Catalyst 9300 Static Routing

srantheman2024
Level 1

Need some help with 9300 Static Routing.  

We have a stacked 9300 being used as a collapsed core with all of our VLANs on it. Each VLAN has an SVI and IP routing is enabled.  We also have a gateway of last resort set to the firewall that is connected to the internet.  As you will see below, I can ping the firewall from the same VLAN as the firewall.  I can also reach the internet from that same VLAN.  I can also reach any VLAN that is directly connected to the 9300 (VLAN 10 to VLAN 20, etc.).  What I can't do is reach the firewall from any other VLAN.  

Let me know if I missed any steps to get this all set up.  Below is all my info.  

S* 0.0.0.0/0 [1/0] via 192.168.200.254
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.100.0/24 is directly connected, Vlan100
L 10.10.100.254/32 is directly connected, Vlan100
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.10.0/24 is directly connected, Vlan210
L 172.16.10.253/32 is directly connected, Vlan210
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan1
L 192.168.1.1/32 is directly connected, Vlan1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan10
L 192.168.10.254/32 is directly connected, Vlan10
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan20
L 192.168.20.254/32 is directly connected, Vlan20
192.168.30.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.30.0/24 is directly connected, Vlan30
L 192.168.30.254/32 is directly connected, Vlan30
192.168.40.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.40.0/24 is directly connected, Vlan40
L 192.168.40.254/32 is directly connected, Vlan40
192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.50.0/24 is directly connected, Vlan50
L 192.168.50.254/32 is directly connected, Vlan50
192.168.90.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.90.0/24 is directly connected, Vlan90
L 192.168.90.254/32 is directly connected, Vlan90
192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.200.0/24 is directly connected, Vlan200
L 192.168.200.253/32 is directly connected, Vlan200

9300L_Core#ping 192.168.200.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
9300L_Core#ping 192.168.200.254 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254
.....
Success rate is 0 percent (0/5)
9300L_Core#ping 192.168.200.253 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.253, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
9300L_Core#sh ip int br
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.1.1 YES NVRAM up up
Vlan10 192.168.10.254 YES NVRAM up up
Vlan20 192.168.20.254 YES NVRAM up up
Vlan30 192.168.30.254 YES NVRAM up up
Vlan40 192.168.40.254 YES NVRAM up up
Vlan50 192.168.50.254 YES NVRAM up up
Vlan90 192.168.90.254 YES manual up up
Vlan100 10.10.100.254 YES NVRAM up up
Vlan200 192.168.200.253 YES manual up up


9 Replies

M02@rt37
VIP

Hello @srantheman2024 

Did you check the ICMP flow on the firewall? Is it not denied?

Best regards

The firewall is 192.168.200.254.  I can only reach it from VLAN 200.  All rules are set to allow ALL just to get this set up and going.  

9300L_Core#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/31/39 ms
9300L_Core#ping 8.8.8.8 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254
.....
Success rate is 0 percent (0/5)

@srantheman2024 

On your firewall, do you see ICMP echo requests from 192.168.10.254 to 8.8.8.8?

On your firewall, do you have static routes towards the subnets hosted on your C9300?

Best regards

So you think the issue is the firewall?  Right now it only has a gateway of last resort for 0.0.0.0 to the ISP Public IP.  The firewall is Fortinet so I can reach out to their support if you feel it is needed.  Just wanted to make sure the Cisco portion is correct before I engage their support.  

Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.200.254 3 msec 1 msec 1 msec
2 192.168.12.1 1 msec 2 msec 1 msec
3 192.0.0.1 1 msec 2 msec 1 msec
4 192.0.0.1 20 msec 17 msec 17 msec
5 192.0.0.1 22 msec 24 msec 15 msec
6 192.0.0.1 15 msec 17 msec 16 msec
7 * * *
8 192.0.0.1 22 msec 15 msec 15 msec
9 192.0.0.1 13 msec 11 msec 18 msec
10 10.160.107.106 19 msec 13 msec 15 msec
11 10.177.57.84 15 msec 16 msec 21 msec
12 10.177.21.22 [MPLS: Label 24451 Exp 1] 24 msec 20 msec 20 msec
13 10.177.11.192 [MPLS: Label 24484 Exp 1] 22 msec 18 msec 25 msec
14 10.164.178.201 21 msec 29 msec 20 msec
15 142.250.175.48 29 msec 27 msec 24 msec
16 * * *
17 8.8.8.8 30 msec 32 msec 30 msec

9300L_Core#traceroute 8.8.8.8 source vlan 10
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 *

So you configured VLAN SVIs in the SW and configured VLAN 200 as the transit VLAN.
Are you running ip routing?

MHM

I am running ip routing on the switch.  

9300L_Core#sh run | include ip routing
ip routing
9300L_Core#sh run | include ip route
ip route 0.0.0.0 0.0.0.0 192.168.200.254
9300L_Core#

Each VLAN has an SVI attached to it.  


For Transit VLAN, how do I configure it?  I don't see it as any option.  

VLAN 200 is transit (transit is a term only).
Now, in the FW:
1- you need to be sure that there is a static route for each VLAN (other than VLAN 200) toward the VLAN 200 SVI of the SW 
2- you need to be sure that the VLAN is added to NAT (dynamic NAT)
3- you need to be sure that the traffic is allowed via ACL in the FW 
MHM

@srantheman2024 

From your Fortigate, please run:

get router info routing table detail 192.168.10.254

Provide the output please. 

Best regards

balaji.bandi
Hall of Fame

You need to provide how your configuration is connected on the port toward the uplink side.

As you have VLAN 200 working, that is the SVI configured on the switch:

Vlan200 192.168.200.253

The output below failed because the uplink IP .254 does not know how to route back.

9300L_Core#ping 192.168.200.254 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254
.....


You need to have static routes back to all the subnets towards 192.168.200.253 from your firewall that is connected to the internet.

I suggest posting the Cat 9200 switch config as below:

show run
show ip interface brief
show ip arp
show interface status

 

BB
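The return-path problem the replies above describe, as an added example that is not from the thread or from either vendor: a small longest-prefix-match model of the C9300 and firewall routing tables using the addresses posted, with the firewall's ISP next hop as a placeholder. It shows why the reply to a ping from VLAN 10 leaves via the default route until the firewall has static routes for the internal subnets via 192.168.200.253.

```python
import ipaddress

# Constructed model (not the thread's or any vendor's code) of the two routing
# tables described in the post. Entries are (prefix, next_hop); a next_hop of
# None means the prefix is directly connected.
SWITCH_SVI = "192.168.200.253"   # the C9300's Vlan200 address
FIREWALL = "192.168.200.254"     # gateway of last resort on the C9300

SWITCH_RIB = [("0.0.0.0/0", FIREWALL),
              ("192.168.10.0/24", None), ("192.168.200.0/24", None)]

# Firewall as described: only a default toward the ISP plus its own LAN.
# "ISP_NEXT_HOP" is a placeholder; the real public next hop is not on the page.
FW_RIB_BEFORE = [("0.0.0.0/0", "ISP_NEXT_HOP"), ("192.168.200.0/24", None)]

# The accepted fix: one static per internal subnet pointing at the VLAN 200 SVI.
VLAN_SUBNETS = ["192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24",
                "192.168.30.0/24", "192.168.40.0/24", "192.168.50.0/24",
                "192.168.90.0/24", "10.10.100.0/24", "172.16.10.0/24"]
FW_RIB_AFTER = FW_RIB_BEFORE + [(p, SWITCH_SVI) for p in VLAN_SUBNETS]


def lookup(rib, dst):
    """Return the (prefix, next_hop) entry with the longest prefix covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None


def ping_firewall(src, fw_rib):
    """Trace one echo request from the switch and the reply's lookup on the firewall.

    Route lookup only; NAT and firewall policy (points 2 and 3 above) are not modelled.
    """
    fwd = lookup(SWITCH_RIB, FIREWALL)   # request: switch -> .254
    ret = lookup(fw_rib, src)            # reply: firewall -> original source
    # The reply gets back only if the firewall hands it to the switch's VLAN 200
    # SVI or sees the source as directly connected on its own LAN.
    reply_ok = ret is not None and ret[1] in (None, SWITCH_SVI)
    return {"request_via": fwd[1], "reply_route": ret, "reply_ok": reply_ok}


if __name__ == "__main__":
    for src in ("192.168.200.253", "192.168.10.254"):
        print(src, "before:", ping_firewall(src, FW_RIB_BEFORE))
        print(src, "after: ", ping_firewall(src, FW_RIB_AFTER))
```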
