Routing: LAN Uplink routing issue.

jamesallen36
Level 1

Hi all,

I have finished creating a new layer 3 switching environment at work which is working well but is not considered production yet. While we are not ready to fully cut over to the new LAN, we do need to make that network accessible from the current production LAN. It appears that I have the new LAN partially accessible but only one direction.

Symptoms -

  1. From the legacy network, I am able to ping any IP within the new LAN
  2. From a switch in the new LAN, I can ping any address in the legacy LAN
  3. From a host within a VLAN on the new network, I CANNOT ping hosts by IP in the legacy network. Traceroute tests never pass the switch.

Legacy network -

192.137.0.0 /23

I have the routes for all new networks added in our existing gateway which happens to be an IPCop device. The IPCop device has an IP of 192.137.0.152.

New Network -

192.168.0.0 /21

My new LAN switch that I am uplinking into the legacy network -

  • IP Routing is turned up obviously since all of the VLANs are working.
  • I configured the Legacy VLAN on the new switch with a VLAN interface which is 192.137.0.35.
  • I configured an interface within the Legacy VLAN on the new switch, so now I can ping 192.137.0.35.
  • Then I set the default route on the new switch to the IPCop gateway of 192.137.0.152. (ip route 0.0.0.0 0.0.0.0 192.137.0.152)

So in theory it seems like everything is almost working but for some reason hosts within any new VLAN in the new switch are not being passed into the legacy network.

Can anyone shed some light on what I am missing? It is probably something stupid I am overlooking.

20 Replies

This is just one switch with the config, although I have another switch running HSRP on all of the VLAN interfaces. When I am about ready to do the cutover to the new LAN altogether, I plan to switch to just using the StackWise cables instead of HSRP, so that would go away. But for now, I didn't think that my HSRP config would cause any issues.

The ports that have trunking enabled on them, even though they are members of a VLAN, are ports configured on non-routable VLANs for iSCSI storage. Per EMC's instructions, they wanted those ports set up as trunks.

Yes, that VLAN 110 is the only VLAN on the dumb switches although for them they obviously don't have a VLAN number assigned but it is a flat network there. VLAN 110 is just defined from the new switch and it is linked into that network. Port Gi1/0/24 is the only port in VLAN 110 and is plugged directly into the flat legacy network with a crossover cable directly into one of the dumb switches.

Also, I ran the sh arp command and the switch has a record of the addresses and MACs I am trying to reach and displays them in the correct VLAN even though they are out in the unmanaged VLAN network. So this is why the switch can ping them, but if this is a valid VLAN, why can't I get to the hosts except from the switch directly? Weird!

Mar  1 03:05:47.738: %SYS-5-CONFIG_I: Configured from console by consolearp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.137.0.5             0   1078.d2e9.a0ae  ARPA   Vlan110
Internet  192.137.0.35            -   70ca.9ba2.43c6  ARPA   Vlan110
Internet  192.137.0.132           0   70f3.9514.c0e4  ARPA   Vlan110
Internet  192.137.0.152           0   0004.7611.aaee  ARPA   Vlan110
Internet  192.137.0.170           0   782b.cb22.fae9  ARPA   Vlan110
Internet  192.137.1.95            0   70f3.9514.c127  ARPA   Vlan110
Internet  192.168.1.1             -   70ca.9ba2.43c1  ARPA   Vlan101
Internet  192.168.1.2            10   70ca.9b2d.8d41  ARPA   Vlan101
Internet  192.168.1.15           16   0050.568e.19a7  ARPA   Vlan101
Internet  192.168.1.50            3   14fe.b5cb.70cd  ARPA   Vlan101
Internet  192.168.1.51            3   14fe.b5cb.75cb  ARPA   Vlan101
Internet  192.168.1.52            3   14fe.b5cb.778d  ARPA   Vlan101
Internet  192.168.1.100           0   14fe.b5cb.7166  ARPA   Vlan101
Internet  192.168.1.101           0   14fe.b5cb.6e96  ARPA   Vlan101
Internet  192.168.1.187           0   5cff.3506.7539  ARPA   Vlan101
Internet  192.168.1.254           -   0000.0c07.ac01  ARPA   Vlan101
Internet  192.168.8.1             -   70ca.9ba2.43c2  ARPA   Vlan102
Internet  192.168.8.254           -   0000.0c07.ac02  ARPA   Vlan102
Internet  192.168.16.1            -   70ca.9ba2.43c3  ARPA   Vlan103
Internet  192.168.16.254          -   0000.0c07.ac03  ARPA   Vlan103
Internet  192.168.40.1            -   70ca.9ba2.43c4  ARPA   Vlan106
Internet  192.168.40.254          -   0000.0c07.ac06  ARPA   Vlan

Can you verify whether there is a default gateway configured on these hosts?

James Allen wrote:

Posting a diagram per Darren's request -

http://i117.photobucket.com/albums/o49/0xploit/RoutingIssue-1.jpg

Trying to get the routing tables and other stuff as well.

James.

OK, looking at this, your "legacy" network is run via a dumb switch, which means that the ONLY way for devices on this network to communicate to your other networks is via the IPCop device, because the IPCop device is the default router for these hosts.

Which means your IPCop device *must* be able to communicate with the "new" networks via the link on the new layer 3 switch. The IPCop device has to have a route to ALL the subnets on the other side of the link to the new network - in a Cisco world (I've never heard of IPCop, so I have no idea who makes it or how to configure it) you'd need something like this on the IPCop device

ip route 192.168.0.0 255.255.248.0 192.137.0.35

ip route 192.168.8.0 255.255.248.0 192.137.0.35

etc etc for *every* subnet you have defined as an SVI in your new switch. You could then add a default route on your new switch pointing to the IPCop device allowing internet access.

I'm with the other guys regarding your HSRP configurations - I can't see why you need them when you've only got one switch (HSRP is about providing a redundant router - which you can't really do with only one layer 3 device), so you're only adding overhead to the switch by running processes which aren't needed - I'd delete that configuration unless you plan on putting in a separate layer 3 switch to run the second HSRP node for each VLAN SVI on.

I think the lack of communication between your "legacy" network and the "new" networks comes down to the fact that anything connected to the "dumb" switches on the legacy network will be trying to route to them via the IPCop device - and unless it knows where to forward the packets, they'll just get dropped. The ability to ping to the legacy network from the Cisco switch is because you *have* an IP address in the legacy network which will be used as the source for the PING, so the devices will know how to return packets to it - if you tried (from the Cisco switch) to ping a host on the legacy network but used one of the SVI IP addresses as the source (ping source ), I expect that would fail as well.

Cheers.

jyoung
Level 1

Jim,

You see the ARPs because the switch has an address in the legacy LAN and therefore has layer 2 connectivity to the legacy LAN. From your new LAN subnets you cannot ping the legacy LAN because the legacy LAN has no clue where to send the replies. You have to add static routes for the new subnets into IPCop to be able to communicate with the legacy LAN. Have you added the routes in IPCop? IPCop is a Linux based proxy server. Here is the static route for command line Linux: "route add -net 192.168.55.0 netmask 255.255.255.0 gw 192.168.1.254 dev eth1". You will need to add a route for each new subnet to the new switch IP.

FYI: You shouldn't route to another IP in the same subnet because it sends unnecessary ICMP redirects back to each host every time it uses the route. It will work temporarily though.

Sent from Cisco Technical Support iPhone App
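The return-path problem described in the two replies above (the legacy hosts hand every off-subnet reply to IPCop, which has no route back to the new VLANs) can be reproduced with a small longest-prefix-match simulation. This is an added example, not code from the thread or from any of the posters; the addresses are the ones quoted in the thread, while the contents of each routing table are an assumption about what the boxes hold before and after the suggested static routes.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses come from the thread;
# the routing tables are assumptions about what each device holds.
IPCOP = "192.137.0.152"        # default gateway of the legacy hosts
SWITCH_SVI = "192.137.0.35"    # legacy-VLAN SVI on the new layer 3 switch
NEW_SUBNETS = ["192.168.0.0/21", "192.168.8.0/21",
               "192.168.16.0/21", "192.168.40.0/21"]

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)]; None means no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]

# "connected": directly attached subnet, delivered on the wire without a router.
LEGACY_HOST = [("192.137.0.0/23", "connected"), ("0.0.0.0/0", IPCOP)]
IPCOP_BEFORE = [("192.137.0.0/23", "connected"), ("0.0.0.0/0", "internet")]
IPCOP_AFTER = IPCOP_BEFORE + [(p, SWITCH_SVI) for p in NEW_SUBNETS]
SWITCH = [(p, "connected") for p in NEW_SUBNETS] + \
         [("192.137.0.0/23", "connected"), ("0.0.0.0/0", IPCOP)]

def forward_path(dst):
    """Echo request from a host on a new VLAN; the switch is its gateway."""
    hop = lookup(SWITCH, dst)
    return ["switch", "delivered"] if hop == "connected" else ["switch", hop]

def reply_path(reply_dst, ipcop_table):
    """Echo reply from a legacy host; the legacy LAN is a flat dumb switch."""
    hop = lookup(LEGACY_HOST, reply_dst)
    if hop == "connected":
        return ["delivered"]               # same /23: answered at layer 2
    nh = lookup(ipcop_table, reply_dst)    # hop is IPCop, so IPCop decides
    if nh == SWITCH_SVI:
        return [IPCOP, SWITCH_SVI, "delivered"]
    return [IPCOP, "lost"]                 # default route or no route: dropped

if __name__ == "__main__":
    print(forward_path("192.137.0.5"))               # request gets there
    print(reply_path("192.168.1.15", IPCOP_BEFORE))  # reply is lost
    print(reply_path("192.168.1.15", IPCOP_AFTER))   # reply comes back
    print(reply_path(SWITCH_SVI, IPCOP_BEFORE))      # why the switch can ping
```

The last call shows why pinging from the switch works even without the routes: the reply is addressed to 192.137.0.35, which sits inside the legacy /23 and never needs IPCop.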

jamesallen36
Level 1

Thanks to everyone for all the help. I think the IPCop device has been screwing me this whole time but I ended up finding a workable solution in the end here.

I pointed hosts to my new switch as their gateway (before it was the IPCop) and then I added a default route on the switch that points to the IPCop. Now I am able to get to all of the new VLANs, the legacy network and the internet, so all is good.

Thanks again to everyone for the help.
