Catalyst 3750X Inter-VLAN routing issue

acravenaz1
Level 1

Hey folks,

I'm attempting to set up a greenfield Catalyst 3750X core stack and am having a bit of trouble getting 2 devices on different VLANs to be able to talk to each other. I'm fairly new to doing this sort of config so I'm sure it's user error, but I've looked up and followed just about every guide I can find regarding setting up & configuring inter-VLAN routing and I don't see any obvious differences between my config and theirs. Can someone help me figure out what I'm doing wrong?

Here's what works currently:

My IP space for this project is 10.230.0.0/16. VLAN IDs correspond to 3rd octets and are all /24s

Take VLAN 121 for instance, my user data VLAN. I connect a device to a port assigned to VLAN 121, it gets a DHCP IP (10.230.121.3) with correct default gateway (10.230.121.1). It can ping the gateway and the interface IP of all other VLANs on the switch, i.e. 10.230.15.1, 10.230.32.1, 10.230.121.1 etc

If I plug another device (laptop) into the same VLAN (gets IP 10.230.121.2), the two devices can ping each other just fine.

If I plug that second device into a port with a different VLAN like VLAN 15, it gets an IP just fine and again can ping interface IP of all other VLANs but the two devices can't talk to each other.

Tried a couple ping tests from the switch itself to confirm no firewall funny business, same result

 

SCTS-CORE-STACK#debug ip icmp
ICMP packet debugging is on
SCTS-CORE-STACK#ping 10.230.121.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.230.121.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/16 ms
SCTS-CORE-STACK#ping 10.230.121.3 source vlan15

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.230.121.3, timeout is 2 seconds:
Packet sent with a source address of 10.230.15.1
.....
Success rate is 0 percent (0/5)
SCTS-CORE-STACK#

 

Here's my config. Only thing I've left out are irrelevant port configs and sensitive stuff.

 

version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime
service password-encryption
!
[....]
!
no aaa new-model
clock timezone MST -8
clock summer-time DST recurring
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
system mtu routing 1500
ip routing
ip dhcp excluded-address 10.230.100.1 10.230.100.20
!
ip dhcp pool 8x8_Voice
   network 10.230.100.0 255.255.255.0
   default-router 10.230.100.1
   dns-server 8.8.8.8 4.2.2.2
!
ip dhcp pool User-Data-Test
   network 10.230.121.0 255.255.255.0
   default-router 10.230.121.1
   dns-server 8.8.8.8 4.2.2.2
   domain-name ---
!
ip dhcp pool VMWare-Mgmt-Test
   network 10.230.32.0 255.255.255.0
   default-router 10.230.32.1
   dns-server 8.8.8.8 4.2.2.2
   domain-name ---
!
ip dhcp pool PD-Test
   network 10.230.15.0 255.255.255.0
   default-router 10.230.15.1
   dns-server 8.8.8.8 4.2.2.2
   domain-name ---
!
!
ip domain-name ---
ip name-server ---
vtp domain ---
vtp mode transparent
udld enable

!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1-2,15,30-32,100,121,144 priority 24576
!
!
!
!
vlan internal allocation policy ascending
!
vlan 2
 name Network_Management
!
vlan 15
 name PD-QA
!
vlan 20
 name DMZ
!
vlan 30
 name VMWare-DHCP
!
vlan 31
 name VMWare-Static
!
vlan 32
 name VMWare-Mgmt
!
vlan 40
 name Camera
!
vlan 100
 name 8x8-Voice
!
vlan 121
 name User-Data
!
vlan 144
 name Wireless-Data
!
vlan 990
 name ISP
!
vlan 999
 name FORTIGATE_DMZ
!
[....]
!
interface GigabitEthernet2/0/13
 switchport access vlan 121
 switchport mode access
!
interface GigabitEthernet2/0/14
 switchport access vlan 15
 switchport mode access
!
interface GigabitEthernet2/0/15
 switchport access vlan 121
 switchport mode access
!
[....]
!
interface Vlan1
 ip address 10.230.1.1 255.255.255.0
!
interface Vlan2
 description Network_Management
 ip address 10.230.2.1 255.255.255.0
!
interface Vlan15
 description PD-QA
 ip address 10.230.16.1 255.255.255.0 secondary
 ip address 10.230.17.1 255.255.255.0 secondary
 ip address 10.230.15.1 255.255.255.0
!
interface Vlan20
 description DMZ
 no ip address
!
interface Vlan30
 description VMWare-DHCP
 ip address 10.230.30.1 255.255.255.0
!
interface Vlan31
 description VMWare-Static
 ip address 10.230.31.1 255.255.255.0
!
interface Vlan32
 description VMWare-Mgmt
 ip address 10.230.32.1 255.255.255.0
!
interface Vlan40
 description Camera
 ip address 10.230.40.1 255.255.255.0
!
interface Vlan100
 description 8x8 Voice
 ip address 10.230.100.1 255.255.255.0
!
interface Vlan121
 description User-Data
 ip address 10.230.121.1 255.255.255.0
!
interface Vlan144
 description Wireless-Data
 ip address 10.230.144.1 255.255.255.0
!
interface Vlan999
 ip address 10.10.10.254 255.255.255.0
!
ip classless
no ip http server
no ip http secure-server
!
!
no vstack
[...]

 

 

Accepted Solution

The issue may not be in your switch configuration, but on your client PCs,
e.g. the MS Windows firewall blocks traffic not coming from the local subnet of the PC (= /24 subnet).
-> Disable the Windows firewall for a moment and check,
   then enable the firewall and add a rule to allow ping from the /16 subnet.


11 Replies

balaji.bandi
Hall of Fame

How many devices are connected to the switch? Is there any device connected in VLAN 15? Looks like VLAN 15 is down, I guess.

Can you post the output of the commands below:

show ip interface brief
show ip arp
show ip route

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

acravenaz1
Level 1

Sure, output below.

The port-channels are uplinks to other switches but I'm not worried about those for now. Gi1/0/48 is a bridge to an ISP connection, end devices are plugged into Gi2/0/13 - 15

SCTS-CORE-STACK#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.230.1.1      YES TFTP   up                    up
Vlan2                  10.230.2.1      YES TFTP   up                    up
Vlan15                 10.230.15.1     YES TFTP   up                    up
Vlan20                 unassigned      YES TFTP   up                    up
Vlan30                 10.230.30.1     YES TFTP   up                    up
Vlan31                 10.230.31.1     YES TFTP   up                    up
Vlan32                 10.230.32.1     YES TFTP   up                    up
Vlan40                 10.230.40.1     YES TFTP   up                    up
Vlan100                10.230.100.1    YES TFTP   up                    up
Vlan121                10.230.121.1    YES manual up                    up
Vlan144                10.230.144.1    YES TFTP   up                    down
Vlan999                10.10.10.254    YES TFTP   up                    down
FastEthernet0          unassigned      YES TFTP   administratively down down
GigabitEthernet1/0/1   unassigned      YES unset  down                  down
GigabitEthernet1/0/2   unassigned      YES unset  down                  down
GigabitEthernet1/0/3   unassigned      YES unset  up                    up
GigabitEthernet1/0/4   unassigned      YES unset  down                  down
GigabitEthernet1/0/5   unassigned      YES unset  up                    up
GigabitEthernet1/0/6   unassigned      YES unset  down                  down
GigabitEthernet1/0/7   unassigned      YES unset  up                    up
GigabitEthernet1/0/8   unassigned      YES unset  down                  down
GigabitEthernet1/0/9   unassigned      YES unset  up                    up
GigabitEthernet1/0/10  unassigned      YES unset  down                  down
GigabitEthernet1/0/11  unassigned      YES unset  up                    up
GigabitEthernet1/0/12  unassigned      YES unset  down                  down
GigabitEthernet1/0/13  unassigned      YES unset  down                  down
GigabitEthernet1/0/14  unassigned      YES unset  down                  down
GigabitEthernet1/0/15  unassigned      YES unset  down                  down
GigabitEthernet1/0/16  unassigned      YES unset  down                  down
GigabitEthernet1/0/17  unassigned      YES unset  down                  down
GigabitEthernet1/0/18  unassigned      YES unset  down                  down
GigabitEthernet1/0/19  unassigned      YES unset  down                  down
GigabitEthernet1/0/20  unassigned      YES unset  down                  down
GigabitEthernet1/0/21  unassigned      YES unset  down                  down
GigabitEthernet1/0/22  unassigned      YES unset  down                  down
GigabitEthernet1/0/23  unassigned      YES unset  down                  down
GigabitEthernet1/0/24  unassigned      YES unset  down                  down
GigabitEthernet1/0/25  unassigned      YES unset  down                  down
GigabitEthernet1/0/26  unassigned      YES unset  down                  down
GigabitEthernet1/0/27  unassigned      YES unset  down                  down
GigabitEthernet1/0/28  unassigned      YES unset  down                  down
GigabitEthernet1/0/29  unassigned      YES unset  down                  down
GigabitEthernet1/0/30  unassigned      YES unset  down                  down
GigabitEthernet1/0/31  unassigned      YES unset  down                  down
GigabitEthernet1/0/32  unassigned      YES unset  down                  down
GigabitEthernet1/0/33  unassigned      YES unset  down                  down
GigabitEthernet1/0/34  unassigned      YES unset  down                  down
GigabitEthernet1/0/35  unassigned      YES unset  down                  down
GigabitEthernet1/0/36  unassigned      YES unset  down                  down
GigabitEthernet1/0/37  unassigned      YES unset  down                  down
GigabitEthernet1/0/38  unassigned      YES unset  down                  down
GigabitEthernet1/0/39  unassigned      YES unset  down                  down
GigabitEthernet1/0/40  unassigned      YES unset  down                  down
GigabitEthernet1/0/41  unassigned      YES unset  down                  down
GigabitEthernet1/0/42  unassigned      YES unset  down                  down
GigabitEthernet1/0/43  unassigned      YES unset  down                  down
GigabitEthernet1/0/44  unassigned      YES unset  down                  down
GigabitEthernet1/0/45  unassigned      YES unset  down                  down
GigabitEthernet1/0/46  unassigned      YES unset  down                  down
GigabitEthernet1/0/47  unassigned      YES unset  down                  down
GigabitEthernet1/0/48  192.168.1.2     YES DHCP   up                    up
GigabitEthernet1/1/1   unassigned      YES unset  down                  down
GigabitEthernet1/1/2   unassigned      YES unset  down                  down
GigabitEthernet1/1/3   unassigned      YES unset  down                  down
GigabitEthernet1/1/4   unassigned      YES unset  down                  down
Te1/1/1                unassigned      YES unset  down                  down
Te1/1/2                unassigned      YES unset  down                  down
GigabitEthernet2/0/1   unassigned      YES unset  down                  down
GigabitEthernet2/0/2   unassigned      YES unset  down                  down
GigabitEthernet2/0/3   unassigned      YES unset  up                    up
GigabitEthernet2/0/4   unassigned      YES unset  down                  down
GigabitEthernet2/0/5   unassigned      YES unset  up                    up
GigabitEthernet2/0/6   unassigned      YES unset  down                  down
GigabitEthernet2/0/7   unassigned      YES unset  up                    up
GigabitEthernet2/0/8   unassigned      YES unset  down                  down
GigabitEthernet2/0/9   unassigned      YES unset  up                    up
GigabitEthernet2/0/10  unassigned      YES unset  down                  down
GigabitEthernet2/0/11  unassigned      YES unset  up                    up
GigabitEthernet2/0/12  unassigned      YES unset  down                  down
GigabitEthernet2/0/13  unassigned      YES unset  up                    up
GigabitEthernet2/0/14  unassigned      YES unset  up                    up
GigabitEthernet2/0/15  unassigned      YES unset  down                  down
GigabitEthernet2/0/16  unassigned      YES unset  down                  down
GigabitEthernet2/0/17  unassigned      YES unset  down                  down
GigabitEthernet2/0/18  unassigned      YES unset  down                  down
GigabitEthernet2/0/19  unassigned      YES unset  down                  down
GigabitEthernet2/0/20  unassigned      YES unset  down                  down
GigabitEthernet2/0/21  unassigned      YES unset  down                  down
GigabitEthernet2/0/22  unassigned      YES unset  down                  down
GigabitEthernet2/0/23  unassigned      YES unset  down                  down
GigabitEthernet2/0/24  unassigned      YES unset  down                  down
GigabitEthernet2/0/25  unassigned      YES unset  down                  down
GigabitEthernet2/0/26  unassigned      YES unset  down                  down
GigabitEthernet2/0/27  unassigned      YES unset  down                  down
GigabitEthernet2/0/28  unassigned      YES unset  down                  down
GigabitEthernet2/0/29  unassigned      YES unset  down                  down
GigabitEthernet2/0/30  unassigned      YES unset  down                  down
GigabitEthernet2/0/31  unassigned      YES unset  down                  down
GigabitEthernet2/0/32  unassigned      YES unset  down                  down
GigabitEthernet2/0/33  unassigned      YES unset  down                  down
GigabitEthernet2/0/34  unassigned      YES unset  down                  down
GigabitEthernet2/0/35  unassigned      YES unset  down                  down
GigabitEthernet2/0/36  unassigned      YES unset  down                  down
GigabitEthernet2/0/37  unassigned      YES unset  down                  down
GigabitEthernet2/0/38  unassigned      YES unset  down                  down
GigabitEthernet2/0/39  unassigned      YES unset  down                  down
GigabitEthernet2/0/40  unassigned      YES unset  down                  down
GigabitEthernet2/0/41  unassigned      YES unset  down                  down
GigabitEthernet2/0/42  unassigned      YES unset  down                  down
GigabitEthernet2/0/43  unassigned      YES unset  down                  down
GigabitEthernet2/0/44  unassigned      YES unset  down                  down
GigabitEthernet2/0/45  unassigned      YES unset  down                  down
GigabitEthernet2/0/46  unassigned      YES unset  down                  down
GigabitEthernet2/0/47  unassigned      YES unset  down                  down
GigabitEthernet2/0/48  unassigned      YES unset  down                  down
GigabitEthernet2/1/1   unassigned      YES unset  down                  down
GigabitEthernet2/1/2   unassigned      YES unset  down                  down
GigabitEthernet2/1/3   unassigned      YES unset  down                  down
GigabitEthernet2/1/4   unassigned      YES unset  down                  down
Te2/1/1                unassigned      YES unset  down                  down
Te2/1/2                unassigned      YES unset  down                  down
Port-channel1          unassigned      YES unset  up                    up
Port-channel2          unassigned      YES unset  up                    up
Port-channel3          unassigned      YES unset  up                    up
Port-channel4          unassigned      YES unset  up                    up
SCTS-CORE-STACK#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1            54   668b.c5e6.f41d  ARPA   GigabitEthernet1/0/48
Internet  192.168.1.2             -   0006.f6e1.b341  ARPA   GigabitEthernet1/0/48
Internet  10.230.144.1            -   0006.f6e1.b34b  ARPA   Vlan144
Internet  10.230.100.1            -   0006.f6e1.b349  ARPA   Vlan100
Internet  10.230.121.1            -   0006.f6e1.b34a  ARPA   Vlan121
Internet  10.230.121.3            0   c84b.d66e.aff7  ARPA   Vlan121
Internet  10.230.121.2           20   98fa.9b9b.6e94  ARPA   Vlan121
Internet  10.230.40.1             -   0006.f6e1.b348  ARPA   Vlan40
Internet  10.230.32.1             -   0006.f6e1.b347  ARPA   Vlan32
Internet  10.230.1.13             3   ac71.2e02.62e1  ARPA   Vlan1
Internet  10.230.1.12             0   ac71.2e02.19e5  ARPA   Vlan1
Internet  10.230.15.2             0   98fa.9b9b.6e94  ARPA   Vlan15
Internet  10.230.15.1             -   0006.f6e1.b343  ARPA   Vlan15
Internet  10.230.1.14            48   005d.733a.1b47  ARPA   Vlan1
Internet  10.230.1.11            47   005d.73dd.b647  ARPA   Vlan1
Internet  10.230.1.1              -   0006.f6e1.b340  ARPA   Vlan1
Internet  10.230.2.1              -   0006.f6e1.b342  ARPA   Vlan2
Internet  10.230.31.1             -   0006.f6e1.b346  ARPA   Vlan31
Internet  10.230.30.1             -   0006.f6e1.b345  ARPA   Vlan30
Internet  10.10.10.254            -   0006.f6e1.b34c  ARPA   Vlan999
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.230.17.1             -   0006.f6e1.b343  ARPA   Vlan15
Internet  10.230.16.1             -   0006.f6e1.b343  ARPA   Vlan15
SCTS-CORE-STACK#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 11 subnets
C       10.230.100.0 is directly connected, Vlan100
C       10.230.121.0 is directly connected, Vlan121
C       10.230.40.0 is directly connected, Vlan40
C       10.230.32.0 is directly connected, Vlan32
C       10.230.15.0 is directly connected, Vlan15
C       10.230.1.0 is directly connected, Vlan1
C       10.230.2.0 is directly connected, Vlan2
C       10.230.30.0 is directly connected, Vlan30
C       10.230.31.0 is directly connected, Vlan31
C       10.230.16.0 is directly connected, Vlan15
C       10.230.17.0 is directly connected, Vlan15
C    192.168.1.0/24 is directly connected, GigabitEthernet1/0/48
S*   0.0.0.0/0 [254/0] via 192.168.1.1

 

If I plug that second device into a port with a different VLAN like VLAN 15, it gets an IP just fine and again can ping interface IP of all other VLANs but the two devices can't talk to each other.

Is this an issue with only VLAN 15?

I noticed that you have multiple IPs bound to the VLAN interface.

Have you tried

 

 

ping 10.230.121.3 source 10.230.15.1

 

You mentioned a default-gateway that I did not see in the config. Have you changed that default to an IP route command?

BB


acravenaz1
Level 1

Yes, that fails. Link is up though, when source is not specified, ping succeeds

SCTS-CORE-STACK#ping 10.230.121.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.230.121.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/16 ms
SCTS-CORE-STACK#ping 10.230.121.3 source vlan15

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.230.121.3, timeout is 2 seconds:
Packet sent with a source address of 10.230.15.1
.....
Success rate is 0 percent (0/5)

Please traceroute to the host; I want to see where the packet stops.

acravenaz1
Level 1

Sure, it dies immediately after hitting the default gateway

PS C:\Users\acraven> tracert 10.230.15.2

Tracing route to 10.230.15.2 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  10.230.121.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Post the full config or, as I suggested before, is this an issue only with VLAN 15?

Have you moved the config default gateway to IP routing?

From the switch, can you post ping results to the end clients:

 

SCTS-CORE-STACK#ping 10.230.15.2

 

SCTS-CORE-STACK#ping 10.230.121.3

 

BB


Internet  192.168.1.1            54   668b.c5e6.f41d  ARPA   GigabitEthernet1/0/48
Internet  192.168.1.2             -   0006.f6e1.b341  ARPA   GigabitEthernet1/0/48
Internet  10.230.144.1            -   0006.f6e1.b34b  ARPA   Vlan144
Internet  10.230.100.1            -   0006.f6e1.b349  ARPA   Vlan100
Internet  10.230.121.1            -   0006.f6e1.b34a  ARPA   Vlan121
Internet  10.230.121.3            0   c84b.d66e.aff7  ARPA   Vlan121
Internet  10.230.121.2           20   98fa.9b9b.6e94  ARPA   Vlan121
Internet  10.230.40.1             -   0006.f6e1.b348  ARPA   Vlan40
Internet  10.230.32.1             -   0006.f6e1.b347  ARPA   Vlan32
Internet  10.230.1.13             3   ac71.2e02.62e1  ARPA   Vlan1
Internet  10.230.1.12             0   ac71.2e02.19e5  ARPA   Vlan1
Internet  10.230.15.2             0   98fa.9b9b.6e94  ARPA   Vlan15
Internet  10.230.15.1             -   0006.f6e1.b343  ARPA   Vlan15
Internet  10.230.1.14            48   005d.733a.1b47  ARPA   Vlan1
Internet  10.230.1.11            47   005d.73dd.b647  ARPA   Vlan1
Internet  10.230.1.1              -   0006.f6e1.b340  ARPA   Vlan1
Internet  10.230.2.1              -   0006.f6e1.b342  ARPA   Vlan2
Internet  10.230.31.1             -   0006.f6e1.b346  ARPA   Vlan31
Internet  10.230.30.1             -   0006.f6e1.b345  ARPA   Vlan30
Internet  10.10.10.254            -   0006.f6e1.b34c  ARPA   Vlan999
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.230.17.1             -   0006.f6e1.b343  ARPA   Vlan15
Internet  10.230.16.1             -   0006.f6e1.b343  ARPA   Vlan15

There is something weird, and I think it is a stack issue.
You can see from show mac address table that only 192.168.1.1/2 appears with a physical port,

where we must see the MAC address if the host connects to VLAN121 !!!!!

That makes me think that the two-switch stack is the issue.
Can you check the other switch's MAC address table?

Hello
By default, Windows operating systems have a software firewall and disable ICMP echo-reply. As a test, disable this firewall and test your ping again.

Open Command Prompt or PowerShell (in admin mode):

netsh advfirewall set allprofiles state off

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

acravenaz1
Level 1

Wow. I feel real dumb. I enabled all of the rules to allow ICMP ping through Windows firewall but didn't try disabling it entirely. Ping worked within same subnet but firewall was blocking from outside subnets because it's not recognized as a "Domain" network (since there isn't a domain controller in the network yet).

Been doing this for years and never realized that the default firewall rules restrict ping response to local subnet for non-domain networks. Learn something new every day!

Thanks guys, I'll mark the answer and we can archive this.
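
The second half of the accepted answer (re-enable the firewall and allow ping from the /16) can be done with a scoped rule instead of leaving the firewall off. The following is an added example, not part of the original posts: it lists the remote-address scope of the enabled inbound ICMPv4 rules, then adds one echo-request rule limited to the thread's 10.230.0.0/16 range. The rule display name is made up for illustration, and the Private/Public profile choice assumes the non-domain network described above.

```powershell
# Added example. Run in an elevated PowerShell session on the Windows client.
# Assumption: 10.230.0.0/16 is the routed address space from this thread.
$RoutedRange = '10.230.0.0/16'
# Hypothetical display name, chosen for this example only.
$RuleName    = 'Allow ICMPv4 echo from routed VLANs (example)'

# If the firewall was switched off for the test, switch it back on first.
netsh advfirewall set allprofiles state on

# 1. Which firewall profile does each connected network fall under?
#    Without a domain controller this shows Private or Public, never
#    DomainAuthenticated.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize

# 2. Show the scope of every enabled inbound ICMPv4 allow rule.
#    A RemoteAddress of "LocalSubnet" explains the symptom in this thread:
#    same-VLAN pings are answered, pings sourced from another VLAN are not.
#    (Walking every rule takes a little while; it avoids relying on rule
#    names, which differ between Windows languages.)
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'ICMPv4') {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                IcmpType      = $port.IcmpType -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    } | Format-Table -AutoSize

# 3. Add one narrowly scoped rule: ICMPv4 type 8 (echo request) only,
#    and only from the routed range, on the non-domain profiles.
#    Skipped if a rule with this name already exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $RoutedRange `
        -Profile Private, Public | Out-Null
}

# 4. Confirm the scope that was actually stored for the new rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

With the rule in place, repeating `ping 10.230.121.3 source vlan15` from the switch checks the cross-VLAN path with the firewall still enabled.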
