Gradelain,

It sounds like you are moving your client into a different VLAN based on policy 
attributes and that the C5 is changing policy but the client can't get to their 
default gateway. 

If this is the case I'm interested in knowing if you are running VRRP on the 
default gateway?  If you're running VRRP and the VLAN the client starts in has 
a VLAN-ID (VRID) that's the same as the VLAN they are moving into, then the 
client will still contain an ARP entry for the MAC address of the previous 
gateway (if VLAN-ID 1 then it will be 00-00-5e-00-01-01), which conflicts with 
the MAC address of the new VLAN and thus makes communication with the new 
gateway impossible until the ARP table clears.

If that's the case, an easy solution is to ensure that you utilize unique 
VLAN-IDs on both those VLANs so that the MAC address will be different, since 
VRRP utilizes the VRID as part of the MAC address.

Matthew Hess
Sr. Mgr. Network & Telecom
Milton Hershey School
PO Box 830 Hershey PA 17033-0830
Phone: 717-520-2224 
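
Added example, not part of the original message: a check for the condition described above, where two VLANs use the same VRID and so present the same IPv4 VRRP virtual MAC (00-00-5e-00-01-VRID). The VLAN/VRID inventory, the list of VLAN moves and all function names are constructed for illustration.

```python
from collections import defaultdict

# IPv4 VRRP virtual router MAC is 00-00-5E-00-01-{VRID} (RFC 5798).
VRRP_IPV4_PREFIX = (0x00, 0x00, 0x5E, 0x00, 0x01)

# Constructed sample data (assumption): VLAN ID -> VRID configured on its gateway.
SAMPLE_VLAN_VRIDS = {1: 1, 22: 1, 30: 30, 40: 40}
# Constructed sample data (assumption): (port VLAN, dynamically assigned VLAN) moves.
SAMPLE_MOVES = [(1, 22), (30, 40), (22, 22)]


def vrrp_virtual_mac(vrid):
    """Return the IPv4 VRRP virtual MAC for a VRID, in the thread's notation."""
    if not isinstance(vrid, int) or not 1 <= vrid <= 255:
        raise ValueError(f"VRID must be an integer from 1 to 255, got {vrid!r}")
    return "-".join(f"{octet:02x}" for octet in (*VRRP_IPV4_PREFIX, vrid))


def shared_gateway_macs(vlan_vrids):
    """Group VLANs by gateway virtual MAC; keep only MACs used by several VLANs."""
    by_mac = defaultdict(list)
    for vlan in sorted(vlan_vrids):
        by_mac[vrrp_virtual_mac(vlan_vrids[vlan])].append(vlan)
    return {mac: vlans for mac, vlans in by_mac.items() if len(vlans) > 1}


def moves_between_same_mac(vlan_vrids, moves):
    """Return (from_vlan, to_vlan, mac) for VLAN changes whose gateways share a MAC."""
    flagged = []
    for src, dst in moves:
        if src == dst or src not in vlan_vrids or dst not in vlan_vrids:
            continue  # no VLAN change, or no VRRP gateway known for one side
        if vlan_vrids[src] == vlan_vrids[dst]:
            flagged.append((src, dst, vrrp_virtual_mac(vlan_vrids[src])))
    return flagged


if __name__ == "__main__":
    for mac, vlans in shared_gateway_macs(SAMPLE_VLAN_VRIDS).items():
        print(f"{mac} is the gateway MAC in VLANs {vlans}")
    for src, dst, mac in moves_between_same_mac(SAMPLE_VLAN_VRIDS, SAMPLE_MOVES):
        print(f"move VLAN {src} -> {dst}: both gateways answer as {mac}")
```
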



 

-----Original Message-----
From: Enterasys Customer Mailing List digest 
[mailto:[email protected]] 
Sent: Wednesday, May 14, 2014 12:10 AM
To: enterasys digest recipients
Subject: enterasys digest: May 13, 2014

ENTERASYS Digest for Tuesday, May 13, 2014.

1. client communication issue on C5G
2. Re: client communication issue on C5G
3. AW: client communication issue on C5G
4. Re: client communication issue on C5G
5. AW: client communication issue on C5G
6. Re: AW: client communication issue on C5G

----------------------------------------------------------------------

Subject: client communication issue on C5G
From: Gradelain Ngouni <[email protected]>
Date: Tue, 13 May 2014 18:43:18 +0200
X-Message-Number: 1

Hello All,
The problem I’m facing now is as follows:
The C5G switch, running firmware 06.61.08.0013, is configured to accept the 
following RADIUS attributes: Policy and VLAN-ID.
From the switch I can ping the client gateway, but from the client itself I 
cannot.
The client receives the right policy (which actually allows everything) and 
dynamically received the right VLAN ID as well.

- VLAN exists on the switch, the uplinks and the whole path to the core 
  --> verified
- VLAN also configured manually on the switch port where the client is 
  connected --> ping still unsuccessful
- Policy applied without VLAN information --> didn’t help either

Any hint will be welcome.

Thanks and regards

Gradelain



Gradelain Ngouni
Dipl.-Ing.
IT Project Manager

SCALTEL AG
Anna-Birle-Str. 2
55252 Mainz-Kastel

Phone +49 6134 50789-23
Fax +49 (0) 6134 50789-10
[email protected]

Legal form: Aktiengesellschaft (stock corporation)
Register court: Kempten HRB 7208
Registered office: Waltenhofen
Chairman of the Executive Board: Christian Skala
Executive Board: Joachim Skala
Chairman of the Supervisory Board: Alfons Hörmann



----------------------------------------------------------------------

Subject: Re: client communication issue on C5G
From: John Kaftan <[email protected]>
Date: Tue, 13 May 2014 12:55:49 -0400
X-Message-Number: 2

Have you done a 'sh port egress' on the port?

Is the goal to have any client that gets the ROLE-MAC-Telefonserver policy to 
be contained to VLAN 22 no matter what VLAN the port is set to?

We have our RADIUS attribute set to Filter ID (Discard VTA).  Is there a reason 
why you are trying to assign the VLAN via RADIUS?  I assume you are using 
Policy Manager.  If you configure your ROLE-MAC-Telefonserver to contain to 
VLAN 22 your RADIUS server wouldn't need to know anything about the VLAN.  It 
would just have to get the Filter ID correct and the rest would happen via 
Policy.

John






--
John Kaftan
IT Infrastructure Manager
Utica College

----------------------------------------------------------------------

Subject: AW: client communication issue on C5G
From: Gradelain Ngouni <[email protected]>
Date: Tue, 13 May 2014 19:25:17 +0200
X-Message-Number: 3

Hello John,

here is the „sh port egress“.

The only reason why the VLAN attribute is configured on the NAC-Gateway is 
that the policies were configured separately by someone else and shouldn’t be 
manipulated at this time.
Yes, any client that gets the role “ROLE-MAC-Telefonserver” should be assigned 
VLAN 22 no matter what VLAN is set on the port.

The final goal of the role “ROLE-MAC-Telefonserver” should be allowing 
everything except some specific protocols, therefore in my opinion it is better 
to assign the VLAN through NAC and the protocol restriction through PM.
Similar rules are working on other switches pretty well.
The IP address on VLAN 22 is assigned to the PC manually and the PC still can’t 
ping its gateway.

Thanks in advance.

Gradelain





----------------------------------------------------------------------

Subject: Re: client communication issue on C5G
From: John Kaftan <[email protected]>
Date: Tue, 13 May 2014 13:39:12 -0400
X-Message-Number: 4

Kind of has to be an egress issue between the client and the router.  You 
could mirror the port that the client is on and capture traffic as the ping 
happens.  Then you could move the capture to the uplink port for the switch.  
Any chance you have a LAG going and forgot to do the egress on the LAG port?  
Or you do not have single port LAG configured and your LAG is down and you do 
not have the egress on the physical port?  Anyway, get proof that the packet is 
leaving the switch or not.

You could start at the other end and do a packet capture on the server or 
mirror the server port and grab a capture to see if the packet is making it to 
the server and it is just not coming back for some reason.

You could also do a 'sh mac port ge.1.1' on your switch to see if the switch 
has learned your PC's MAC address.

You could also disable auth on the port to see if your policy is causing the 
issue.

Just some thoughts.  I hate it when stuff like this happens.








--
John Kaftan
IT Infrastructure Manager
Utica College

----------------------------------------------------------------------

Subject: AW: client communication issue on C5G
From: Gradelain Ngouni <[email protected]>
Date: Tue, 13 May 2014 19:52:00 +0200
X-Message-Number: 5

Hello John,
thanks for your thoughts so far.
What has not been done yet is:

- Capturing the packets

I even disabled the authentication on the port but still no success.
I have a feeling that something is going wrong with the switch??

Many thanks

Gradelain




----------------------------------------------------------------------

Subject: Re: AW: client communication issue on C5G
From: John Kaftan <[email protected]>
Date: Tue, 13 May 2014 22:54:30 -0400
X-Message-Number: 6

I have had that feeling too multiple times but it has always been something 
logical in the end or some little detail I have missed.  I would call Enterasys 
and not beat my head against the wall.  Your switch is covered for free and 
their support is awesome.  Please let us know what it was.

Couple of other commands to try:

'Show port status' - make sure your port is not dormant or admin down
'Show port mirror' - make sure your port is not in a mirror
'Show spantree spanguardlock' - make sure your port is not locked. Don't see 
why it would be but what the heck.

Is this a single switch or is it a stack member?



---

END OF DIGEST
