VLANS bleeding over on 3750

Mar 21st, 2008

All, I need help here. I have 3 Cisco 3750's in a triangle configuration, with one switch at each point of my triangle. There are 2 fiber lines that connect each switch: 1 for normal communications, and the other for a backup purpose. I have about 9 different VLANs on each switch.


If I use Windows 2000 Network Monitor to view the traffic on, say, VLAN 1, I can see IP addresses that are supposed to be only on VLANs 2-9. I call this VLAN bleeding. Not sure if it's the correct term or not.


Anyway, how does one go about troubleshooting this type of problem? I have ruled out the physical hardware as the cause and now I'm trying to find an answer in the 3750's.


Please advise.

jaye15394 Fri, 03/21/2008 - 06:23

Can you please post the 'show run' for all three switches?

djbowling Fri, 03/21/2008 - 06:28

Sure. But that needs to be done via the IOS command line, right? I'm not too savvy on the IOS syntax. How exactly do I provide that output?


Could I do this using the Network Assistant?

jaye15394 Fri, 03/21/2008 - 06:31

You can, but I'm not sure about the details of CNA. Just look for options to retrieve the 'running config' from the switches.


From the CLI, just enter the command "show run" and copy that output to a text file.

djbowling Fri, 03/21/2008 - 06:33

Figured it out. To get the text output to a file, I simply copy/paste, right?

jaye15394 Fri, 03/21/2008 - 07:16

Where is your network monitor station plugged in? Which switch and which port?


Please also attach the configuration of the router 200.0.3.1.


Thanks,

Jason

djbowling Fri, 03/21/2008 - 07:26

200.0.3.1 is one of my domain controllers. That is what I'm using to monitor the network traffic. It is plugged into switch HH-CISCO-3560 port 1 (VLAN1).


IP Config of 200.0.3.1

IP 200.0.3.1

Subnet: 255.255.255.0

Gateway: (NONE)

DNS: 200.0.3.1

DNS: 200.0.3.2


Uses TCP/IP v4 protocol

jaye15394 Fri, 03/21/2008 - 07:34

Interesting. I had assumed 200.0.3.1 was a router since there is an 'ip default gateway' command pointing to that IP address on one of the switches.


You don't have any routing enabled so no VLANs should be able to communicate with one another.


When you say you see IPs from other VLANs, what do you mean? Please describe exactly what you are seeing and give a description of the IP addresses you see in NetMonitor.


Do the machines in each of your VLANs have different subnets assigned?


djbowling Fri, 03/21/2008 - 07:47

All VLANs have different subnets and IP addresses, i.e.


VLAN1 - 200.0.3.X

VLAN2 - 192.168.1.X

VLAN3 - 151.151.X.X


I do not have routing enabled, as this is a purely switched network, and no routing should be taking place.


Let me clarify something that I just learned. This problem seems to be related to the native VLAN1 only. I was working from information from a different tech, and he said that ALL the VLANs were bleeding over, but that is not the case. It's just VLAN1.


If I am on my domain controller (200.0.3.1) and use the Windows 2000 Network Monitor to sniff the data on the network over VLAN1 (200.0.3.X), I will see IPs from VLAN2 and VLAN3 of 192.168.1.X and 151.151.X.X. (Maybe more, but that's all I have seen as of now. Running a new test now to determine that info.)


I only expect to see the 200.0.3.X subnet on VLAN1 via the network monitor. I should not see any other VLAN IP addresses/subnets on VLAN1, right?


If I use the Windows 2000 Network Monitor on the VLAN2 192.168.1.X subnet, I only see traffic from the 192.168.X subnet. This is how things should be. Same with VLAN3. (I have not yet tested the other VLANs for this problem.)


So to summarize it all, on VLAN1 I see traffic from other VLAN subnets, when in fact I should only see the VLAN1 subnet of 200.0.3.X. This is what I have described as VLAN bleeding.
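The expectation stated in this post (each VLAN's capture should contain only that VLAN's own subnet) can be checked mechanically instead of by eye. The following is an added example, not code from any poster in the thread: it takes sniffer records of the form (VLAN captured on, source IP, destination IP) and reports every record whose endpoints do not belong to that VLAN's subnet, distinguishing a whole foreign conversation (both ends on one other VLAN) from a host addressing a different subnet. The VLAN-to-subnet map is taken from the post; the prefix lengths (/24, /24, /16) and the sample records are assumptions constructed for the example.

```python
import ipaddress

# Expected VLAN-to-subnet mapping as described in the thread. Prefix lengths are
# assumed: the post only gives 200.0.3.X, 192.168.1.X and 151.151.X.X.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("200.0.3.0/24"),
    2: ipaddress.ip_network("192.168.1.0/24"),
    3: ipaddress.ip_network("151.151.0.0/16"),
}

# Constructed sniffer records: (VLAN the frame was captured on, source IP, destination IP).
SAMPLE_PACKETS = [
    (1, "200.0.3.10", "200.0.3.1"),       # expected VLAN 1 traffic
    (1, "192.168.1.25", "192.168.1.1"),   # VLAN 2 conversation seen on VLAN 1: unexpected
    (1, "151.151.4.7", "200.0.3.1"),      # VLAN 3 host addressing a VLAN 1 host: unexpected
    (2, "192.168.1.30", "192.168.1.31"),  # expected VLAN 2 traffic
    (3, "151.151.2.2", "151.151.2.3"),    # expected VLAN 3 traffic
]


def home_vlan(ip, vlan_subnets=VLAN_SUBNETS):
    """Return the VLAN whose subnet contains ip, or None if no VLAN claims it."""
    addr = ipaddress.ip_address(ip)
    for vlan, subnet in vlan_subnets.items():
        if addr in subnet:
            return vlan
    return None


def classify(vlan, src, dst, vlan_subnets=VLAN_SUBNETS):
    """Classify one record. Returns None when the frame belongs on this VLAN,
    otherwise a short reason describing why it is out of place."""
    src_vlan = home_vlan(src, vlan_subnets)
    dst_vlan = home_vlan(dst, vlan_subnets)
    if src_vlan == vlan and dst_vlan == vlan:
        return None  # both ends belong to the VLAN the frame was seen on
    if src_vlan is not None and src_vlan == dst_vlan:
        # Both ends belong to one other VLAN: a whole conversation is leaking in,
        # which points at a port that ended up in the wrong VLAN.
        return f"conversation from VLAN {src_vlan} seen on VLAN {vlan}"
    if src_vlan is not None and dst_vlan is not None:
        # Ends on different subnets: a host is addressing something off its own
        # subnet, which a purely switched network has no gateway to deliver.
        return f"cross-subnet packet VLAN {src_vlan} -> VLAN {dst_vlan} seen on VLAN {vlan}"
    return f"address outside any configured subnet seen on VLAN {vlan}"


def find_bleed(packets, vlan_subnets=VLAN_SUBNETS):
    """Return [(vlan, src, dst, reason)] for every record that does not belong."""
    findings = []
    for vlan, src, dst in packets:
        reason = classify(vlan, src, dst, vlan_subnets)
        if reason is not None:
            findings.append((vlan, src, dst, reason))
    return findings


def bleed_summary(packets, vlan_subnets=VLAN_SUBNETS):
    """Count foreign records per VLAN, showing which VLAN actually sees the bleed."""
    counts = {}
    for vlan, _src, _dst, _reason in find_bleed(packets, vlan_subnets):
        counts[vlan] = counts.get(vlan, 0) + 1
    return counts


if __name__ == "__main__":
    for vlan, src, dst, reason in find_bleed(SAMPLE_PACKETS):
        print(f"VLAN {vlan}: {src} -> {dst}: {reason}")
    print("foreign frames per VLAN:", bleed_summary(SAMPLE_PACKETS))
```

Run against the constructed records, only VLAN 1 produces findings, which matches the symptom in the post; the two reason strings separate the case where a whole VLAN 2 conversation shows up on VLAN 1 from the case where a VLAN 3 host is addressing a VLAN 1 address directly.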

jaye15394 Fri, 03/21/2008 - 07:52

While VLAN 1 is used to distribute information between switches such as CDP, VTP, and STP management protocols, you may see IP addresses of the other switches/devices running those protocols. I'm sure Cisco uses VLAN 1 for other purposes as well.


My recommendation is never to use VLAN 1 for users/servers. By doing this, you will minimize the use of VLAN 1 and not risk network management protocols interfering with your data traffic.


HTH,

Jason

djbowling Fri, 03/21/2008 - 07:56

I do see data from the other Cisco switches on VLAN1, such as BPDU packets.


However, I should not see IP addresses of my WORKSTATIONS that are configured on VLAN2/3 showing up on VLAN1.


I don't think CDP, VTP or STP protocols are my problem here... What other advice can you provide for this problem?

jaye15394 Fri, 03/21/2008 - 08:26

You can try to configure VACLs on each VLAN to log traffic and try and see what's going on.


While this is not what you want to hear, please see the following link:


http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39042


It outlines best practices for VLAN 1 use, reiterating what I said earlier. Start at "control plane" in the link.


You always need to make sure best practices are implemented first before taking it further. However, I do agree it's strange you're seeing IPs from other VLANs, BUT VLAN1 is sometimes a mystery. You are working in a small environment and a migration from VLAN1 to X wouldn't be simple. NO IPs need to change on the servers at all.


If this doesn't satisfy you, my apologies, and I would recommend you open a TAC case with Cisco or contact your AM/SE.


Regards,

Jason

Stephen Berk Fri, 03/21/2008 - 13:48

Check the port configuration of the suspect IP addresses to make sure you have assigned them to a VLAN; an empty config will put those frames on VLAN 1.


I'm also curious how you could have a switched-only network. Any time your hosts try to get to an address off their subnet, those packets will go out the default gateway, which in your case is on VLAN 1. Look at the sniffed packets and check the destination IP address and port/protocol. The destination is probably not the same as the source, and that's why it's being "routed" to VLAN 1.


If the suspect IP has the correct VLAN assignment, and the source and destination IPs are on the same subnet and in the same VLAN and they're still being seen on VLAN 1, I'd open a Cisco TAC case.
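The first check in this answer (a port with no VLAN assignment lands in VLAN 1) can be run against the 'show run' output collected earlier in the thread rather than read port by port. The following is an added example, written for this page and not posted by anyone in the thread: it parses a constructed excerpt in the style of a 3750 running-config, lists each physical port's effective access VLAN (VLAN 1 when no `switchport access vlan` line is present, as the answer describes), and lists trunk ports with their native VLAN, which defaults to 1 on IOS and is the other place VLAN 1 traffic enters a trunk. The interface names, descriptions and VLAN numbers in the excerpt are made up for the example.

```python
import re

# Constructed excerpt in the style of a Catalyst 'show running-config'.
# Interface names, descriptions and VLAN numbers are invented for the example.
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description domain controller 200.0.3.1
 switchport mode access
!
interface GigabitEthernet1/0/2
 description VLAN 2 workstation
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/3
 description workstation port, never configured
!
interface GigabitEthernet1/0/25
 description primary fiber to next switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/26
 description backup fiber to next switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
interface Vlan1
 ip address 200.0.3.5 255.255.255.0
!
"""

PHYSICAL_IFACE = re.compile(r"^interface ((?:Gigabit|Fast)Ethernet\S+)$")


def parse_interfaces(config_text):
    """Split the config into {interface_name: [config lines]} for physical ports only."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        m = PHYSICAL_IFACE.match(raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a non-physical interface (e.g. Vlan1) ends the block
    return blocks


def audit_vlan_assignments(config_text):
    """Return (access_ports, trunk_ports).

    access_ports: {iface: vlan}, VLAN 1 unless 'switchport access vlan N' is present.
    trunk_ports:  {iface: native_vlan}, VLAN 1 unless 'switchport trunk native vlan N'.
    """
    access, trunks = {}, {}
    for iface, lines in parse_interfaces(config_text).items():
        if "switchport mode trunk" in lines:
            native = 1
            for line in lines:
                m = re.match(r"switchport trunk native vlan (\d+)", line)
                if m:
                    native = int(m.group(1))
            trunks[iface] = native
        else:
            vlan = 1
            for line in lines:
                m = re.match(r"switchport access vlan (\d+)", line)
                if m:
                    vlan = int(m.group(1))
            access[iface] = vlan
    return access, trunks


def ports_without_access_vlan(config_text):
    """Non-trunk ports with no 'switchport access vlan' line at all, so they sit
    in VLAN 1 by default: the ports to check first for a bleeding host."""
    result = []
    for iface, lines in parse_interfaces(config_text).items():
        if "switchport mode trunk" in lines:
            continue
        if not any(line.startswith("switchport access vlan ") for line in lines):
            result.append(iface)
    return sorted(result)


if __name__ == "__main__":
    access, trunks = audit_vlan_assignments(SAMPLE_RUNNING_CONFIG)
    for iface, vlan in sorted(access.items()):
        print(f"{iface}: access VLAN {vlan}")
    for iface, native in sorted(trunks.items()):
        print(f"{iface}: trunk, native VLAN {native}")
    print("ports defaulted into VLAN 1:", ports_without_access_vlan(SAMPLE_RUNNING_CONFIG))
```

Feed it the saved 'show run' of each of the three switches and compare the defaulted ports against the switch and port each suspect workstation is cabled to; a VLAN 2 or VLAN 3 address on a port listed here is the mis-assignment the answer describes.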
