02-26-2019 12:19 PM
I need some assistance figuring out what's happening on the setup in the figure below:
Observation/Description:
ip route 10.23.91.20 255.255.255.255 GigabitEthernet0/0/2.220
ip route 10.23.91.21 255.255.255.255 GigabitEthernet0/0/2.220
Help Needed:
I'm unable to understand why ARP for AP-19 does not work. Does anyone have any explanation for this? Any pointers on how to get ISR to communicate with AP-19 over SW1 would be also appreciated.
Thanks
02-26-2019 12:24 PM
02-26-2019 12:41 PM
Yes, I have the encapsulation dot1q on all sub-interfaces. For example
interface GigabitEthernet0/0/2.90
 encapsulation dot1Q 90
 ip address 10.23.91.253 255.255.254.0
 ip nat inside
 ip pim sparse-mode
 zone-member security Private_Zone
 no cdp enable
My understanding is that from the perspective of an unmanaged switch, which performs no tagging, VLAN tags would be useless.
02-26-2019 12:46 PM - edited 02-26-2019 12:49 PM
You may as well just have one vlan and one IP subnet, as you can see from the routes you added, i.e. it is just one big vlan outside of the router.
You could of course use multiple secondary IPs on the same router interface if you wanted to use multiple subnets but it is still just one vlan.
Jon
02-26-2019 12:43 PM
The first clue to the issue is the arp message about wrong cable. That indicates that the arp request was received on an interface and the source address of the arp request was in a different subnet from the subnet of the interface receiving the arp request. So why is the subnet different? The diagram is clear that the IP of the pc is in the same subnet as the IP of the sub interface. The issue is that the switch connecting them is an unmanaged switch. So when the switch receives the packet from the PC (in this case the arp request) it forwards the frame untagged. So the router receives the arp request not on the sub interface but on the physical interface, which is in a different subnet.
If you want the router to use sub interfaces and vlans then you cannot have unmanaged switches providing connectivity.
HTH
Rick
02-26-2019 01:47 PM
Thanks for your response. Please, I need further clarification if you can. Although I have not shown it, there are a few managed (supporting vlan tagging) switches connected to the SW1 and there are several other vlans whose traffic is being forwarded across SW1. Do you have any explanation as to why an unmanaged switch would forward traffic for some vlans correctly and not for others? Everything else in the network is L2 except the ISR4331 which is routing between all the different subnets. This means all traffic goes through the physical connection at SW1.
Also, what is the explanation for being able to get connectivity to the far-out APs: AP-31, AP-32, AP-20 and AP-21? These have different tags.
02-26-2019 03:16 PM
I do not know enough about your environment to be able to give much good advice. Here are some thoughts which might shed some light on this.
- you show us information about the sub interfaces on G0/0/2. But we do not know anything about how the physical interfaces G0/0/1 and G0/0/2 are configured. Since the physical interfaces are probably the ones that would receive untagged frames their addressing might be significant.
- we do not know anything about SW1, including we do not know what SW1 would do if it received a tagged frame. Would it simply look at the destination mac address and do layer 2 forwarding? Or would it consider the tagged frame to be not legitimate and discard the tagged frame?
- if there are some managed switches that have been configured with vlans and if their uplink is configured as a trunk then it is possible that some of the frames being forwarded to the router might be tagged and received on the appropriate sub interface.
- some of the remote APs are in subnets other than 10.23.91. If proxy arp is enabled on the interfaces on the router then when the remote AP arps for its gateway it is possible that the router responds to the arp request which would enable communication to be successful.
HTH
Rick
03-01-2019 09:32 AM
I finally concluded that the unmanaged switch (SW1) simply forwards any frames it receives (tagged or untagged). The managed switches which support 802.1Q tag their frames before sending to the ISR4331, hence their ability to function without any problem. I spoke with the AP manufacturer, and was shown how to configure the AP to tag its frames properly. Once this was resolved, the AP was able to respond to pings from the ISR.
Your previous explanation covered why the laptop was not reachable as well. SW1 does not perform tagging and the ISR 4331 will not process packets without any of its known encapsulation tags.
Thanks for all contributions and explanations.
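Added example (not part of any post in this thread): a small Python model of the behaviour described in Rick's answer and in the conclusion above, showing which router interface receives an ARP request depending on its 802.1Q tag and when the "wrong cable" subnet check fails. The sub-interface .90 and host 10.23.91.20 are taken from the thread; the physical interface subnet (192.0.2.0/24), the MAC address and VLAN 999 are constructed assumptions.

```python
import ipaddress
import struct

# Sub-interface .90 and its address are from the thread. The physical
# interface's subnet is not shown there; 192.0.2.0/24 is an assumed placeholder.
PHYSICAL = ("GigabitEthernet0/0/2", ipaddress.ip_network("192.0.2.0/24"))
SUBIFS = {90: ("GigabitEthernet0/0/2.90",
               ipaddress.ip_interface("10.23.91.253/23").network)}
HOST_MAC = bytes.fromhex("020000000019")  # constructed, locally administered

def build_arp_request(sender_ip, target_ip, vlan=None, src_mac=HOST_MAC):
    """Build a constructed broadcast ARP request, optionally 802.1Q tagged."""
    frame = b"\xff" * 6 + src_mac
    if vlan is not None:
        frame += struct.pack("!HH", 0x8100, vlan & 0x0FFF)  # TPID, TCI (PCP=0)
    frame += struct.pack("!H", 0x0806)                       # EtherType ARP
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)       # Ethernet/IPv4 request
    frame += src_mac + ipaddress.ip_address(sender_ip).packed
    frame += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed
    return frame

def classify(frame):
    """Return (receiving interface, VLAN ID or None, verdict) for one frame."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan, offset = None, 14
    if ethertype == 0x8100:                  # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    if vlan is None:
        ifname, subnet = PHYSICAL            # untagged lands on the physical port
    elif vlan in SUBIFS:
        ifname, subnet = SUBIFS[vlan]
    else:
        return None, vlan, "dropped: no sub-interface for this VLAN"
    if ethertype != 0x0806:
        return ifname, vlan, "not ARP"
    sender = ipaddress.ip_address(frame[offset + 14:offset + 18])  # ARP SPA
    if sender in subnet:
        return ifname, vlan, "accepted"
    return ifname, vlan, "wrong cable: sender outside interface subnet"

if __name__ == "__main__":
    for tag in (None, 90, 999):
        print(tag, classify(build_arp_request("10.23.91.20", "10.23.91.253", tag)))
```

The same host address is accepted only when the frame carries the tag of the sub-interface whose subnet contains it, which is why configuring the AP to tag its own frames resolved the issue behind a switch that never adds tags.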
03-01-2019 03:06 PM
Thanks for the update. I am glad to know that you have found a way to have the APs tag their frames and that this has solved your issue. I am glad that my explanations were helpful. Thank you for marking this question as solved. This will help other participants to identify discussions that have helpful information.
HTH
Rick