6850 vlan routing

[groy]

Hi,

I'm facing a vlan routing problem wich i can't find the source..

on a 6850,
I have 3 vlan (100, 101, 200) and i add a fourth (104)
VLAN 100 : 172.16.16.0/24 (voip)
VLAN 101 : 192.168.1.0/24 (data)
VLAN 200 : 172.16.200.0/24 (admin)
VLAN 104 : 192.168.4.0/24 (other data)

In vlan104, no problem to ping devices in the same vlan excepted the gateway.. (192.168.4.1)
in other vlan (100, 101 , 200), i can ping the vlan 104 gateway but i can't on devices (for example 192.168.4.10)...

6850 config :

Code: Select all

cr_localtechnique > write terminal 
! Stack Manager :
! Chassis :
system name cr_localtechnique
system timezone MET
! Configuration:
! VLAN :
vlan 1 enable name "VLAN 1"
vlan 100 enable name "voix"
vlan 100 port default 1/11
vlan 100 port default 1/12
vlan 100 port default 1/13
vlan 100 port default 1/14
vlan 101 enable name "lan_mairie"
vlan 101 port default 1/1
vlan 101 port default 1/2
vlan 101 port default 1/3
vlan 101 port default 1/4
vlan 101 port default 1/5
vlan 101 port default 1/6
vlan 101 port default 1/7
vlan 101 port default 1/8
vlan 101 port default 1/9
vlan 101 port default 1/10
vlan 101 port default 1/15
vlan 101 port default 1/16
vlan 101 port default 1/17
vlan 101 port default 1/18
vlan 101 port default 1/19
vlan 101 port default 1/20
vlan 101 port default 1/21
vlan 101 port default 1/22
vlan 101 port default 2/23
vlan 101 port default 2/24
vlan 104 enable name "lan_videoprotection"
vlan 200 enable name "admin"
! VLAN SL:
! IP :
ip service all
ip interface dhcp-client vlan 1 ifindex 1
ip interface "int-200" address 172.16.200.1 mask 255.255.255.0 vlan 200 ifindex 2
ip interface "int-100" address 172.16.1.1 mask 255.255.255.0 vlan 100 ifindex 3
ip interface "int-101" address 192.168.1.1 mask 255.255.255.0 vlan 101 ifindex 4
ip interface "int-104" address 192.168.4.1 mask 255.255.255.0 vlan 104 ifindex 5
! IPX :
! IPMS :
! AAA :
aaa authentication default "local" 
aaa authentication console "local" 
aaa authentication telnet "local" 
aaa authentication ssh "local" 
! PARTM :
! AVLAN :
! 802.1x :
! QOS :
policy condition IPphoneDSCP dscp 46 
policy action IPphone-act priority 5 
policy rule IPphone-rule condition IPphoneDSCP action IPphone-act 
qos apply
! Policy manager :
! Session manager :
session prompt default "cr_localtechnique >"
! SNMP :
! RIP :
! OSPF :
! BFD-STD :
! ISIS :
! IPv6 :
! IPSec :
! IP multicast :
ip static-route 0.0.0.0/0 gateway 192.168.1.2 metric 1
! RIPng :
! OSPF3 :
! BGP :
! Health monitor :
! Interface :
! Udld :
! Netsec :
! Link Aggregate :
! Port Mapping :
! VLAN AGG:
! 802.1Q :
vlan 100 802.1q 1/15 "Voip+Data"
vlan 104 802.1q 1/15 "VP"
vlan 100 802.1q 1/16 "Voip+Data"
vlan 104 802.1q 1/16 "VP"
vlan 100 802.1q 1/17 "Voip+Data"
vlan 100 802.1q 1/18 "Voip+Data"
vlan 100 802.1q 1/19 "Voip+Data"
vlan 100 802.1q 1/20 "Voip+Data"
vlan 100 802.1q 1/21 "Voip+Data"
vlan 100 802.1q 1/22 "Voip+Data"
vlan 100 802.1q 1/23 "vers sw_accueil"
vlan 101 802.1q 1/23 "vers sw_accueil"
vlan 200 802.1q 1/23 "vers sw_accueil"
vlan 100 802.1q 1/24 "TAG PORT 1/24 VLAN 100"
vlan 101 802.1q 1/24 "TAG PORT 1/24 VLAN 101"
vlan 104 802.1q 1/24 "TAG PORT 1/24 VLAN 104"
vlan 200 802.1q 1/24 "TAG PORT 1/24 VLAN 200"
vlan 100 802.1q 2/1 "vers sw_etatcivil"
vlan 101 802.1q 2/1 "vers sw_etatcivil"
vlan 200 802.1q 2/1 "vers sw_etatcivil"
vlan 100 802.1q 2/2 "vers sw_policemunicipale"
vlan 101 802.1q 2/2 "vers sw_policemunicipale"
vlan 104 802.1q 2/2 "vers sw_policemunicipale"
vlan 200 802.1q 2/2 "vers sw_policemunicipale"
vlan 100 802.1q 2/3 "vers sw_etatcivil"
vlan 101 802.1q 2/3 "vers sw_etatcivil"
vlan 200 802.1q 2/3 "vers sw_etatcivil"
vlan 100 802.1q 2/4 "vers sw_conciergerie"
vlan 101 802.1q 2/4 "vers sw_conciergerie"
vlan 200 802.1q 2/4 "vers sw_conciergerie"
! Spanning tree :
bridge mode 1x1 
bridge 1x1 100 priority 25590 
bridge 1x1 101 priority 25590 
bridge 1x1 200 priority 25590 
! Bridging :
! Bridging :
! Port mirroring :
! UDP Relay :
! Server load balance :
! System service :
swlog console level info
! SSH :
! VRRP :
! Web :
ip http ssl
! AMAP :
! LLDP :
! Lan  Power :
lanpower start 1
! NTP :
ntp server 194.2.0.28
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
! EFM-OAM :
! ERP :
! SAA :
! DHCP Server :

