Thursday, August 12, 2021

Trouble getting DNS and DHCP on newly attached switch (crosspost from /r/sysadmin)

I can't go home until I figure this one out, so I figured I'd reach out for help. I've crossposted from /r/sysadmin in hopes of someone seeing this and helping me out of a jam.

I was tasked with bringing a production switch from one school district's network to another (districts merged, long story), so I was trying to maintain as much as possible here. In the process of bringing the switch in, I've somehow managed to create a situation where the switch can see all the internal networks, but can't see past our network's connection to the DNS and DHCP servers, which sit behind a switch managed by our state IT that serves as the connection to the rest of the world. I'm fairly new to managing a network of this scale, so naturally I'm a bit in over my head here: in the process we lost our network admin and I got a battlefield promotion, so to speak.

Configs (pruned to what I believe is relevant):

Working switch:

Current configuration : 16126 bytes
!
! Last configuration change at 13:42:00 CST Tue Aug 10 2021 by ****
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service unsupported-transceiver
!
hostname 101-school1-Core
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
switch 1 provision ws-c3850-12xs
switch 2 provision ws-c3850-12xs
!
ip routing
!
system mtu 9198
no errdisable detect cause gbic-invalid
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
hw-switch switch 2 logging onboard message level 3
!
redundancy
mode sso
!
!
vlan configuration 70,170,270,400
ip flow monitor Netflow-to-Prime input
!
vlan 70
name Old Data
!
vlan 904
name Loop-Edu
!
vlan 905
name Loop-School2
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
template 1/0/1
!
interface TenGigabitEthernet1/0/11
description Loop-School2
switchport access vlan 905
switchport mode access
!
interface TenGigabitEthernet2/0/11
description Loop-Edu
switchport access vlan 904
switchport trunk native vlan 904
switchport mode access
storm-control broadcast level 10.00
storm-control unicast level 10.00
!
interface Vlan1
ip address 172.16.7.6 255.255.255.128
ip ospf 10 area 0
!
interface Vlan70
description ***DATA VLAN***
ip address 10.162.72.1 255.255.252.0
ip helper-address 10.162.64.65
ip helper-address 10.162.64.30
ip helper-address 10.2.5.40
!
interface Vlan904
description Edu - School1
ip address 172.16.0.38 255.255.255.248
ip ospf 10 area 0
!
interface Vlan905
description School1 - School2
ip address 172.16.0.41 255.255.255.248
ip ospf 10 area 0
!
interface Vlan921
ip address 172.16.0.137 255.255.255.248
ip ospf 10 area 0
!
router ospf 10
network 10.160.80.0 0.0.0.255 area 0
network 10.162.16.0 0.0.3.255 area 0
network 10.162.72.0 0.0.3.255 area 0
network 10.162.84.0 0.0.1.255 area 0
network 10.162.136.0 0.0.0.255 area 0
network 10.162.176.0 0.0.1.255 area 0
network 10.162.178.0 0.0.1.255 area 0
network 10.162.180.0 0.0.1.255 area 0
network 10.162.182.0 0.0.1.255 area 0
network 10.162.184.0 0.0.1.255 area 0
network 10.162.186.0 0.0.1.255 area 0
network 10.162.240.0 0.0.1.255 area 0
network 10.162.242.0 0.0.1.255 area 0
network 10.162.244.0 0.0.1.255 area 0
network 10.162.246.0 0.0.1.255 area 0
network 172.16.0.32 0.0.0.7 area 0
network 172.16.0.136 0.0.0.7 area 0
network 172.22.2.0 0.0.0.255 area 0
network 172.22.4.0 0.0.0.255 area 0
network 172.22.16.0 0.0.0.255 area 0
!
ip default-gateway 10.162.64.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.162.64.1
!
!
access-list 101 permit udp host 10.162.64.102 any eq 16962
!

ap group default-group
end

Trouble switch:

Current configuration : 17572 bytes
!
! Last configuration change at 19:59:44 CST Sun Feb 28 1993 by ****
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service unsupported-transceiver
!
hostname *****-3560G-Sw
!
boot-start-marker
boot-end-marker
!
system mtu routing 1500
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name *domain*
!
no errdisable detect cause gbic-invalid
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100
name Voice
!
vlan 904
lldp timer 60
lldp reinit 3
lldp run
!
interface GigabitEthernet0/14
switchport mode access
switchport nonegotiate
switchport voice vlan 100
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
storm-control broadcast level 0.50
storm-control multicast level 0.50
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/25
description Edu-School1
switchport access vlan 904
switchport trunk encapsulation dot1q
switchport trunk native vlan 904
switchport mode access
!
interface Vlan1
ip address 10.160.80.1 255.255.255.0
ip helper-address 10.2.5.40
!
interface Vlan100
description Voice Vlan
ip address 10.160.81.1 255.255.255.0
!
interface Vlan904
description Edu-School1
ip address 172.16.0.37 255.255.255.248
ip ospf cost 30000
ip ospf mtu-ignore
ip ospf 10 area 0
!
!
router eigrp 100
network 10.160.80.0 0.0.0.255
redistribute connected
!
router ospf 10
network 10.160.80.0 0.0.0.255 area 0
network 10.160.0.0 0.0.255.255 area 0
network 172.16.0.32 0.0.0.7 area 0
!
ip route 0.0.0.0 0.0.0.0 10.162.64.1
!
ntp server 129.6.15.28 prefer
ntp server 129.6.15.29
end

The good one is able to get DNS info. The bad switch naturally also doesn't get DHCP from the helper-address.

A diagram would look like this:

Problem switch <=> School1 <=> School2 <=> School3 <=> School4 <=> State Network <=> DNS/DHCP

I can ping all the way to School4, but can't ping the state network, though this is true for all our switches. Packets are supposed to get to School4 and take a static route out into the state network.

What obvious thing have I missed due to being new to this?
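Two things worth confirming from the configs before touching the routing are whether every SVI subnet falls inside an OSPF network statement and whether the default route's next hop is on a subnet the switch is actually connected to. The checker below is an added example (not from the post or from Cisco); it reads the "Trouble switch" lines quoted above and reports both, and it accepts any IOS config text, so the working switch's config can be pasted in for comparison.

```python
import ipaddress
import re

# Excerpt of the "Trouble switch" config quoted in the post (only the lines the checker reads).
TROUBLE_SWITCH = """
interface Vlan1
 ip address 10.160.80.1 255.255.255.0
interface Vlan100
 ip address 10.160.81.1 255.255.255.0
interface Vlan904
 ip address 172.16.0.37 255.255.255.248
router ospf 10
 network 10.160.80.0 0.0.0.255 area 0
 network 10.160.0.0 0.0.255.255 area 0
 network 172.16.0.32 0.0.0.7 area 0
ip route 0.0.0.0 0.0.0.0 10.162.64.1
"""

def wildcard_to_prefix(wildcard):
    """OSPF 'network' statements use inverted masks; convert a contiguous one to a prefix length."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return bin(mask).count("1")

def parse_config(text):
    """Return ({svi: IPv4Interface}, [OSPF networks], [default-route next hops])."""
    svis, ospf, hops, iface = {}, [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            iface = s.split()[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", s):
            svis[iface] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"network (\S+) (\S+) area", s):
            ospf.append(ipaddress.IPv4Network((m[1], wildcard_to_prefix(m[2]))))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", s):
            hops.append(ipaddress.IPv4Address(m[1]))
    return svis, ospf, hops

def check(text):
    """True per SVI when OSPF advertises it; True for the default route when its next hop is connected."""
    svis, ospf, hops = parse_config(text)
    report = {name: any(itf.ip in net for net in ospf) for name, itf in svis.items()}
    connected = [itf.network for itf in svis.values()]
    # A next hop outside every connected subnet must be resolved through another (learned) route.
    report["default_next_hop_connected"] = all(any(h in n for n in connected) for h in hops)
    return report

if __name__ == "__main__":
    for item, ok in check(TROUBLE_SWITCH).items():
        print(f"{item}: {'ok' if ok else 'CHECK'}")
```

For the quoted config every SVI is covered by an OSPF statement, while the default route's next hop 10.162.64.1 is not on any connected subnet, so that route can only be installed if a path to it is learned from a neighbour.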
