12-29-2022 02:03 PM
Hey folks,
I'm attempting to set up a greenfield Catalyst 3750X core stack and am having a bit of trouble getting 2 devices on different VLANs to be able to talk to each other. I'm fairly new to doing this sort of config so I'm sure it's user error, but I've looked up and followed just about every guide I can find regarding setting up & configuring inter-VLAN routing and I don't see any obvious differences between my config and theirs. Can someone help me figure out what I'm doing wrong?
Here's what works currently:
My IP space for this project is 10.230.0.0/16. VLAN IDs correspond to 3rd octets and are all /24s
Take VLAN 121 for instance, my user data VLAN. I connect a device to a port assigned to VLAN 121, it gets a DHCP IP (10.230.121.3) with correct default gateway (10.230.121.1). It can ping the gateway and the interface IP of all other VLANs on the switch, i.e. 10.230.15.1, 10.230.32.1, 10.230.121.1 etc
If I plug another device (laptop) into the same VLAN (gets IP 10.230.121.2), the two devices can ping each other just fine.
If I plug that second device into a port with a different VLAN like VLAN 15, it gets an IP just fine and again can ping interface IP of all other VLANs but the two devices can't talk to each other.
Tried a couple ping tests from the switch itself to confirm no firewall funny business, same result
SCTS-CORE-STACK#debug ip icmp
ICMP packet debugging is on
SCTS-CORE-STACK#ping 10.230.121.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.230.121.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/16 ms
SCTS-CORE-STACK#ping 10.230.121.3 source vlan15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.230.121.3, timeout is 2 seconds:
Packet sent with a source address of 10.230.15.1
.....
Success rate is 0 percent (0/5)
SCTS-CORE-STACK#
Here's my config. Only thing I've left out are irrelevant port configs and sensitive stuff.
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime
service password-encryption
!
[....]
!
no aaa new-model
clock timezone MST -8
clock summer-time DST recurring
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
system mtu routing 1500
ip routing
ip dhcp excluded-address 10.230.100.1 10.230.100.20
!
ip dhcp pool 8x8_Voice
   network 10.230.100.0 255.255.255.0
   default-router 10.230.100.1
   dns-server 8.8.8.8 4.2.2.2
!
ip dhcp pool User-Data-Test
   network 10.230.121.0 255.255.255.0
   default-router 10.230.121.1
   dns-server 8.8.8.8 4.2.2.2
   domain-name ---
!
ip dhcp pool VMWare-Mgmt-Test
   network 10.230.32.0 255.255.255.0
   default-router 10.230.32.1
   dns-server 8.8.8.8 4.2.2.2
   domain-name ---
!
ip dhcp pool PD-Test
   network 10.230.15.0 255.255.255.0
   default-router 10.230.15.1
   dns-server 8.8.8.8 4.2.2.2
   domain-name ---
!
!
ip domain-name ---
ip name-server ---
vtp domain ---
vtp mode transparent
udld enable
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1-2,15,30-32,100,121,144 priority 24576
!
!
!
!
vlan internal allocation policy ascending
!
vlan 2
 name Network_Management
!
vlan 15
 name PD-QA
!
vlan 20
 name DMZ
!
vlan 30
 name VMWare-DHCP
!
vlan 31
 name VMWare-Static
!
vlan 32
 name VMWare-Mgmt
!
vlan 40
 name Camera
!
vlan 100
 name 8x8-Voice
!
vlan 121
 name User-Data
!
vlan 144
 name Wireless-Data
!
vlan 990
 name ISP
!
vlan 999
 name FORTIGATE_DMZ
!
[....]
!
interface GigabitEthernet2/0/13
 switchport access vlan 121
 switchport mode access
!
interface GigabitEthernet2/0/14
 switchport access vlan 15
 switchport mode access
!
interface GigabitEthernet2/0/15
 switchport access vlan 121
 switchport mode access
!
[....]
!
interface Vlan1
 ip address 10.230.1.1 255.255.255.0
!
interface Vlan2
 description Network_Management
 ip address 10.230.2.1 255.255.255.0
!
interface Vlan15
 description PD-QA
 ip address 10.230.16.1 255.255.255.0 secondary
 ip address 10.230.17.1 255.255.255.0 secondary
 ip address 10.230.15.1 255.255.255.0
!
interface Vlan20
 description DMZ
 no ip address
!
interface Vlan30
 description VMWare-DHCP
 ip address 10.230.30.1 255.255.255.0
!
interface Vlan31
 description VMWare-Static
 ip address 10.230.31.1 255.255.255.0
!
interface Vlan32
 description VMWare-Mgmt
 ip address 10.230.32.1 255.255.255.0
!
interface Vlan40
 description Camera
 ip address 10.230.40.1 255.255.255.0
!
interface Vlan100
 description 8x8 Voice
 ip address 10.230.100.1 255.255.255.0
!
interface Vlan121
 description User-Data
 ip address 10.230.121.1 255.255.255.0
!
interface Vlan144
 description Wireless-Data
 ip address 10.230.144.1 255.255.255.0
!
interface Vlan999
 ip address 10.10.10.254 255.255.255.0
!
ip classless
no ip http server
no ip http secure-server
!
!
no vstack
[...]
12-29-2022 02:13 PM - last edited on 01-02-2023 03:36 AM by Translator
How many devices are connected to the switch? Is there any device connected in VLAN 15? Looks like VLAN 15 is down, I guess.
Can you post the output of the commands below:
show ip interface brief
show ip arp
show ip route
12-29-2022 02:19 PM
Sure, output below.
The port-channels are uplinks to other switches but I'm not worried about those for now. Gi1/0/48 is a bridge to an ISP connection, end devices are plugged into Gi2/0/13 - 15
SCTS-CORE-STACK#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.230.1.1 YES TFTP up up
Vlan2 10.230.2.1 YES TFTP up up
Vlan15 10.230.15.1 YES TFTP up up
Vlan20 unassigned YES TFTP up up
Vlan30 10.230.30.1 YES TFTP up up
Vlan31 10.230.31.1 YES TFTP up up
Vlan32 10.230.32.1 YES TFTP up up
Vlan40 10.230.40.1 YES TFTP up up
Vlan100 10.230.100.1 YES TFTP up up
Vlan121 10.230.121.1 YES manual up up
Vlan144 10.230.144.1 YES TFTP up down
Vlan999 10.10.10.254 YES TFTP up down
FastEthernet0 unassigned YES TFTP administratively down down
GigabitEthernet1/0/1 unassigned YES unset down down
GigabitEthernet1/0/2 unassigned YES unset down down
GigabitEthernet1/0/3 unassigned YES unset up up
GigabitEthernet1/0/4 unassigned YES unset down down
GigabitEthernet1/0/5 unassigned YES unset up up
GigabitEthernet1/0/6 unassigned YES unset down down
GigabitEthernet1/0/7 unassigned YES unset up up
GigabitEthernet1/0/8 unassigned YES unset down down
GigabitEthernet1/0/9 unassigned YES unset up up
GigabitEthernet1/0/10 unassigned YES unset down down
GigabitEthernet1/0/11 unassigned YES unset up up
GigabitEthernet1/0/12 unassigned YES unset down down
GigabitEthernet1/0/13 unassigned YES unset down down
GigabitEthernet1/0/14 unassigned YES unset down down
GigabitEthernet1/0/15 unassigned YES unset down down
GigabitEthernet1/0/16 unassigned YES unset down down
GigabitEthernet1/0/17 unassigned YES unset down down
GigabitEthernet1/0/18 unassigned YES unset down down
GigabitEthernet1/0/19 unassigned YES unset down down
GigabitEthernet1/0/20 unassigned YES unset down down
GigabitEthernet1/0/21 unassigned YES unset down down
GigabitEthernet1/0/22 unassigned YES unset down down
GigabitEthernet1/0/23 unassigned YES unset down down
GigabitEthernet1/0/24 unassigned YES unset down down
GigabitEthernet1/0/25 unassigned YES unset down down
GigabitEthernet1/0/26 unassigned YES unset down down
GigabitEthernet1/0/27 unassigned YES unset down down
GigabitEthernet1/0/28 unassigned YES unset down down
GigabitEthernet1/0/29 unassigned YES unset down down
GigabitEthernet1/0/30 unassigned YES unset down down
GigabitEthernet1/0/31 unassigned YES unset down down
GigabitEthernet1/0/32 unassigned YES unset down down
GigabitEthernet1/0/33 unassigned YES unset down down
GigabitEthernet1/0/34 unassigned YES unset down down
GigabitEthernet1/0/35 unassigned YES unset down down
GigabitEthernet1/0/36 unassigned YES unset down down
GigabitEthernet1/0/37 unassigned YES unset down down
GigabitEthernet1/0/38 unassigned YES unset down down
GigabitEthernet1/0/39 unassigned YES unset down down
GigabitEthernet1/0/40 unassigned YES unset down down
GigabitEthernet1/0/41 unassigned YES unset down down
GigabitEthernet1/0/42 unassigned YES unset down down
GigabitEthernet1/0/43 unassigned YES unset down down
GigabitEthernet1/0/44 unassigned YES unset down down
GigabitEthernet1/0/45 unassigned YES unset down down
GigabitEthernet1/0/46 unassigned YES unset down down
GigabitEthernet1/0/47 unassigned YES unset down down
GigabitEthernet1/0/48 192.168.1.2 YES DHCP up up
GigabitEthernet1/1/1 unassigned YES unset down down
GigabitEthernet1/1/2 unassigned YES unset down down
GigabitEthernet1/1/3 unassigned YES unset down down
GigabitEthernet1/1/4 unassigned YES unset down down
Te1/1/1 unassigned YES unset down down
Te1/1/2 unassigned YES unset down down
GigabitEthernet2/0/1 unassigned YES unset down down
GigabitEthernet2/0/2 unassigned YES unset down down
GigabitEthernet2/0/3 unassigned YES unset up up
GigabitEthernet2/0/4 unassigned YES unset down down
GigabitEthernet2/0/5 unassigned YES unset up up
GigabitEthernet2/0/6 unassigned YES unset down down
GigabitEthernet2/0/7 unassigned YES unset up up
GigabitEthernet2/0/8 unassigned YES unset down down
GigabitEthernet2/0/9 unassigned YES unset up up
GigabitEthernet2/0/10 unassigned YES unset down down
GigabitEthernet2/0/11 unassigned YES unset up up
GigabitEthernet2/0/12 unassigned YES unset down down
GigabitEthernet2/0/13 unassigned YES unset up up
GigabitEthernet2/0/14 unassigned YES unset up up
GigabitEthernet2/0/15 unassigned YES unset down down
GigabitEthernet2/0/16 unassigned YES unset down down
GigabitEthernet2/0/17 unassigned YES unset down down
GigabitEthernet2/0/18 unassigned YES unset down down
GigabitEthernet2/0/19 unassigned YES unset down down
GigabitEthernet2/0/20 unassigned YES unset down down
GigabitEthernet2/0/21 unassigned YES unset down down
GigabitEthernet2/0/22 unassigned YES unset down down
GigabitEthernet2/0/23 unassigned YES unset down down
GigabitEthernet2/0/24 unassigned YES unset down down
GigabitEthernet2/0/25 unassigned YES unset down down
GigabitEthernet2/0/26 unassigned YES unset down down
GigabitEthernet2/0/27 unassigned YES unset down down
GigabitEthernet2/0/28 unassigned YES unset down down
GigabitEthernet2/0/29 unassigned YES unset down down
GigabitEthernet2/0/30 unassigned YES unset down down
GigabitEthernet2/0/31 unassigned YES unset down down
GigabitEthernet2/0/32 unassigned YES unset down down
GigabitEthernet2/0/33 unassigned YES unset down down
GigabitEthernet2/0/34 unassigned YES unset down down
GigabitEthernet2/0/35 unassigned YES unset down down
GigabitEthernet2/0/36 unassigned YES unset down down
GigabitEthernet2/0/37 unassigned YES unset down down
GigabitEthernet2/0/38 unassigned YES unset down down
GigabitEthernet2/0/39 unassigned YES unset down down
GigabitEthernet2/0/40 unassigned YES unset down down
GigabitEthernet2/0/41 unassigned YES unset down down
GigabitEthernet2/0/42 unassigned YES unset down down
GigabitEthernet2/0/43 unassigned YES unset down down
GigabitEthernet2/0/44 unassigned YES unset down down
GigabitEthernet2/0/45 unassigned YES unset down down
GigabitEthernet2/0/46 unassigned YES unset down down
GigabitEthernet2/0/47 unassigned YES unset down down
GigabitEthernet2/0/48 unassigned YES unset down down
GigabitEthernet2/1/1 unassigned YES unset down down
GigabitEthernet2/1/2 unassigned YES unset down down
GigabitEthernet2/1/3 unassigned YES unset down down
GigabitEthernet2/1/4 unassigned YES unset down down
Te2/1/1 unassigned YES unset down down
Te2/1/2 unassigned YES unset down down
Port-channel1 unassigned YES unset up up
Port-channel2 unassigned YES unset up up
Port-channel3 unassigned YES unset up up
Port-channel4 unassigned YES unset up up
SCTS-CORE-STACK#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.1 54 668b.c5e6.f41d ARPA GigabitEthernet1/0/48
Internet 192.168.1.2 - 0006.f6e1.b341 ARPA GigabitEthernet1/0/48
Internet 10.230.144.1 - 0006.f6e1.b34b ARPA Vlan144
Internet 10.230.100.1 - 0006.f6e1.b349 ARPA Vlan100
Internet 10.230.121.1 - 0006.f6e1.b34a ARPA Vlan121
Internet 10.230.121.3 0 c84b.d66e.aff7 ARPA Vlan121
Internet 10.230.121.2 20 98fa.9b9b.6e94 ARPA Vlan121
Internet 10.230.40.1 - 0006.f6e1.b348 ARPA Vlan40
Internet 10.230.32.1 - 0006.f6e1.b347 ARPA Vlan32
Internet 10.230.1.13 3 ac71.2e02.62e1 ARPA Vlan1
Internet 10.230.1.12 0 ac71.2e02.19e5 ARPA Vlan1
Internet 10.230.15.2 0 98fa.9b9b.6e94 ARPA Vlan15
Internet 10.230.15.1 - 0006.f6e1.b343 ARPA Vlan15
Internet 10.230.1.14 48 005d.733a.1b47 ARPA Vlan1
Internet 10.230.1.11 47 005d.73dd.b647 ARPA Vlan1
Internet 10.230.1.1 - 0006.f6e1.b340 ARPA Vlan1
Internet 10.230.2.1 - 0006.f6e1.b342 ARPA Vlan2
Internet 10.230.31.1 - 0006.f6e1.b346 ARPA Vlan31
Internet 10.230.30.1 - 0006.f6e1.b345 ARPA Vlan30
Internet 10.10.10.254 - 0006.f6e1.b34c ARPA Vlan999
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.230.17.1 - 0006.f6e1.b343 ARPA Vlan15
Internet 10.230.16.1 - 0006.f6e1.b343 ARPA Vlan15
SCTS-CORE-STACK#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 11 subnets
C 10.230.100.0 is directly connected, Vlan100
C 10.230.121.0 is directly connected, Vlan121
C 10.230.40.0 is directly connected, Vlan40
C 10.230.32.0 is directly connected, Vlan32
C 10.230.15.0 is directly connected, Vlan15
C 10.230.1.0 is directly connected, Vlan1
C 10.230.2.0 is directly connected, Vlan2
C 10.230.30.0 is directly connected, Vlan30
C 10.230.31.0 is directly connected, Vlan31
C 10.230.16.0 is directly connected, Vlan15
C 10.230.17.0 is directly connected, Vlan15
C 192.168.1.0/24 is directly connected, GigabitEthernet1/0/48
S* 0.0.0.0/0 [254/0] via 192.168.1.1
12-29-2022 02:25 PM - edited 12-29-2022 02:37 PM
If I plug that second device into a port with a different VLAN like VLAN 15, it gets an IP just fine and again can ping interface IP of all other VLANs but the two devices can't talk to each other.
Is this an issue with only VLAN 15?
I noticed that you have multiple IPs bound to the VLAN interface.
Have you tried
ping 10.230.121.3 source 10.230.15.1
You mentioned a default gateway that I did not see in the config. Have you changed that default to an IP route command?
12-29-2022 02:28 PM
Yes, that fails. Link is up though, when source is not specified, ping succeeds
SCTS-CORE-STACK#ping 10.230.121.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.230.121.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/16 ms
SCTS-CORE-STACK#ping 10.230.121.3 source vlan15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.230.121.3, timeout is 2 seconds:
Packet sent with a source address of 10.230.15.1
.....
Success rate is 0 percent (0/5)
12-29-2022 02:30 PM
Please traceroute to the host; I want to see where the packet stops.
12-29-2022 02:36 PM
Sure, it dies immediately after hitting the default gateway
PS C:\Users\acraven> tracert 10.230.15.2
Tracing route to 10.230.15.2 over a maximum of 30 hops
1 2 ms 1 ms 1 ms 10.230.121.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
12-29-2022 02:40 PM - edited 12-30-2022 08:09 AM
Post the full config or, as I suggested before, is this only an issue with VLAN 15?
Have you moved the config default gateway to IP routing?
From the switch, can you post ping results to the end clients:
SCTS-CORE-STACK#ping 10.230.15.2
SCTS-CORE-STACK#ping 10.230.121.3
12-30-2022 06:01 AM
The issue may not be in your switch configuration, but on your client PCs.
For example, the MS Windows firewall blocks traffic not coming from the local subnet of the PC (= /24 subnet).
-> Disable the Windows firewall for a moment and check.
Then enable the firewall and add a rule to allow ping from the /16 subnet.
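The accepted fix above, re-enabling the firewall and allowing ping from the /16, sketched in PowerShell as an added example (not part of the original thread). The rule name is hypothetical, 10.230.0.0/16 is the range the original poster gave, and the built-in rule is looked up by its English display name.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread.
# Assumption: the lab range is 10.230.0.0/16, as stated by the original poster.
$LabRange = '10.230.0.0/16'
$RuleName = 'Lab - ICMPv4 echo request from 10.230.0.0/16'   # hypothetical rule name

# 1. Turn the firewall back on for every profile if it was disabled for the test.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 2. Show which profile each connection landed in. With no domain controller
#    on the network it will be Private or Public, not DomainAuthenticated.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 3. Show the scope of the built-in echo-request rules. A RemoteAddress of
#    LocalSubnet explains why same-VLAN pings work and routed pings do not.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    } | Format-Table -AutoSize

# 4. Add one narrowly scoped rule: inbound ICMPv4 type 8 (echo request) only,
#    from the lab range only, on the non-domain profiles only.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $LabRange `
        -Profile Private,Public | Out-Null
}

# 5. Confirm the scope that was actually stored.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run it in an elevated PowerShell session on each test client, then repeat the routed ping from the switch (ping 10.230.121.3 source vlan15) with the firewall still enabled.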
12-30-2022 06:15 AM
Internet 192.168.1.1 54 668b.c5e6.f41d ARPA GigabitEthernet1/0/48
Internet 192.168.1.2 - 0006.f6e1.b341 ARPA GigabitEthernet1/0/48
Internet 10.230.144.1 - 0006.f6e1.b34b ARPA Vlan144
Internet 10.230.100.1 - 0006.f6e1.b349 ARPA Vlan100
Internet 10.230.121.1 - 0006.f6e1.b34a ARPA Vlan121
Internet 10.230.121.3 0 c84b.d66e.aff7 ARPA Vlan121
Internet 10.230.121.2 20 98fa.9b9b.6e94 ARPA Vlan121
Internet 10.230.40.1 - 0006.f6e1.b348 ARPA Vlan40
Internet 10.230.32.1 - 0006.f6e1.b347 ARPA Vlan32
Internet 10.230.1.13 3 ac71.2e02.62e1 ARPA Vlan1
Internet 10.230.1.12 0 ac71.2e02.19e5 ARPA Vlan1
Internet 10.230.15.2 0 98fa.9b9b.6e94 ARPA Vlan15
Internet 10.230.15.1 - 0006.f6e1.b343 ARPA Vlan15
Internet 10.230.1.14 48 005d.733a.1b47 ARPA Vlan1
Internet 10.230.1.11 47 005d.73dd.b647 ARPA Vlan1
Internet 10.230.1.1 - 0006.f6e1.b340 ARPA Vlan1
Internet 10.230.2.1 - 0006.f6e1.b342 ARPA Vlan2
Internet 10.230.31.1 - 0006.f6e1.b346 ARPA Vlan31
Internet 10.230.30.1 - 0006.f6e1.b345 ARPA Vlan30
Internet 10.10.10.254 - 0006.f6e1.b34c ARPA Vlan999
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.230.17.1 - 0006.f6e1.b343 ARPA Vlan15
Internet 10.230.16.1 - 0006.f6e1.b343 ARPA Vlan15
There is something weird, and I think it is a stack issue.
You can see from show mac address table that only 192.168.1.1/2 appears with a physical port,
where we must see the MAC address if a host connects to VLAN121!
That makes me think that the two-SW stack is the issue.
Can you check the other SW's MAC address table?
12-30-2022 07:04 AM - last edited on 01-02-2023 03:39 AM by Translator
Hello
By default, Windows operating systems have a software firewall and disable ICMP echo-reply. As a test, disable this firewall and test your ping again.
Open Command Prompt or PowerShell (in admin mode):
netsh advfirewall set allprofiles state off
12-30-2022 11:04 AM
Wow. I feel real dumb. I enabled all of the rules to allow ICMP ping through Windows firewall but didn't try disabling it entirely. Ping worked within same subnet but firewall was blocking from outside subnets because it's not recognized as a "Domain" network (since there isn't a domain controller in the network yet).
Been doing this for years and never realized that the default firewall rules restrict ping response to local subnet for non-domain networks. Learn something new every day!
Thanks guys, I'll mark the answer and we can archive this.