Therefore, it's seems to be a problem of vlan's routing. ?

Any ideas ?

Thanks,
GR

[devnull]

Are you sure you are in 104?

there a no ports in default VLAN i see only some tagged vlans additional to tagged VOIP which is (in my experiences) uncommon.

Try to set a port to 104 native

vlan 104 port default 1/X

attach a PC and ping default gateway.. should work!

[humbertoss]

Hi,

Another item is about spanning tree, because there isn´t explicit configuration to vlan 104.

Check if exist any issue about this.

[devnull]

If you don't have a config for vlan 104 it will take default confgi (32768 as priority.. that would maybe result in an unwanted rootbridge but should not hinder a client ping its default gateway..

[groy]

@devnull
you're right this config is uncommon, it confuses me.
evidently...
I try this (on 1/15) and it works ! thanks
I can ping everythings on every vlan
but nothing on wan, surely a nat issue. my isp router don't know this network (192.168.4.0)...

in absolute and in "cisco terms", why it works with my port in access mode and why not in trunk mode ?
Before my port 1/15 was in trunk tagged with 101 and 104 => don't work ; after, 1/15 is in access on 104 => it works; escapes me...on the principle.

anyhow, thank you to getting me out of fog

@humbertoss
I will try to return before move my port default on vlan 104 and fix this stp parameter to show if that's have an impact.
you think yes ?

Thanks,
GR

[devnull]

You PC sends out packets untagged (more or less tagged packets are seen only with (ESX)Servers, VOIP Phones or links between switches)
That means traffic of you PC is put in default vlan - if nothing is configured it is vlan 1

check using
show vlan port 1/x

Maschines in the same vlan can ping each other, even if the IP of the PCs does not match the IP of the vlan interface/aka dafault gateway.

so in your case you put your PCs on some ports that do not have the correct default vlan (e.g. port 1/11, 1/12,1/13)
They can communicate with each other (all in same vlan 100) but the ip address for vlan 100 is 172.16.1.1.

Your PCs having different IPs (192.168.4.X) can't contact that gateway (you should have been able to observe broadcast of the other network using wireshark..


In Cisco Terms:
you had a mismatch between native (access) vlan and IP network of client.
Also on Cisco connection of a client to a port
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 101,104

Will result of the client traffic residing in the (not seen)
"switchport trunk native vlan 1"
putting vlan 104 tagged on the ports only works when the clients sends qtagged packets. in that case the (not shown because default) vlan 1 was used to put client traffic in.

There is not "automation" puting a client with 192.168.4.X into vlan 104 on cisco or Alcatel without proper configuration of the port.
(well there is with port mobility and vlan rules... but thats not commonly used).

@STP will not have any impact here..

.. this is more or less switching/vlan basics and is same on all plattforms.

[groy]

Thanks to enlightenments

So,
typically
a port in front of devices in vlan XXX is always configuring in : vlan XXX port default 1/YY
and
a port in front of switchs can be in trunk mode to pass through multiple vlan :
vlan 1 port default 1/YY
vlan 101 802.1q 1/YY
vlan 104 802.1q 1/YY
vlan 200 802.1q 1/YY
...etc

True ?

[devnull]

Typically yes.

You can have 802.1q ports when using voip phones or servers, routers,firewalls .
I have never seen a notebook or desktop using a tag only native vlans (port default)