OSPF and VLAN problem

wasiimcisco
Level 1

Hi,

I am having a problem with a VLAN in my network. I have connected one access point (192.168.50.11) to access switch 2 via a trunk port. Access switch 2 is connected to the distribution switch via a trunk port. Distribution and core are running OSPF.

The access switch is connected to one LAN and connected to the core switch via trunk. From the LAN 192.168.80.0 I am not able to reach the access point (192.168.50.11).

I have access, then distribution and core layers in my network.

    Access Switch 1 (VTP client)
            |
            | Trunk
            |
    Core Switch (VTP mode Server)
            |
            | OSPF
            |
    Distribution Switch (VTP mode Transparent)
            |
            | Trunk
            |
    Access Switch 2 (VTP client)
            |
            | Trunk
            |
    Wireless Access point

Configuration of Access switch 2 is attached. VLAN 50 is active on all switches. I am not even able to ping the AP from the distribution switch and access switch.

Attached is the configuration of all the switches. I have so many wireless access points that are connected to access switches, and these access switches are trunked with core. I never had this problem. Only this time, when I connect the AP with the distribution side, I am not able to ping it.

Please help me out.


Giuseppe Larosa
Hall of Fame

Hello Wasim,

two points to verify:

native vlan on AP side

interface FastEthernet0/1
description ***ENOCH3F1-WAP55*******
switchport trunk native vlan 50
switchport mode trunk
no ip address
end

if vlan 50 is carried everywhere, SVI for vlan 50 is up/up on distribution switch?

I see that distribution switch sees the subnet by OSPF

ENOC_H3F2_DIST#show ip route 192.168.50.13
Routing entry for 192.168.50.0/24
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 192.168.0.157 on Port-channel12, 4d08h ago
  Routing Descriptor Blocks:
  * 192.168.0.157, from 192.168.0.166, 4d08h ago, via Port-channel12
      Route metric is 2, traffic share count is 1

is this port-channel defined on core switch?

on core I see:

Vlan50                     192.168.50.2    YES manual up                    up

link between core and distribution is layer3

ENOCDC_CORE01#sh running-config interface port-channel 11
Building configuration...

Current configuration : 208 bytes
!
interface Port-channel11
description PORT-CHANNEL11 TO ENOC_H3F2_DIST
ip address 192.168.0.153 255.255.255.252

by the way there is another portchannel because IP subnets don't match between what I see on core and what I see on distribution.

yes, and it is a Layer3 port-channel so you have SVI vlan 50 defined on core, a L3 link between core and distribution, the AP connected in vlan 50 to access switch. You have partitioned vlan 50.

You need to use an SVI defined on distribution switches not one defined on core, otherwise you would need a L2 trunk between core and distribution and it is not recommended.

You need to review your design for vlan 50

Hope to help

Giuseppe

Hi,

Thanks for the reply. Below are the answers to your questions.

Distribution switch doesn't have the SVI for VLAN 50. Only core 1 and Core two have SVI 192.168.50.2, 192.168.50.3 and HSRP 192.168.50.3.

I have created one SVI for VLAN 50 on Distribution switch (192.168.50.4). But not able to ping from Core switch.

VLAN Status on Distribution switch  Vlan50                 192.168.50.4    YES manual up                    up

Access point configuration I have attached. AP and distribution switch can reach each other.

There are two port channels on core switches. One port channel 11 is between core to distribution and one port channel 1 between core 1 and core 2.

Port-channel1              unassigned      YES manual up                    up     
Port-channel11             192.168.0.153   YES manual up                    up    

OSPF configuration of Core and distribution I have also attached for your reference. I think now we need to modify the OSPF configuration. I have changed the gateway of the access point so it points towards the distribution SVI (192.168.50.4). I even tried to advertise the access point IP in OSPF of the distribution switch but no luck.

router ospf 1
  network 192.168.50.11 0.0.0.0 area 0

interface Vlan50
ip address 192.168.50.4 255.255.255.0

router ospf 1
log-adjacency-changes
network 172.20.1.0 0.0.0.255 area 1
network 192.168.0.154 0.0.0.0 area 0
network 192.168.0.158 0.0.0.0 area 0
network 192.168.103.1 0.0.0.0 area 1
network 192.168.104.1 0.0.0.0 area 1
network 192.168.105.1 0.0.0.0 area 1
network 192.168.106.1 0.0.0.0 area 1
network 192.168.107.1 0.0.0.0 area 1
network 192.168.108.1 0.0.0.0 area 1
network 192.168.109.1 0.0.0.0 area 1
network 192.168.110.1 0.0.0.0 area 1
network 192.168.111.1 0.0.0.0 area 1
network 192.168.112.1 0.0.0.0 area 1
network 192.168.113.1 0.0.0.0 area 1
network 192.168.114.1 0.0.0.0 area 1
network 192.168.115.1 0.0.0.0 area 1
network 192.168.116.1 0.0.0.0 area 1
network 192.168.117.1 0.0.0.0 area 1
network 192.168.118.1 0.0.0.0 area 1
!
ip default-gateway 192.168.250.1

Core switch OSPF configuration

router ospf 1
router-id 192.168.0.165
log-adjacency-changes
passive-interface default
no passive-interface Vlan250
no passive-interface Port-channel11
network 192.168.0.153 0.0.0.0 area 0
network 192.168.0.0 0.0.255.255 area 0
default-information originate always

Please let me know what I am missing.

Hello Wassim,

Either you remove SVI vlan50 on core routers, which is what I recommend, or you need to add a L2 trunk carrying vlan 50 between core switches and distribution switches.

>> Please let me know what I am missing.

the fact that it is enough to create an SVI for vlan50 to have a working connectivity: an end-to-end layer2 path is needed for this.

remove SVI vlan5 on core switches and add a network statement for SVI vlan 50 on distribution

on core  1,2

no int vlan 50

on Distrib1,2

router ospf  1
network 192.168.50.0 0.0.0.255 area 1

do this on both distribution switches and add an HSRP group to provide a default gateway to APs

Distrib1:

int vlan 50
ip address 192.168.50.2 255.255.255.0
standby 50 ip 192.168.50.1
standby 50 pri 105
standby 50 preempt

Distrib2:

int vlan 50
ip address 192.168.50.3  255.255.255.0
standby 50 ip 192.168.50.1
standby 50 pri 100
standby 50 preempt

Hope to help

Giuseppe

Actually I have only one distribution switch. I can't remove VLAN 50 from the core switches because this is the management VLAN for other wireless access points. If you see the wireless access point configuration, VLAN 55 is for users and 50 is for management.

For VLAN 55, which is the data VLAN, I have created an SVI on the core switches

interface Vlan55
ip address 192.168.55.2 255.255.255.0
ip helper-address 192.168.200.68
standby 55 ip 192.168.55.1
standby 55 priority 200
standby 55 preempt

and VLAN 55 (for users) is active on Distribution. There is no SVI on distribution for VLAN 55 (user VLAN).

Shall I create an SVI for VLAN 55 on distribution and remove the SVI from core for user VLAN 55?

interface Vlan55
ip address 192.168.55.1 255.255.255.0
ip helper-address 192.168.200.68

router ospf  1

network 192.168.50.0 0.0.0.255 area 1

Please suggest how to make accessible Management IP 192.168.50.11 from core switch.

The problem you have is that for the access switch connected to core switch to be able to get to the AP on vlan 50 there must be a L2 path all the way through your network from the access switch_1 to the AP but you don't have that because you have a L3 link between the core and dist switches. So vlan 50 on access switch_1 and the core switch is not the same vlan as vlan 50 on the dist and access switch_2.

Now if you migrate the L3 interfaces to the dist switch you still have a partitioned vlan 50 so that probably won't solve your problem. There are 3 options to solve the issue -

1)  change the link between the core switch and the dist switch to be a L2 trunk and not a L3 link

2) add another link between the core switch and the dist switch which is a L2 link and allows vlan 50 across it

3) have a redesign of network so that you do not need vlan 50 on both access switches.

These are your 3 options. Whatever you do you need to provide a L2 path end to end from access switch_1 to access_switch_2 for this to work.

Jon
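
The partitioning described in the reply above can be checked mechanically. The following is an added example, not part of the thread or any poster's configuration: it models the thread's topology as links with allowed-VLAN lists (a routed link carries none) and computes the Layer 2 segments of a VLAN. The device names and the allowed-VLAN lists on the trunks are constructed assumptions.

```python
from collections import defaultdict

# Constructed model of the thread's topology: (device_a, device_b, allowed_vlans).
# A routed (Layer 3) link bridges no VLANs, so its allowed set is empty.
L3 = frozenset()
LINKS = [
    ("access1", "core", frozenset({50})),   # trunk (allowed list assumed)
    ("core", "dist", L3),                    # L3 port-channel running OSPF
    ("dist", "access2", frozenset({50})),   # trunk (allowed list assumed)
    ("access2", "ap", frozenset({50})),     # trunk to the AP
]

def vlan_segments(links, vlan):
    """Return the separate Layer 2 segments (sets of devices) for one VLAN."""
    adj = defaultdict(set)
    for a, b, vlans in links:
        if vlan in vlans:
            adj[a].add(b)
            adj[b].add(a)
    seen, segments = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, seg = [start], set()
        while stack:                      # depth-first walk over links carrying the VLAN
            node = stack.pop()
            if node in seg:
                continue
            seg.add(node)
            stack.extend(adj[node] - seg)
        seen |= seg
        segments.append(seg)
    return segments

def same_segment(links, vlan, a, b):
    """True when a and b share one broadcast domain for this VLAN."""
    return any(a in seg and b in seg for seg in vlan_segments(links, vlan))

def with_l2_trunk(links, a, b, vlans):
    """Option 2 from the reply: add an L2 link between a and b carrying vlans."""
    return list(links) + [(a, b, frozenset(vlans))]

if __name__ == "__main__":
    print("VLAN 50 segments today:", vlan_segments(LINKS, 50))
    fixed = with_l2_trunk(LINKS, "core", "dist", {50})
    print("VLAN 50 segments with an L2 link:", vlan_segments(fixed, 50))
```

More than one segment for the same VLAN ID means the same subnet exists in two disconnected broadcast domains, which is the condition the replies call a partitioned VLAN.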

Hello Wasiim,

as you can see Jon agrees on the cause of your problem.

or you change the port-channel to a L2 trunk

int port-channel 12
no ip address
switchport
switchport mode trunk
switchport trunk enc dot1q
switchport trunk allowed vlan 50,X

where X is the vlan where you move the IP subnet where OSPF runs now

int vlan X
ip address 192.168.0.158 255.255.255.252
no shut

this is needed on both core switches and distribution switch.

Hope to help

Giuseppe

Thanks for the reply and suggestion.

Now we have decided to change the management VLAN for the part of the network that is connected behind the Distribution switch. Now all the access switches that are connected with distribution are in VLAN 100 as management. I will use this management VLAN 100 for the access point also.

But the Distribution switch is in Transparent mode and all access are in client. I am not able to add VLAN 55 in the access switch. I know this is silly but when we were introducing Layer 3 between distribution and core we didn't consider this.

I want to know: if I change the mode of distribution to Server, will that remove the VLAN database also? If not, I will change the mode to server and make the access switch a client so that I can add VLAN 55 on the access switch.

I hope making the access switch a client of the distribution switch will not impact the trunk and VLAN configuration, because currently distribution and access have the same VLAN. Only adding a new VLAN is a problem due to VTP.

Hello Wassiim,

yes, because no Layer2 path exists between core switches and access layer switches, not because distribution is in VTP transparent mode

I agree that, given the current scenario with L3 link with core, distribution switch should become VTP server for its switching block

I would take a maintenance window in any case.

converting the VTP mode to server should keep the current database.

Hope to help

Giuseppe

Sudeb Das
Level 1

On access switch 2 - the port (g0) connected to the AP (192.168.50.11) must have access port enabled instead of trunk & switchport access vlan 50.

Because the AP is a transparent bridge & acts like a host, the vlan 50 tagging must be done on g0 for communicating with vlan 50 of other switches. Now ospf will help to advertise the 50.0 network so that it can reach till desired location.

   
