
3750g in L2 mode allows routing between Vlans

dmoorefnlc
Level 1

I have a 3750G running in L2 mode. IP routing is not enabled, no default gateways. This is a test switch.

interface Vlan252
 description TermServices Vlan 10.120.252.0 /24
 ip address 10.120.252.3 255.255.255.0
 no ip route-cache
 standby 252 ip 10.120.252.1
 standby 252 priority 101
 standby 252 preempt
!
interface Vlan255
 description Firewall VLAN
 ip address 10.120.255.3 255.255.255.0
 no ip route-cache
 standby 255 ip 10.120.255.1
 standby 255 priority 101
 standby 255 preempt

I put a laptop on Vlan 252 with IP of 10.120.252.250 and it can ping my Vlan255 interface ip of 10.120.255.1.

I have "switchport access vlan 252" assigned to a gig interface the laptop uses.

Thought this wasn't possible in L2 mode? If IP routing was enabled yep, devices on vlan 252 could ping across vlans.

What am I missing here? Again "ip routing" is not enabled.


Richard Burts
Hall of Fame

Doug

I am not clear about what you are saying. When you say ip routing is not enabled do you mean that you have configured "no ip routing"? Or do you mean something else?

Are you saying that IP routing is not enabled because you do not see it in the config and you have not configured a default gateway or a routing protocol? IP routing does not require a default gateway or a dynamic routing protocol to route between VLANs (subnets) on the same box. They are only required to route to remote destinations. Routing is enabled by default and will not show up in the config.

You say it is operating in L2 mode, but you have created two layer three interfaces. From my perspective creating the interface vlan 252 and interface vlan 255 puts it into layer 3 mode. The default behavior is to route between them. The way to stop this is to configure no ip routing. (If that is what you really want to do.)

HTH

Rick


IP routing is enabled by default on 3750s. When 2 interfaces are on the same switch the routing will show connected networks. If the devices have this switch configured as default gateway in their IP settings then the switch will route the packets across the interfaces. Please attach a show run and remove passwords.

This is the same switch I am having problems with trunking to the ProCurve 4104gl. I noticed that IP routing wasn't enabled on my 3750G. I issued the command "ip routing" and my trunking had issues to the ProCurve. So checking the 3750G for unusual behaviour. Unplugged the ProCurve and started testing with my TAC engineer and this is what we have found so far.

I am saying that issuing:

Config t

no ip routing

Turning off ip routing, I can still ping from a laptop on vlan 252 to vlan 255 interface on the 3750g which is 10.120.255.1

So, L3 is turned off, laptop on L2 vlan 252 can ping device on L2 Vlan 255

I thought this was not possible in L2 only mode.

Doug

Thanks for clarifying. With no ip routing configured you should certainly be operating in layer 2 mode.

I think the behavior you describe is normal - and I am not sure that we can say that it really crosses VLANs. I believe this is what is happening:

- laptop in VLAN 252 sends ping to 10.120.255.1. Since this is a remote address the laptop forwards the ping to its default gateway which is the VLAN 252 address.

- the ping is received on VLAN 252 interface.

- since the destination address of the ping is a local address the ping packet is sent to the CPU of the 3750 for processing.

- the CPU of the 3750 generates a response and sends it to the PC address.

- the response is sent to VLAN 252 interface which forwards it to the laptop.

If you test and tell me that the laptop in VLAN 252 can ping to addresses of other devices through the VLAN 255 interface, then I will agree that it is crossing VLANs and that you have a very weird problem. But to be able to ping another interface on the 3750 I believe is not a problem.

HTH

Rick


Rick

Right on the money.

Finally got 2 pcs 10.120.255.250 and 10.120.252.250, with L2, neither could ping each other

enabled ip routing, did a reboot, both could ping across vlans.
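
Added example (not part of the thread and not IOS code): a simplified Python model of the behaviour Rick describes and Doug's last test confirms, showing why the switch's own SVI addresses answer from any VLAN even with "no ip routing" while host-to-host traffic between VLANs does not pass. The names `SVIS`, `handle` and `run_tests` are hypothetical, and the model assumes this switch is the active HSRP router for both virtual addresses.

```python
import ipaddress

# Simplified model of the thread's switch. Addresses come from the config in
# the first post; each SVI owns its interface IP and its HSRP virtual IP
# (assumption: this switch is the active HSRP router for both groups).
SVIS = {
    252: {"net": "10.120.252.0/24", "own": {"10.120.252.3", "10.120.252.1"}},
    255: {"net": "10.120.255.0/24", "own": {"10.120.255.3", "10.120.255.1"}},
}


def handle(dst: str, ingress_vlan: int, ip_routing: bool) -> str:
    """Classify a packet a host on ingress_vlan sent to the switch as its gateway.

    Returns LOCAL (answered by the switch CPU), ROUTED (forwarded into another
    VLAN) or DROP.
    """
    if ingress_vlan not in SVIS:
        raise ValueError(f"no SVI for VLAN {ingress_vlan}")
    addr = ipaddress.ip_address(dst)

    # Step 1: the destination is one of the switch's own addresses, on any SVI.
    # The packet goes to the CPU, which replies out of the ingress VLAN.
    # Nothing is forwarded between VLANs, so this works with routing disabled.
    for svi in SVIS.values():
        if str(addr) in svi["own"]:
            return "LOCAL"

    # Step 2: the destination is another device. Only a router forwards it.
    if not ip_routing:
        return "DROP"
    for vlan, svi in SVIS.items():
        if vlan != ingress_vlan and addr in ipaddress.ip_network(svi["net"]):
            return "ROUTED"
    return "DROP"  # no connected route for this destination


def run_tests() -> dict:
    """Replay the three tests reported in the thread."""
    return {
        "laptop -> Vlan255 SVI, no ip routing": handle("10.120.255.1", 252, False),
        "PC -> PC across VLANs, no ip routing": handle("10.120.255.250", 252, False),
        "PC -> PC across VLANs, ip routing": handle("10.120.255.250", 252, True),
    }


if __name__ == "__main__":
    for name, result in run_tests().items():
        print(f"{name}: {result}")
```

The LOCAL case is the point to remember when VLANs are used for segmentation: every IP address configured on the switch itself stays reachable from any VLAN that can reach one of its SVIs, whether or not "ip routing" is on.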
