Weird connectivity happening

Wonxie
Level 1

Hi,

I have a 6509 core switch. It has many SVIs for inter-VLAN routing. We have defined a VLAN on it for guests (VLAN ID 202) with no SVI defined on it. A port in access mode in VLAN 202 is connected to a separate ISP ONT for internet connectivity. This guest VLAN is transported from the core switch to other switches and then broadcast via APs.

 

I have a client subnet whose SVI is defined on the above core switch, and clients from that subnet (e.g. VLAN 50) are able to ping a client on guest VLAN 202.

There is no SVI for VLAN 202 on the core, i.e. the gateway for the guest VLAN is defined on the ISP ONT.

However, I cannot ping the client IP from the core switch when sourcing the traffic from the gateway IP of VLAN 50, while a client from this subnet can ping the guest IP.

When I checked in Wireshark from a client on VLAN 50, the MAC address for the IP from the guest VLAN shows as a MAC on the core switch. That MAC, as per the results below, belongs to all VLANs but not VLAN 202.

sh mac address-table | i 000f.3501.1800

* 11 000f.3501.1800 static No - Router
* 9 000f.3501.1800 static No - Router
* 15 000f.3501.1800 static No - Router
* 13 000f.3501.1800 static No - Router
* 26 000f.3501.1800 static No - Router
* 27 000f.3501.1800 static No - Router
* 24 000f.3501.1800 static No - Router
* 25 000f.3501.1800 static No - Router
* 30 000f.3501.1800 static No - Router
* 31 000f.3501.1800 static No - Router
* 28 000f.3501.1800 static No - Router
* 29 000f.3501.1800 static No - Router
* 18 000f.3501.1800 static No - Router
* 17 000f.3501.1800 static No - Router
* 20 000f.3501.1800 static No - Router
* 21 000f.3501.1800 static No - Router
* 40 000f.3501.1800 static No - Router
* 42 000f.3501.1800 static No - Router
* 45 000f.3501.1800 static No - Router
* 46 000f.3501.1800 static No - Router
* 33 000f.3501.1800 static No - Router
* 35 000f.3501.1800 static No - Router
* 34 000f.3501.1800 static No - Router
* 37 000f.3501.1800 static No - Router
* 36 000f.3501.1800 static No - Router
* 39 000f.3501.1800 static No - Router
* 38 000f.3501.1800 static No - Router
* 58 000f.3501.1800 static No - Router
* 48 000f.3501.1800 static No - Router
* 49 000f.3501.1800 static No - Router
* 50 000f.3501.1800 static No - Router
* 102 000f.3501.1800 static No - Router
* 101 000f.3501.1800 static No - Router
* 203 000f.3501.1800 static No - Router
* 200 000f.3501.1800 static No - Router
* 206 000f.3501.1800 static No - Router
* 207 000f.3501.1800 static No - Router
* 204 000f.3501.1800 static No - Router
* 205 000f.3501.1800 static No - Router
* 210 000f.3501.1800 static No - Router
* 215 000f.3501.1800 static No - Router
* 254 000f.3501.1800 static No - Router

I have added a Null0 route for that client subnet and still communication is possible.

sh ip route 192.168.18.0 255.255.255.0
Routing entry for 192.168.18.0/24
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1

Any idea what's happening here?

 


balaji.bandi
Hall of Fame

There should be somewhere these routes are being learned that lets them reach each other;

try a traceroute and find out what hops they go through to complete the reachability.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Here is the trace result. I am tracing from a subnet whose SVI is defined on the core switch (VLAN 50, IP 10.11.15.x/24). Note I am getting timeouts for the first hop, but when I trace any other IP from my PC on VLAN 50, I get the first-hop IP that is the SVI on the core switch.

tracert -d 192.168.18.75

Tracing route to 192.168.18.75 over a maximum of 30 hops

1 * * * Request timed out.
2 3 ms 29 ms 7 ms 192.168.18.75

 

Looks to me like the 1st hop is aware of that route, so you need to do Wireshark,

BB


Even if there is no SVI for the guest VLAN, if the switch uses the ISP router as its default route then the inter-VLAN routing happens in the ISP router, not in the 6500 switch.

MHM

The ISP router/ONT has two interfaces: one WAN side connected to their network for internet access, and the other the LAN side, which is acting as gateway for VLAN 202; it has the IP 192.168.18.1 assigned to it.

There is no SVI for VLAN 202 on the core switch.

No route to 192.168.18.0/24 or any IP of this subnet on the core switch.

Moreover, the ISP ONT has no route back for the 10.11.15.0/24 subnet. It's a simple ONT that is NATing the LAN side to the WAN side, that's it.

 

 

A host in VLAN 50 needs to connect to a guest in VLAN 202.
The path will be:
The host sends to the GW, which is the SVI in the core switch; the core switch uses the default route toward the ISP router; the ISP router has a prefix connected to the core and the SVI of VLAN 202, so it can inter-VLAN route and reply to the host in VLAN 50.
How can you isolate this traffic? You need to apply an ACL on the ISP router, direction IN, for any source from VLAN 50 to VLAN 202; the traffic will be dropped.
MHM

>> host in VLAN 50 need to connect to guest in VLAN 202
>> the Path will be
>> the Host send to GW which is SVI in Core SW, the Core SW use default route toward ISP router the ISP router have prefix connect to Core and SVI of VLAN 202 so it can Inter-VLAN, and reply to host in VLAN50.
>> how can isolation this traffic ? you need to apply ACL in ISP router direction IN for any source from VLAN50 to VLAN202 the traffic will drop

 

The core is not using the default route, as I have the route below defined:

ip route 192.168.18.0 255.255.255.0 Null0

sh ip route 192.168.18.75
Routing entry for 192.168.18.0/24
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1

The guest has only an interface in the core switch in VLAN 202; no SVI is defined on the core. The ISP router has 2 interfaces: one physically connected to the core switch, which is in VLAN 202; the other interface of the ISP router is connected via fiber optic directly to the ISP network, and the default route on the ISP router will forward all traffic to the ISP network.

 

First, inter-VLAN routing can happen between

VLAN and VLAN, VLAN direct connect, VLAN static route, etc.

The Null0 should be working if:

The mask is correct

There is no PBR overriding the RIB

There is no NAT changing the IP

MHM

Inter-VLAN routing cannot happen on the ISP router, which is actually an ONT.

One interface of the ISP router has the gateway IP of 192.168.18.1, and the other has a live IP which is physically isolated from our network and points to the ISP network. So there is no way for inter-VLAN routing there.

 

Giuseppe Larosa
Hall of Fame

Hello @Wonxie ,

the traffic sourced from VLAN 50 matches the following entry:

* 50 000f.3501.1800 static No - Router

Because no SVI is defined on VLAN 202, the destination traffic will follow the default route.

Now, if you want to silently drop traffic to the guest subnet, you need a static route to Null0 on the C6509 for the guest subnet.

>> I have added null 0 route for that client subnet and till communication is possible.

You need a static route to Null0 for the destination guest subnet, not for the source address of VLAN 50.

Try this and you should be able to solve it.

Hope to help

Giuseppe
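The two switch-side conditions discussed in this thread (no SVI in the guest VLAN, and the guest prefix black-holed to Null0 rather than following the default route) plus the "first hop times out but the trace completes" symptom can be checked mechanically from the command output. The script below is an added example, not code from the thread or from Cisco; the sample outputs are constructed and abridged from what was posted, and the function names are hypothetical.

```python
import re
# Constructed samples modelled on the thread's output (abridged, not the full tables).
MAC_TABLE = """\
* 50 000f.3501.1800 static No - Router
* 101 000f.3501.1800 static No - Router
* 254 000f.3501.1800 static No - Router
"""
ROUTE_OUTPUT = """\
Routing entry for 192.168.18.0/24
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Null0
"""
TRACERT = """\
Tracing route to 192.168.18.75 over a maximum of 30 hops
1 * * * Request timed out.
2 3 ms 29 ms 7 ms 192.168.18.75
"""

MAC_RE = re.compile(r"^\*?\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+")

def svi_vlans(mac_table, router_mac):
    """VLANs where the switch's own router MAC is installed, i.e. an SVI exists."""
    vlans = set()
    for line in mac_table.splitlines():
        m = MAC_RE.match(line.strip())
        if m and m.group(2).lower() == router_mac.lower():
            vlans.add(int(m.group(1)))
    return vlans

def next_hop(route_output):
    """Forwarding target from the 'Routing Descriptor Blocks' of 'show ip route <prefix>'."""
    for line in route_output.splitlines():
        m = re.match(r"^\*\s+(?:.*?,\s*)?via\s+(\S+)", line.strip())
        if m:
            return m.group(1)
    return None

def first_hop_silent(tracert_output):
    """True when hop 1 timed out but the trace still completed: something other than
    the expected gateway forwarded the packet (in the thread, an AP doing local routing)."""
    hops = [ln.split(None, 1)[1] for ln in tracert_output.splitlines() if re.match(r"^\s*\d+\s", ln)]
    return len(hops) >= 2 and "timed out" in hops[0] and "timed out" not in hops[-1]

def guest_isolated(mac_table, route_output, router_mac, guest_vlan):
    """Both switch-side conditions from the thread: no SVI in the guest VLAN and the
    guest prefix black-holed to Null0 instead of following the default route."""
    no_svi = guest_vlan not in svi_vlans(mac_table, router_mac)
    null0 = next_hop(route_output) == "Null0"
    return {"no_svi": no_svi, "null0": null0, "isolated": no_svi and null0}
```

When `guest_isolated` reports both conditions met yet `first_hop_silent` is true, the switch is not the device forwarding the traffic, which is exactly the situation the thread ends in: look at other layer-3-capable devices on the path (here, an AP with local routing enabled).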

 

Please see the above reply.

I already have a Null0 route and it's matched for that subnet.

Wonxie
Level 1

This is resolved. It was one of the Aruba Instant APs that had local routing enabled on it.

I disabled that and it worked.

Thanks a lot for your support

@MHM Cisco World @Giuseppe Larosa @balaji.bandi 

 

Friend 

You are so welcome 

MHM
