
My linux VM cannot ping VLAN interface

Hi,
I followed the Section Cisco IOS Layer 3 Routed Configuration - Devices in the Same Branch Subnet, but my Linux VM cannot ping the VLAN interface. I have IOS 15.1(3)T, router CISCO2911/K9 with SRE-900 installed with SRE-V2.0.0. Below is the configuration on the router:
Current configuration : 5937 bytes
!
! Last configuration change at 13:38:50 UTC Wed Nov 7 2012 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname top-2911
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name netsys.com
ip name-server 192.168.39.150
ip name-server 192.168.38.201
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2051855198
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2051855198
 revocation-check none
 rsakeypair TP-self-signed-2051855198
!
!
crypto pki certificate chain TP-self-signed-2051855198
certificate self-signed 01
        quit
license udi pid CISCO2911/K9 sn FTX1348A0NK
hw-module sm 1
!
!
!
username admin privilege 15 secret 5 $1$NP0.$P0FcBwp4eK43TR6FjydAx.
username cisco privilege 15 password 0 cisco
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 172.25.1.13 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.202
 encapsulation dot1Q 202
 ip address 172.25.202.1 255.255.255.0
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface SM1/0
 ip address 172.25.192.177 255.255.255.240
 service-module ip address 172.25.192.178 255.255.255.240
 !Application: VMware ESXi 5.0.0 build-474610 running on SRE
 service-module ip default-gateway 172.25.192.177
 hold-queue 60 out
!
interface SM1/1
 description Internal switch interface connected to Service Module
 switchport trunk allowed vlan 1-1005
 switchport mode trunk
!
interface Vlan202
 ip unnumbered GigabitEthernet0/0.202
!
ip default-gateway 172.25.1.1
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 172.25.1.1
ip route 172.25.192.178 255.255.255.255 SM1/0
ip route 172.25.202.10 255.255.255.255 Vlan202
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.


top-2911#
 
My Linux VM IP:172.25.202.10 255.255.255.0 and its gateway: 172.25.202.1.  I also configured vlan 202 in the port group in vswitch1 the VM is connected to.
 
Can you give me some help?
 
Thanks!

Hi Vijay,
In ESXi you need to link the network adapter of the VM to the vlan ID.  Via the vSphere Client please create a port group and assign it the vlan ID 202.  Then assign the port group as the network adapter of the VM.  If that doesn't fix your issue, please also check that your Linux OS is not blocking access.
Thanks,
Brett

Hi Brett,
Yes, we did put the port group in the same vlan and it still didn't work. So I've played around with the configurations, and tried to stay close to the section Cisco IOS Layer 3 routed Configuration in the documentation. Finally I got the VM able to ping the vlan interface and vice versa and ping the router, but my VM cannot ping network 10.20.0.0. Below is the configuration. I am using vlan 202 and assigned sub interface gig 0/0.202 ip address to the vlan interface.
Current configuration : 5545 bytes
!
! Last configuration change at 15:25:37 UTC Fri Nov 9 2012 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname axp-dev-3826
!
boot-start-marker
boot system flash0:c3900-universalk9-mz.SPA.152-1.GC.bin
boot-end-marker
!
!
enable secret 5 $1$cVny$d/FPC.FDQlfSQ9Dd7v.5X0
!
no aaa new-model
!
no ipv6 cef
!
ip traffic-export profile calvin-rite
! No outgoing interface configured
! No destination mac-address configured
!
!
!
!
!
ip domain name netscout.com
ip name-server 192.168.39.150
ip name-server 192.168.38.201
ip cef
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2534788575
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2534788575
 revocation-check none
 rsakeypair TP-self-signed-2534788575
 crypto pki certificate chain TP-self-signed-2534788575
 certificate self-signed 01
        quit
license udi pid C3900-SPE100/K9 sn FOC13353X3Z
hw-module sm 1
!
hw-module sm 2
!
!
!
username root privilege 3 password 7 0208014F1805003458
username admin privilege 15 secret 5 $1$Os/.$WcX/gzSUjcLfPwvLcPUTW.
username user1 password 0 user1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 172.25.1.12 255.255.255.0
speed auto
 no mop enabled
!
interface GigabitEthernet0/0.202
 encapsulation dot1Q 202
 ip address 172.25.202.50 255.255.255.0
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip wccp 61 redirect in
 ip flow ingress
 duplex full
 speed 1000
 no keepalive
 no mop enabled
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface SM1/0
 ip unnumbered GigabitEthernet0/0
 service-module ip address 172.25.1.18 255.255.255.0
 !Application: VMware ESXi 5.0.0 build-474610 running on SRE
 service-module ip default-gateway 172.25.1.12
!
interface SM1/1
 description Internal switch interface connected to Service Module
 switchport access vlan 202
 switchport trunk allowed vlan 1-1024
 switchport mode trunk
 no ip address
!
interface SM2/0
 ip unnumbered GigabitEthernet0/0
 service-module ip address 172.25.1.16 255.255.255.0
 !Application: VMware ESXi 4.1.0 build-348481 running on SRE
 service-module ip default-gateway 172.25.1.12
 hold-queue 60 out
interface SM2/1
 description Internal switch interface connected to Service Module
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan30
 no ip address
!
interface Vlan40
 ip address 40.0.0.100 255.255.255.0
!
interface Vlan202
 ip unnumbered GigabitEthernet0/0.202
!
ip default-gateway 172.25.1.1
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.25.1.1
ip route 40.0.0.1 255.255.255.255 Vlan40
ip route 40.0.0.101 255.255.255.255 Vlan40
ip route 172.25.1.14 255.255.255.255 SM2/0
ip route 172.25.1.16 255.255.255.255 SM2/0
ip route 172.25.1.18 255.255.255.255 SM1/0
ip route 172.25.202.51 255.255.255.255 Vlan202
ip route 172.25.202.101 255.255.255.255 Vlan202
!
!
!
snmp-server community public RO
snmp-server enable traps entity-sensor threshold
tftp-server flash 10.20.197.15
tftp-server flash 10.20.197.52
!
control-plane
!
!
!
line con 0
 login local

Thanks!

Hi Vijay,
The 10.20.0.0 IP is on a separate network from your VM. Please check that the TFTP servers on that IP reside on the same vlan. Also from your VM try doing a traceroute to the tftp server. My guess is that the packets are being routed to the default IP you've specified in the router which is probably the wrong path. If that is the case, I think you'll want to create an IP route in the router to route packets to the 10.20.0.0 network.
Thanks,
Brett

Hi Brett,
Thanks! I am able to connect VM to the network now. There is nothing wrong in the router configuration, the issue is we don't have a route in our network to the VM.  So after we update our network with the route to VM, the VM is connected to the networks.
Now we have another issue. Our VM doesn't see any packets exported from Gig 0/1.  Our RITE configured as follows:
ip traffic-export profile NETSCOUT
  interface SM1/1
  bidirectional
  mac-address 0080.8c00.0001
 
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip wccp 61 redirect in
 ip flow ingress
 ip traffic-export apply NETSCOUT
 duplex full
 speed 1000
 no keepalive
 no mop enabled
So in the port group VM Networks I changed the vlanID to 4095 from 202 and the VM now can see exported packets, but the VM lost connections to the network. If I change vlanID in the port group to 202 the VM can connect to the networks, but the VM doesn't see exported packets. Can you give us some help?
Thanks!

Hi Vijay,
I did some research and it appears that VMware does special handling for tag 4095 which is why I think that is working for you.  Here's some information and the write up has some other ideas as well: http://vmnomad.blogspot.com/2011/07/vlan-tagging-and-use-cases-of-vlan-id.html .
Regarding your issue, the packets coming from the interface Gig0/1 are not on that same vlan on the network, right? If that's correct I think that is probably why the VM cannot see them because they are not tagged. Since you mentioned port 4095 works, I think in VMware you can create multiple network adapters and assign more than one to a VM. If that's the case then as a work around you should be able to have your VM able to accept data from both vlan IDs 2095 and 202 which would give you the functionality that you desire.
Please let us know if that work around resolves your issue.
Thanks,
Brett

Hi Brett,
If I put the port group in vlan 4095 the VM would lose network connection, i.e., I cannot ping to the VM. So I put the port group in vlan 202, and changed the RITE configuration as follows. It works for me but I don't understand completely what is going on. Can you explain? Here is the full configuration:
Thanks!

Current configuration : 5493 bytes
!
! Last configuration change at 18:41:05 UTC Tue Nov 13 2012 by admin
! NVRAM config last updated at 17:40:22 UTC Mon Nov 12 2012 by admin
! NVRAM config last updated at 17:40:22 UTC Mon Nov 12 2012 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname axp-dev-3826
!
boot-start-marker
boot system flash0:c3900-universalk9-mz.SPA.152-1.GC.bin
boot-end-marker
!
!
enable secret 5 $1$cVny$d/FPC.FDQlfSQ9Dd7v.5X0
!
no aaa new-model
!
no ipv6 cef
!
ip traffic-export profile ns-agent
  interface Vlan202
  bidirectional
  mac-address 0080.8c00.0001
!
!
!
!
!
ip domain name netscout.com
ip name-server 192.168.39.150
ip name-server 192.168.38.201
ip cef
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2534788575
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2534788575
!
interface GigabitEthernet0/0
 ip address 172.25.1.12 255.255.255.0
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip wccp 61 redirect in
 ip flow ingress
 ip traffic-export apply ns-agent
 duplex full
 speed 1000
 no keepalive
 no mop enabled
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface SM1/0
 ip unnumbered GigabitEthernet0/0
 service-module ip address 172.25.1.18 255.255.255.0
 !Application: VMware ESXi 5.0.0 build-474610 running on SRE
 service-module ip default-gateway 172.25.1.12
!
interface SM1/1
 description Internal switch interface connected to Service Module
 switchport mode trunk
 no ip address
!
interface SM2/0
 ip unnumbered GigabitEthernet0/0
 service-module ip address 172.25.1.16 255.255.255.0
 !Application: VMware ESXi 4.1.0 build-348481 running on SRE
 service-module ip default-gateway 172.25.1.12
 hold-queue 60 out
!
interface SM2/1
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan30
 no ip address
!
interface Vlan40
 ip address 40.0.0.100 255.255.255.0
!
interface Vlan202
 ip address 172.25.202.50 255.255.255.0
!
ip default-gateway 172.25.1.1
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.25.1.1
ip route 40.0.0.1 255.255.255.255 Vlan40
ip route 40.0.0.101 255.255.255.255 Vlan40
ip route 172.25.1.14 255.255.255.255 SM2/0
ip route 172.25.1.16 255.255.255.255 SM2/0
ip route 172.25.1.18 255.255.255.255 SM1/0
ip route 172.25.202.51 255.255.255.255 Vlan202
!
!
!
snmp-server community public RO
snmp-server enable traps entity-sensor threshold
tftp-server flash 10.20.197.15
tftp-server flash 10.20.197.52
!
control-plane
!

Show ip traffic export :

Router IP Traffic Export Parameters
Monitored Interface             GigabitEthernet0/1
        Export Interface                Vlan202
        Destination MAC address 0080.8c00.0001
        bi-directional traffic export is on
Output IP Traffic Export Information    Packets/Bytes Exported    0/0
        Packets Dropped           0
        Sampling Rate             one-in-every 1 packets
        No Access List configured
Input IP Traffic Export Information     Packets/Bytes Exported    19546575/899142450
        Packets Dropped           0
        Sampling Rate             one-in-every 1 packets
        No Access List configured
        Profile ns-agent is Active
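
A small check over the `show ip traffic export` output in the post above, added here as an example and not part of the original thread: it parses the per-direction counters and reports a direction that exported nothing or dropped packets. The function names are hypothetical, and the sample text is the output as posted.

```python
import re

# Output copied verbatim from the `show ip traffic export` listing in the post above.
SAMPLE = """\
Router IP Traffic Export Parameters
Monitored Interface             GigabitEthernet0/1
        Export Interface                Vlan202
        Destination MAC address 0080.8c00.0001
        bi-directional traffic export is on
Output IP Traffic Export Information    Packets/Bytes Exported    0/0
        Packets Dropped           0
        Sampling Rate             one-in-every 1 packets
        No Access List configured
Input IP Traffic Export Information     Packets/Bytes Exported    19546575/899142450
        Packets Dropped           0
        Sampling Rate             one-in-every 1 packets
        No Access List configured
        Profile ns-agent is Active
"""

def parse_traffic_export(text):
    """Parse one profile's `show ip traffic export` text into a dict."""
    info = {"bidirectional": False, "active": False, "directions": {}}
    current = None  # direction whose counters are currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Monitored Interface\s+(\S+)", line):
            info["monitored"] = m.group(1)
        elif m := re.match(r"Export Interface\s+(\S+)", line):
            info["export"] = m.group(1)
        elif line == "bi-directional traffic export is on":
            info["bidirectional"] = True
        elif m := re.match(r"(Input|Output) IP Traffic Export Information\s+"
                           r"Packets/Bytes Exported\s+(\d+)/(\d+)", line):
            current = m.group(1).lower()
            info["directions"][current] = {
                "packets": int(m.group(2)), "bytes": int(m.group(3)), "dropped": 0}
        elif current and (m := re.match(r"Packets Dropped\s+(\d+)", line)):
            info["directions"][current]["dropped"] = int(m.group(1))
        elif m := re.match(r"Profile (\S+) is (\S+)", line):
            info["profile"], info["active"] = m.group(1), m.group(2) == "Active"
    return info

def findings(info):
    """Return the problems worth checking before trusting the capture."""
    out = []
    if not info["active"]:
        out.append("profile is not active")
    # Assumption: without `bidirectional`, only input traffic is expected.
    expected = ["input", "output"] if info["bidirectional"] else ["input"]
    for direction in expected:
        counters = info["directions"].get(direction)
        if counters is None or counters["packets"] == 0:
            out.append(f"no {direction} packets exported from {info.get('monitored')}")
        elif counters["dropped"]:
            out.append(f"{counters['dropped']} {direction} packets dropped")
    return out

if __name__ == "__main__":
    for problem in findings(parse_traffic_export(SAMPLE)):
        print(problem)
```

On the posted output this reports only the empty output direction: the profile is bidirectional, yet every exported packet was counted on input.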

Hi Vijay,

Nice job!  It looks to me that you are now sending all propagated packets to vlan 202 on which your VM resides.  This change must be bypassing the problem you saw when you were routing the packets to the service module rather than directly to the VM which was probably due to the fact that the propagated packets were not tagged with the vlan ID. I'm assuming that your VM is now receiving all packets, those propagated from the Gig0/1 interface and those being sent to the VM?  Since the propagated packets are being directed to the vlan, I think they must be tagged which would make them acceptable to the vswitch on ESXi and accessible to the VM.

Did that answer your question?

Thanks,

Brett

Hi Brett,
Thanks for your help! I understand things in the router better now. I tried different configurations and the result is we can monitor all tagged and untagged traffic.
 
Have a great weekend!
