vlan configuration for routing unable to ping own subnet


Hi guys, First of all, I'm really new to this and have been stumbling through to figure out a nagging issue.

We created 4 VLANs with corresponding Virtual Routers (as well as separate subnets) in our brand new environment (Users, Server, Lab, Phone). One of our VLANs ("User") is the only one currently utilized. It is on a 10.1.15.x subnet (part of a B5 stack) and seems to be restricting certain computers from accessing the internet. Most of the other client computers (on same subnet) are able to access the network and internet, with the exception of a few. The VLANs were set up last weekend, and I believe it may be a configuration issue.

The affected clients receive IP via DHCP and are able to get IPs;

IP: 10.1.15.x
Subnet Mask: 255.255.255.0
Gateway: 10.1.15.254

but are unable to ping the internal VLAN gateway (10.1.15.254). They can ping any IP on the same subnet (and vice versa) but are unable to ping any other IP on other subnets (the unaffected computers on same subnet are able to ping other subnets just fine, and have no problems connecting to internet).

I suspect some sort of MAC blocking?? It happens no matter what active port I try them on.

Any assistance in troubleshooting is hugely appreciated. We have had no luck figuring it out.

12 replies

Userlevel 7
Can you share the output of "show vlan" with us?
Hi Drew, I sure can!

B5(su)->show vlan
VLAN: 1 NAME: DEFAULT VLAN
VLAN Type: Default
Egress Ports
tg.1.50, tg.2.50
Forbidden Egress Ports
None.
Untagged ports
tg.1.50, tg.2.50

VLAN: 5 NAME: Server
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 7 NAME: iSCSI
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 9 NAME: Voice
VLAN Type: Permanent
Egress Ports
tg.1.50, tg.2.50
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 11 NAME: Finance
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 12 NAME: MGMT-HR
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 15 NAME: Users
VLAN Type: Permanent
Egress Ports
ge.1.7, ge.1.9, ge.1.23, ge.1.27, ge.1.31, tg.1.50, tg.2.50
Forbidden Egress Ports
None.
Untagged ports
ge.1.7, ge.1.9, ge.1.23, ge.1.27, ge.1.31

VLAN: 20 NAME: VPN
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 25 NAME: Lab
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 30 NAME: Testing
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.
Userlevel 7
Thanks, and welcome to The Hub!

I missed that you said this is part of the B-series. I only saw it was tagged as ExtremeXOS - I've re-tagged it EOS for you 🙂
One of our community members more familiar with the B-series will have to step in for me on this one.
I am assuming you are not doing policy, right?

show policy profile all should show nothing.
Well, show us this please:

show port egress
show vlan static
No, no policy in place
Hi Jeremy, here it is

B5(su)->show port egress
Port Vlan Egress Registration
Number Id Status Status
------------------------------------------------------------
ge.1.7 15 untagged static
ge.1.9 15 untagged static
ge.1.23 15 untagged static
ge.1.27 15 untagged static
ge.1.31 15 untagged static
tg.1.50 1 untagged static
tg.1.50 9 tagged static
tg.1.50 15 tagged static
tg.2.50 1 untagged static
tg.2.50 9 tagged static
tg.2.50 15 tagged static

B5(su)->show vlan static
VLAN: 1 NAME: DEFAULT VLAN
VLAN Type: Default
Egress Ports
tg.1.49-50, tg.2.49-50, lag.0.1-6
Forbidden Egress Ports
None.
Untagged ports
tg.1.49-50, tg.2.49-50, lag.0.1-6

VLAN: 5 NAME: Server
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 7 NAME: iSCSI
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 9 NAME: Voice
VLAN Type: Permanent
Egress Ports
tg.1.50, ge.2.1-48, tg.2.50
Forbidden Egress Ports
None.
Untagged ports
ge.2.1-48

VLAN: 11 NAME: Finance
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 12 NAME: MGMT-HR
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 15 NAME: Users
VLAN Type: Permanent
Egress Ports
ge.1.1-48, tg.1.50, tg.2.50
Forbidden Egress Ports
None.
Untagged ports
ge.1.1-48

VLAN: 20 NAME: VPN
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 25 NAME: Lab
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 30 NAME: Testing
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.
Just a quick question, tg.2.50 and tg.1.50 go to what? Other switches connected to it? Who is doing the routing? Enterasys, Cisco, Extreme? I know the B5 doesn't do L3 interfaces.
Jeremy,
My apologies; I should have mentioned this earlier.

One switch room services 1 part of the building, while the other switch room services the other parts.

tg.1.50 and tg.2.50 are Gigabit fiber connections on a B5 stack of 2 switches, to another B5 stack of 4 switches (same ports; tg.1.50, tg.2.50) in another server room in the building. And Extreme is doing the routing.

The problem seems to be prevalent on one part of the building, meaning it could be the configs on the switches in that room. I traced back to the other switch room and I can get out to the internet on that switch.

I think the problem is with Link Aggregation between both stacks. From what I read it's not enabled on the ports by default on the B5 switches. When I run "set lacp enable" and "show lacp" on the affected stack, I get the following;

B5(su)->set lacp enable
B5(su)->show lacp
Global Link Aggregation state: enabled
Single Port LAGs: disabled

Aggregator: lag.0.1
Actor Partner
System Identifier: D8:84:66:17:30:B7 00:00:00:00:00:00
System Priority: 32768 0
Admin Key: 1
Oper Key: 1 0
Attached Ports: None.

Aggregator: lag.0.2
Actor Partner
System Identifier: D8:84:66:17:30:B7 D8:84:66:17:23:CD
System Priority: 32768 32768
Admin Key: 32768
Oper Key: 32768 32768
Attached Ports: tg.1.50
tg.2.50

Aggregator: lag.0.3
Actor Partner
System Identifier: D8:84:66:17:30:B7 00:00:00:00:00:00
System Priority: 32768 0
Admin Key: 32768
Oper Key: 32768 0
Attached Ports: None.

Aggregator: lag.0.4
Actor Partner
System Identifier: D8:84:66:17:30:B7 00:00:00:00:00:00
System Priority: 32768 0
Admin Key: 32768
Oper Key: 32768 0
Attached Ports: None.

Aggregator: lag.0.5
Actor Partner
System Identifier: D8:84:66:17:30:B7 00:00:00:00:00:00
System Priority: 32768 0
Admin Key: 32768
Oper Key: 32768 0
Attached Ports: None.

Aggregator: lag.0.6
Actor Partner
System Identifier: D8:84:66:17:30:B7 00:00:00:00:00:00
System Priority: 32768 0
Admin Key: 32768
Oper Key: 32768 0
Attached Ports: None.

So I'm suspecting it's not seeing the other stack as a partner on those ports (tg.1.50 & tg.2.50).

I tried using the following command to set it as a partner but it didn't work;

B5(su)->set lacp static lag.0.2 key 1 tg.1.50

Issuing :
set lacp static lag.0.2
set lacp aadminkey lag.0.2 1
set port lacp port tg.1.50 aadminkey 1
set port lacp port tg.1.50 disable

B5(su)->set lacp static lag.0.2 key 1 tg.2.50

Issuing :
set port lacp port tg.2.50 aadminkey 1
set port lacp port tg.2.50 disable

HELP!
Userlevel 4
Hi Rasheed,

If you are connecting to another C5 you should not use static lags.

Here is a recommendation of how to configure LACP on a securestack (ports are examples). Clear the static lag configuration first.

LACP configuration for link aggregation
  • LACP is enabled globally but disabled per port (on most current products).
  • Use the default dynamic lacp in most cases and simply configure the aadminkey to a fixed figure manually to control the association after reboot.
  • The example config below is all that is needed to get a lag up if both ends run lacp:

set lacp aadminkey lag.0.10 10
set port lacp port ge.1.1 aadminkey 10
set port lacp port ge.1.2 aadminkey 10
set port lacp port ge.1.1-2 enable

  • Don't forget to enable lacp on the ports.
  • Don't forget that you will need to egress the required vlans over the logical lag port (lag.0.x) also, as the member ports become a part of a lag. This could be why you are not getting the vlans across the link to the gateway.

Try this and let us know how you get on. If you still have problems, a diagram of what you are trying to achieve and where the gateway is would be useful. Also, here is an article with L2 best practices for EOS.

https://gtacknowledge.extremenetworks.com/articles/How_To/EOS-Basic-Switch-Layer-2-Configuration-Bes...
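
One way to check the point in the answer above, that VLANs must also egress on the logical lag port once member ports join a lag. This is an added example, not part of the original thread: the sample output is constructed (abridged from the output posted here, with an assumed lag.0.2 egress row) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the "show lacp" / "show port egress"
# output in this thread; the lag.0.2 egress row is an assumption.
SHOW_LACP = """Aggregator: lag.0.1
Attached Ports: None.

Aggregator: lag.0.2
Attached Ports: tg.1.50
tg.2.50
"""
SHOW_PORT_EGRESS = """tg.1.50 1 untagged static
tg.1.50 9 tagged static
tg.1.50 15 tagged static
tg.2.50 15 tagged static
lag.0.2 1 untagged static
"""
PORT = re.compile(r"\b(?:fe|ge|tg)\.\d+\.\d+\b")
ROW = re.compile(r"^[ \t]*(\w+\.\d+\.\d+)[ \t]+(\d+)[ \t]+(tagged|untagged)\b", re.M)

def lag_members(show_lacp):
    """Map each aggregator to the physical ports attached to it."""
    members, lag, listing = defaultdict(list), None, False
    for line in show_lacp.splitlines():
        line = line.strip()
        if line.startswith("Aggregator:"):
            lag, listing = line.split(":", 1)[1].strip(), False
        elif line.startswith("Attached Ports:"):
            listing = True
        elif not PORT.search(line):
            listing = False          # any non-port line ends the member list
        if listing and lag:
            members[lag] += PORT.findall(line)
    return {k: v for k, v in members.items() if v}

def vlans_missing_on_lag(show_lacp, show_port_egress):
    """VLANs egressed on member ports but absent from the logical lag port."""
    egress = defaultdict(set)        # port -> {vlan id, ...}
    for port, vlan, _ in ROW.findall(show_port_egress):
        egress[port].add(int(vlan))
    report = {}
    for lag, ports in lag_members(show_lacp).items():
        gap = set().union(*(egress[p] for p in ports)) - egress[lag]
        if gap:
            report[lag] = sorted(gap)
    return report

print(vlans_missing_on_lag(SHOW_LACP, SHOW_PORT_EGRESS))
```

An empty result means every VLAN carried by the member ports is also egressed on the lag port itself.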
Thank you Glyn! Good stuff. It works now. The ports were not enabled for lacp. All set now.
Userlevel 4
Glad you are sorted Rasheed. Have a good day.

Glyn
