Weird Problem with SF302-8P switches. . .

HSIAdministrator · ‎03-12-2012

3 Network Engineers later. . . I'm appealing to these boards for ideas.

Situation:

Rolling out new Avaya POE VOIP phone system for our corporate office.

Existing Infrastructure:

1 Core Cisco 3560 connected to 7 Cisco 2960 with ethertrunking enabled and passing VLAN 1, 100, 300, 400, 500.

Data VLAN 1/100 (Split to allow the DHCP requests coming from the diffrent sides ofthe building to hand out VLAN appropriate scop Addresss)

Vlan 1 - 192.168.0.0/24

Vlan 100 - 192.168.0.0/24

Vlan 300 (Avaya Servers and Phone Gear4)

Vlan 400 Avaya DHCP scope for phone addreeses

Vlan 500 Management VLAN for all SF 302 Switches.

Because many of the offices have more PC's and phones in them than network drops we purchased 30 SF302-08P switches to power the phones and PC's in the offices. We started by flashing them all to the current release of the firm ware 1.1.2.0 and successfully configured them to work with Vlan 1. The PC's get vlan specific DHCP addresses as do the phones, PC's connected through phones also grab the correct IP address range. We then setup the configuration for Vlan 1, after monkeying around and testing the only major diffrence being we blocked the inheritence of VLAN 1 at a switch port level on the Access switch so that the Vlan 100 would be the data vlan and the PC's would pull the correct IP addresses from DHCP.

We deployed a few switches on each side and began testing, on the 192.168.0.0/24 side of the network everything is working gloriously, Mac's Windows XP PC's and Windows 7 PC's are all able to conected to the internet and access the pages needed for our call center employees to do what they need to.

However, on the 192.168.1.0/24 side of the network things got interesting. We found that windows xp machines connected to the SF302 switches which have pulled correct DHCP and DNS information. Can ping, for example, www.expedia.com but when you try to navigate to the website with a browser the page times out. Connecting the same PC directly to a wall port connected to the Access 2950 switch and it can reach the website without a problem. Plug a windows 7 PC into the SF302-08P switch and it can surf to the same websites without issues.

I've had three diffrent network engineers look at this and it has them stumped, I'm at a loss and any hel would be greatly appreciated.

here is the running config from one of the SF302 switches that is not working.

interface fa4

spanning-tree link-type point-to-point

exit

vlan database

vlan 1,100,400,500

exit

voice vlan id 400

voice vlan state oui-enabled

voice vlan oui-table add 0001e3 Siemens_AG_phone________

voice vlan oui-table add 00036b Cisco_phone_____________

voice vlan oui-table add 00096e Avaya___________________

voice vlan oui-table add 000fe2 H3C_Aolynk______________

voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone

voice vlan oui-table add 00d01e Pingtel_phone___________

voice vlan oui-table add 00e075 Polycom/Veritel_phone___

voice vlan oui-table add 00e0bb 3Com_phone______________

voice vlan oui-table add 2cf4c5 "new avaya"

