Help configuring a NM-ESW-16

Unanswered Question
Dec 22nd, 2010

Hi all,

I have a problem with a NM-ESW-16 network module in a Cisco 2651XM router running Advanced Security IOS v12.4(25d).

Prior to upgrading to this version of IOS, the router was running IOS v12.4(8).  Switch ports 0-7 were configured to be in VLAN 2 and ports 8-15 were in VLAN 3 and it was working as expected, ie. the NM-ESW-16 was working as two 8-port switches.

The network config is set up for testing purposes only right now, so only 2 of the ports in VLAN 2 are used.  One port is connected to an existing switch as an uplink, and the other port goes off to a workstation.

The Problem: Once the upgrade completed and the router reloaded, I was no longer able to ping the IP address of the router's built-in FastEthernet 0/0 interface from the workstation, however I could ping anything else on the network.  This was not the behaviour before the IOS upgrade though, so I'm wondering if I need to configure something else now in order to get the packets flowing again?

I've spent quite a lot of time looking for a) simply how to configure the NM-ESW-16 as two port-based VLANs (finally got there) and (b) trying to figure out why the router is not forwarding packets over these VLANs when those packets are addressed to it, so I would appreciate any help/ideas.

The config for this router is about 20k, so if you need to see parts of it let me know.  I've included some parts that may be relevant below:

interface FastEthernet1/0
switchport access vlan 2
power inline never
spanning-tree portfast
!
interface FastEthernet1/1
switchport access vlan 2
power inline never
spanning-tree portfast
!
interface FastEthernet1/2
switchport access vlan 2
power inline never
spanning-tree portfast
!
interface FastEthernet1/3
switchport access vlan 2
power inline never
spanning-tree portfast
!
interface FastEthernet1/4
switchport access vlan 2
power inline never
spanning-tree portfast
!
interface FastEthernet1/5
switchport access vlan 2
power inline never
spanning-tree portfast
!
interface FastEthernet1/6
switchport access vlan 2
power inline never
spanning-tree portfast
!
interface FastEthernet1/7
switchport access vlan 2
power inline never
spanning-tree portfast
!
interface FastEthernet1/8
switchport access vlan 3
power inline never
spanning-tree portfast
!
interface FastEthernet1/9
switchport access vlan 3
power inline never
spanning-tree portfast
!
interface FastEthernet1/10
switchport access vlan 3
power inline never
spanning-tree portfast
!
interface FastEthernet1/11
switchport access vlan 3
power inline never
spanning-tree portfast
!
interface FastEthernet1/12
switchport access vlan 3
power inline never
spanning-tree portfast
!
interface FastEthernet1/13
switchport access vlan 3
power inline never
spanning-tree portfast
!
interface FastEthernet1/14
switchport access vlan 3
power inline never
spanning-tree portfast
!
interface FastEthernet1/15
switchport access vlan 3
power inline never
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
!
interface Vlan3
no ip address
!



c2651xm#show vlan-switch


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active   
2    DMZ                              active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7
3    PUBLIC                           active    Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
1002 fddi-default                     active   
1003 token-ring-default               active   
1004 fddinet-default                  active   
1005 trnet-default                    active   


VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0  
3    enet  100003     1500  -      -      -        -    -        0      0  
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0  
1005 trnet 101005     1500  -      -      1        ibm  -        0      0  
c2651xm#

The next thing I was going to try was adding FastEthernet 0/0 into VLAN 2, not sure if it will let me or not, or what effects it might have on the network when I do it.

Thanks,

- Rob.

Cadet Alain Wed, 12/22/2010 - 01:38

Hi,

interface Vlan2
no ip address
!
interface Vlan3
no ip address

If you want intervlan routing between vlan3 and vlan2 then you must put an ip address for each vlan interface and put this address as default gateway for machines in this vlan.

Regards.

Alain.

beyonddisability Wed, 12/22/2010 - 01:45

Hi Alain,

I'm not trying to get interVLAN routing going or anything of that nature, all I'm trying to do is use the 16 switch ports as two 8-port "dumb" switches, nothing more than that.  They are working in this way at present but since the IOS upgrade I can't ping the router IPs from the workstation connected to VLAN2, even though there shouldn't be anything stopping it (packets should go in FastEthernet 1/1, then out FastEthernet 1/0 to the existing switch, and from there back to the Cisco switch (FastEthernet 0/0)).

Thanks,

- Rob.

Cadet Alain Wed, 12/22/2010 - 02:06

Hi Rob,

I can't ping the router IPs from the workstation connected to VLAN2,

if int vlan 2 has no ip add it won't work.

Regards.

Alain.

beyonddisability Wed, 12/22/2010 - 02:19

Hi Alain,

Ok.  Thanks.

Why is it that I can ping anything else on the network though?

The setup is pretty simple, just in case I wasn't clear:

Cisco 2651XM has IP 10.92.184.1 on FastEthernet 0/0

Also has the NM-ESW-16 module installed (FastEthernet 1/0 - 15)

The ESW module is basically split in half, ie. ports Fa1/0 - 1/7 are in VLAN 1, the rest in VLAN 2 (VLAN 2 is currently unused).

A separate switch is connected to the Cisco 2651XM's FastEthernet 0/0 port and also FastEthernet 1/0.

A workstation is plugged into FastEthernet 1/1

The workstation can ping everything on the network except the IP of FastEthernet 0/0.

Is that what you would really expect, and if so, why?

Thanks,

- Rob.

Cadet Alain Wed, 12/22/2010 - 02:36

Hi,

A separate switch is connected to the Cisco 2651XM's FastEthernet 0/0 port and also FastEthernet 1/0

ok so the workstation is in vlan1 but on your router you have got no  int vlan1 ip address so it can't work

Because your router needs mac address of your machine to answer back and so to do arp requests you need a L3 interface as your machine is not directly connected to f0/0.

Why is it that I can ping anything else on the network though?

what do you mean by that ?

beyonddisability Wed, 12/22/2010 - 03:16

Hi Alain,

I'm not sure if you're understanding the problem I'm having here or not, so I've tried to describe how I think it should work.  Maybe you can tell me where I'm wrong, but please don't tell me it's because I don't have an IP assigned to the vlan interface, because although that may be the problem, it doesn't make sense, because I'm not trying to ping an interface on the NM-ESW-16 module, or a VLAN associated with it.

What I mean by "Why is it that I can ping anything else on the network though?" is exactly that.  From the workstation I can ping various other machines on the network without a problem.

There is a path from the workstation to the rest of the network.  This is via VLAN 2, because VLAN 2 is connected to our main network switch via port FastEthernet 1/0.  Connected to the main switch is the router's FastEthernet 0/0, which has IP 10.92.184.1

I can, from the workstation, ping other IPs on our 10.92.184.xxx network, these machines are connected to the main network switch.

So, the path from the workstation (10.92.184.28) to the router's FastEthernet 0/0 interface (10.92.184.1) is:

1. Packet originates at workstation, goes to the NM-ESW-16 (FastEthernet 1/1).

2. (I think) The NM-ESW-16 should switch the packet, which should find its way out via FastEthernet 1/0.

3. The main network switch (an IBM switch) will now receive the packet on one of its ports, since the FastEthernet 1/0 port is plugged into a port on the IBM switch.

4. As the router's FastEthernet 0/0 port (10.92.184.1) is also connected to a port on the IBM switch, the IBM switch will send the packet to the router's FastEthernet 0/0 port.

5. The router will respond to the packet (eg. ICMP echo reply) and then the whole process is repeated again in reverse to get the packet back to the sender (the workstation).

On the IBM switch there are various other servers and network gear.  There are servers on 10.92.184.2, .3 and .4.  I can ping any of those IPs from the workstation without a problem and from these servers I can ping the router (10.92.184.1) as well.

So, pinging 10.92.184.2 from the workstation works, this is the path the packets take:

Workstation -> NM-ESW-16 -> IBM Switch -> Server (10.92.184.2)

But this doesn't work:

Workstation -> NM-ESW-16 -> IBM Switch -> c2651xm FastEthernet 0/0 (10.92.184.1)

And that is my problem - I don't understand why this doesn't work.  The packet (or maybe ARP) is getting dropped somewhere.  Worse, it used to work as I expected on IOS 12.4(8)

Thanks,

- Rob.

Cadet Alain Wed, 12/22/2010 - 03:46

Hi Rob,

Maybe you can tell me where I'm wrong, but please don't tell me it's because I don't have an IP assigned to the vlan interface, because although that may be the problem, it doesn't make sense, because I'm not trying to ping an interface on the NM-ESW-16 module, or a VLAN associated with it.

If you wanted to ping an interface on switch module you would have to put that port as a L3 with no switchport command and then assign ip address.

if you want to ping a stationA in vlan 1 from a stationB in vlan 1 then you are just doing L2 in your module,  station B replies to stationA arp requests.

But now I hadn't understood your topology, can you clarify things for me please.

your workstation 10.92.184.28 is on f1/1 which is in vlan 1? then f1/0 is an access port in vlan 2 connected to IBM switch port also in vlan2?

your machines .2 to .4 on IBM switch are in vlan2? and the port from IBM switch to f0/0 on router 10.92.184.1 is an access port in which vlan ?

Regards.

Alain.

beyonddisability Wed, 12/22/2010 - 04:05

Hi Alain,

If you wanted to ping an interface on switch module you would have to put that port as a L3 with no switchport command and then assign ip address.

if you want to ping a stationA in vlan 1 from a stationB in vlan 1 then you are just doing L2 in your module, station B replies to stationA arp requests.

In theory, that's right.

But now I hadn't understood your topology, can you clarify things for me please.

Sure!

your workstation 10.92.184.28 is on f1/1 which is in vlan 1? then f1/0 is an access port in vlan 2 connected to IBM switch port also in vlan2?

Nope. The workstation is on f1/1 which is VLAN 2. This is how the NM-ESW-16 is split up:

In the 2651xm, the NM-ESW-16 is FastEthernet 1/0 - 1/15

VLAN1 = Not used, forget about it.

VLAN2 = NM-ESW-16, ports 0 to 7.

VLAN3 = NM-ESW-16, ports 8 - 15 (these ports are not used, don't worry about this vlan).

your machines .2 to .4 on IBM switch are in vlan2? and the port from IBM switch to f0/0 on router 10.92.184.1 is an access port in which vlan ?

The router port (f0/0) isn't in a VLAN.

I am only using port-based VLANs, not trying to use tagged VLANs. The only place VLANs are used is on the NM-ESW-16, they are (I believe) port-based VLANs, there is no VLAN tagging going on anywhere except maybe in the NM-ESW-16 module. There are no VLANs on the IBM switch, workstation or servers.

All I'm trying to do is use the NM-ESW-16 as if it were two 8-port "dumb" switches - the $20 type you get at a normal computer shop.

Does that clarify things?

Thanks for your patience,

- Rob.

Cadet Alain Wed, 12/22/2010 - 04:16

Hi,

ok it's clearer now.

Can you do a sh ip arp to see if your router has mapping for your workstation.

if not can you do debug arp  as well as debug ip packet on router when pinging from router to workstation.

if ARP unsuccessful and debug ip packet tells encapsulation failed then can you try again with giving int vlan 2 an ip address (I know you don't want to but just to verify).

Regards.

Alain.

beyonddisability Wed, 12/22/2010 - 04:29

Hi Alain,

I will try these things as soon as I can.

Unfortunately I don't have physical access to this network without getting permission first, so I'll request to go in and do some more tests and report back. It could take a few days or more (thanks to Christmas) for me to get back in there.

The idea of all of this is to get me happy that the switch module is working like a couple of dumb switches, and once I'm happy with it I am going to de-commission the IBM switch and use the NM-ESW instead. The goal of this is to minimize the amount of equipment in the rack.

If assigning an IP to VLAN 2 works then I might just stop using the router's built-in ethernet ports and use the switch ports only, which I hope will work, and in that case I would assign an IP to VLAN 2.

Thanks very much for your help so far. This is the first time I've used these forums and your help has been better and more helpful than even Cisco's TAC (when I've used it in the past).

- Rob.

prongupt Sat, 12/25/2010 - 21:28

Hey Robert,

Apart from that there are a couple of things which you can do to make sure that the packet is actually making it to the router or not. You can use IP Export to figure out the entry of the packet into the router port. Here is a reference link for the same (this is equivalent to SPAN on switches).

https://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1051294

Alternatively you can also use an access list to debug the ICMP requests from the host towards the router.

thanks

PD
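
The checks suggested in the replies above (show ip arp, debug arp, and an access list to narrow the debug to the workstation's ICMP), written out as one IOS session. This is an added example, not part of any post in the thread; the addresses and the c2651xm prompt are taken from the thread, and ACL number 199 is an assumption (any unused extended ACL number will do).

```cisco
! Added example. ACL 199 is an assumed free number; it is used only as a
! debug filter and is not applied to any interface, so forwarding is unchanged.
c2651xm# configure terminal
c2651xm(config)# access-list 199 permit icmp host 10.92.184.28 host 10.92.184.1
c2651xm(config)# access-list 199 permit icmp host 10.92.184.1 host 10.92.184.28
c2651xm(config)# end
!
! Send debug output to this session if connected over telnet/SSH.
c2651xm# terminal monitor
!
! Limit "debug ip packet" to the ICMP exchange between the workstation
! and FastEthernet0/0, and watch ARP activity at the same time.
c2651xm# debug arp
c2651xm# debug ip packet 199 detail
!
! Now ping 10.92.184.1 from the workstation (10.92.184.28), then check
! whether the router has learned the workstation's MAC address.
c2651xm# show ip arp 10.92.184.28
!
! Turn debugging off and remove the temporary ACL when finished.
c2651xm# undebug all
c2651xm# configure terminal
c2651xm(config)# no access-list 199
c2651xm(config)# end
```

If the echo requests appear in the debug output, the frames are reaching the router and the fault is on the reply path, which is where the "encapsulation failed" message mentioned above would show up. If nothing appears at all, the requests (or the ARP exchange before them) are being lost before they reach FastEthernet 0/0.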

This Discussion

Posted December 22, 2010 at 1:21 AM