
Cannot change VLAN

Stel Vlach
Level 1

Hi all

I use an SG 500-52 and since I initially installed this switch the same issue kicks in again and again. I've updated firmware/bootloader quite recently. In a previous ticket I opened when it was under technical warranty support, the engineers said the configuration was fine.

I use DHCP Snooping, IP Source Guard and DAI. Most ports (including the one whose access VLAN I am trying to change) have port security.

 

Nevertheless, when I try to change a port's VLAN, the endpoint connected to it gets an IP address but loses connectivity. I try to clear the IP DHCP snooping database and the secure MAC address of the port, but no luck. Then I try to disable port security, ARP inspection, IP source guard and DHCP snooping, but nothing changes. When I switch the switchport back to its previous VLAN it works.


Stel Vlach
Level 1

Correction to the last sentence. It works when the switch is rebooted.

Hi Stel,

Can you post some logs from the actual test? It would be best if they were captured via serial console during the testing.

Aleksandra

Hi Aleksandra 

Thanks for your reply. Shall I issue a specific debugging command?

Hi Stel,

Basically, when ARP inspection blocks the packet, you would immediately have logs showing in the console.

You may compare blocked packets with the DHCP snooping binding table (show ip dhcp binding).

However, it is also good to get show tech-support, which has loads of other information which could give us an idea. Bear in mind that the output is extensive and may require adjusting the terminal window size.

By design, ARP inspection should refer to the ARP static binding, if there is one, or the IP DHCP snooping database.

If the packet’s IP address was not found both in the ARP static binding and in the DHCP snooping then the packet is invalid.

 

Let's verify that this is related to your issue.

Aleksandra

 

 

Hi Aleksandra

 

Thanks for your kind reply. Here is the first log message I get when I change the VLAN. The message comes even with DAI deactivated. 

 

10-Aug-2014 18:03:16 %ARPINSP-I-PCKTLOG: ARP packet dropped from port gi1/1/27 with VLAN tag 16 and reason: packet verification failed

SRC MAC 00:3e:e1:c6:27:47 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 172.17.16.18

 

Even though I get this message, the computer is able to get an IP address in the new VLAN.

Any updates on this one?
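
Added example, not part of the thread and not Cisco code: a Python sketch of the comparison suggested above, parsing %ARPINSP-I-PCKTLOG drop messages from a console capture and checking each against binding entries. The binding list, the second log message and the VLAN 15 entry are constructed sample data, and the function names are hypothetical.

```python
import re

# Message layout as quoted in the thread; the SRC/DST detail may arrive on a
# separate console line, hence \s+ between the two parts.
DROP_RE = re.compile(
    r"%ARPINSP-I-PCKTLOG: ARP packet dropped from port (?P<port>\S+) "
    r"with VLAN tag (?P<vlan>\d+) and reason: (?P<reason>[^\n]+?)\s+"
    r"SRC MAC (?P<src_mac>[0-9a-fA-F:]{17}) SRC IP (?P<src_ip>\S+) "
    r"DST MAC (?P<dst_mac>[0-9a-fA-F:]{17}) DST IP (?P<dst_ip>\S+)"
)

def parse_drops(console_text):
    """Return one dict per dropped-ARP message found in captured console text."""
    return [m.groupdict() for m in DROP_RE.finditer(console_text)]

def classify(drop, bindings):
    """Compare a dropped packet with binding entries (static ARP or DHCP snooping)."""
    if drop["src_ip"] == "0.0.0.0":
        # Sender IP 0.0.0.0 is an ARP probe (RFC 5227): the packet carries
        # no sender IP, so there is nothing to look up in a binding table.
        return "probe-no-sender-ip"
    mac, vlan = drop["src_mac"].lower(), int(drop["vlan"])
    same_mac = [b for b in bindings if b["mac"].lower() == mac]
    if any(b["ip"] == drop["src_ip"] and b["vlan"] == vlan for b in same_mac):
        return "binding-matches"        # a missing binding does not explain it
    if any(b["vlan"] != vlan for b in same_mac):
        return "binding-in-other-vlan"  # entry exists only for another VLAN
    return "no-binding"

# First message is the one posted in the thread; the second is constructed.
SAMPLE_LOG = (
    "10-Aug-2014 18:03:16 %ARPINSP-I-PCKTLOG: ARP packet dropped from port "
    "gi1/1/27 with VLAN tag 16 and reason: packet verification failed\n\n"
    "SRC MAC 00:3e:e1:c6:27:47 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 172.17.16.18\n"
    "10-Aug-2014 18:03:20 %ARPINSP-I-PCKTLOG: ARP packet dropped from port "
    "gi1/1/27 with VLAN tag 16 and reason: packet verification failed\n"
    "SRC MAC 00:3e:e1:c6:27:47 SRC IP 172.17.16.18 DST MAC 00:00:00:00:00:00 DST IP 172.17.16.1\n"
)
# Constructed binding entries (not taken from the switch in the thread).
SAMPLE_BINDINGS = [
    {"mac": "00:3e:e1:c6:27:47", "ip": "172.17.15.40", "vlan": 15, "port": "gi1/1/27"},
]

if __name__ == "__main__":
    for d in parse_drops(SAMPLE_LOG):
        print(d["port"], d["vlan"], d["src_ip"], classify(d, SAMPLE_BINDINGS))
```
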
