Unable to SSH to VLAN IP After Creating Another VLAN Interface

nonamer15 (Level 1)

Below is the topology I have.

[image: topology.JPG]

From server1, I'm able to SSH to the VLAN2 IP of sw1. However, when I create a VLAN3 interface and assign an IP to it, I'm no longer able to SSH to the VLAN2 IP of sw1. I'm still able to reach it via ICMP, though. SSH/ICMP work no problem with VLAN3.

interface Vlan3
 ip address 10.1.3.241 255.255.255.0

Because I'm able to SSH to the VLAN2 IP of sw1 before the creation of the VLAN3 interface, I wouldn't think the firewall would be the issue as it allowed that traffic before. However, I'm seeing the below logs on the firewall:

%ASA-7-609001: Built local-host VLAN2:10.1.2.241
%ASA-6-302013: Built inbound TCP connection 5814 for VLAN3:10.1.3.1/14785 (10.1.3.1/14785) to VLAN2:10.1.2.241/22 (10.1.2.241/22)
%ASA-6-302014: Teardown TCP connection 5814 for VLAN3:10.1.3.1/14785 to VLAN2:10.1.2.241/22 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-7-609002: Teardown local-host VLAN2:10.1.2.241 duration 0:00:00
%ASA-6-106015: Deny TCP (no connection) from 10.1.3.1/14785 to 10.1.2.241/22 flags RST  on interface VLAN3

I'm not understanding why this connection is showing as being torn down on the firewall. SSH will start working again once I remove the IP of the VLAN3 interface, but I don't understand why assigning an IP to it creates a problem.

Below is the configuration of the firewall.

hostname fw1
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif INTERNET
 security-level 0
 ip address 192.168.1.222 255.255.255.0 
!
interface GigabitEthernet0/1
 description SW1; FA0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif VLAN2
 security-level 0
 ip address 10.1.2.254 255.255.255.0 
!
interface GigabitEthernet0/1.3
 vlan 3
 nameif VLAN3
 security-level 0
 ip address 10.1.3.254 255.255.255.0 
!
interface GigabitEthernet0/1.4
 vlan 4
 nameif VLAN4
 security-level 0
 ip address 10.1.4.254 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object-group network NAT-INSIDE-TO-OUTSIDE
 network-object 10.0.0.0 255.0.0.0
access-list FROM-VLAN2 extended permit icmp any any 
access-list FROM-VLAN2 extended permit tcp any 10.1.3.0 255.255.255.0 eq ssh 
access-list FROM-VLAN2 extended deny ip any any log errors 
access-list FROM-VLAN3 extended permit icmp any any 
access-list FROM-VLAN3 extended permit tcp any any eq ssh 
access-list FROM-VLAN3 extended deny ip any any log errors 
access-list FROM-INTERNET extended deny ip any any log errors interval 1 
access-list FROM-VLAN4 remark * PERMIT ALL ICMP *
access-list FROM-VLAN4 extended permit icmp any any 
access-list FROM-VLAN4 extended deny ip any any log errors interval 1 
pager lines 24
logging enable
logging buffer-size 500000
logging console warnings
logging monitor errors
logging buffered warnings
mtu INTERNET 1500
mtu VLAN2 1500
mtu VLAN3 1500
mtu VLAN4 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (VLAN2,INTERNET) source dynamic NAT-INSIDE-TO-OUTSIDE interface
nat (VLAN3,INTERNET) source dynamic NAT-INSIDE-TO-OUTSIDE interface
nat (VLAN4,INTERNET) source dynamic NAT-INSIDE-TO-OUTSIDE interface
access-group FROM-INTERNET in interface INTERNET
access-group FROM-VLAN2 in interface VLAN2
access-group FROM-VLAN3 in interface VLAN3
access-group FROM-VLAN4 in interface VLAN4
route INTERNET 0.0.0.0 0.0.0.0 192.168.1.254 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 VLAN2
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

Any help is appreciated. Thanks.

5 Replies

From my understanding you are creating the VLAN 3 interface on switch 1.  When you do this you are routing directly between VLAN 2 and 3 on switch one.  If you have set the default gateway on server1 to be the ASA5520 you have created an asynchronous routing situation and the ASA will drop the traffic by default.

How I see it you have 4 options to get this working:

1. If your L3 switch (switch1) supports VRFs, create a VRF and place VLAN 3 interface into this VRF

2. Enable TCP bypass on the ASA

3. Move the default gateway of server 1 to the VLAN 3 IP of switch 1

4. Remove VLAN 3 interface from switch 1 and just use ASA for routing between the VLANs.

--
Please remember to select a correct answer and rate helpful posts
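One way to pick the signature from the question's ASA log out of syslog automatically. This is an added example, not code from the thread or from Cisco; the heuristic it applies (a 302013 build, a 302014 teardown with bytes 0 and TCP Reset-O, and a 106015 RST for the same 4-tuple) is this example's own assumption about what an asymmetric reply path looks like from the firewall's side, not a documented rule.

```python
import re

# ASA syslog lines copied from the question above; they are the constructed
# sample input for this example.
SAMPLE_LOGS = """\
%ASA-7-609001: Built local-host VLAN2:10.1.2.241
%ASA-6-302013: Built inbound TCP connection 5814 for VLAN3:10.1.3.1/14785 (10.1.3.1/14785) to VLAN2:10.1.2.241/22 (10.1.2.241/22)
%ASA-6-302014: Teardown TCP connection 5814 for VLAN3:10.1.3.1/14785 to VLAN2:10.1.2.241/22 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-7-609002: Teardown local-host VLAN2:10.1.2.241 duration 0:00:00
%ASA-6-106015: Deny TCP (no connection) from 10.1.3.1/14785 to 10.1.2.241/22 flags RST  on interface VLAN3
"""

# 302013: a TCP connection entry was built (the ASA saw the client's SYN).
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)
# 302014: the entry was torn down, with duration, byte count and reason.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for [\w-]+:[\d.]+/\d+ "
    r"to [\w-]+:[\d.]+/\d+ duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
# 106015: a TCP packet arrived for which the ASA holds no connection entry.
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>[\w-]+)"
)


def find_asymmetric_suspects(lines):
    """Correlate build/teardown/deny messages per connection id and flag the
    pattern from the question: the ASA tracked the client's SYN, never saw a
    payload byte, the entry ended with a reset from the originator (Reset-O),
    and a further RST for the same 4-tuple arrived with no connection.  That
    is consistent with the server's reply having taken a path around the
    firewall, as the reply above describes."""
    conns, denies = {}, []
    for line in lines:
        if m := BUILT_RE.search(line):
            conns[m["id"]] = m.groupdict()
        elif (m := TEARDOWN_RE.search(line)) and m["id"] in conns:
            conns[m["id"]].update(duration=m["dur"], bytes=int(m["bytes"]),
                                  reason=m["reason"])
        elif m := DENY_RE.search(line):
            denies.append(m.groupdict())

    findings = []
    for cid, c in conns.items():
        if c.get("bytes") != 0 or c.get("reason") != "TCP Reset-O":
            continue
        stray_rst = any(
            d["src"] == c["src"] and d["sport"] == c["sport"]
            and d["dst"] == c["dst"] and d["dport"] == c["dport"]
            and "RST" in d["flags"].split()
            for d in denies
        )
        findings.append({
            "conn_id": cid,
            "client": f'{c["src"]}:{c["sport"]} ({c["src_if"]})',
            "server": f'{c["dst"]}:{c["dport"]} ({c["dst_if"]})',
            "duration": c["duration"],
            "stray_rst_seen": stray_rst,
            "verdict": ("handshake reply likely bypassed the firewall"
                        if stray_rst else "client reset before any data"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_asymmetric_suspects(SAMPLE_LOGS.splitlines()):
        print(finding)
```

Running it against the five lines above yields one finding for connection 5814 from 10.1.3.1:14785 on VLAN3 to 10.1.2.241:22 on VLAN2 with the stray RST seen.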

Thanks for the response. You are correct. Server1's default gateway is fw1. In regards to asynchronous routing, I would think that would only be a problem if sw1 was a L3 switch. In this case, when an SSH session is initiated by server1, this packet would hit fw1 as that is server1's default gateway. The ACLs on fw1 would allow this traffic and route it to sw1 via VLAN2. When sw1 replied, it would have a route to server1, and would send the packet directly to server1, bypassing the firewall.

I guess I was under the assumption that if I issued the command no ip routing, even though sw1 has multiple L3 interfaces, it would still operate at L2 and send all traffic to its default gateway. Is this assumption incorrect? A show ip route only has a default gateway.

sw1#sh ip route
Default gateway is 10.1.2.254

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

Below is the configuration of sw1 as well.

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname sw1
!
boot-start-marker
boot-end-marker
!
logging buffered 500000
!
aaa new-model
!
!
!
!
!         
!
!
!
aaa session-id common
system mtu routing 1500
vtp mode off
no ip source-route
no ip domain-lookup
ip domain-name lab.com
!
!
login block-for 300 attempts 5 within 300
login on-failure log
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2    
!
vlan 3
!
vlan 4
lldp run
!
ip ssh version 2
!
! 
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/1
 description FW1; GI0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 description SW2; GI0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport trunk allowed vlan 2-4
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/3
 description SW3; GI0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport trunk allowed vlan 2
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!         
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 shutdown 
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 10.1.2.241 255.255.255.0
 no ip redirects
!
interface Vlan3
 ip address 10.1.3.241 255.255.255.0
 no ip redirects
!
ip default-gateway 10.1.2.254
no ip http server
no ip http secure-server
!
!
ip access-list extended ACCESS-ROUTER
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny   ip any any log
!
no cdp run
!         
!
!
no vstack
!
line con 0
 exec-timeout 720 0
 logging synchronous
line vty 0 4
 access-class ACCESS-ROUTER in
 exec-timeout 720 0
 logging synchronous
 transport input ssh
line vty 5 15
 access-class ACCESS-ROUTER in
 exec-timeout 720 0
 logging synchronous
 transport input ssh
!
end

Hi,

I just tested this and got the same result.  It would seem that routing between VLANs is still allowed as long as there are VLAN interfaces configured.  no ip routing seems to only disable dynamic routing.

--
Please remember to select a correct answer and rate helpful posts

Would just like to add that my test was done in a virtual environment, so it would be interesting to see if the same result occurs in an environment with hardware.

--
Please remember to select a correct answer and rate helpful posts

 It would seem that routing between VLANs is still allowed as long as there are VLAN interfaces configured.  no ip routing seems to only disable dynamic routing.

I'm not sure this is true. You said you tested in a virtual environment and I've done some testing with Cisco dCloud (also virtual). We should get the same results, but what you're saying is different than what I'm seeing. Below is the topology.

[image: dcloud.JPG]

In this scenario, sw4/5 are configured as hosts with no switchport. Below are the configurations.

---sw1---
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname sw1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!         
no ip routing
!
!
!
no ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!         
!
!
!
!
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport mode trunk
 switchport nonegotiate
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport mode trunk
 switchport nonegotiate
 media-type rj45
 negotiation auto
!
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
 no ip route-cache
!
interface Vlan3
 ip address 10.1.3.1 255.255.255.0
 no ip route-cache
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!         
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
end



---sw2---
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname sw2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!         
no ip routing
!
!
!
no ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!         
!
!
!
!
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport mode trunk
 switchport nonegotiate
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
!         
interface Vlan2
 ip address 10.1.2.2 255.255.255.0
!
ip default-gateway 10.1.2.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
end



---sw3---
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname sw3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!         
no ip routing
!
!
!
no ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!         
!
!
!
!
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport mode trunk
 switchport nonegotiate
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport access vlan 3
 switchport mode access
 media-type rj45
 negotiation auto
!         
interface Vlan3
 ip address 10.1.3.2 255.255.255.0
!
ip default-gateway 10.1.3.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
end



---sw4---
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname sw4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!         
no ip routing
!
!
!
no ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!         
!
!
!
!
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 no switchport
 ip address 10.1.2.3 255.255.255.0
 negotiation auto
!
ip default-gateway 10.1.2.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!         
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
end



---sw5---
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname sw5
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!         
no ip routing
!
!
!
no ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!         
!
!
!
!
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 no switchport
 ip address 10.1.3.3 255.255.255.0
 negotiation auto
!
ip default-gateway 10.1.3.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!         
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
end

With this, sw2 and sw4 are unable to reach sw3 and sw5. Likewise, sw3 and sw5 are unable to reach sw2 and sw4. So inter-VLAN routing does not work simply because sw1 has L3 interfaces in both VLANs. What is strange to me is that sw2 and sw4 are able to reach sw1's VLAN3 interface. Likewise, sw3 and sw5 are able to reach sw1's VLAN2 interface. I would expect that traffic to be treated no differently, but apparently it isn't.

After this, if I issue ip routing on sw1, everyone is able to reach everyone else as expected.

So looking at the original topology, I'm still not understanding why creating the VLAN3 interface on sw1 creates a problem. Based on the dCloud example, sw1 should still send this traffic back to fw1, so there shouldn't be an asynchronous routing problem.
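A small model that reproduces both sets of observations in this thread (the dCloud results and the original topology). It is an added example, not from the thread or from Cisco, and it assumes a simplified host-mode behaviour for a switch with no ip routing: traffic the switch sources itself leaves directly via an SVI whose subnet contains the destination and goes to ip default-gateway otherwise, while transit traffic between SVIs is forwarded only with ip routing enabled. The addresses come from the posted configs; server1 at 10.1.3.1 is taken from the ASA log in the question.

```python
from ipaddress import ip_address, ip_interface


class IosHostModeSwitch:
    """Simplified model (an assumption of this example) of an IOS switch that
    has SVIs but 'no ip routing': it forwards like an IP host, not a router."""

    def __init__(self, name, svis, default_gateway=None, ip_routing=False):
        self.name = name
        # svis: {"Vlan2": "10.1.2.241/24", ...} as in the posted configs
        self.svis = {iface: ip_interface(cidr) for iface, cidr in svis.items()}
        self.default_gateway = default_gateway
        self.ip_routing = ip_routing

    def is_own_address(self, dst):
        return any(ip_address(dst) == svi.ip for svi in self.svis.values())

    def egress_for(self, dst):
        """Next hop for a packet the switch itself sends to dst: a connected
        SVI if the destination is on its subnet, else the default gateway."""
        dst = ip_address(dst)
        for iface, svi in self.svis.items():
            if dst in svi.network:
                return ("direct", iface)
        if self.default_gateway is None:
            return ("unreachable", None)
        return ("gateway", self.default_gateway)

    def delivers(self, src, dst):
        """Can a packet from src (on a connected VLAN) that arrives at the
        switch reach dst?  The switch's own addresses are handled locally;
        anything else is transit and needs 'ip routing'."""
        if not any(ip_address(src) in svi.network for svi in self.svis.values()):
            return False
        if self.is_own_address(dst):
            return True
        if not self.ip_routing:
            return False
        return self.egress_for(dst)[0] == "direct"


def sw1_reply_path(vlan3_svi):
    """Original topology: where sw1 sends its SSH reply back to server1
    (10.1.3.1), with and without the Vlan3 SVI from the question."""
    svis = {"Vlan2": "10.1.2.241/24"}
    if vlan3_svi:
        svis["Vlan3"] = "10.1.3.241/24"
    sw1 = IosHostModeSwitch("sw1", svis, default_gateway="10.1.2.254")
    return sw1.egress_for("10.1.3.1")


def dcloud_reachable(src, dst, ip_routing=False):
    """dCloud topology: sw1 has SVIs 10.1.2.1/24 and 10.1.3.1/24 and no
    default gateway; sw2 is 10.1.2.2 and sw3 is 10.1.3.2."""
    sw1 = IosHostModeSwitch("sw1", {"Vlan2": "10.1.2.1/24", "Vlan3": "10.1.3.1/24"},
                            ip_routing=ip_routing)
    return sw1.delivers(src, dst)


if __name__ == "__main__":
    # Only Vlan2: the reply goes to fw1, the same path the SYN took.
    print("sw1 -> server1, Vlan2 only :", sw1_reply_path(False))
    # Vlan2 + Vlan3: the reply leaves Vlan3 directly and never passes fw1.
    print("sw1 -> server1, with Vlan3 :", sw1_reply_path(True))
    print("sw2 -> sw1 Vlan3 IP        :", dcloud_reachable("10.1.2.2", "10.1.3.1"))
    print("sw2 -> sw3, no ip routing  :", dcloud_reachable("10.1.2.2", "10.1.3.2"))
    print("sw2 -> sw3, ip routing     :", dcloud_reachable("10.1.2.2", "10.1.3.2", True))
```

In this model the dCloud test and the original problem are the same behaviour seen from two sides: sw1 does not route between VLANs for others, but when it answers a host on a subnet it is directly attached to, it answers on that subnet rather than via fw1.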
