04-30-2008 12:18 PM - edited 03-05-2019 10:42 PM
Our School District has 25 buildings and each has its own vlan assigned to it. Recently one of our building vlans, 111, just stopped communicating with another, 157, but does communicate with the remaining 23 vlans. Vlan 157 is not able to communicate with vlan 111 but can communicate with the other 23 vlans.
We have a 6509 sup720 running CatOS with 3500 series edge switches.
Any suggestions on where to start looking would be greatly appreciated.
Cathy Perry
WWCSD Tech Group
04-30-2008 12:21 PM
Cathy
Where are the L3 interfaces for the vlans - are they on the 6500 switch?
The 3550 edge switches, do they have multiple vlans on each switch and are they connected back via trunks to the 6500?
Where are you trying to connect from / to, i.e. are you on a PC in vlan 111 trying to connect to a PC in vlan 157, and are these on different switches?
Jon
04-30-2008 05:39 PM
Jon,
The L3 interfaces for these vlans are on the 6500 switch. The edge switches for Vlan157 have multiple vlans and trunk back to the 6500. The edge switches for Vlan111 have been manually pruned with the assistance of Cisco TAC Support last summer and also trunk back to the 6500.
To answer your last question we actually tried to ping from a server in either Vlan to the server in the other Vlan. Pinging in either direction fails. Both servers are connected directly to the 6500 by trunk ports.
Thank you,
Cathy
05-01-2008 12:44 AM
Cathy
What exactly do you mean when you say servers are trunked? If you mean trunked as in Cisco trunk then which vlans are they members of?
Or do you mean trunked in the Cisco etherchannel sense?
If both servers are connected into the 6500 and the routing is done on the 6500 then we can probably rule out an issue with the access-layer switches.
Do you have any filtering with access-lists?
What are the IP address/subnet mask/default-gateway details for your 2 servers?
Jon
05-01-2008 07:48 AM
Jon,
Each server in our network has a dedicated port on the 6500 for its individual Vlan.
You are correct, both servers connect directly to the 6500 and routing is done on the 6500.
This is the only access list filtering I have been able to locate on our router.
Extended IP access list 101
10 deny tcp any any eq 5554
20 deny tcp any any eq 9996
30 permit tcp any any eq www
40 deny tcp any any eq 445
Vlan 111 10.91.72.4 255.255.252.0 10.191.72.2
Vlan 157 10.91.48.4 255.255.252.0 10.191.48.2
Cathy
05-01-2008 09:06 AM
Cathy
Do you know if/where the access-list 101 is applied?
Jon
05-01-2008 09:36 AM
Jon,
I believe this is what you are asking me:
The access-list 101 in my previous response came from the MSFC on the 6509. I ran the sho access-lists command to get it.
MSFC#sho access-lists
Extended IP access list 101
10 deny tcp any any eq 5554
20 deny tcp any any eq 9996
30 permit tcp any any eq www
40 deny tcp any any eq 445
Cathy
05-01-2008 09:37 AM
Sorry Cathy, I didn't explain myself very well.
Can you post the output of a
sh run int vlan 111
sh run int vlan 157
Jon
05-01-2008 10:53 AM
Jon,
Thank you for your patience with me.
Here it is:
MSFC#sho run int vlan 111
Building configuration...
Current configuration : 132 bytes
!
interface Vlan111
description Stev-Instr
ip address 10.91.72.2 255.255.252.0
no ip redirects
ip pim sparse-mode
ip cgmp
end
MSFC#sho run int vlan 157
Building configuration...
Current configuration : 132 bytes
!
interface Vlan157
description Adam-Instr
ip address 10.91.48.2 255.255.252.0
no ip redirects
ip pim sparse-mode
ip cgmp
end
This is as it has always been.
Cathy
05-01-2008 10:58 AM
Cathy
No problem, I just wanted to confirm the access-list wasn't applied to these vlan interfaces. Sometimes these problems can take a while to sort out and can take quite a few questions.
The other thing - in a previous post you said servers ip addresses/subnet mask/DG were
Vlan 111 10.91.72.4 255.255.252.0 10.191.72.2
Vlan 157 10.91.48.4 255.255.252.0 10.191.48.2
Are the default-gateways typos, i.e.
10.191.72.2 should be 10.91.72.2
and
10.191.48.2 should be 10.91.48.2
Jon
05-01-2008 11:25 AM
Sorry Jon,
Yes, 10.91.72.2 and 10.91.48.2 are the appropriate gateways.
I was hopping in and out of switches and do this sometimes.
Cathy
05-01-2008 11:37 AM
Cathy
Okay can we try a few things
1) From the server in vlan 111 can you ping vlan 157 interface - result ?
2) From server in vlan 157 can you ping vlan 111 interface ?
3) From server in vlan 111 can you ping a server in a different vlan ?
4) Same as 3 for server in vlan 157.
5) Can you post a "sh ip route" from the 6500.
6) Can you post the interface vlan
Edit - which module(s) are the servers connected into and which IOS version are you running.
Apologies for requesting all this info but there is nothing obvious (at least to me ! )
Jon
05-02-2008 07:08 AM
Jon,
I agree there is nothing obvious, especially since there have been no configuration changes to the 6500 in at least a month.
1) From the server in vlan 111 can you ping vlan 157 interface - result ?
Yes
2) From server in vlan 157 can you ping vlan 111 interface ?
No
3) From server in vlan 111 can you ping a server in a different vlan ?
4) Same as 3 for server in vlan 157.
Yes, to both 3 & 4
5) Can you post a "sh ip route" from the 6500.
"sh ip route" did not give me the response I expected to see. What information should I see when I run this for you?
6) Can you post the interface vlan
#module 9 : 16-port 1000BaseX Ethernet
set vlan 16 9/1-2,9/11
set vlan 109 9/3,9/5,9/16
set vlan 111 9/14 (Bldg Server)
set vlan 113 9/7
set vlan 115 9/15
set vlan 139 9/6
set vlan 141 9/4
set vlan 147 9/13
set vlan 153 9/12
set vlan 157 9/9-10 (IE filtering Server & Bldg Server)
set vlan 888 9/8
set port name 9/3 Nautilus
set port name 9/8 Lincoln-Vandenberg
set port name 9/16
set cdp disable 9/16
set udld enable 9/3
set trunk 9/3 on dot1q 1-4094
set trunk 9/4 on dot1q 1-4094
clear trunk 9/8 2-15,17-130,133-144,147-4094
set trunk 9/8 on dot1q 1,16,131-132,145-146
set trunk 9/9 off dot1q 1-4094 (this config questionable)
set spantree portfast 9/1-16 disable
Edit - which module(s) are the servers connected into
Server in Vlan 111 is connected to 9/14 - Building Server
Server in Vlan 157 is connected to 9/9 - IE Filtering Server 9/10 - Building Server
Which IOS version are you running.
Sup720 is running cat6000-sup720k8.8-5-9
MSFC "bootflash:c6msfc3-psv-mz.122-17d.SXB8"
MSFC3 Software (C6MSFC3-PSV-M), Version 12.2(17d)SXB8, RELEASE SOFTWARE (fc2)
05-02-2008 07:26 AM
Cathy
You ran the "sh ip route" on the supervisor but you are running in hybrid mode so you need to run it from the MSFC.
Can you
1) Post the output of a "sh module"
2) Log on to the MSFC and post the output of a "sh ip route"
3) On the MSFC post the output of the running config - "sh run"
Jon
05-02-2008 09:50 AM