
VLAN across tunnel issue

jasonmichel asked:
I have 2 sites, connected via an IPsec tunnel with 2821's on each end. The main site has several VLANs, as does the other side. One particular VLAN (32), 10.15.32.x, can't see the 10.15.250.x (250) VLAN on the other side of the tunnel; all the other VLANs at the same site as the 32 VLAN can see that network no problem. I see the ACL for that VLAN that includes the 32 VLAN, and the other side has the return as well. This was working before swapping the VLAN gateway from the 2821 to a 4900 and leaving the 2821 as VPN endpoint and internet gateway. I don't think I'm missing anything, but I've been staring at it too long. Hopefully you guys can see it. Basically, if I tracert to that 10.15.250.x address from the machine on the 10.15.32.x network it dies at the internet gateway 192.168.253.25, which is also the default route for the 4900. I am attaching the configs. I appreciate any help.
4900-scrub.txt
courthouse-scrub.txt
basement-scrub.txt
resource-scrub.txt

Kent W, Sr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
Sounds like you just need to turn on VLAN trunking / tunneling (dot1q) on the ingress / egress ports these are talking over.
config
interface (whichever is your uplink port)
and do a
switchport trunk encapsulation dot1q

You only need to do this on your main WAN uplink ports the switches are talking to each other over.

Kent W, Sr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
Here's a real-world example of a port with VLAN trunking enabled -

interface GigabitEthernet1/0/25
 description TW_SONET_WS
 switchport trunk encapsulation dot1q
 switchport mode trunk

Author

Commented:
They have trunking on, did you look at the configs? All other VLANs talk fine. Just the 32.
Soulja, Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011

Commented:
In your 10G uplinks on your 4900 and basement switch, what is their current status (trunk, access port?) If access, set it statically on both "switchport mode access vlan 32", or just put them in mode trunk.
Soulja, Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011

Commented:
Also, check to make sure interface vlan 32 isn't active on the standby switch and in standby on the active switch.
Kent W, Sr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
I did look at the configs, I saw trunking on, but no encaps set to dot1q.
Setting the mode to trunk does not equal dot1q encapsulation, and won't pass the VLAN tags.
I did not see any ports with encaps on.
Did I miss something?

Author

Commented:
On the 4900, the uplink to the VLAN 32 switch is set to trunk:

interface TenGigabitEthernet2/3
 description Uplink to Other-2960-stack te1/0/1
 switchport mode trunk


On the VLAN 32 stack, hmm, it doesn't look like they are in trunk mode:

interface TenGigabitEthernet2/0/1
 description Uplink to Core-4900-2 Port te2/3


Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015

Commented:
"show int trunk" on the relevant interfaces, please.
Kent W, Sr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
Jason,
My point is, "switchport mode trunk" isn't enough to get the job done. To pass VLAN tagging, you also need to set encapsulation over the trunk, hence my aforementioned -

switchport trunk encapsulation dot1q

on your ingress / egress ports of each switch.  That will pass your VLAN tags.

If you don't have this, you aren't passing / tagging VLANs over your trunk.




Author

Commented:
I understand what you are saying about encapsulation; the thing is, though, none of the other VLAN switches have that enabled, just trunking only, and they work fine. I'll put dot1q on the trunk ports and test.

Author

Commented:
Core-4900-1#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Te1/1       on               802.1q         trunking      1
Te1/2       on               802.1q         trunking      1
Te1/3       on               802.1q         trunking      1
Te1/4       on               802.1q         trunking      1
Te2/1       on               802.1q         trunking      1
Te2/2       on               802.1q         trunking      1
Te2/3       on               802.1q         trunking      1
Te2/4       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/1       1-4094
Te1/2       1-4094
Te1/3       1-4094
Te1/4       1-4094
Te2/1       1-4094
Te2/2       1-4094
Te2/3       1-4094
Te2/4       1-4094

Port        Vlans allowed and active in management domain
Te1/1       1,31-37,39,90,98-99
Te1/2       1,31-37,39,90,98-99
Te1/3       1,31-37,39,90,98-99
Te1/4       1,31-37,39,90,98-99
Te2/1       1,31-37,39,90,98-99
Te2/2       1,31-37,39,90,98-99
Te2/3       1,31-37,39,90,98-99
Te2/4       1,31-37,39,90,98-99

Port        Vlans in spanning tree forwarding state and not pruned
Te1/1       1
Te1/2       1
Te1/3       1,33
Te1/4       1,31-37,39,90,98-99
Te2/1       1
Te2/2       1
Te2/3       1
Te2/4       none
----------------------------------------------------------------------------------------------------------

Basement-2960-stack#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Te1/0/1     on               802.1q         trunking      1
Te2/0/1     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/0/1     1-4094
Te2/0/1     1-4094

Port        Vlans allowed and active in management domain
Te1/0/1     1,31-37,39,90,98-99
Te2/0/1     1,31-37,39,90,98-99

Port        Vlans in spanning tree forwarding state and not pruned
Te1/0/1     1,31-37,39,90,98-99
Te2/0/1     none
-------------------------------------------------------------------------------------------------
Kent W, Sr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
Is the "basement-scrub" a problem child?
I'm not seeing similar VLANs set up on each switch...
For instance, basement only has Vlan1 defined, so it looks like all the ports with VLAN 32 access should be failing.
You would need an
interface vlan32
and some IP dedicated to that interface, for instance.

Author

Commented:
VLAN 32 is set up on the 4900:

interface Vlan32
 ip address 10.15.32.3 255.255.255.0
 ip helper-address 10.15.31.6
 standby 3 ip 10.15.32.1
 standby 3 timers 5 15
 standby 3 priority 105
 standby 3 preempt
 standby 3 authentication (*EF2fif
 standby 3 track 3 decrement 10

All the switchports in the basement switch are set to access mode VLAN 32, with the tengig uplink set to trunk.

Author

Commented:
Basement-2960-stack#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Te1/0/2, Te2/0/2
31   servers                          active
32   basement                         active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28, Gi1/0/29, Gi1/0/30
                                                Gi1/0/31, Gi1/0/32, Gi1/0/33
                                                Gi1/0/34, Gi1/0/35, Gi1/0/36
                                                Gi1/0/37, Gi1/0/38, Gi1/0/39
                                                Gi1/0/40, Gi1/0/41, Gi1/0/42
                                                Gi1/0/43, Gi1/0/44, Gi1/0/45
                                                Gi1/0/46, Gi2/0/1, Gi2/0/2
                                                Gi2/0/3, Gi2/0/4, Gi2/0/5
                                                Gi2/0/6, Gi2/0/7, Gi2/0/8
                                                Gi2/0/9, Gi2/0/10, Gi2/0/11
                                                Gi2/0/12, Gi2/0/13, Gi2/0/14
                                                Gi2/0/15, Gi2/0/16, Gi2/0/17
                                                Gi2/0/18, Gi2/0/19, Gi2/0/20
                                                Gi2/0/21, Gi2/0/22, Gi2/0/23
                                                Gi2/0/24, Gi2/0/25, Gi2/0/26
                                                Gi2/0/27, Gi2/0/28, Gi2/0/29
                                                Gi2/0/30, Gi2/0/31, Gi2/0/32
                                                Gi2/0/33, Gi2/0/34, Gi2/0/35
                                                Gi2/0/36, Gi2/0/37, Gi2/0/38
                                                Gi2/0/39, Gi2/0/40, Gi2/0/41
                                                Gi2/0/42, Gi2/0/43, Gi2/0/44
                                                Gi2/0/45, Gi2/0/46, Gi2/0/47
                                                Gi2/0/48
33   1st_floor                        active
34   2nd_floor                        active
35   3rd_floor                        active
36   VLAN0036                         active
37   VLAN0037                         active
39   VLAN0039                         active
90   sheriff                          active
98   hvac                             active    Gi1/0/47, Gi1/0/48
99   voip                             active

Author

Commented:
Attached is a net diagram. Maybe that will help.
netdiag.pdf

Author

Commented:
I believe it to be an ACL problem. I can ping all the other VLANs at the other site except that 250 one. When I do a tracert it dies at the 2821 LAN interface:

C:\Documents and Settings\Administrator>tracert 10.15.250.102

Tracing route to 10.15.250.102 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.15.32.3
  2    <1 ms    <1 ms    <1 ms  192.168.253.25
  3     *
Kent W, Sr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
On basement, I'm not seeing a VLAN32 interface, only VLAN1.
Have you tried adding an interface w/ IP to basement?

What I would expect, from looking over this, is to see your "basement"
interface TenGig2/0/1 set to trunk w/ encaps dot1q, and to see the VLAN32 named and configured.

You said this was working previously, so that rules out your private line provider not passing encapsulation (had an issue with that before...)

Author

Commented:
I don't need a switch to have an interface for VLAN 32 for it to work... the only reason to have an interface on a layer 2 switch is for management. Plus you cannot encapsulate a trunk port on a 2960; it does it automatically when you put it in trunk mode.


Basement-2960-stack#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Te1/0/1     on               802.1q         trunking      1
Te2/0/1     on               802.1q         trunking      1

Author

Commented:
It's also working on all the other switches set up the exact same way, which is making me think it's an ACL issue, because the traffic is making it all the way to the 2821 but the 2821 is not sending it across the tunnel.
Kent W, Sr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
Ok, gotcha. I use 3750's for base switches, 2970's for hosts, so the 29xx's have minimal VLAN configs.

I do believe I had to set up the VLANs I wanted to route between on the 2970's, though... for instance:

interface Vlan87
 ip address 192.168.1.37 255.255.255.0
 no ip route-cache

But, with your last statement, it does seem to be some ACL issue; taking a look with that in mind now...


Author

Commented:
All the switches and the LAN interface of the router have a 192.168.253.x address, which is basically a management network. When I tracert from a machine on the 32 VLAN it gets all the way to the 2821 LAN interface (192.168.253.25):

C:\Documents and Settings\Administrator>tracert 10.15.250.102

Tracing route to 10.15.250.102 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.15.32.3
  2    <1 ms    <1 ms    <1 ms  192.168.253.25
  3     *
Soulja, Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011

Commented:
Why is the trace going through 32.3 instead of 32.2? Post sh standby for vlan 32 from your 4900's.

Author

Commented:
That's odd to me too. Here's another thing that's odd: if I telnet into 10.15.32.1, the second 4900 is what I log into and not the first.
Vlan32 - Group 3
  State is Active
    2 state changes, last state change 1w3d
  Virtual IP address is 10.15.32.1
  Active virtual MAC address is 0000.0c07.ac03
    Local virtual MAC address is 0000.0c07.ac03 (v1 default)
  Hello time 5 sec, hold time 15 sec
    Next hello sent in 1.328 secs
  Authentication text, string "(*EF2fif"
  Preemption enabled
  Active router is local
  Standby router is 10.15.32.2, priority 100 (expires in 12.832 sec)
  Priority 105 (configured 105)
    Track object 3 state Up decrement 10
  Group name is "hsrp-Vl32-3" (default)

Author

Commented:
And the first 4900 I get by logging into 10.15.32.2:

Vlan32 - Group 3
  State is Standby
    1 state change, last state change 1w3d
  Virtual IP address is 10.15.32.1
  Active virtual MAC address is 0000.0c07.ac03
    Local virtual MAC address is 0000.0c07.ac03 (v1 default)
  Hello time 5 sec, hold time 15 sec
    Next hello sent in 2.592 secs
  Authentication text, string "(*EF2fif"
  Preemption enabled
  Active router is 10.15.32.3, priority 105 (expires in 13.024 sec)
  Standby router is local
  Priority 100 (default 100)
    Track object 3 state Up decrement 10
  Group name is "hsrp-Vl32-3" (default)

Author

Commented:
Actually, it looks like all the VLANs are on standby on the 4900_1 and active on the 4900_2.
Soulja, Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011

Commented:
Okay. I just noticed the 4900 config you posted is of the second one, and you do have it configured to be the active HSRP switch. Regardless, that shouldn't be the issue.

Author

Commented:
Yeah, so back to being stumped... you think maybe it's an ACL? It's the only thing I can think of, because it's actually getting to the edge router, but not going across the tunnel.
Soulja, Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011

Commented:
I looked several times and nothing sticks out. What does a trace from the remote site give you?

Author

Commented:
931 permit ip 10.15.0.0 0.0.255.255 10.15.250.0 0.0.0.255 (56755942 matches)


That is the ACL that is on the edge router; it should encompass all the VLANs at this site.

And on the remote site:

290 permit ip 10.15.250.0 0.0.0.255 10.15.32.0 0.0.0.255 (2698787 matches)

Author

Commented:
Not really a PC on that VLAN on the remote side, it's all HVAC, security etc.
Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011
Commented:
Try entering a more specific ACL entry on the main router ACL, like the one on the remote, and put it before line 931. See if you get matches.

Author

Commented:
Hmm, I put the more specific one in:

929 permit ip 10.15.32.0 0.0.0.255 10.15.250.0 0.0.0.255

And it worked... odd... why wouldn't the more inclusive one work by default? It actually worked like that before the 10G swap.

Author

Commented:
I didn't get any hits on that entry, though...
Soulja, Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011

Commented:
???????

It works now but no matches on the new entry?

Author

Commented:
lol, I know... that's what I said.

Author

Commented:
Ping before:
929 permit ip 10.15.32.0 0.0.0.255 10.15.250.0 0.0.0.255
931 permit ip 10.15.0.0 0.0.255.255 10.15.250.0 0.0.0.255 (56938916 matches)

Ping after:
929 permit ip 10.15.32.0 0.0.0.255 10.15.250.0 0.0.0.255
   
931 permit ip 10.15.0.0 0.0.255.255 10.15.250.0 0.0.0.255 (56941553 matches)

It looks like it's going out the existing one now.

Author

Commented:
If I take it out, it stops working...
Soulja, Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011

Commented:
I just talked to one of my CCIE Security buddies, and he agreed that sometimes the more specific ACL entries are preferred over the broad ones. This must be one of those cases, though it goes against everything that I assumed before this. Very odd situation.

Author

Commented:
Yeah, I can see that as well, but the fact that it wouldn't show hits on that one, while the hits would show up on the old entry, is what has me scratching my head... either way, it works.. lol
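A small checker, added here and not part of the thread, that evaluates the ACL entries quoted above with ordinary first-match wildcard semantics: it shows that both 929 and 931 already cover 10.15.32.x to 10.15.250.x, so entry order alone does not explain the change in behaviour, while only 929 is the exact src/dst mirror of the remote side's entry 290. The sample flow addresses are constructed; the ACE lines are the ones posted in the thread.

```python
import ipaddress
import re

# Constructed from the ACE lines quoted in the thread (sequence numbers and
# match counts as posted; the counts are parsed past but not used).
MAIN_SITE_ACL = """
929 permit ip 10.15.32.0 0.0.0.255 10.15.250.0 0.0.0.255
931 permit ip 10.15.0.0 0.0.255.255 10.15.250.0 0.0.0.255 (56941553 matches)
"""
REMOTE_SITE_ACL = """
290 permit ip 10.15.250.0 0.0.0.255 10.15.32.0 0.0.0.255 (2698787 matches)
"""

ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_acl(text):
    """Return a list of (seq, action, src, src_wild, dst, dst_wild) tuples."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, src, sw, dst, dw = m.groups()
            entries.append((int(seq), action, src, sw, dst, dw))
    return entries


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def first_match(entries, src, dst):
    """Return (seq, action) of the first ACE matching the flow, or None (implicit deny)."""
    for seq, action, s, sw, d, dw in entries:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return seq, action
    return None


def is_mirror(ace_a, ace_b):
    """True if ace_b is the exact src/dst mirror of ace_a (same prefixes and wildcards)."""
    _, _, s, sw, d, dw = ace_a
    _, _, s2, sw2, d2, dw2 = ace_b
    return (s, sw, d, dw) == (d2, dw2, s2, sw2)
```

Running `first_match` with and without entry 929 for a 10.15.32.x host returns 929 and 931 respectively, both permits, which matches the author's observation that the hit counter on 931 kept climbing.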
Soulja, Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011

Commented:
Have you considered going with GRE tunnels and using a dynamic routing protocol over your VPNs? It would be much cleaner.

Author

Commented:
Not really, just because I don't have much experience with it. Is it a difficult transition?
Soulja, Sr. Net. Eng
CERTIFIED EXPERT
Top Expert 2011

Commented:
It will require some planning, because you will be adding EIGRP, but very doable. The downside is that you would want to do all sites.
