Question about my routing topology - Did I forget something?? (Static routes)

pozoteleco
Level 1

Hi everybody;

 

I have the following scenario (IPs are fake, this is only an illustrative example):

 

    Laptop ------ WLC ------ Switch 1 ------ CORE

Laptop:
    IP address 192.168.45.231, mask 255.255.254.0
    GW 192.168.44.2
    Vlan 44

WLC:
    DHCP pool 192.168.44.0, mask 255.255.254.0, GW 192.168.44.2 (Vlan 44)
    Management vlan 10: 192.168.10.90/24
    Default GW for vlan 10: 192.168.10.22/24

Switch 1:
    Int Vlan 44: 192.168.44.2, mask 255.255.254.0
    Int vlan 3: 192.168.3.4/24
    Default route to: 192.168.3.1
    Management vlan 10: 192.168.10.22/24

CORE:
    Int vlan 3: 192.168.3.1/24

 

From the test laptop I am able to ping its GW 192.168.44.2 and the IP 192.168.3.4, but I am not able to ping the CORE IP address 192.168.3.1.

 

From Switch 1, obviously I can ping the Core IP 192.168.3.1, and I can even ping 192.168.3.1 with source 192.168.44.2.

 

 

On switch 1 i use this static route for the return of traffic:

routing to return WLC traffic:

ip route 192.168.44.0 255.255.254.0 192.168.10.90

 

On Core i use this static route:

ip route 192.168.44.0 255.255.254.0 192.168.3.4

 

What's wrong? Did I forget something? In this case I only use static routes.

 


Giuseppe Larosa
Hall of Fame

Hello pozoteleco,

You have a WIFI portion of the network and a wired portion of the network.

 

Can you tell us how the AP communicates with the WLC?

Is the AP using an IP in the 192.168.10.0/24 subnet and using a CAPWAP tunnel to send user frames to the WLC?

 

If this is the case, the user traffic exits from the WLC after de-encapsulation of CAPWAP.

 

For switch 1 WIFI users are directly connected on VLAN 44 and their MAC addresses are learned via the WLC port in Vlan 44.

You can check this with show ip arp 192.168.45.231 on switch1; it should show the laptop MAC address learned in Vlan 44 via the port connecting to the WLC.

 

If this is the case you don't need the following static route on switch1, because this subnet is directly connected on Vlan 44, as the SVI config suggests.

 

>> ip route 192.168.44.0 255.255.254.0 192.168.10.90

 

Hope to help

Giuseppe
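To make the point about the superfluous static route concrete, here is an added example (not from the thread or from either participant) that models the three routing hops with the addresses given in the question and applies the IOS route-selection rule: longest prefix first, then lowest administrative distance. The device names, the laptop interface name wlan0 and the trace helper are constructed for the example; the WLC is left out as a routing hop because, as discussed above, it bridges the de-encapsulated CAPWAP frames into Vlan 44.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Administrative distance as IOS uses it: a connected prefix always beats a static
# prefix of the same length, so the extra static route on switch1 never takes effect.
AD = {"connected": 0, "static": 1}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    source: str             # "connected" or "static"
    via: Optional[str]      # next-hop IP for static routes, None for connected
    iface: Optional[str]    # outgoing SVI for connected routes


@dataclass
class Device:
    name: str
    addrs: Dict[str, str] = field(default_factory=dict)   # iface -> "a.b.c.d/len"
    rib: List[Route] = field(default_factory=list)

    def add_connected(self, iface: str, cidr: str) -> None:
        self.addrs[iface] = cidr
        self.rib.append(Route(ipaddress.ip_interface(cidr).network, "connected", None, iface))

    def add_static(self, cidr: str, via: str) -> None:
        self.rib.append(Route(ipaddress.ip_network(cidr), "static", via, None))

    def owns(self, ip: str) -> bool:
        return any(ipaddress.ip_interface(c).ip == ipaddress.ip_address(ip)
                   for c in self.addrs.values())

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix match first, then lowest administrative distance."""
        cands = [r for r in self.rib if ipaddress.ip_address(dst) in r.prefix]
        if not cands:
            return None
        return min(cands, key=lambda r: (-r.prefix.prefixlen, AD[r.source]))


def build_topology() -> Dict[str, Device]:
    """Constructed model using the addresses from the question (device names are assumed)."""
    laptop = Device("laptop")
    laptop.add_connected("wlan0", "192.168.45.231/23")
    laptop.add_static("0.0.0.0/0", "192.168.44.2")

    sw1 = Device("switch1")
    sw1.add_connected("Vlan44", "192.168.44.2/23")
    sw1.add_connected("Vlan3", "192.168.3.4/24")
    sw1.add_connected("Vlan10", "192.168.10.22/24")
    sw1.add_static("0.0.0.0/0", "192.168.3.1")
    sw1.add_static("192.168.44.0/23", "192.168.10.90")   # the static route that is not needed

    core = Device("core")
    core.add_connected("Vlan3", "192.168.3.1/24")
    core.add_static("192.168.44.0/23", "192.168.3.4")
    return {d.name: d for d in (laptop, sw1, core)}


def owner_of(devices: Dict[str, Device], ip: str) -> Optional[Device]:
    for d in devices.values():
        if d.owns(ip):
            return d
    return None


def trace(devices: Dict[str, Device], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hop-by-hop forwarding decision, each hop consulting its own RIB."""
    path, cur = [start], devices[start]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path
        route = cur.lookup(dst)
        if route is None:
            return path + ["no route"]
        next_hop = dst if route.source == "connected" else route.via
        nxt = owner_of(devices, next_hop)
        if nxt is None:
            return path + [f"unresolved next hop {next_hop}"]
        path.append(nxt.name)
        cur = nxt
    return path + ["hop limit"]


if __name__ == "__main__":
    net = build_topology()
    best = net["switch1"].lookup("192.168.45.231")
    print("switch1 chooses the", best.source, "route on", best.iface)
    print("laptop -> core:", trace(net, "laptop", "192.168.3.1"))
    print("core -> laptop:", trace(net, "core", "192.168.45.231"))
```

Running it shows switch1 forwarding the return traffic for 192.168.45.231 over the connected Vlan44 route, with the static route via 192.168.10.90 never selected, and both directions of the laptop/core path resolving cleanly; in other words, the routing tables as posted are sufficient, which matches the suggestion to look elsewhere for the fault.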

 

You are right, the APs are connecting through a CAPWAP tunnel. All traffic comes from the WLC.

On the other hand, yes, I am able to see the IP and the MAC address of the laptop in Switch 1. I am even able to ping the laptop's IP address. But if I try to do it from the Core, it is not possible.

In the Core I have the ip route 192.168.44.0 255.255.254.0 192.168.3.4:
S 192.168.44.0/23 [1/0] via 192.168.3.4

Hello pozoteleco,

Your routing entry on the Core switch looks correct:

 

>> S 192.168.44.0/23 [1/0] via 192.168.3.4

 

For the core switch there is no difference between a wired host and a WIFI host. The same is true for switch1.

Try to put a wired client in Vlan 44 connected to switch1 and see if routing is working on it.

 

Check the PC default gateway settings using

route print in the Windows shell.

 

Check also whether there is a firewall active on the laptop (but it should also block the pings to 192.168.3.4).

 

Hope to help

Giuseppe

 

I simulated the scenario in GNS3 and everything is working fine, as I expected. Could it be access-list policies??

Thank you so much for your help.

Hello pozoteleco,

You can easily discover if an ACL is applied on the core switch on SVI Vlan3:

 

show run int vlan3

 

or

show ip int vlan3

 

Hope to help

Giuseppe

 

There is an access-list, but I don't think it is involved in the problem:

ip access-list extended ACL_Security_Filter
permit udp 192.168.10.224 0.0.0.31 host 192.168.10.4 eq ntp
permit udp 192.168.10.224 0.0.0.31 host 192.168.3.2 eq ntp
permit udp 192.168.10.224 0.0.0.31 host 10.102.13.1 eq ntp
permit udp 192.168.10.224 0.0.0.31 host 10.102.14.1 eq ntp
permit udp 192.168.10.224 0.0.0.31 host 192.168.50.2 eq ntp
permit udp 192.168.10.224 0.0.0.31 host 10.102.114.1 eq ntp
deny udp any host 192.168.10.4 eq ntp
deny udp any host 192.168.3.2 eq ntp
deny udp any host 10.102.13.1 eq ntp
deny udp any host 10.102.14.1 eq ntp
deny udp any host 192.168.50.2 eq ntp
deny udp any host 10.102.114.1 eq ntp
permit ip any any
permit icmp any any
permit igmp any any
!

Hello pozoteleco,

The extended ACL is not blocking traffic coming from subnet 192.168.44.0/23, thanks to the permit ip any any statement.

There are no explicit deny statements before it for the 192.168.44.0/23 subnet.

 

Is it applied inbound?

I mean

int Vlan 3

ip access-group ACL_Security_Filter in

 

Hope to help

Giuseppe
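To check that reading of the ACL mechanically, here is an added example (not from the thread or from either participant) that parses the ACL_Security_Filter lines exactly as posted above and evaluates them with IOS first-match semantics, wildcard masks and the implicit deny at the end. It also flags entries that can never match. The evaluator is a simplified model constructed for this example: it understands only the syntax this ACL uses (any, host, address plus wildcard, eq with a port name or number) and knows the single port keyword ntp.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copy of the ACL posted in the thread, embedded here as the example's input.
ACL_TEXT = """\
ip access-list extended ACL_Security_Filter
 permit udp 192.168.10.224 0.0.0.31 host 192.168.10.4 eq ntp
 permit udp 192.168.10.224 0.0.0.31 host 192.168.3.2 eq ntp
 permit udp 192.168.10.224 0.0.0.31 host 10.102.13.1 eq ntp
 permit udp 192.168.10.224 0.0.0.31 host 10.102.14.1 eq ntp
 permit udp 192.168.10.224 0.0.0.31 host 192.168.50.2 eq ntp
 permit udp 192.168.10.224 0.0.0.31 host 10.102.114.1 eq ntp
 deny udp any host 192.168.10.4 eq ntp
 deny udp any host 192.168.3.2 eq ntp
 deny udp any host 10.102.13.1 eq ntp
 deny udp any host 10.102.14.1 eq ntp
 deny udp any host 192.168.50.2 eq ntp
 deny udp any host 10.102.114.1 eq ntp
 permit ip any any
 permit icmp any any
 permit igmp any any
"""

PORT_NAMES = {"ntp": 123}      # only the port keyword this ACL uses (assumption for the model)
ANY = (0, 0xFFFFFFFF)          # base 0 with an all-ones wildcard matches every address

AddrSpec = Tuple[int, int]     # (base address, wildcard mask) as integers


@dataclass
class Ace:
    line: int                  # 1-based position of the entry in the ACL
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]


def _addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return PORT_NAMES.get(name, None) or int(name), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces, n = [], 0
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                       # skip the header line and blanks
        n += 1
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(n, tok[0], tok[1], src, sport, dst, dport))
    return aces


def _in(spec: AddrSpec, ip: int) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (base & care)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry decides; no match means the implicit deny (line None)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if not (_in(a.src, s) and _in(a.dst, d)):
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, a.line
    return "deny", None


def unreachable(aces: List[Ace]) -> List[int]:
    """Entries after an 'ip any any' entry with no port qualifiers can never be hit."""
    hidden = []
    for i, a in enumerate(aces):
        if any(b.proto == "ip" and b.src == ANY and b.dst == ANY
               and b.sport is None and b.dport is None for b in aces[:i]):
            hidden.append(a.line)
    return hidden


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("laptop ping to core:", evaluate(acl, "icmp", "192.168.45.231", "192.168.3.1"))
    print("NTP from Vlan 44 host:", evaluate(acl, "udp", "192.168.44.10", "192.168.10.4", dport=123))
    print("never matched:", unreachable(acl))
```

The ICMP echo from the laptop to 192.168.3.1 falls through the twelve UDP/NTP entries and is permitted by line 13 (permit ip any any), which is the reasoning given above; the only traffic the ACL denies is NTP to the listed servers from sources outside 192.168.10.224/27. The last two entries (permit icmp any any, permit igmp any any) are reported as unreachable because line 13 already matches everything, so they are harmless but dead configuration.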

 

Yes, anyway it's still not working.

I tried to connect my laptop directly to Switch 1 with IP address 192.168.45.231/23 and gateway 192.168.44.2. In switch 1, the interface I have connected the laptop to is in mode access vlan 44. I am able to ping the gateway 192.168.44.2, and from switch 1 I am able to ping the 192.168.45.231 address. In this step, everything is working fine.

Step 2: I tried to ping 192.168.3.4 (int vlan 3 of switch 1). I am able to ping it, and the same from switch 1 with a source ping.

Step 3: I tried to ping 192.168.3.1 (int vlan 3 of Core). I am not able to, impossible... the same from the opposite side...
I disabled the ACL to try it, and nothing works...

I think I will open a case with Cisco TAC.

 