interface fastethernet1

voice vlan enable

exit

interface fastethernet2

voice vlan enable

[0mMore: <space>, Quit: q or CTRL+Z, One line: <return>

exit

interface fastethernet3

voice vlan enable

exit

interface fastethernet4

voice vlan enable

exit

interface fastethernet4

voice vlan cos mode all

exit

interface fastethernet5

voice vlan enable

exit

interface fastethernet6

voice vlan enable

exit

interface fastethernet7

voice vlan enable

exit

interface fastethernet8

voice vlan enable

exit

[0mMore: <space>, Quit: q or CTRL+Z, One line: <return>

interface fastethernet1

lldp med disable

exit

interface fastethernet2

lldp med disable

exit

interface fastethernet3

lldp med disable

exit

interface fastethernet4

lldp med disable

exit

interface fastethernet5

lldp med disable

exit

interface fastethernet6

lldp med disable

exit

interface fastethernet7

lldp med disable

exit

interface fastethernet8

[0mMore: <space>, Quit: q or CTRL+Z, One line: <return>

lldp med disable

exit

interface gigabitethernet1

lldp med disable

exit

interface gigabitethernet2

lldp med disable

exit

interface vlan 500

ip address 192.168.100.27 255.255.255.0

exit

ip default-gateway 192.168.100.1

ip dhcp relay address 192.168.0.3

ip dhcp relay enable

interface vlan 100

ip dhcp relay enable

exit

interface vlan 400

ip dhcp relay enable

exit

interface vlan 500

no ip address dhcp

[0mMore: <space>, Quit: q or CTRL+Z, One line: <return>

exit

hostname access-302-18

ip ssh server

no snmp-server server

interface fastethernet4

macro description switch

exit

interface gigabitethernet1

exit

interface fastethernet1

switchport mode general

switchport general allowed vlan add 100 tagged

switchport general pvid 100

exit

interface fastethernet2

switchport mode general

switchport general allowed vlan add 100 tagged

switchport general pvid 100

exit

interface fastethernet3

switchport mode general

[0mMore: <space>, Quit: q or CTRL+Z, One line: <return>

switchport general allowed vlan add 100 tagged

switchport general pvid 100

exit

interface fastethernet4

!next command is internal.

macro auto smartport dynamic_type unknown

switchport mode general

switchport general allowed vlan add 100 tagged

switchport general pvid 100

exit

interface fastethernet5

switchport mode general

switchport general allowed vlan add 100 tagged

switchport general pvid 100

exit

interface fastethernet6

switchport mode general

switchport general allowed vlan add 100 tagged

switchport general pvid 100

exit

interface fastethernet7

switchport mode general

[0mMore: <space>, Quit: q or CTRL+Z, One line: <return>

switchport general allowed vlan add 100 tagged

switchport general pvid 100

exit

interface fastethernet8

switchport mode general

switchport general allowed vlan add 100 tagged

switchport general pvid 100

exit

interface gigabitethernet1

switchport trunk allowed vlan add 100,400,500

exit

interface gigabitethernet2

switchport mode access

switchport access vlan 500

exit

n

David Hornstein · ‎03-12-2012

Hi joshua,

You mention "However, on the 192.168.1.0/24 side of the network things got interesting"

I see no mention within the description of the network setup or the CLI script, of network 192.168.1.

Would it be possible to see a network or topology diagram of how this network is setup?

i see that you have put some switch ports in general mode. I would have thought the default trunk mode would have been ok.

When you go to the section in the SF302-8P GUI on VLAN Management > interface settings , then click the "help" text in the top right hand corner of the GUI. A popup window will come up defining the three modes. General mode is a very specific mode, and i am trying to figure why you used it.

I am also trying to figure why in the cli you have some DHCP relays on VLAN interface 100 and 400, but the interfaces don't have IP addresses associated with them.

By the sound of your result, where almost everything is working, you have done a great job. The GUI does take a bit of getting used to

Seems like I am getting only part of the story here, but i and i guess others want to assist, but really need some more information.. Can you please go over your description again, or if the description is completly correct, you better have a chat witjh the good folk at SBSC.

www.cisco.com/go/sbsc

regards Dave

HSIAdministrator · ‎03-12-2012

Bear with me, I am a fledgling network guy, I know enough to truly be dangerous, and when the guy who was administering our networks left to move to another company I got tasked with taking over the phone migration, mid stream.

Here is the diagram of our network.

Hope this is legible. . . and expandible so it can be read, here is an overall view of our network. The SF302 Switches Exist in their own management VLAN (500) and use IP addresses 192.168.100.1-30 are connected into the Access switches in this network topology using the Ge1 uplink port. The port on the Access switch is configured for Trunking to pass all the VLAN information to the devices connected to the SF302 switch.

As to the why:

For simplicity, we about 230+ PCs in our office, with this many PC's using so many DHCP addresses along with printers, switches, wifi devices, etc all needing iP addresses to provide enough IP's and limit the broadcast domain the designers split the network into multiple DHCP scopes routed through the core 3560 Switch.

