After configuring routing between VLANs, reachability outcomes vary

guhanece
Level 1

guhanece_0-1747670616623.png

With reference to the above topology involving access VLANs:

Generally, it is well defined and understood that routing is required to switch and reach the traffic between 2 different VLANs.

So, I defined the static route / default route (in this example, I am using a default route):

ip route 0.0.0.0 0.0.0.0 vlan 200 - on Switch-FIRST

ip route 0.0.0.0 0.0.0.0 vlan 100 - on Switch-SECOND

ip route 0.0.0.0 0.0.0.0 192.168.1.10 - on Switch-SECOND

With the above topology, from "Switch-SECOND" I am able to successfully reach 172.10.1.1 (the L3 interface connected on Switch-FIRST).

But I am unable to reach 192.168.2.10, which is assigned to VLAN200.

Kindly justify: even after adding a static route using Vlan100 and the next-hop IP (192.168.1.10), I am unable to ping 192.168.2.10 successfully from "Switch-SECOND".

With Catalyst devices a solution is achievable:

I identified that it works by creating "dot1Q encapsulation" on Switch-FIRST and keeping Switch-FIRST and Switch-SECOND in the same trunk mode:

Reachability from VLAN100 on Switch-SECOND to VLAN200 on Switch-FIRST is achievable by assigning "encapsulation dot1q 100" on Fa0/2 of Switch-FIRST, and "switchport mode trunk" on the link between Switch-FIRST and Switch-SECOND.

Insightful findings:

In spite of understanding that "routing is enough to provide between VLANs", it should be understood that "routing can be provided between VLANs considering the required VLANs are allowed in trunk mode (or SVI VLANs in trunk mode)" to allow the traffic to the connected "SVI interface IP" (which is the destination IP address).

Kindly correct me: are my insightful findings correct, or is the right understanding different?

Attached are the Switch-FIRST, Switch-SECOND, and intermediate Switch0 configurations:

Switch-FIRST#show ip interface brief | inc up
FastEthernet0/1 unassigned YES unset up up
FastEthernet0/2 unassigned YES unset up up
FastEthernet0/3 172.10.1.1 YES manual up up
Vlan100 192.168.1.10 YES manual up up
Vlan200 192.168.2.10 YES manual up up
Switch-FIRST#

!
interface Vlan100
 mac-address 0040.0b66.d101
 ip address 192.168.1.10 255.255.255.0
!
interface Vlan200
 mac-address 0040.0b66.d102
 ip address 192.168.2.10 255.255.255.0
!
ip classless
ip route 192.168.2.0 255.255.255.0 Vlan200
!
ip flow-export version 9
!

Switch-SECOND#show ip interface brief | inc up
FastEthernet0/1 unassigned YES unset up up
FastEthernet0/2 unassigned YES unset up up
Vlan100 192.168.1.20 YES manual up up
Vlan200 192.168.2.20 YES manual up up
Switch-SECOND#

!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 200
 switchport mode access
!

Switch0:

hostname Switch0
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
!

Accepted Solutions

fracjackmac
Level 1

Hello @guhanece,

A few observations:

First, the "switchport mode access" configuration command is typically used on interfaces that connect exclusively to end devices.

Second, when you connect network infrastructure devices together using Layer 2 interfaces, you would typically use trunk interfaces ("switchport trunk encapsulation dot1q" + "switchport mode trunk") if you plan to distribute more than one VLAN across multiple switches.

For example, on Switch-SECOND, you might want to change the config on Fa0/1:

config t
interface fa0/1
no switchport access vlan 100
switchport trunk encapsulation dot1q
switchport mode trunk
end

Switch0 would need similar config changes on both interfaces Fa0/1 and Fa0/2 so that traffic for both VLAN 100 and VLAN 200 can move back and forth between Switch-FIRST and Switch-SECOND.

Interface Fa0/2 on Switch-FIRST would also need to be converted from an access port to a trunk port.

Third, the reason you are able to ping 172.10.1.2 from Switch-SECOND:

1) ip route 0.0.0.0 0.0.0.0 vlan 100 tells the management host on Switch-SECOND that EVERYTHING that is not directly connected can be reached by sending traffic out interface Fa0/1, which is using vlan 100 and an IP address of 192.168.1.20.

2) When 172.10.1.2 is sent a ping request from Switch-SECOND, the management host, using a source address of 192.168.1.20, uses the default route to send the traffic out interface Fa0/1.

3) When the traffic gets to Switch0, Switch0 simply takes the incoming traffic for vlan 100 and floods it out ALL interfaces that are part of vlan 100 except the interface that the traffic came in on.
NOTE: The switch does not "own" the destination IP address, so the traffic is forwarded using the "U" (Unknown Unicast) in the Layer 2 BUM rules. This gets the traffic to Switch-FIRST without the need for any routes on Switch0.

4) Switch-FIRST sees the incoming destination address, recognizes that it has a directly connected host on Fa0/3 with that address, and sends the traffic out Fa0/3 to PC2.
NOTE: Since no vlan is mentioned for interface Fa0/3 and there is an IP address assigned, the route table should have a connected route that allows the traffic to be forwarded.

5) PC2 uses its default gateway (172.10.1.1) to reply to the ping request from Switch-SECOND.
NOTE: Since the destination address for the ping reply is in a known subnet (vlan 100), Switch-FIRST will send an ARP request out the Fa0/2 interface and receive an ARP reply from Switch-SECOND, so no Layer 3 routing is required to get the traffic back to Switch-SECOND.

Fourth, if the ping was initiated from PC1, there would be no reply because the source address of 192.168.2.40 is part of vlan 200. Traffic leaving PC2, destined for a vlan 200 subnet, would be flooded out all vlan 200 interfaces on Switch-FIRST, but since there is no interface to Switch0 that allows vlan 200 traffic, there is no path back to PC1.

Recall that the default route is ONLY used when there is no other route available.


Happy networking!!!

 

@@ittybittypacket

 


Joseph W. Doherty
Hall of Fame

BTW, generally it's poor practice to not use a next hop IP for any static route, especially a default route.

The latter, when going to the Internet, often creates an ARP table so large that it will exhaust a router's memory.
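
An added example (not code from this thread or from Cisco) that covers both the accepted answer's access-versus-trunk point and the reply above about static routes without a next hop: it parses constructed IOS-style excerpts, computes which VLANs every port on the Layer 2 path between Switch-SECOND and Switch-FIRST carries, and lists static routes that end in an interface name. Assumptions: the cabling order in PATH, Switch-FIRST Fa0/2 being an access port in VLAN 100, and all function names.

```python
import re

# Constructed excerpts in the style of the configs posted in this thread. Assumed:
# Switch-FIRST Fa0/2 (not shown above) is an access port in VLAN 100; PATH cabling.
ACCESS_100 = "interface {}\n switchport access vlan 100\n switchport mode access\n!\n"
CONFIGS = {
    "Switch-SECOND": ACCESS_100.format("FastEthernet0/1")
    + "ip route 0.0.0.0 0.0.0.0 Vlan100\nip route 0.0.0.0 0.0.0.0 192.168.1.10\n",
    "Switch0": ACCESS_100.format("FastEthernet0/1") + ACCESS_100.format("FastEthernet0/2"),
    "Switch-FIRST": ACCESS_100.format("FastEthernet0/2"),
}
PATH = [("Switch-SECOND", "FastEthernet0/1"), ("Switch0", "FastEthernet0/1"),
        ("Switch0", "FastEthernet0/2"), ("Switch-FIRST", "FastEthernet0/2")]

def expand(spec):  # "100,200-202" -> {100, 200, 201, 202}
    bounds = [part.split("-") for part in spec.split(",")]
    return {v for b in bounds for v in range(int(b[0]), int(b[-1]) + 1)}

def port_vlans(config):
    """Map each Layer 2 port to the set of VLANs it carries."""
    ports = {}
    for stanza in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", stanza, re.M)
        if not name or "switchport" not in stanza:
            continue  # SVIs, routed ports and global config
        allowed = re.search(r"trunk allowed vlan ([\d,-]+)", stanza)
        access = re.search(r"switchport access vlan (\d+)", stanza)
        if "switchport mode trunk" not in stanza:
            vlans = {int(access.group(1))} if access else {1}  # default VLAN 1
        else:  # a trunk with no allowed list carries every VLAN
            vlans = expand(allowed.group(1)) if allowed else set(range(1, 4095))
        ports[name.group(1)] = vlans
    return ports

def carried_end_to_end(configs, path):
    """VLANs carried by every port along the Layer 2 path."""
    return set.intersection(*(port_vlans(configs[sw])[port] for sw, port in path))

def interface_only_routes(config):  # static routes ending in an interface, not a next hop
    routes = re.findall(r"^ip route .+$", config, re.M)
    return [r for r in routes if not re.fullmatch(r"[\d.]+", r.split()[-1])]

def as_trunks(configs):  # the accepted answer's access-to-trunk change, on every port
    pattern = r" switchport access vlan \d+\n switchport mode access"
    return {sw: re.sub(pattern, " switchport mode trunk", c) for sw, c in configs.items()}

if __name__ == "__main__":
    print("access ports carry:", carried_end_to_end(CONFIGS, PATH))
    print("trunks carry VLAN 200:", 200 in carried_end_to_end(as_trunks(CONFIGS), PATH))
```

With the access-port settings only VLAN 100 is carried across Switch0; VLAN 200 is carried once the ports on the path are trunks.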