) with a new IP, and this has been working just fine.

But this week, I repatched a whole Netgear into a new 2960 and EVERYTHING went wrong.

It affected various PCs, not just the ones that I moved to the Cisco 2960. Specifically, all PCs on the old network.

E.G. a PC connected to an old Netgear suddenly had an IP coming from the new network, but it's physically connected to VLAN128 and not VLAN10!

I did a `sh ip arp <IP address of PC>` on the 3725; it came up saying it was in Interface: VLAN10, but it's in VLAN 128...

Does anyone have any clue or idea as to what I can do to get this right?

At the moment, I'm giving the problem PCs a static IP in the old IP range until I repatch them into the new 2960s.

I'm out of ideas...please help..anyone?

paul.matthews Fri, 10/12/2007 - 00:51

Most likely something is bridging between the two VLANs - remember XP can bridge.

From that ARP you did, track where the device is connected using `sh mac-a`.

Paul.

csc010854800 Fri, 10/12/2007 - 02:12

Hi,

First, the port on the 3750 switch should not be in VLAN 128; it should be in trunking mode.

You have mentioned that the Netgear switches are below the Cisco switches. Does that mean they are in VLAN 10? Please clarify what your DHCP IP address is and where it is connected.

george.georgiou1 Fri, 10/12/2007 - 03:02

Thanks for your advice,

I've got the uplinks from the Netgears and Cisco 2960s in trunking mode to the 3750.

The Netgears are currently all connecting to VLAN128, the old stuff, it's the new Cisco 2960 that I connect to VLAN10.

My IP is 10.xxx.xxx.xxx and I'm going into a 2960 which in turn connects to VLAN10 in the 3750.

We've got 2 DHCP ranges: one is 172.16.xxx.xxx coming from the old, soon to be retired DHCP server which is on VLAN128.

The second DHCP server is giving 10.xxx.xxx.xxx IPs and that's on the new VLAN10.

As I mentioned, all was fine with me repatching users until this week, when it just didn't like it.

PCs on the VLAN128 were getting 10.x.x.x IPs for some reason. They should've been getting the 172.16.x.x IP.

george.georgiou1 Fri, 10/12/2007 - 02:39

Thanks, Paul,

I did the `sh mac-a`; it comes up saying it's part of VLAN10, the new VLAN, but the PC connects into a Netgear and that connects into VLAN128, the old VLAN.

But, I'm hearing that certain servers are not responding as quickly since the problems started, uh oh!

There might be a PC with bridged connections, but the users probably won't know how to get to there, plus we've got about 250 PCs and that would take ages to go round each one.

Is there anything else you can think of that I could try?

What a week!

paul.matthews Fri, 10/12/2007 - 03:45

Unfortunately this is likely to be donkey work, and could be an example of where cheap switches may be a false economy.

What you can start doing is look at the MAC addresses of devices that get the wrong address and where they are on the switches - you may be able to see them on both VLANs if you have them inadvertently bridged together.

It may be possible to just look at the MAC table on the 2960s and scan down for interfaces that appear more often - i.e. multiple MAC addresses on the interface.

Servers responding more slowly could fit - if a device is now going via a PC or server as part of the bridge link it would be a little slower than into a pure switched environment.

If you do know of any devices that are dual homed, it would be worth checking them first.

The good news is that if you do have a bridge link between them, spanning tree has done its job and prevented a major loop!

george.georgiou1 Fri, 10/12/2007 - 06:33

Thanks for all your help, looks like I do have some donkey work to do!

I think the quicker I migrate the PCs to the new Ciscos the better and be done with the old legacy domain and IPs.

Thanks again for all your advice.

paul.matthews Fri, 10/12/2007 - 06:51

There is always that option. As a thought, if you temporarily disable the old DHCP server, would a PC get an address on the new network? If they can, it does rather suggest you have something bridging.

If a device outside your control is bridging, you do need to find it. Ideally you need to do something painful to the culprit.

What may also help is the use of port security - set max address to one and violate action to shutdown, and then as soon as a second address is seen anywhere, the port is shut down. Then see who complains. This is potentially risky - if your servers are running multiple MAC addresses they would trigger this!
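As an added example (not code from this thread or from Cisco), the following script automates the two checks Paul describes above: it parses `show mac address-table` output from a 2960/3750, lists MAC addresses learned in both VLANs (a transparent bridge does not rewrite source MACs, so the same host MAC appearing in VLAN 10 and VLAN 128 is the signature of a bridged PC), lists access ports with more than one MAC behind them, and emits the port-security commands for those ports. The table text below is constructed; the MACs, port names and the VLAN numbers 10/128 are assumptions for illustration. Uplink and server ports can be passed in `exclude` so that legitimately multi-MAC ports are not shut down.

```python
"""Spot bridged hosts in `show mac address-table` output (added example)."""
import re
from collections import defaultdict

# Constructed sample output in Cisco IOS format; MACs and ports are made up.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
 128    0011.2233.4455    DYNAMIC     Gi0/1
  10    0011.2233.aabb    DYNAMIC     Fa0/5
  10    0011.2233.ccdd    DYNAMIC     Fa0/7
  10    0011.2233.eeff    DYNAMIC     Fa0/7
 128    0011.2233.1234    DYNAMIC     Fa0/9
Total Mac Addresses for this criterion: 6
"""

# One table row: VLAN, dotted-hex MAC, learn type, port name.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append((int(vlan), mac.lower(), kind.upper(), port))
    return entries


def macs_in_both_vlans(entries, vlan_a, vlan_b):
    """MACs learned in both VLANs, mapped to the set of ports they were seen on."""
    seen = defaultdict(lambda: defaultdict(set))  # mac -> vlan -> ports
    for vlan, mac, _, port in entries:
        seen[mac][vlan].add(port)
    return {
        mac: vlans[vlan_a] | vlans[vlan_b]
        for mac, vlans in seen.items()
        if vlan_a in vlans and vlan_b in vlans
    }


def ports_with_multiple_macs(entries, exclude=()):
    """Ports (not in `exclude`) with more than one distinct MAC behind them."""
    per_port = defaultdict(set)
    for _, mac, _, port in entries:
        if port not in exclude:
            per_port[port].add(mac)
    return {port: sorted(macs) for port, macs in per_port.items() if len(macs) > 1}


def port_security_config(port):
    """IOS commands limiting an access port to one MAC, shutting it on violation."""
    return [
        f"interface {port}",
        " switchport mode access",
        " switchport port-security",
        " switchport port-security maximum 1",
        " switchport port-security violation shutdown",
    ]


if __name__ == "__main__":
    entries = parse_mac_table(SAMPLE_TABLE)
    uplinks = ("Gi0/1",)  # assumed trunk to the 3750; never lock an uplink
    for mac, ports in macs_in_both_vlans(entries, 10, 128).items():
        print(f"{mac} seen in both VLANs on {sorted(ports)}")
    for port, macs in ports_with_multiple_macs(entries, exclude=uplinks).items():
        print(f"{port} has {len(macs)} MACs: {macs}")
        print("\n".join(port_security_config(port)))
```

Run it against real output by replacing `SAMPLE_TABLE` with the captured `show mac address-table` text from each 2960; the uplink list must include every trunk, because a trunk carries every downstream MAC and will always show more than one.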