The result was the east half of the building is assigned IP addresses out of the 192.168.0.0/24 subnet and the West side of the building is assigned DHCP Addresses out of the 192.168.1.0/24 subnet. From a centrally located DHCP server (Our Primary DC)

The FastEthernet ports are in general mode; from what the guy who set them explained to me, this allows them to pass both the Tagged Vlan 400 Traffic for the phones and the untagged Vlan 100 traffic for the data vlan. This allows either a PC or a VOIP phone to be plugged into any port on the switch and pull the appropriate DHCP address and as far as I am able to tell is functioning as designed.

The DHCP relay as I understand it, is required to forward dhcp requests to the DHCP Server so that it knows which DHCP scope to assign an IP address to.

David Hornstein · ‎03-12-2012

Hi Joshua,

Ah, i think i understand sorry, I'm not the sharpest tool in the toolbox.

So we want VLAN 100 as untagged VLAN on the fastethernet ports. This may vary because you are using VLAN100 to half the data clients broadcast domain. East client may use a different VLAN and West client for the sake of this discussion use VLAN100 for data access.

You also want VLAN 400 as a tagged interface on the fast Ethernet ports for connection of Avaya phones

You have Gig 2 setup for vlan access mode in VLAN 500, so I guess you are using this port to plug into for management purposes.

Since we are using 2960 switches to plug into and the SF300 series uses a discovery protocol called CDP, voice vlan information will be propagated to the SF300 series switches. Kewl stuff

If it's that simple, it's a very easy vlan configuration

I guess the uplink port G1 is going to be the uplink to the 2960 switch.

We are going to start of simple to get connectivity going, and then you can play with the VOICE VLAN QOS setting and LLDP-MED settings.

I will create a short webex video to set this up. I do not have a SF300 switch but a SG300-10P switch.

The configuration via the gui should be pretty much identical. I will paste a video link below;

Click here to see 5 minute video

hope this gets you started.

regards Dave

HSIAdministrator · ‎03-12-2012

I appreciate it and will give it a watch. I will be interested to see if the VLAN and VIOP setup you recomend will resolve the issue with windows XP pc's connected to the SF302 switch not being able to access expedia.com on our network.

David Hornstein · ‎03-12-2012

Hi Joshua,

I left a few things out of the video, I pasted the link in my last post above..

I did not add the address 192.168.1.27 to vlan 500
- I was still using the default vlan for management, as I have to run it on an existing local network...sorry
I did not add any DHCP relays, but I don't think you need them on VLAN 400 or 100 or 500 as members of these trunked vlans will get their IP addresses probably from the DHCP server at 192.168.0.3. A guess as it's not mentioned , but i assume the DHCP server is VLAN aware....maybe
I did not play with LLDP-MED, or voice vlan setting.

Plug the switch into the 2960 and turn the switch on, you may see in the console, if the Sf300 learns some voice VLAN settings.

I am out of the office for a few days, so it may be a little while before I can respond. But let me know how the configuration went.

Here is the configuration it produced, modified slightly for your switch. try it out if you want.

interface gi2

spanning-tree link-type point-to-point

exit

vlan database

vlan 100,400,500

exit

voice vlan oui-table add 0001e3 Siemens_AG_phone________

voice vlan oui-table add 00036b Cisco_phone_____________

voice vlan oui-table add 00096e Avaya___________________

voice vlan oui-table add 000fe2 H3C_Aolynk______________

voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone

voice vlan oui-table add 00d01e Pingtel_phone___________

voice vlan oui-table add 00e075 Polycom/Veritel_phone___

voice vlan oui-table add 00e0bb 3Com_phone______________

interface vlan 500

ip address 192.168.10.27 255.255.255.0

exit

interface vlan 1

no ip address dhcp

exit

hostname dave

no passwords complexity enable

no snmp-server server

interface gigabitethernet1 - learnt this from Cisco switch

macro description "switch | no_switch | switch"

exit

interface fastethernet1

switchport trunk allowed vlan add 400