l3 switch not routing traffic out on some vlans

a.kennedy80
Level 1

Hi All

I'm hoping someone here might be able to lend a hand.

Bit of infrastructure background:

So I've got two sites that I've inherited that are linked together via a point to point Virgin link.

The link is fine and clients on both sides can communicate. Routing in general seems fine.

 

For our internet we use a transparent bridge that sits in between our core switches and the firewall.

 

Site 'a' has no servers etc. Clients connect over the link to get to all server infrastructure at site 'b', and this is where our internet connection is.

 

The problem I'm experiencing is that site 'a' has various VLAN setups, so let's say VLANs 104, 114 and 115 can all get out to the internet fine, but VLAN 116 can only get to the internet if I manually insert some proxy details into the browser (the proxy being our transparent bridge). It's as if it doesn't know where to route internet traffic on this particular VLAN.

 

I've looked at the switch configs and for the life of me cannot work out why this is happening, and was hoping someone might be able to offer a hand.

I cannot see any ACLs or route-maps.

Is there anything else I can check?

Would it help if I posted my configs?

 

Any help or advice would be gratefully received.

Thanks

Alan 


16 Replies

Jon Marshall
Hall of Fame

Alan

From a client in a working vlan what does a traceroute to an internet IP show ?

And the same from a non working client.

Note the traceroute might well not complete due to your firewall but it should at least show us if it is getting there.

In addition, assuming you are using private IPs, something must be doing NAT.

What is that device and has it been setup for the non working IP subnets ?

Jon

Hi

A traceroute from both a working VLAN and a non-working VLAN shows it leaving via the gateway of last resort. So they literally go via 10.20.0.2 and then *.*.*, presumably because the next hop is the firewall from there.

I'm honestly not sure about the private IPs. Are you talking about the firewall or when it's leaving site 'a' via the Virgin point to point?

 

The firewall is an ASA. But I don't actually think it's getting that far, as the transparent bridge doesn't show any logs of it attempting to pass through.

Will my configs help?

Alan

Your configs may help but if you are routing between sites then you should see more than one hop in your traceroutes ie. you should see your local switch and then the core switch in the other building.

Are you routing locally on the switch at site A or are all the default gateways on the switch at site B ?

Jon

As I was plugged directly into the switch at site 'a', all I see is it hopping directly to the core switch in the main building, which in turn has the transparent bridge plugged into it, so there wouldn't be any more hops. The next hop would be the firewall, which doesn't show.

Hope that makes sense.

How can I send you my configs? Just upload?

Thanks

Alan

You can add as attachments.

Pinging from the switch is not really what you need to do.

I need you to ping from a client because when you ping from a switch it does not show the first hop.

Jon

Sorry, that was a ping/tracert from a client.

But the client is plugged directly into the L3 switch, which in turn has the Virgin link in it. There was literally one hop.

Hopefully the configs make more sense.

Alan

Okay I am confused.

You said in your traceroute the first hop was 10.20.0.2, but if you are doing a traceroute from a client in site A you would never see that as a hop.

What you should see is 

1) the client's default gateway which should be on the site A switch

then

2) 10.20.0.1 which is the other end of the link

so can you explain ?

Jon

Hi Jon

Apologies, I'm not actually at said site so I'm trying to recall what I actually did see.

The VLAN in question is 116.

So I think I actually saw the first hop being 10.19.116.254, then 10.20.0.1 and then *.*.*

So if I'm connected to VLAN 104 for example the internet is fine, so is 194, but when on 116 I can only get the internet if I manually type a proxy into the browser rather than leaving it transparent.

Alan

Is the proxy server at site B ?

If so then assuming these subnets are meant to have direct access to the internet ie. they are allowed on the firewall then check -

1) has NAT been setup for these subnets ?

2) does the firewall have routes for these subnets ?

Jon
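One way to run Jon's two checks (NAT rule present? route back present?) against an ASA-style config, as an added example that is not from this thread or from Cisco: it parses constructed object-NAT and static-route lines and reports which site A VLAN subnets are covered by each. The /24 subnets, object names and the sample config are assumptions built from the gateway 10.19.116.254 mentioned above.

```python
import ipaddress
import re

# Constructed ASA-style fragment (not the thread's real config): VLANs 104/114/115
# have an object NAT rule and a route back to site A, VLAN 116 has neither.
SAMPLE_CONFIG = """
object network SITEA-VLAN104
 subnet 10.19.104.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network SITEA-VLAN114
 subnet 10.19.114.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network SITEA-VLAN115
 subnet 10.19.115.0 255.255.255.0
 nat (inside,outside) dynamic interface
route inside 10.19.104.0 255.255.255.0 10.20.0.2 1
route inside 10.19.114.0 255.255.255.0 10.20.0.2 1
route inside 10.19.115.0 255.255.255.0 10.20.0.2 1
"""

def parse_asa(config):
    """Collect networks that carry an object NAT rule and networks with a static route."""
    natted, routed, current = [], [], None
    for line in config.splitlines():
        m = re.match(r"\s*subnet (\S+) (\S+)$", line)
        if line.startswith("object network"):
            current = None  # new object block, forget the previous subnet
        elif m:  # 'subnet a.b.c.d mask' inside an 'object network' block
            current = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif re.match(r"\s*nat \(", line) and current is not None:
            natted.append(current)  # NAT rule applies to the enclosing object
        elif m := re.match(r"\s*route \S+ (\S+) (\S+) \S+", line):
            routed.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return natted, routed

def check_subnets(config, client_subnets):
    """Report, per client subnet, whether some NAT rule and some route cover it."""
    natted, routed = parse_asa(config)
    report = {}
    for s in client_subnets:
        net = ipaddress.ip_network(s)
        report[s] = {"nat": any(net.subnet_of(n) for n in natted),
                     "route": any(net.subnet_of(r) for r in routed)}
    return report

# Site A VLAN subnets (assumed /24s, derived from the 10.19.116.254 gateway in the thread)
SITE_A_VLANS = ["10.19.104.0/24", "10.19.114.0/24", "10.19.115.0/24", "10.19.116.0/24"]
```

Running `check_subnets(SAMPLE_CONFIG, SITE_A_VLANS)` flags 10.19.116.0/24 as having neither a NAT rule nor a route, which is exactly the condition that would make only proxied (site B sourced) traffic reach the internet.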

Hi

Yes, the proxy is at site 'b'.

I think the NAT is a very good shout, I will test today.

Thanks for your help

Hello,

What is 10.20.0.1? Is it a firewall? Please share your firewall config. Which IP do you set on your client to test?

Problem might be access-list or NAT on firewall for VLAN IPs.

Replace sensitive information such as user and password and some part of public IP with X.

Masoud,

NAT is a very good shout.

I will test today.

I see another issue in your config. It is unrelated to your problem, but worth mentioning.

You have the same VLAN names on both sites with a trunk interface between them, but you use different IP addresses for each VLAN on your sites. You have VLAN 116 on site A and another VLAN 116 on site B, but with different IPs. It means all L2 traffic generated on VLAN 116 on site A goes to site B with no purpose, because there is no IP in that range, and also from site B to A.

The extra traffic increases your P2P link traffic and also CPU usage on your client.

Masoud

Hi

The reason we have VLAN 116 on both sites is because this VLAN is for BYOD wifi and we run the wifi using the same HiveManager.

We then have them on different subnets so we can identify which site the traffic is coming from, as the web filter we use tags it using the subnet.

Can you think of a better way?

Thanks

Alan