08-16-2019 03:54 AM
Hi everybody;
I have the following scenario (the IPs are fake; this is only an illustrative example):
Laptop ------ WLC -------- Switch 1 ------- CORE

Laptop:
  IP address: 192.168.45.231 255.255.254.0
  GW: 192.168.44.2
  Vlan 44

WLC:
  DHCP pool: 192.168.44.0 255.255.254.0
  GW: 192.168.44.2
  Vlan 44
  Management vlan 10: 192.168.10.90/24
  Default GW for vlan 10: 192.168.10.22/24

Switch 1:
  Int Vlan 44: 192.168.44.2 255.255.254.0
  Int vlan 3: 192.168.3.4/24
  Default route to: 192.168.3.1
  Management vlan 10: 192.168.10.22/24

CORE:
  Int vlan 3: 192.168.3.1/24
From the test laptop I am able to ping its GW 192.168.44.2 and the IP 192.168.3.4, but I am not able to ping the CORE IP address 192.168.3.1.
From Switch 1, obviously, I can ping the IP 192.168.3.1 of the Core, and I can even ping 192.168.3.1 with source 192.168.44.2.
On Switch 1 I use this static route for the return traffic (routing to return the WLC traffic):
ip route 192.168.44.0 255.255.254.0 192.168.10.90
On the Core I use this static route:
ip route 192.168.44.0 255.255.254.0 192.168.3.4
What's wrong? Did I forget something? In this case I only use static routes.
08-16-2019 04:35 AM
Hello pozoteleco,
you have a WiFi portion of the network and a wired portion of the network.
Can you tell us how the AP communicates with the WLC?
Is the AP using an IP in the 192.168.10.0/24 subnet and a CAPWAP tunnel to send user frames to the WLC?
If this is the case, the user traffic exits from the WLC after de-encapsulation of CAPWAP.
For Switch 1, WiFi users are directly connected on VLAN 44 and their MAC addresses are learned via the WLC port in Vlan 44.
You can check this with show ip arp 192.168.45.231 on Switch 1; it should show the laptop MAC address learned in Vlan 44 via the port connecting to the WLC.
If this is the case, you don't need the following static route on Switch 1, because this subnet is directly connected on Vlan 44, as the SVI config suggests:
>> ip route 192.168.44.0 255.255.254.0 192.168.10.90
Hope to help
Giuseppe
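As an added example (not part of Giuseppe's reply or of the original post), here is a small Python model of the route tables the thread describes. The addresses are the post's example addresses; the per-device tables are an assumption reconstructed from the SVIs and static routes listed above. It shows longest-prefix match with the administrative-distance tie-break, why the static route for 192.168.44.0/23 on Switch 1 can never be used (the connected Vlan 44 route with AD 0 always wins over a static route with AD 1), and the hop-by-hop forward and return path of the laptop's ping to 192.168.3.1, which resolves cleanly with these tables:

```python
import ipaddress

# Constructed model of the topology in the post. Addresses are the example
# addresses given there; the per-device tables are an assumption reconstructed
# from the described SVIs and static routes. Each route is
# (prefix, next_hop or None for a connected route, administrative distance),
# with IOS-style ADs: connected 0, static 1. The laptop is modelled as a host
# that only has a default gateway.
ROUTES = {
    "laptop": [
        ("0.0.0.0/0", "192.168.44.2", 1),         # default gateway
    ],
    "switch1": [
        ("192.168.44.0/23", None, 0),             # int Vlan 44 (connected)
        ("192.168.3.0/24", None, 0),              # int Vlan 3 (connected)
        ("192.168.10.0/24", None, 0),             # management Vlan 10 (connected)
        ("192.168.44.0/23", "192.168.10.90", 1),  # the static route from the post
        ("0.0.0.0/0", "192.168.3.1", 1),          # default route to the core
    ],
    "core": [
        ("192.168.3.0/24", None, 0),              # int Vlan 3 (connected)
        ("192.168.44.0/23", "192.168.3.4", 1),    # return route to the WLC subnet
    ],
}

# Interface addresses per device, used to resolve where a next hop lands.
ADDRESSES = {
    "laptop": {"192.168.45.231"},
    "switch1": {"192.168.44.2", "192.168.3.4", "192.168.10.22"},
    "core": {"192.168.3.1"},
}


def lookup(device, dst):
    """Longest-prefix match; on equal prefix length the lowest AD wins.
    Returns the winning (prefix, next_hop, ad) tuple, or None."""
    addr = ipaddress.ip_address(dst)
    best_key, best = None, None
    for prefix, nh, ad in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -ad)
            if best_key is None or key > best_key:
                best_key, best = key, (prefix, nh, ad)
    return best


def owner(addr):
    """Device that owns an interface address, or None."""
    for dev, addrs in ADDRESSES.items():
        if addr in addrs:
            return dev
    return None


def shadowed_static_routes(device):
    """Static routes that can never be selected because a connected route
    with the same prefix exists on the device (AD 0 beats AD 1)."""
    connected = {p for p, nh, ad in ROUTES[device] if nh is None}
    return [(p, nh, ad) for p, nh, ad in ROUTES[device] if nh is not None and p in connected]


def trace(start, dst, max_hops=8):
    """Walk the tables hop by hop from `start` until the device owning `dst`
    is reached. Returns the list of devices visited; raises on a black hole."""
    path, dev = [start], start
    for _ in range(max_hops):
        if dst in ADDRESSES[dev]:
            return path
        route = lookup(dev, dst)
        if route is None:
            raise RuntimeError(f"{dev}: no route to {dst}")
        prefix, nh, _ad = route
        # Connected route: the destination itself must sit on that segment.
        # Recursive route: hand the packet to whoever owns the next-hop address.
        nxt = owner(dst) if nh is None else owner(nh)
        if nxt is None:
            raise RuntimeError(f"{dev}: cannot resolve {dst if nh is None else nh} on {prefix}")
        path.append(nxt)
        dev = nxt
    raise RuntimeError("hop limit exceeded (routing loop?)")


if __name__ == "__main__":
    print("switch1 uses for 192.168.45.231:", lookup("switch1", "192.168.45.231"))
    print("shadowed statics on switch1:", shadowed_static_routes("switch1"))
    print("laptop -> 192.168.3.1:", " -> ".join(trace("laptop", "192.168.3.1")))
    print("core -> 192.168.45.231:", " -> ".join(trace("core", "192.168.45.231")))
```

Run it and the two traces come out as laptop -> switch1 -> core and core -> switch1 -> laptop, with the 192.168.10.90 static listed as shadowed. The model deliberately knows nothing about ACLs, host firewalls or the CAPWAP path between AP and WLC, which is exactly why a clean result here points the troubleshooting at those layers rather than at the route tables.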
08-16-2019 06:49 AM
08-16-2019 09:40 AM
Hello pozoteleco,
your routing entry on the Core switch looks correct:
>> S 192.168.44.0/23 [1/0] via 192.168.3.4
For the core switch there is no difference between a wired host and a WiFi host, and the same goes for Switch 1.
Try to put a wired client in Vlan 44 connected to Switch 1 and see if routing is working for it.
Check the PC default gateway settings using
route print in a Windows shell.
Check also if there is a firewall active on the laptop (but it should then also block the pings to 192.168.3.4).
Hope to help
Giuseppe
08-16-2019 05:17 PM
08-17-2019 01:53 AM - edited 08-17-2019 01:55 AM
Hello pozoteleco,
you can easily discover if an ACL is applied on the core switch on the SVI Vlan3:
show run int vlan3
or
show ip int vlan3
Hope to help
Giuseppe
08-19-2019 01:20 AM
08-19-2019 01:30 AM
Hello pozoteleco,
the extended ACL is not blocking traffic coming from subnet 192.168.44.0/23, thanks to the permit ip any any statement.
There are no explicit deny statements before it for the 192.168.44.0/23 subnet.
Is it applied inbound?
I mean:
int Vlan 3
ip access-group ACL_Security_Filter in
Hope to help
Giuseppe
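As an added example (not part of the thread), the following Python code evaluates IOS-style extended ACL entries the way the reasoning above does: first matching entry wins, a trailing permit ip any any lets everything else through, and with no match the implicit deny at the end applies. The ACL text is constructed, since the contents of ACL_Security_Filter are not shown in the thread; only the name is taken from the post and the entries are an assumption made to exercise the evaluator. The packet checked is the laptop's echo request as it enters int Vlan 3 on the core, which is what an inbound ACL on that SVI would see:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed ACL text in IOS extended syntax. The thread's ACL_Security_Filter
# contents are not shown; only the name comes from the post, the entries below
# are an assumption invented to exercise the evaluator.
ACL_TEXT = """
ip access-list extended ACL_Security_Filter
 remark block a quarantined subnet before anything else
 deny ip 192.168.50.0 0.0.0.255 any
 permit tcp any host 192.168.3.1 eq 22
 permit ip any any
"""

# Same idea without the trailing permit ip any any: anything not explicitly
# permitted then falls through to the implicit deny at the end of the list.
STRICT_ACL_TEXT = """
ip access-list extended ACL_Strict
 permit tcp any host 192.168.3.1 eq 22
"""

ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp", ...
    src: tuple             # (address as int, wildcard as int)
    dst: tuple
    dport: Optional[int]   # only a destination "eq <port>" is parsed here


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tok[i].
    Returns ((addr, wildcard), index of the next token)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tok[i])), int(ipaddress.ip_address(tok[i + 1]))), i + 2


def parse_acl(text):
    """Turn the text of a named extended ACL into an ordered list of Ace."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark", "!"):
            continue  # header line, remark or IOS comment
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(tok[0], tok[1], src, dst, dport))
    return aces


def _matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    This also handles discontiguous wildcards, which a prefix-length model cannot."""
    base, wild = spec
    return (int(ipaddress.ip_address(addr)) | wild) == (base | wild)


def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry decides; no match means the implicit deny.
    Returns (action, index of the matching Ace, or None for the implicit deny)."""
    for idx, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(ace.src, src) and _matches(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Echo request from the laptop arriving on the core's int Vlan 3 (ACL applied "in").
    print(evaluate(acl, "icmp", "192.168.45.231", "192.168.3.1"))  # permitted by permit ip any any
    print(evaluate(acl, "icmp", "192.168.50.5", "192.168.3.1"))    # stopped by the first-match deny
    print(evaluate(parse_acl(STRICT_ACL_TEXT), "icmp", "192.168.45.231", "192.168.3.1"))  # implicit deny
```

Pasting the real output of show run int vlan3 into ACL_TEXT (or the ACL body from show access-lists) and evaluating the actual source and destination is a quick way to confirm what the reply states: unless an explicit deny that covers 192.168.44.0/23 sits above the permit ip any any, the ACL is not what drops the ping. Note that the evaluator ignores established/log keywords and port operators other than eq, so extend it before relying on it for a richer ACL.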
08-19-2019 06:22 AM
Yes, but anyway it's still not working.
I tried to connect my laptop directly to Switch 1 with IP address 192.168.45.231/23 and gateway 192.168.44.2. On Switch 1, the interface I connected the laptop to is in access mode, VLAN 44. I am able to ping the gateway 192.168.44.2, and from Switch 1 I am able to ping the address 192.168.45.231. At this step, everything is working fine.
Step 2: I tried to ping 192.168.3.4 (interface Vlan 3 of Switch 1). I am able to ping it, and the same from Switch 1 with a sourced ping.
Step 3: I tried to ping 192.168.3.1 (interface Vlan 3 of the Core). I am not able to, impossible... the same from the opposite side...
I disabled the ACL to try it. And nothing works...
I think I will open a case with Cisco TAC.