
Enabling VLAN Bridging for IPX across a 3750 Switch

JohnHumphrey
Level 1

Situation: Our organization was pushed ahead of schedule to implement switching and routing in a building that was not supposed to be ready for a while. We are setting up a new WAN that will only run IP across four counties. Since this building was ready earlier than anticipated, we are pushed to implement IPX on Cisco Catalyst 2950(4) and 3750(1) Switches that we had already purchased for the new network. The 3750 is a Distribution Switch that connects via Fiber to a Bay Networks router on the County MetroNet. The 2950s are connected to the 3750 via fiber converters to individual VLANs.

Status So Far: The 2950s should be able to process L2 as normal. IP has been flowing correctly for several days through our 3750. Users can connect to most of their servers. We have two legacy Novell networks; one is Novell 4 and the other is 6.5. Both networks still use IPX for management. One of my Engineers for our developing network recommended using VLAN Bridging and sent me a short PDF on how to implement it (Chap 42, Configuring Fallback Bridging). I have followed his steps, and now it is the weekend and no one is available.

Gotchas: After enabling Fallback Bridging on the port connected to the IPX Network in question, I have completely lost IP Connectivity for their users. Was this supposed to be done on the VLAN versus the port? I tried to go back and use the NO BRIDGE and NO BRIDGE-GROUP commands in their respective configuration locations, and IP will not come back. The specific error response is "Fa1/0/5 is not a Switching port". I even tried BRIDGE CRB, so I could transfer both IPX and IP across the same port. It did not help. I was using "SWITCHPORT MODE ACCESS" and "SWITCHPORT ACCESS VLAN 201" to bring it back to original configuration. To make it all more interesting, the building is completely locked up for the weekend, and I have to administer through VPN and Telnet, so I can not just activate another port and move them to it at this moment.

HELP: How can I get the switch back to a Switching Port to return IP Access to that network? What did I miss to correctly enable IPX Passthrough to the routers on the MetroNet? Three other networks are IP Only so I cannot make the entire switch IPX Passthrough. One more network coming up Monday is going to require IPX; it is the older of the two Novell networks. The ideal situation is to provide IP to everyone with the established VLANs and to allow IPX Bridging (passthrough) on two ports while still allowing IP Traffic, which is 90% of the activity. What else do I need to provide the community, to more accurately assist me in this endeavor?


JohnHumphrey
Level 1

SH VER Results:

I am using the following System Image File:

c3750-ipservices-mz.122-25.SEE2

Switch#sh ver

Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Fri 28-Jul-06 08:46 by yenanh

Image text-base: 0x00003000, data-base: 0x010CE290

ROM: Bootstrap program is C3750 boot loader

BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEB, RELEASE SOFTWARE (fc)

Switch uptime is 1 hour, 19 minutes

System returned to ROM by power-on

System image file is "flash:c3750-ipservices-mz.122-25.SEE2"

cisco WS-C3750-24TS (PowerPC405) processor (revision K0) with 118784K/12280K bytes of memory.

Processor board ID CAT0922N26R

Last reset from power-on

7 Virtual Ethernet interfaces

24 FastEthernet interfaces

2 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address : XXXXXX

Motherboard assembly number : 73-9677-08

Power supply part number : 341-0034-01

Motherboard serial number : CAT092301LQ

Power supply serial number : DAB091404LU

Model revision number : K0

Motherboard revision number : B0

Model number : WS-C3750-24TS-S

System serial number : CAT0922N26R

Top Assembly Part Number : 800-25857-02

Top Assembly Revision Number : A0

Version ID : V05

CLEI Code Number : CNMV100CRE

Hardware Board Revision Number : 0x01

Switch Ports Model SW Version SW Image

------ ----- ----- ---------- ----------

* 1 26 WS-C3750-24TS 12.2(25)SEE2 C3750-IPSERVICES-M

Configuration register is 0xF

Switch#conf term

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#int fa1/0/5

Switch(config-if)#switchport mode access

Command rejected: Fa1/0/5 not a switching port.

Switch(config-if)#

scottmac
Level 10

Do you have access to the other side of the link(s)? It's possible that something in one of your interim configs has caused the other side of the link to shut down the port on the other side (errdisable).

Do you have access to / can you insert a "sniffer" to see what the actual traffic flow is?

Check your access list(s)

Verify the IP addresses and mask(s) for the VLAN / IRB bridge group. Also check to see that the routes are proper (Default Gateway, Statics, etc)

That's all that comes to mind for now, I'm sure others will have some other suggestions.

Good Luck

Scott

This is a testament to the VALUE of the Cisco Forums. I did not expect to get a reply within 6 minutes on a Sunday morning. Thank you. I will provide as much detail as I can...

I am fairly new to this side of Networking. All my background is in Novell and Microsoft, with a little Security for balance.

To answer your questions:

I do not have a Sniffer that I can deploy though I just downloaded the 30 day version of SolarWinds for help. Is there a Sniffer in there? I am looking at the moment.

I have access to all the 2950s, except the one on the 3750 port that I just disabled. I do not have access to the Bay Networks Router as it belongs to the county. They won't be back until Monday.

I have no access lists enabled. I will forward a "cleaned" copy of my config that you can look at. Unless there is an IPX filter on the core router that I am not aware of, there should not be any. Up until three days ago, IPX and IP flowed freely through the core routers from their earlier building about a half mile away on the same fiber MetroNet. The routers should support IPX data traffic as they have for many years. The networks in question have every desire to switch to pure IP but this early move caught everyone, including the county experts, unprepared. I am learning a lot very fast on the fly. :-)

Switch#show runn

Building configuration...

Current configuration : 2773 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log datetime

service password-encryption

service sequence-numbers

!

hostname Switch

!

!

no aaa new-model

clock timezone CST -5

switch 1 provision ws-c3750-24ts

ip subnet-zero

ip routing

ip name-server 172.20.0.7

ip name-server 172.20.0.10

!

!

!

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

bridge crb

!

!

interface FastEthernet1/0/1

switchport access vlan 2

switchport mode access

!

interface FastEthernet1/0/2

!

interface FastEthernet1/0/3

!

interface FastEthernet1/0/4

!

interface FastEthernet1/0/5

description Org1 ! NOTE: Port I disabled with VLAN BRIDGE command

no switchport

no ip address

speed 100

duplex full

!

interface FastEthernet1/0/6

!

interface FastEthernet1/0/7

switchport access vlan 301

switchport mode access

speed 100

duplex full

!

interface FastEthernet1/0/8

!

interface FastEthernet1/0/9

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet1/0/10

!

interface FastEthernet1/0/11

switchport access vlan 101

switchport mode access

speed 100

duplex full

!

interface FastEthernet1/0/12

!

interface FastEthernet1/0/13

description Org5

switchport access vlan 200

switchport mode access

speed 100

duplex full

!

interface FastEthernet1/0/14

!

interface FastEthernet1/0/15

switchport access vlan 200

switchport mode access

!

interface FastEthernet1/0/16

!

interface FastEthernet1/0/17

!

interface FastEthernet1/0/18

!

interface FastEthernet1/0/19

!

interface FastEthernet1/0/20

!

interface FastEthernet1/0/21

!

interface FastEthernet1/0/22

!

interface FastEthernet1/0/23

!

interface FastEthernet1/0/24

switchport access vlan 101

switchport mode access

speed 100

duplex full

!

interface GigabitEthernet1/0/1

switchport access vlan 200

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet1/0/2

!

interface Vlan1

no ip address

!

interface Vlan2

ip address 172.20.12.251 255.255.252.0

!

interface Vlan101

ip address 10.131.26.1 255.255.255.0

!

interface Vlan102

ip address 10.131.27.1 255.255.255.0

!

interface Vlan200

ip address XXXX 255.255.255.0

!

interface Vlan201

ip address 10.131.32.1 255.255.255.0

!

interface Vlan301

ip address 10.131.36.1 255.255.255.0

!

router rip

version 2

network 10.0.0.0

network 172.20.0.0

network XXXX

no auto-summary

!

ip default-gateway XXXX

ip classless

ip route 0.0.0.0 0.0.0.0 XXXX

ip http server

!

!

!

control-plane

!

!

line con 0

password 7 xxxxxx

line vty 0 4

password 7 xxxxxx

no login

line vty 5 15

password 7 xxxxxx

no login

!

end

Switch05#sh runn

Building configuration...

Current configuration : 4144 bytes

!

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname Switch05

!

enable secret 5 XXXX

!

clock timezone CST -5

ip subnet-zero

!

ip name-server 172.20.0.17

ip name-server 172.20.2.17

!

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

!

!

!

interface FastEthernet0/1

description Org1

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/2

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/3

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/4

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/5

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/6

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/7

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/8

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/9

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/10

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/11

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/12

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/13

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/14

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/15

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/16

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/17

switchport access vlan 102

switchport mode access

speed 100

duplex full

Continued from above:

!

interface FastEthernet0/18

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/19

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/20

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/21

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/22

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/23

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/24

switchport access vlan 102

switchport mode access

speed 100

duplex full

!

interface Vlan1

no ip address

no ip route-cache

shutdown

!

interface Vlan102

ip address 10.131.27.2 255.255.255.0

no ip route-cache

!

ip default-gateway 10.131.27.1

ip http server

snmp-server enable traps <..... removed for posting....>

!

line con 0

password 7 XXXX

line vty 0 4

password 7 XXXX

login

line vty 5 15

password 7 XXXX

login

!

!

end

To change back from a routed port, just add the following to the interface. If you were trying to implement IPX on this network, the definitions would go on the layer 3 SVI (vlan 102) definition, not the port. If you do a show interface status you will probably see the port in question as "routed"; the commands below will change it to a switched port.

interface FastEthernet1/0/5

switchport

switchport mode access

switchport access vlan 102

no ip address

speed 100

duplex full

Is there a monitoring command that I can use to verify IPX traffic is going across the Switch?

SH IP INT BRIEF tells me that UP and UP on Status and Protocol. VLAN 201 is now functioning at the level that I witnessed prior to my changes as far as I can tell; it is also UP and UP.

Would the appropriate testing command be:

SHOW BRIDGE VLAN 201

Are there any other useful T/S commands that would be appropriate here?

You can use "show ipx route" and "show ipx server" to see other IPX devices on the network. Did you get the bridging to work or did you configure IPX routing on the 3750? If using bridging then use the "show bridge" command.

I reconfigured the BRIDGING again using the VLAN. I was told that VLAN-BRIDGING was the only way to get IPX to flow across a Catalyst 3750 Switch with my IOS and Version.

I asked an Administrator from the organization in question to go into work or log in from home to see if he could now see his missing server again that is on that VLAN. I am 3 counties away, and I have no login rights to his network (remote or local), so I really cannot test it for him.

The Routers are also handled by another third organization, so I have no access to run commands on those devices for testing.

In case these child organizations are not converted from IPX to IP by the time my new network comes up in 2-3 months, will your mentioned SHOW IPX ROUTE and SHOW IPX SERVER commands work on Cisco 2800 and 2810 series Routers, which is what I will be using on the new network? It will be a managed network, so I should have A LOT of help by that time. The timing of this move left me unsupported, and I was tasked to "make it happen".

I missed one step that was necessary to make it all work. I assumed that the Bridge went out the default gateway to the next network. I also tried to use two different VLAN Bridges for the two different organizations. I had to add the uplink VLAN to the same "BRIDGE-GROUP 1" that the first organization was added to. I then had to add the second organization to the same BRIDGE-GROUP, since only ONE Bridge-group could be added to the uplink.

I received a phone call from the administrator, saying his network was still not up. At that point I realized that I needed to add the Uplink to the same group. He can now see all his other servers, but he is getting SAP alarms, since the routers still think his server was supposed to be at the old building. At this point, my work is done, other than a phone call to the person responsible for the routers to make sure the SAP alarms go away and the IPX Network Number is pointing to the right building.

I want to offer a BIG THANK YOU to SCOTT and GLEN for all your advice. You guys are REAL PROS!!!
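The arrangement described in the last posts, sketched as an added configuration example (not posted by any participant in this thread): one fallback bridge group shared by the uplink SVI and both IPX organizations' SVIs, with the physical port left as a Layer 2 access port. VLAN 201 and Fa1/0/5 come from the original post; VLAN 200 as the uplink VLAN and VLAN 102 as the second organization's VLAN are assumptions.

```cisco
! Added example. Fallback bridging on the 3750 forwards traffic the switch
! does not route (here IPX), while IP continues to be routed by the SVIs.
!
! One bridge group for the whole IPX path.
bridge 1 protocol vlan-bridge
!
! Uplink SVI toward the MetroNet router (VLAN number assumed).
! Only one bridge group can be attached here, so every IPX VLAN must share it.
interface Vlan200
 bridge-group 1
!
! First IPX organization (VLAN 201, per the original post).
interface Vlan201
 bridge-group 1
!
! Second IPX organization (VLAN number assumed).
interface Vlan102
 bridge-group 1
!
! The access port stays a switchport; bridge-group goes on the SVI, not here.
! Applying it to the physical port is what turned Fa1/0/5 into a routed port.
interface FastEthernet1/0/5
 switchport
 switchport mode access
 switchport access vlan 201
 speed 100
 duplex full
!
! Check afterwards with "show interface status" (port should no longer read
! "routed") and "show bridge", as suggested earlier in the thread.
```

The SVIs for the IP-only networks are deliberately left out of the bridge group, so non-IP frames are bridged only between the VLANs that still need IPX.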
