incoming traffic on vlan getting lost?

burlingtoniowa
Level 1

Cisco Support Community,

I hope I am articulating this problem correctly:

We have a switch gc2960. It has ports configured on vlan 27 and vlan 29.

It is connected to switch ch3550. It has presence of vlan 27 vlan 29 and also vlan 18 and several other vlans.

Our internet firewall is connected to ch3550. It is a fortinet product, so this is not indicated on the diagram.

[image: network part.jpg]

When the two switches were connected on vlan 29 access ports, pc's on vlan 29 on gc2960 worked as expected. vlan 27 clients of course did not work.

When we switched the connecting ports to trunk ports, some weird stuff happened. Clients on gc2960 on vlan 29 could ping and resolve dns, but not browse the internet. The same was true for clients on gc2960 vlan 27. We verified that packets from the web were coming in through the firewall. What we were thinking is that they somehow were not being tagged to vlan 29 even though we were trunking.

When we set native vlan 29 on the trunk, then clients on gc2960 vlan 29 operated as expected. However, clients on gc2960 vlan 27 are still having this problem, we can ping and resolve dns but not browse.

Consider the other switch ch2960-jstreet which has presence of vlan 18 and vlan 27. It is also connected on trunk to ch3550. We are not using native vlan on this trunk, and traffic works as expected.

Is the lack of presence of vlan 18 a factor as to why gc2960 is not receiving the tagged packets correctly?

Should the interface vlan18 on gc2960 have an ip address on the vlan 18 network?

Thank you all for your comments and advice.

5 Replies

glen.grant
VIP Alumni

Maybe you can post the trunking port configs from the 3550 and the 2960 you are having issues with, along with the L3 parameters. How is the internet FW set up? Does it use statics for all your networks pointing back to the 3550, and are all those there for all your known networks?

yes, the firewall uses all static routes, that point to ch3550.

Also, the switch ch3550 has a route to vlan29.

this is the config as of just now.

gc2960#show running-config interface gi0/1
Building configuration...

Current configuration : 92 bytes
!
interface GigabitEthernet0/1
 switchport trunk native vlan 29
 switchport mode trunk
end

ch3550#show running-config interface fa0/5
Building configuration...

Current configuration : 183 bytes
!
interface FastEthernet0/5
 description trunk to gc2960
 switchport access vlan 29
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 29
 switchport mode trunk
end

duh.

just noticed switchport access vlan 29.

maybe taking that out will help for vlan 27 traffic. Will advise, but need to drive out to the site to check.

But... why do we need to do native vlan 29 anyway? I would think it would work without it.

That switchport access command won't change anything; it really has no meaning because you have the port hardcoded as a trunk port. The port would have to be switchport mode access for that command to do anything. You don't need the native vlan as 29, it just "must" match on each end. If you have no native statement it defaults to a native vlan of 1. Try this

gc2960#show running-config interface gi0/1
Building configuration...

conf t
vlan 27
vlan 29

Current configuration : 92 bytes
!
interface GigabitEthernet0/1
 switchport mode trunk
end

ch3550#show running-config interface fa0/5
Building configuration...

Current configuration : 183 bytes

conf t
!
interface FastEthernet0/5
 description trunk to gc2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
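An added example, not from the thread or from either poster: a small Python checker that parses the two interface configs posted above, applies the rule glen.grant states (native VLAN defaults to 1 when absent and must match on both ends; `switchport access vlan` does nothing on a trunk port), and models what the receiving trunk does with an untagged frame so a mismatch shows up as traffic landing in the wrong VLAN. The parser and the simplified ingress model are my own assumptions about trunk behaviour, not switch code.

```python
import re

# Constructed from the two interface configs posted in this thread.
GC2960_GI0_1 = """interface GigabitEthernet0/1
 switchport trunk native vlan 29
 switchport mode trunk
end"""

CH3550_FA0_5 = """interface FastEthernet0/5
 description trunk to gc2960
 switchport access vlan 29
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 29
 switchport mode trunk
end"""

def parse_port(config):
    """Extract mode, effective native VLAN and access VLAN from one interface block.
    With no 'switchport trunk native vlan' line the native VLAN defaults to 1."""
    port = {"mode": "access", "native": 1, "access": None}
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"switchport mode (\w+)", line):
            port["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            port["access"] = int(m.group(1))
    return port

def ingress_vlan(frame_vlan, sender, receiver):
    """VLAN the receiving trunk assigns to a frame belonging to frame_vlan.
    Simplified model (assumption): the sender transmits its native VLAN untagged,
    and the receiver places untagged frames in its own native VLAN, so a
    mismatch silently moves that traffic into a different VLAN."""
    tagged = frame_vlan != sender["native"]
    return frame_vlan if tagged else receiver["native"]

def check_trunk(a, b):
    """Findings for a trunk between ports a and b (both parsed dicts)."""
    findings = []
    if a["mode"] == "trunk" and b["mode"] == "trunk" and a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    for p in (a, b):
        if p["mode"] == "trunk" and p["access"] is not None:
            findings.append(f"'switchport access vlan {p['access']}' has no effect on a trunk")
    return findings

if __name__ == "__main__":
    print(check_trunk(parse_port(GC2960_GI0_1), parse_port(CH3550_FA0_5)))
```

Run against the posted configs it reports only the leftover access-vlan line; pairing the gc2960 port with a peer that has no native statement (native 1) reports the mismatch, and `ingress_vlan(29, ...)` for that pair returns 1, which is the "not tagged to vlan 29" effect described in the first post.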

Glen,

Originally, I had the gc2960 connected to the ch3750 unit shown on the extreme left of the diagram as trunking. I moved it to f0/5 on the 3550, thinking we had too many switch hops or spanning-tree issues. The problem persisted.

But... That's *exactly* how I had it configured. It should work, but doesn't.

In this configuration, clients on vlan 29 had the problem with inbound tcp stuff. Let me be more explicit about the trouble we were seeing. A client pc on vlan 29 running windows at the GC site was able to ping any web site. It could resolve DNS. We could browse to previously-resolved web sites; for example, google would appear and we could even receive google's type-ahead search. But we would go to some random web site, and it would just sit there and the throbber would spin. Eventually it would time out. This was verified on two other pc's on vlan 29. Why ICMP ping would work, but TCP web sessions would not, is a mystery I don't fully understand.

We tried some of the obvious client-side solutions. This was seen in both ie and firefox. We switched to google dns server. We checked to see that proxy was off. We checked to see that appropriate routes were present on the firewall and the ch3550 switch.

We put the ports ch3550 f0/5 and gc2960 g0/1 from trunk to access vlan 29 and it worked. The access vlan 29 shown in my running config above is a relic of that.

I called one cisco consultant. He was stumped; he suggested it was a weird firewall problem, perhaps it was out of sessions.

I called the firewall manufacturer, Fortinet. Our unit is a 60b, rather old. They turned on packet tracing. We could see the outbound packets from our test client on vlan 29. We would also see return packets; I even saw text of a website that I recognized in one packet. So traffic is getting at least back through the firewall, and it's not an issue of the firewall being out of sessions.

Regardless, I ordered a new firewall. It is sitting on my desk; I haven't tried it yet. We needed a new one anyway.

I used a different port on the ch3550. It used to be on g0/9 I think.

I replaced the gc2960 switch with an old crappy dell powerconnect 3024. I set it so some ports were untagged on vlan 29 and some on vlan 27, and set tagging on the 3024's gigabit port for both vlans. I set the uplink port as native vlan 29. This configuration had worked elsewhere in our network. I changed the ch3550 f0/5 to trunking. Same result as before. This tells me the problem is not with gc2960.

I called another cisco consultant. They were equally stumped. These are the guys who suggested adding native vlan 29 to the trunk port. With this, client pc's on vlan 29 could finally browse as expected.

We just bought a used ws-c3750g-24t off ebay to stack with the existing ws-c3750g-12s labeled as ch3750 so as to eliminate unit ch3550, thinking maybe there is something wrong with ch3550 or we are having spanning-tree issues or something. We haven't received it yet. We were also planning to do that anyway to simplify the network.

thanks!

Message was edited by: Network Support to correct typos
