Answered Question
This caused every untagged ingress frame to be dropped, so the traffic replies were not reaching
the control plane of the switch.
==========================
http://www.rConfig.com
A free, open source network device configuration management tool, customizable to your
needs!
- Always vote on an answer if you found it helpful
Replies
Hi
Can the switch ping out to the network? Is the ip default-gateway set?
Regards
Stephen
Can you provide partial relevant configuration? Also, try a debug ip icmp when pinging it to
see if the icmp packets are reaching the switch.
Regards
ip classless
Make sure ip routing is not turned on the 3560, otherwise the default gateway statement is
no good. If routing is turned on then you would need a default static route pointing to the
3750 gateway address for that vlan and get rid of the default gateway statement. Is this
switch trunked or just an access port? Check trunk setup, native vlan for trunk etc... You
should be able to get to the switch from 3750 even if the gateway is no good because it is
directly attached to the 3750 which is where I assume the vlan 1 subnet originates. Source
ping the switch from the vlan 1 SVI.
Perhaps the output of show ip interface brief or of show interface status might shed some
light on the issue?
I also wonder what would be in the output of show arp from the problem switch.
HTH
Rick
IP-Address
Vlan1
10.19.0.112
YES manual up
FastEthernet0/1
unassigned
Protocol
up
down
FastEthernet0/2
unassigned
YES unset up
up
FastEthernet0/3
unassigned
YES unset up
up
FastEthernet0/4
unassigned
down
FastEthernet0/5
unassigned
down
FastEthernet0/6
unassigned
YES unset up
up
FastEthernet0/7
unassigned
YES unset up
up
FastEthernet0/8
unassigned
YES unset up
up
FastEthernet0/9
unassigned
YES unset up
up
FastEthernet0/10
unassigned
YES unset up
up
FastEthernet0/11
unassigned
YES unset up
up
FastEthernet0/12
unassigned
YES unset up
up
FastEthernet0/13
unassigned
YES unset up
up
FastEthernet0/14
unassigned
FastEthernet0/15
unassigned
YES unset up
FastEthernet0/16
unassigned
FastEthernet0/17
unassigned
YES unset up
up
FastEthernet0/18
unassigned
YES unset up
up
FastEthernet0/19
unassigned
FastEthernet0/20
unassigned
YES unset up
up
FastEthernet0/21
unassigned
YES unset up
up
FastEthernet0/22
unassigned
YES unset up
up
FastEthernet0/23
unassigned
FastEthernet0/24
unassigned
YES unset up
down
up
down
down
down
up
GigabitEthernet0/1
unassigned
YES unset up
up
GigabitEthernet0/2
unassigned
YES unset up
up
sh arp
Protocol Address
Internet 10.19.0.1
0 Incomplete
Internet 10.19.0.112
ARPA
Thanks for the information. It is somewhat helpful, but not enough to diagnose the full
problem. It does confirm the IP address of the VLAN interface seems to be correct.
The fact that the arp table shows incomplete for the mac address of the gateway 10.19.0.1
indicates that arp is failing to resolve the IP address to a mac address. This typically indicates
some layer 2 problem. Can you post the output of show interface status, and identify for us
the ports on the switch that connect to the upstream switch?
HTH
Rick
You may also want to check what vlans are allowed on the upstream trunk links with a show
int trunk. Do this on both sides of the trunks from the affected switch and ensure vlan1 is
allowed.
Regards
Sent from Cisco Technical Support iPhone App
connected trunk
connected trunk
Mode
on
on
Encapsulation Status
Native vlan
802.1q
trunking
1
802.1q
trunking
1
Port
Gi0/1
Gi0/2
Port
Vlans allowed and active in management domain
Gi0/1 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi0/2 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Port
Gi0/1
Gi0/2
Encapsulation Status
802.1q
trunking
802.1q
trunking
802.1q
trunking
802.1q
trunking
802.1q
trunking
802.1q
trunking
802.1q
trunking
802.1q
trunking
Port
Vlans allowed on trunk
Gi1/0/1 1-4094
Gi1/0/2 1-4094
Gi1/0/3 1-4094
Gi1/0/4 1-4094
Gi1/0/5 1-4094
Native vlan
1
1
1
1
1
1
1
1
Gi1/0/6 1-4094
Gi1/0/7 1-4094
Gi1/0/25 1-4094
Port
Vlans allowed and active in management domain
Gi1/0/1 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/2 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/3 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/4 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/5 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/6 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/7 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/25 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Port
Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,851,853
Gi1/0/2 1
Gi1/0/3 1,851,853
Gi1/0/4 1,851,853
Gi1/0/5 1,851,853
Gi1/0/6 1,851,853
Gi1/0/7 1,851,853
Gi1/0/25 1,25-32,125-132,503,830,850-851,853,935,977,984-985,990,998-999,1001
Show int trunk from Switch 2
Port        Mode    Encapsulation  Status     Native vlan
Gi1/0/1     on      802.1q         trunking   1
Gi1/0/2     on      802.1q         trunking   1
Gi1/0/3     on      802.1q         trunking   1
Gi1/0/4     on      802.1q         trunking   1
Gi1/0/5     on      802.1q         trunking   1
Gi1/0/6     on      802.1q         trunking   1
Gi1/0/7     on      802.1q         trunking   1
Gi1/0/25    on      802.1q         trunking   1
Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     1-4094
Gi1/0/3     1-4094
Gi1/0/4     1-4094
Gi1/0/5     1-4094
Gi1/0/6     1-4094
Gi1/0/7     1-4094
Gi1/0/25    1-4094
Port        Vlans allowed and active in management domain
Gi1/0/1     1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/2     1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/3     1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/4     1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/5     1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/6     1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/7     1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi1/0/25    1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,26,126,850
Gi1/0/2     1,26,126
Gi1/0/3     1,26,126,850
Gi1/0/4     1,26,126,850
Gi1/0/5     1,26,126,850
Gi1/0/6     1,26,126,850
Gi1/0/7     1,26,126,850
Gi1/0/25    1,25-32,125-132,503,830,850-851,853,935,977,984-985,990,998-999,1001
Thanks for the additional information. So far it all looks reasonable (and looks like it should
be working).
Perhaps you could post the output of show cdp neighbor from the problem switch and also
from both of the upstream switches.
Where is the address 10.19.0.1 located? (on which device)
HTH
Rick
All looks ok
Not sure if this was done or can be done. But try to remove vlan 1 completely. Else default
its config, shut it down and start configuring it from scratch - bring it up only when
configured. Have had similar issues with SVIs in the past.
Regards
Holdtme
131
Trunk Switch 1
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID
Local Intrfce
CHI-3560-2601
Gig 1/0/1
Trunk Switch 2
CHI-3750G-2602#sh cdp neighbors gi1/0/2
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID
Local Intrfce
CHI-3560-2602
Gig 1/0/2
Perhaps we have a clue about the problem. I see that from the problem switch we believe that
upstream switch 1 is using interface gi1/0/2
CHI-3750G-2601 Gig 0/1
126
Gig 1/0/1
173
SI
WS-C3560-2Gig 0/1
I am not sure what causes this mismatch. But I suspect that this is related to the problem.
HTH
Rick
Local Intrfce
Gig 1/0/2
SI
WS-C3560-2Gig 0/1
Switch 2
Device ID
CHI-3560-2602
Local Intrfce
Gig 1/0/2
SI
WS-C3560-2Gig 0/2
Or did you show the incorrect cdp neighbor on the upstream switch 1? Since the neighbor it
is reporting seems to not be the problem switch?
Trunk Switch 1
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID
Local Intrfce
CHI-3560-2601
Gig 1/0/1
OK. Let us take a slightly different approach. We know that part of the difficulty is that the
problematic switch is not able to arp for the 10.19.0.1 address (it shows incomplete in the arp
table). You have told us that this address is HSRP on the upstream switches. So can the
problematic switch arp (and ping) to the physical interface address (not the shared address)
on either or both of the upstream switches?
Also I would be curious to know if the upstream switches can arp for the management
address of the problematic switch?
HTH
Rick
Yes this is what I was looking for. It demonstrates that there is successful communication
between the upstream switch and the problematic switch. So the questions in this thread
about were interfaces configured correctly, were the trunks set up correctly, were the right
VLANs allowed on the trunk, etc. are all answered now. We have successful communication.
The next test I would like to do is to see if the problematic switch can arp (and ping) to the
interface address of the upstream switch.
HTH
Rick
0 Incomplete
ARPA
Internet 10.19.0.110
0 Incomplete
ARPA
I am a bit surprised at this. But I believe that it is quite helpful. Something is preventing the
switch from arp to what should be locally connected addresses. Would you turn on debug arp,
try the ping, and post the output of the debug?
It might also be helpful to turn on debug arp on the upstream switch, try ping from the
problematic switch, and post output to see if the arp gets to the upstream switch.
It would seem that either the problematic switch is not sending the arp request or that the
upstream is not sending the reply. These tests should show which it is.
HTH
Rick
Charlie,
I know you've rebuilt the config on the switch. Take my earlier suggestion and remove the
SVI (interface vlan 1) and re-add it if you can. As it's not working, it won't do any harm right
now.
Regards
IP-Address
Vlan1
1.1.1.1
Protocol
up
LABSW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
LABSW(config)#no int vlan 1
LABSW#sh run int vlan 1
^
IP-Address
Protocol
Charlie,
From this problem switch up to the cores - where in that path are pings successful - what switch is able to ping
the cores?
res
Paul
Okay from the good switch directly attached to the problem switch, and the problem switch
can you post:
Running config
sh int trunk
sh vtp status
sh ip int brief
sh vlan bri
sh cdp neighbour
res
Paul
Please don't forget to rate this post if it has been helpful.
Encapsulation Status
802.1q
trunking
Native vlan
1
Port
Vlans allowed on trunk
Gi1/0/1 1-4094
Port
Gi1/0/1 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Port
Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,851,853
CHI-3750G-2601#sh vtp status
VTP Version                     : 2
Configuration Revision          : 235
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 36
VTP Operating Mode              : Client
VTP Domain Name                 : CHI
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xE5 0x68 0x65 0x50 0x48 0x2F 0x23 0x4A
Configuration last modified by 10.19.0.254 at 4-12-12 13:49:06
CHI-3750G-2601#sh ip int brief
Interface              IP-Address      OK? Method Status  Protocol
Vlan1                  10.19.0.109     YES NVRAM  up      up
GigabitEthernet1/0/1   unassigned      YES unset  up      up
active
act/unsup
act/unsup
act/unsup
act/unsup
UPLINK SWITCH 2
#sh int trunk
Port        Mode    Encapsulation  Status     Native vlan
Gi1/0/1     on      802.1q         trunking   1
Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Port        Vlans allowed and active in management domain
Gi1/0/1     1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,26,126,850
#sh vtp status
VTP Version                     : 2
Configuration Revision          : 235
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 36
VTP Operating Mode              : Client
VTP Domain Name                 : CHI
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xE5 0x68 0x65 0x50 0x48 0x2F 0x23 0x4A
Configuration last modified by 10.19.0.254 at 4-12-12 13:49:06
#sh ip int brief
Interface              IP-Address      OK? Method Status  Protocol
Vlan1                  10.19.0.110     YES NVRAM  up      up
GigabitEthernet1/0/1   unassigned      YES unset  up      up
Mode
on
on
Encapsulation Status
Native vlan
802.1q
trunking
1
802.1q
trunking
1
Port
Gi0/1
Gi0/2
Port
Vlans allowed and active in management domain
Gi0/1 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Gi0/2 1,25-32,125-132,503,803-804,830,850-851,853,935,977,984-985,990,998-999,1001
Port
Gi0/1
Gi0/2
IP-Address
10.19.0.112
GigabitEthernet0/1
GigabitEthernet0/2
unassigned
unassigned
YES unset up
YES unset up
Protocol
up
up
up
I would like to go back to my question of yesterday about arp between the problematic switch
and the upstream. The output of debug arp shows that the problematic router is generating
requests for arp for the gateway address but not receiving any response. The output of debug
arp on the upstream router shows that it receives the request from the problematic switch. It
does not seem to show that the upstream sends any response. But I am not sure how long that
debug was running. So I would ask Charlie to run debug arp on the upstream switch
(preferably the switch that is the active router in HSRP). While the debug is running then do
the ping from the problematic router. This should generate the arp request to upstream. Let
the debug run long enough to be sure whether the switch is sending a response or not.
HTH
Rick
Charlie
CDP from previous posts:
Switch 1
Device ID
Local Intrfce
CHI-3560-2602
Gig 1/0/2
162
SI
WS-C3560-2Gig 0/1
Switch 2
Device ID
Local Intrfce
CHI-3560-2602
Gig 1/0/2
147
SI
WS-C3560-2Gig 0/2
Mode
on
Encapsulation Status
802.1q
trunking
Native vlan
1
UPLINK SWITCH 2 -
Mode
Gi1/0/1
on
Encapsulation Status
802.1q
trunking
Native vlan
1
Port
Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,26,126,850
Problematic Switch
#sh int trunk
Port
Gi0/1
Gi0/2
Mode
on
on
Encapsulation Status
Native vlan
802.1q
trunking
1
802.1q
trunking
1
Port
Gi0/1
1,25,27,29,31,125,127,129,131,503,851,853,935,977,985,999,1001
Gi0/2
26,28,30,32,126,128,130,132,830,850,984,990,998
Port
Gi0/1
Gi0/2
1,25,27,29,31,125,127,129,131,503,851,853,935,977,985,999,1001
26,28,30,32,126,128,130,132,830,850,984,990,998
Correct Answer
Charlie
That's great news, but unfortunate in a way that it was not found earlier.
Not my text but the; vlan dot1q tag native which will prevent the double-encapsulation
attacks. This command globally works on all switchport trunks on that entire Ethernet
switch. This command will make sure that the native VLAN is always tagged on every trunk
on the switch. This is a great best practice and takes care of the issue with a single
command. This command should be entered in every switch in the campus." (my bold)
This caused every untagged ingress frame to be dropped, so the traffic replies were not reaching
the control plane of the switch.
No, I've checked it out, and I've not seen a way to disable on a per-port basis. It's all-for-one,
or none-at-all.
Really glad you located the issue.
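Added example, not part of the thread or any poster's code: a Python audit for the mismatch identified in the correct answer, where one end of a trunk has the global vlan dot1q tag native command and the other end does not, so untagged native-VLAN frames are dropped on ingress at the tagging end. The hostnames, config excerpts and link list are constructed placeholders, and the audit assumes both ends use the native VLAN configured on the sending port.

```python
import re

# Constructed running-config excerpts; hostnames and ports are placeholders.
CONFIGS = {
    "ACCESS-SW": """\
hostname ACCESS-SW
vlan dot1q tag native
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
""",
    "UPSTREAM-SW": """\
hostname UPSTREAM-SW
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
""",
}
# Constructed trunk links (switch A, port A, switch B, port B), e.g. built from CDP.
LINKS = [("ACCESS-SW", "GigabitEthernet0/1", "UPSTREAM-SW", "GigabitEthernet1/0/1")]

def tags_native(config):
    """True if the global 'vlan dot1q tag native' command is configured."""
    # Exact match: 'no vlan dot1q tag native' and indented lines do not count.
    return any(l.rstrip() == "vlan dot1q tag native" for l in config.splitlines())

def native_vlan(config, port):
    """Native VLAN of a trunk port; 1 when no native VLAN line is present."""
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        m = re.match(r"\s+switchport trunk native vlan (\d+)\s*$", line)
        if m and current == port:
            return int(m.group(1))
    return 1

def audit(configs, links):
    """Report links where only one end tags (and requires tags on) the native VLAN."""
    findings = []
    for a, a_port, b, b_port in links:
        a_tags, b_tags = tags_native(configs[a]), tags_native(configs[b])
        if a_tags == b_tags:
            continue  # both ends handle the native VLAN the same way
        sender, s_port, dropper = (b, b_port, a) if a_tags else (a, a_port, b)
        findings.append({"sends_untagged": sender, "drops_untagged": dropper,
                         "native_vlan": native_vlan(configs[sender], s_port)})
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIGS, LINKS):
        print(finding)
```

Each finding names the switch that still sends the native VLAN untagged and the switch that drops those frames, which is the one-way ARP failure seen in the thread's debug output.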