Why Extended PING Only

JKwan
Level 1

I use two L3 switches for connecting two sites on MPLS. Each switch has a GE port configured as a routed interface connecting to a CE from the provider. OSPF routing appears to be working. Endpoint computers of one location can see those of the other. We can even transfer files from one computer to another over the MPLS circuit.

From the console port of the 3750 switch in Site 1, I am able to ping the VLAN1 interface of the switch in Site 2. However, I cannot ping any endpoint computers there unless I use the extended PING command and specify the VLAN1 interface IP of the 3750 as source. What puzzles me more is that the 3650 switch in Site 2 does not have this problem. I am able to ping any computers in Site 1 over the WAN link with no issues.

Did I make any mistakes in the configuration? Is there any way to avoid the use of extended ping on the Cisco 3750?

 

Here is the config for each:

 

Site 1 - Cisco 3750 Switch

!
ip routing
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1/0/2
no switchport
ip address 10.10.100.106 255.255.255.252
!
interface Vlan1
ip address 172.20.5.1 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.10.100.104 0.0.0.3 area 0
network 172.20.5.0 0.0.0.255 area 0
!
ip classless
!

 

Site 2 - Cisco 3650 Switch

!
ip routing
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1/0/2
no switchport
ip address 10.10.200.106 255.255.255.252
!
interface Vlan1
ip address 172.20.2.10 255.255.255.0
!
router ospf 1
network 2.2.2.2 0.0.0.0 area 0
network 10.10.200.104 0.0.0.3 area 0
network 172.20.2.0 0.0.0.255 area 0
!

11 Replies

balaji.bandi
Hall of Fame

Can you post the full configuration and the show ip route output from the 3750?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

See below for the full config and sh ip route results.

 

Site 1 - Config

Using 1642 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Site1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$zWsK$7e5J5eOLqI.ejwGbvZBjM/
enable password Cisco
!
!
!
no aaa new-model
switch 1 provision ws-c3750g-12s
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-4133154048
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4133154048
revocation-check none
rsakeypair TP-self-signed-4133154048
!
!
crypto pki certificate chain TP-self-signed-4133154048
certificate self-signed 01 nvram:IOS-Self-Sig#3838.cer
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
no switchport
ip address 10.10.100.106 255.255.255.252
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface Vlan1
ip address 172.20.5.1 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.10.100.104 0.0.0.3 area 0
network 172.20.5.0 0.0.0.255 area 0
!
ip classless
ip http server
ip http secure-server
!
!
!
!
vstack
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end

 

 

Site 2 - Config

Using 4349 out of 2097152 bytes
!
! Last configuration change at 18:17:34 UTC Fri Dec 13 2019
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname Site2
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$cPLE$3pDQerptPWf6EgQ.0Oy8/
enable password 7 1407015A0F05242A372132
!
no aaa new-model
switch 1 provision ws-c3650-24ts
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3780696503
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3780696503
revocation-check none
rsakeypair TP-self-signed-3780696503
!
!
crypto pki certificate chain TP-self-signed-3780696503
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
username s2admin password 7 0216170ABCD08070120708
!
redundancy
mode sso
!
!
transceiver type all
monitoring
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
speed 1000
negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
no switchport
ip address 10.10.200.106 255.255.255.252
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 172.20.2.10 255.255.255.0
!
router ospf 1
network 2.2.2.2 0.0.0.0 area 0
network 10.10.200.104 0.0.0.3 area 0
network 172.20.2.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.20.2.1
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
line vty 5 15
password 7 0212370A080701205F4708
login
!
!
!
!
!
!
!
end

 

Site1 - Show IP Route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O E2 2.2.2.2 [110/1] via 10.10.100.105, 13:56:47, GigabitEthernet1/0/2
172.20.0.0/24 is subnetted, 2 subnets
O E2 172.20.2.0 [110/1] via 10.10.100.105, 13:56:47, GigabitEthernet1/0/2
C 172.20.5.0 is directly connected, Vlan1
10.0.0.0/30 is subnetted, 3 subnets
C 10.10.100.104 is directly connected, GigabitEthernet1/0/2
O E2 10.10.200.104
[110/1] via 10.10.100.105, 13:57:39, GigabitEthernet1/0/2
O E2 10.10.200.100
[110/1] via 10.10.100.105, 16:10:18, GigabitEthernet1/0/2

 

Site2 - Show IP Route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/1] via 10.10.200.105, 00:40:47, GigabitEthernet1/0/2
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O E2 10.10.100.100/30
[110/1] via 10.10.200.105, 00:40:47, GigabitEthernet1/0/2
O E2 10.10.100.104/30
[110/1] via 10.10.200.105, 00:40:47, GigabitEthernet1/0/2
C 10.10.200.104/30 is directly connected, GigabitEthernet1/0/2
L 10.10.200.106/32 is directly connected, GigabitEthernet1/0/2
172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.20.2.0/24 is directly connected, Vlan1
L 172.20.2.10/32 is directly connected, Vlan1
O E2 172.20.5.0/24
[110/1] via 10.10.200.105, 00:40:47, GigabitEthernet1/0/2

 

I did a show ip route [target] to find out the outgoing interface. It defaulted to the routed interface connected to the CE router. To be able to ping the target, I had to specify the VLAN1 as the source IP on the 3750. The 3650 switch in Site 2 also uses the same outgoing interface but there is no need to use extended PING.

 

========================

Site1#sh ip route 172.20.2.14

========================
Routing entry for 172.20.2.0/24
Known via "ospf 1", distance 110, metric 1
Tag 65500, type extern 2, forward metric 1
Last update from 10.10.100.105 on GigabitEthernet1/0/2, 14:13:46 ago
Routing Descriptor Blocks:
* 10.10.100.105, from 10.10.100.105, 14:13:46 ago, via GigabitEthernet1/0/2
Route metric is 1, traffic share count is 1
Route tag 65500

 

=============================

Site1#ping 172.20.2.14 source vlan1

=============================

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.2.14, timeout is 2 seconds:
Packet sent with a source address of 172.20.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/52/58 ms

Hello,

 

make sure that the fact that both WAN interfaces in what you have posted have the same IP address is not a typo. Other than that, the only real reason I can see for the PING to be dropped is when it gets dropped by an intermediate MPLS router...

 

S1

interface GigabitEthernet1/0/2
no switchport
ip address 10.10.100.106 255.255.255.252

 

S2

interface GigabitEthernet1/0/2
no switchport
ip address 10.10.200.106 255.255.255.252

@Georg Pauwen I may have missed something here, but the 3rd octet is different, right? One is 100 and the other is 200.

I only see the difference in your config route (the one which was working without extended ping has ip route 0.0.0.0 0.0.0.0 172.20.2.1).

The other one, working with extended ping, doesn't have a route in place. Not sure how your network is connected?

BB


Hello,

 

good catch Balaji...

 

When I look at the routing tables, I don't see an L route for S1:

 

L 10.10.100.106/32 is directly connected, GigabitEthernet1/0/2 --> not there

 

This should be there as for S2:

 

L 10.10.200.106/32 is directly connected, GigabitEthernet1/0/2

 

It looks like you are running a very old IOS version on S1. Try and see if you can configure 'ip cef' globally on S1.

Yes, the IOS on switch1 is quite old. This switch is just used for testing. I am going to copy the config to a newer switch when we go live.

>>ip route 0.0.0.0 0.0.0.0 172.20.2.1

I have had a default route on these 2 switches before but later removed them for troubleshooting. It did not make any difference whether this static route was there or not.

I guess one of the MPLS routers might have blocked it then.

 

Hello,

 

for the sake of verification I checked what the default is for older IOS versions such as the one you are running, but even with a 12.x version, the default still is that a PING is sourced from the outgoing interface. You could actually check with your ISP to find out if they block ICMP traffic on their equipment.

In that case, it is worth checking with the MPLS provider whether they have any block route available with your point-to-point interface. It looks like something is missing at the PE / P end.

 

BB


I will definitely raise the question with my provider. Other than the nuisance of having to specify the source IP when PINGing site2 from the site1 switch, there are no connectivity or routing issues. Therefore, I have switched over to the new circuit yesterday and completed testing with endpoint devices. Everything worked as expected.

 

Thanks to everyone for your insight. That eased my concern.
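
An added example (not code from the thread or from Cisco): it applies the default described in the replies, a plain ping taking the outgoing interface's address as its source, to the two routing tables posted in the thread and checks whether the Site 2 switch holds a route back to each source. The function names are hypothetical, and the check covers only the two switches; the provider's routers and the endpoints' own gateway settings are not on the page.

```python
import ipaddress

# Tables transcribed from the "show ip route" output posted in the thread
# (prefix lengths from the posted masks, local /32 "L" entries omitted).
SITE1_IFACES = {"Loopback0": "1.1.1.1", "Vlan1": "172.20.5.1",
                "GigabitEthernet1/0/2": "10.10.100.106"}
SITE1_ROUTES = [
    ("1.1.1.1/32", "Loopback0"),
    ("2.2.2.2/32", "GigabitEthernet1/0/2"),
    ("172.20.2.0/24", "GigabitEthernet1/0/2"),
    ("172.20.5.0/24", "Vlan1"),
    ("10.10.100.104/30", "GigabitEthernet1/0/2"),
    ("10.10.200.104/30", "GigabitEthernet1/0/2"),
    ("10.10.200.100/30", "GigabitEthernet1/0/2"),
]
SITE2_ROUTES = [
    ("1.1.1.1/32", "GigabitEthernet1/0/2"),
    ("2.2.2.2/32", "Loopback0"),
    ("10.10.100.100/30", "GigabitEthernet1/0/2"),
    ("10.10.100.104/30", "GigabitEthernet1/0/2"),
    ("10.10.200.104/30", "GigabitEthernet1/0/2"),
    ("172.20.2.0/24", "Vlan1"),
    ("172.20.5.0/24", "GigabitEthernet1/0/2"),
]

def lookup(routes, dst):
    """Longest-prefix match: return (network, out_iface) or None."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), i) for p, i in routes]
    hits = [h for h in nets if addr in h[0]]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def default_ping_source(routes, ifaces, dst):
    """Plain ping: the source is the address of the outgoing interface."""
    hit = lookup(routes, dst)
    return ifaces[hit[1]] if hit else None

def check(dst, source=None):
    """Return (source used from Site 1, Site 2 route covering it or None)."""
    src = source or default_ping_source(SITE1_ROUTES, SITE1_IFACES, dst)
    back = lookup(SITE2_ROUTES, src) if src else None
    return src, (str(back[0]) if back else None)

if __name__ == "__main__":
    print("plain ping:  ", check("172.20.2.14"))
    print("source vlan1:", check("172.20.2.14", SITE1_IFACES["Vlan1"]))
```

Both source addresses resolve to an OSPF route on the Site 2 switch, so the two posted tables do not by themselves account for the plain ping failing.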
