
Can't ping directly connected device.

jorgeborges
Level 1

I have a Cisco 2960 which is directly connected to a Windows machine, but I can't ping the machine or vice versa. The MAC address of the Windows machine does show up in the MAC table of the 2960.

Pings come back as unreachable. Is there anything this could be besides a bad cable or misconfiguration on the Windows machine?

I have attached the configs of the 2960; the port in question is 0/40 and the VLAN is 900.


When we moved we connected to a different distro-layer switch but the same core switch.

The switch can ping its gateway and traceroutes don't show much of anything.

On the firewall there is a separate physical connection to an L3 switch - this is the distro layer switch that the access switch was connected to before the move.

Pings from the machine say destination host unreachable.

When we ping from the Windows machine, I do see the traffic reach the gateway (firewall).

Okay, I am confused now.

Are the distribution switches doing routing between VLANs, i.e. I know not for the machine IP subnet but for other VLANs?

If they are, then which distribution switch has the 2960 default gateway IP?

Jon

The access switch's default gateway is the core switch, but a "show cdp neigh" on the access switch just shows a distribution switch so I guess the packets will go there first.

The path from the core switch to the firewall appears to go through another distro switch before hitting the firewall. If I look up the route to the Windows machine or the firewall's VLAN 900 interface (the Windows machine is in VLAN 900), it says "network not in table".

I'm not sure if the core switch needs a route added or not.

So it sounds like your distribution switches are not L3 or at least some of them aren't which is unusual.

Does the core switch have a default route and where does that point to?

You shouldn't really be thinking about adding routes to anything until you understand how everything works at the moment.

I feel like I am troubleshooting in the dark, i.e. you keep telling me about different switches which you haven't mentioned before.

You should be drawing this out as you go along, showing where the routing is taking place etc.

You need to be systematic, i.e. we know the machine uses the firewall as its default gateway.

So you need to work out how packets from your 2960 would get to the firewall.

So far you have got to the core switch.

Now you need to work out how the core switch would forward a packet to the machine's IP subnet.

It doesn't have a route for the machine IP subnet but it will probably have a default route. You need to follow that and see what the next hop is.

It may be the distribution switch it connects to is only L2 so no need to look there, but if it is L3 you need to look in that switch's routing table as well.

Let me know what you find.

Jon

 

The core switch does not have a default route.

 

Then it isn't going to work.

How did it work before though?

Jon

That's what I'm trying to figure out and why I haven't wanted to change anything.

I think I may be getting bad information about how it was working before.

 

Yes, it sounds like you may well have.

I understand your reluctance to change things without understanding and that's definitely the right approach.

Obviously I don't have access to your network but if you are absolutely sure that the 2960's default gateway is on the core switch and that switch doesn't have either -

1) a route to the machine's subnet

or

2) a default route

then I can't see how it is ever going to work without you adding a route.

Jon

I just wanted to apologise if I came across a bit too harshly or patronisingly.

It was not intended that way.

Jon

Not at all, you've been very helpful.

So I added a route to the core switch for this machine's subnet and pointed it at the firewall. I can see pings from the Windows machine reach the firewall but the pings are still unsuccessful.

Will Cisco routers do a route lookup on return traffic or will they just return traffic out the interface it came in on?

Will Cisco routers do a route lookup on return traffic or will they just return traffic out the interface it came in on?

Routers always do a route lookup on any packets they receive.

The route you added to the core switch, was the next hop IP the firewall, i.e. you said there was a distribution switch between the core switch and the firewall, is this switch just a L2 switch?

If so then it looks like routing is in place now.

So it comes down to the firewall and how traffic is handled there.

I remember you said the core switch's path and the machine's path to the firewall end up on different interfaces so it could be to do with how the firewall is routing between interfaces.

Do you know which interfaces were involved before the move on the firewall?

Jon

Yes, the route I added was on the core switch with the gateway as the firewall management IP. The IP I'm trying to reach is the VLAN 900 IP (workstation is in VLAN 900).

If I do a debug on the firewall I see that pings from the workstation do reach it.

I actually know a lot more about Juniper Netscreens than Cisco and I don't see anything wrong with its configuration.

I actually know a lot more about Juniper Netscreens

That's good because I don't :-)

So just to recap -

1) if you ping from the Windows machines you see the pings arriving at the firewall

and

2) if you ping from the 2960 switch you see pings arriving at the firewall

Is that correct?

If so then do you see packets leaving the firewall being sent on?

Jon

1. No. I think I did say that I could see the pings, but I can't.

2. Yes they arrive at the firewall from the 2960, but on the wrong interface (just noticed this).

I've gotten some new information about how this was working in the past - the traffic wasn't traversing any layer-3 switches at all.

Is there any reason traffic that used to only pass thru layer 2 devices would get stopped at a new layer 3 device even if that device has no interfaces in the vlan and should therefore just be trunking?

 

1) Need to work out why. This one is confusing because if anything it should be the switch pings you don't see, not the machine's, because the default gateway of the machine is the firewall.

2) Can't comment much on that as I don't know which interface it should be arriving on, but again I suspect that isn't helping.

No there isn't any reason it should be stopped if the switch is just being used to pass the vlan information.

The only reason it might be stopped is if one of the trunk links did not allow that vlan.

That depends on whether you are allowing all vlans on all trunks or manually set which vlans are allowed per trunk.

I wonder if the 2960 switch pings are arriving on the wrong interface whether that has anything to do with the route you added but if the 2960's default gateway is on the core switch and the core switch didn't have a route I'm not sure what else you could have done.

Jon