Re: Can only ping 1/2 the hosts on a subnet.

dshowell · ‎01-13-2023

I have a Catalyst 9606 with several SVIs in the same vrf (interface vlan 5 and 10). I have a Catalyst 9300 connected to that 9606. There is a layer 2 LACP trunk between the 2, allowing VLAN 5 (VLAN 10 goes to a different switch). The 9300 has 20 or so users/servers on it. They are all in the same VLAN (5). If I source a ping from interface vlan 5 on the 9606, I can ping all of the hosts. If I source a ping from vlan 10 on the 9600 (same vrf as vlan 5), only about half of them respond. It is hit and miss as to what responds and what doesn't. For example .160-174 and .190-205 do not respond. However, .176-185 do respond. It is a x.x.x.128/25 network. I am thinking it is a default gateway or subnet mask misconfiguration on the servers. But am trying to rule anything else out.

Oddly enough, this same 9300 switch was recently migrated off an ASR. When it was connected to that router everything was pingable within the vrf. The L3 part on the ASR was port-channel1.5, with encapsulation dot1q 5. I am not sure if the ASR has some default configuration running in the background that would still allow connectivity, that the 9606 does not have.

MHM Cisco World · ‎01-13-2023

half user ? half meaning there is pair of service here,
are you using HSRP and config the interface of HSRP peer as GW in DHCP server ??

dshowell · ‎01-13-2023

I am not using HSRP. What I mean by 1/2 the hosts, is that I can ping some of the addresses on that subnet, when sourcing the ping from a different SVI in the same vrf. However, when I source the ping from the default gateway of the vlan that the hosts are on, I can ping them all.

MHM Cisco World · ‎01-13-2023

OK,
first smart step is check the reachability via
traceroute,
check where the traceroute stop.
share here please

dshowell · ‎01-16-2023

When I traceroute from another SVI on the same vrf some of the hosts show one hop, to the host. Others show no hops and just star out. I can't attach the output, as it is on a segregated network.

MHM Cisco World · ‎01-16-2023

so check non-work host, are get right IP (same subnet/mask) as other work host ?

balaji.bandi · ‎01-13-2023

post the config example to look at and post the example output you think is wrong.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

dshowell · ‎01-13-2023

I can't post the config or any other output. It is on a segregated network. Sorry. I am really just wondering if anyone can think of a reason, other than a host misconfiguration, where I would only be able to ping half the hosts on a subnet, from another network on the same vrf.

Giuseppe Larosa · ‎01-16-2023

Hello @dshowell ,

>> I am not sure if the ASR has some default configuration running in the background that would still allow connectivity, that the 9606 does not have.

check with

show ip interface port1.5

on the ASR if proxy ARP was enabled on it

Proxy ARP can fix the issue of servers with a wrong less specific subnet mask when they ARP for a destination that they think is in the same subnet but actually it is not.

With proxy ARP enabled the network device answers to out of context ARP requests providing its own MAC address making the communication possible

Hope to help

Giuseppe

MHM Cisco World · ‎01-16-2023

I think same, but that meaning that all host can ping outside there subnet,
here he have half,
so I think issue in IP assign to non-work hosts.

dshowell · ‎01-16-2023

When they were connected to the ASR, I was able to ping all of them from outside their network from the same vrf. Now that they are on the 9600, I am only able to ping half of them from outside their network, but from the same vrf. So, the proxy arp idea would be what I would lean toward, if it was running on the ASR but no the 9600. However, it is running on both. So, I am leaning toward a misconfigured DG or subnet mask on the hosts.

dshowell · ‎01-16-2023

Thanks. I was thinking the same thing. The ASR was running ip proxy-arp. So is the 9600. So, I think it is either another default configuration or technology on the ASR, that the 9600 does not have or is not running. Or, it is a misconfigured subnet mask or default gateway on the hosts (servers). I am having the desktop folks check the configurations. However, the ip addresses that they can't get to are the iLO addresses of the servers. So, that might be problematic.

MHM Cisco World · ‎01-16-2023

I think the issue is

VLAN assign to port
VLAN dynamic assign to Port via 802.1x
or
you use op82 for dhcp server

dshowell · ‎01-16-2023

The VLAN on the port is fine. All the ports on the switch are access ports in vlan 5, except the uplink to the 9600, which is a trunk port that is dot1q tagging the vlan traffic. We are not running 802.1x. The hosts have statically assigned IP addresses. We are not using DHCP for that subnet.

MHM Cisco World · ‎01-16-2023

do this two steps
show mac address vlan 5 <<- in 9300 check the mac address
show mac address vlan 5 <<- in 9600 check the mac address (you learn from first step) is seen in trunk port.