We have a switch gc2960. It has ports configured on vlan 27 and vlan 29.
It is connected to switch ch3550. It has presence of vlan 27, vlan 29 and also vlan 18 and several other vlans.
Our internet firewall is connected to ch3550. It is a fortinet product, so this is not indicated on the diagram.
When the two switches were connected on vlan 29 access ports, PCs on vlan 29 on gc2960 worked as expected. vlan 27 clients of course did not work.
When we switched the connecting ports to trunk ports, some weird stuff happened. Clients on gc2960 on vlan 29 could ping and resolve DNS, but not browse the internet. The same was true for clients on gc2960 vlan 27. We verified that packets from the web were coming in through the firewall. What we were thinking is that they somehow were not being tagged to vlan 29 even though we were trunking.
When we set native vlan 29 on the trunk, clients on gc2960 vlan 29 operated as expected. However, clients on gc2960 vlan 27 are still having this problem: we can ping and resolve DNS but not browse.
Consider the other switch ch2960-jstreet which has presence of vlan 18 and vlan 27. It is also connected on trunk to ch3550. We are not using native vlan on this trunk, and traffic works as expected.
Is the lack of presence of vlan 18 a factor as to why gc2960 is not receiving the tagged packets correctly?
Should the interface vlan18 on gc2960 have an ip address on the vlan 18 network?
Maybe you can post the trunking port configs from the 3550 and the 2960 you are having issues with, along with the L3 parameters. How is the internet FW set up? Does it use statics for all your networks pointing back to the 3550, and are all those there for all your known networks?
That switchport access command won't change anything; it really has no meaning because you have the port hardcoded as a trunk port. The port would have to be switchport mode access for that command to do anything. You don't need the native vlan as 29, it just "must" match on each end. If you have no native statement it defaults to a native vlan of 1. Try this
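The configuration the reply above refers to with "Try this" is not on the page. As an added example (not the replying poster's config, and not taken from the thread's devices), here is what a matching pair of 802.1Q trunk ports looks like on the two switches, using the interface names the thread mentions (ch3550 f0/5 and gc2960 g0/1) and native vlan 29 on both ends; the description strings and the allowed-VLAN list are assumptions. The point it illustrates is the one made above: the native VLAN is whatever both sides agree on (VLAN 1 if neither side says anything), a stale `switchport access vlan` line does nothing once the port is in trunk mode, and both ends need the VLANs in their VLAN databases for tagged frames to be forwarded.

```ios
! Added example, not the original poster's or the reply's own config.
! Interface names follow the thread: ch3550 f0/5 <-> gc2960 g0/1.
! The native VLAN has no required value; it only has to match on both
! ends. VLAN 29 is used here because that is what the thread settled on.
! Allowed-VLAN lists and description text are assumptions.

! --- ch3550 (Catalyst 3550) ---
! Make sure the VLANs exist in the VLAN database before trunking them.
vlan 18,27,29
!
interface FastEthernet0/5
 description trunk to gc2960 g0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 29
 switchport trunk allowed vlan 27,29
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
! --- gc2960 (Catalyst 2960) ---
! The 2960 only does 802.1Q, so there is no encapsulation command.
vlan 27,29
!
interface GigabitEthernet0/1
 description trunk to ch3550 f0/5
 ! Remove the leftover access-VLAN setting; it is ignored on a trunk
 ! but keeping it invites confusion when the mode is changed later.
 no switchport access vlan
 switchport trunk native vlan 29
 switchport trunk allowed vlan 27,29
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
! Verification, run on each switch: the native VLAN and the
! "allowed and active" VLAN list must agree on both ends, and CDP logs
! a %CDP-4-NATIVE_VLAN_MISMATCH warning when the native VLANs differ.
! show interfaces trunk
! show interfaces GigabitEthernet0/1 switchport
! show vlan brief
```

`switchport nonegotiate` is optional; it only turns off DTP so the trunk state does not depend on the neighbour negotiating it. If either end is left at the default native VLAN of 1 while the other is set to 29, untagged frames arriving on the trunk are placed in different VLANs on each side, which is exactly the mismatch the reply warns about.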
Originally, I had the gc2960 connected to the ch3750 unit shown on the extreme left of the diagram as trunking. I moved it to f0/5 on the 3550, thinking we had too many switch hops or spanning-tree issues. The problem persisted.
But... That's *exactly* how I had it configured. It should work, but doesn't.
In this configuration, clients on vlan 29 had the problem with inbound TCP stuff. Let me be more explicit about the trouble we were seeing. A client PC on vlan 29 running Windows at the GC site was able to ping any web site. It could resolve DNS. We could browse to previously-resolved web sites; for example, Google would appear and we could even receive Google's type-ahead search. But we would go to some random web site, and it would just sit there and the throbber would spin. Eventually it would time out. This was verified on two other PCs on vlan 29. Why ICMP ping would work, but TCP web sessions would not, is a mystery I don't fully understand.
We tried some of the obvious client-side solutions. This was seen in both IE and Firefox. We switched to Google's DNS server. We checked to see that proxy was off. We checked to see that appropriate routes were present on the firewall and the ch3550 switch.
We put the ports ch3550 f0/5 and gc2960 g0/1 from trunk to access vlan 29 and it worked. The access vlan 29 shown in my running config above is a relic of that.
I called one cisco consultant. He was stumped - suggested it was a weird firewall problem, perhaps it was out of sessions.
I called the firewall manufacturer, Fortinet. Our unit is a 60B, rather old. They turned on packet tracing. We could see the outbound packets from our test client on vlan 29. We would also see return packets; I even saw text of a website that I recognized in one packet. So traffic is getting at least back through the firewall, and it's not an issue of the firewall being out of sessions.
Regardless, I ordered a new firewall. It is sitting on my desk; I haven't tried it yet. We needed a new one anyway.
I used a different port on the ch3550. It used to be on g0/9 I think.
I replaced the gc2960 switch with an old crappy Dell PowerConnect 3024. I set it so some ports were untagged on vlan 29 and some on vlan 27, and set tagging on the 3024's gigabit port for both vlans. I set the uplink port as native vlan 29. This configuration had worked elsewhere in our network. I changed the ch3550 f0/5 to trunking. Same result as before. This tells me the problem is not with gc2960.
I called another Cisco consultant. They were equally stumped. These are the guys who suggested adding native vlan 29 to the trunk port. With this, client PCs on vlan 29 could finally browse as expected.
We just bought a used WS-C3750G-24T off eBay to stack with the existing WS-C3750G-12S labeled as ch3750, so as to eliminate unit ch3550, thinking maybe there is something wrong with ch3550 or we are having spanning-tree issues or something. We haven't received it yet. We were also planning to do that anyway to simplify the network.