3560 Routing from SVI to Routed Protocol

walter.ramirez · ‎06-10-2011

Hi guys,

I have 2 3560G (connected via a etherchannel-trunk link). Both of them connected to a Stack 3750 via fiber.

Originally, I have: HSRP in the LAN (30 VLANs) and VLAN 2 for the swiches (3560Gx2 and 3750) using HSRP too. Static route. No routed ports. Everything was working fine.

However, due of STP one of the fiber is BLOCKED.

So the idea was to remove Vlan2 and converted to routed port and configure static routes (or OSPF later) in order to make load balance (but that's another story).

3560-A ===(Vlan2)=====3750

|| ||

(Trunk, vla2 allowed) (stacked)

|| ||

3560-B===(vlan 2)======3750

I made the following changed: I removed VLAN2, and configured routed ports instead. I can ping among the routers. However, the user (connected behind the 3560s) cannot ping to a subnet behind 3750. Tested using tracert from the user, 3560 is not even responding the first hop; however I can ping standby IP and the physical IP for both (3560).

It was not a routing issue either. There was a default route pointing to 3750. Also made an extended ping in 3560 and it worked.

For some reason, the user cannot ping to a subnet behind 3750 but he can ping to 3560 (standby IP, physical IPs).

The funny thing is the user can ping to another subnet in the 3560.

(*) Only change was: no switchport, ip address x.x.x.x y.y.y.y

3560-A ===(subnet1/30)=====3750

|| ||

(Trunk)+Subnet3/30 (stacked)

|| ||

3560-B====(subnet2/30)=====3750

I rolled back and due this is in production I cannot test again.

Does anybody have a clue?????

Summary of the problem (after changing a SVI port to a routed port):

1) The user (behind 3560) cannot ping to a subnet connected in 3750.

2) The user can ping to any subnet in the 3560.

3) Extendend ping in 3560 to subnect connected in 3750 works....meaning default route is OK.

4) In the tracert, the 3560 is not even answered (based on the wireshark).

5) The user can ping to all Standby, Physical IP in 3560.

Can somebody help me????

WR.

Reza Sharifi · ‎06-11-2011

Hi Walter,

<1) The user (behind 3560) cannot ping to a subnet connected in 3750.>

This a because you need a static route on the 3750 to the user subnet behind the 3560

in this example 172.16.1.0/24 is the user subnet (on the 3750)

ip route 172.16.1.0 0.0.0.255 next-hop ip address which is on the 3560

HTH

walter.ramirez · ‎06-11-2011

For sure there's a static route in the 3750. The extended ping in the 3560 is working.

Also, the 3560 is not answering back the tracert coming from the user (behind the 3560); 3560 is the first hop.

Thanks,

WR.

Reza Sharifi · ‎06-11-2011

if you do a "sh ip route" on the 3750, do you see the route for the user subnet behind the 3560?

walter.ramirez · ‎06-11-2011

Yes, static route is there (in 3750). The extened ping works!!.

User --> (L2 Swiches) --> 3650 (L3 - HSRP) --> 3750 (L3)--> subnetA

The User cannot ping to the subnet (after the port was converted from Vlan port to routed port).

The user can ping to Standby IP, physical IP in 3650.

The first hop in the tracert is not responding....which is the 3650.

Extended ping from 3650 to subnetA works.

Why????

WR.

Reza Sharifi · ‎06-11-2011

on the L2 switch, all you need is default network. On the L3 switch (3560) you need a static route for subnetA. On the L3 switch (3750), you need static route for user subnet (behind L2 switch)

example:

User --> (L2 Swiches) --> 3650 (L3 - HSRP) --> 3750 (L3)--> subnetA

192.168.1.0/24 10.10.10.1 /30 10.10.10.2 172.16.1.0/24

on 3560 (L3 - HSRP)

ip route 172.16.1.0 255.0.0.0 10.10.10.2

on 3750 (L3)

ip route 192.168.1.0 255.0.0.0 10.10.10.1

HTH

Jon Marshall · ‎06-12-2011

Walter

What is the next-hop for the static route on the 3750 ? Your diagram shows -

3560(L3 -HSRP) -> 3750

what do you mean by L3 HSRP ?

Jon

walter.ramirez · ‎06-12-2011

Hi HTH,

There's no problem with the static route. As I said, the extended ping works. In your example I can ping from the router from 192.168.1.0/24 to 172.16.1.0/24. But I cannot ping from the user itself.

Hi Jon,

In 3750 I have a default route going to an ASA (Internet), a static route going back to 3560 (for subenets connected to 3560).

The 3560/3750 both are L3 switches, and they are in the same broadcast domain running HSRP (only in 3560). 3750 is a stack switch.

The problem appeared when I changed the port from port-based Vlan (subnet /29) to routed port (3 subnet of /30). The user cannot ping to a subnet connected to stacked 3750.

WR

walter.ramirez · ‎06-12-2011

BEFORE: I'm running HSRP for VLAN 1, 2 and 3. Everything was working. But in VLAN 2, I'm using one of the link due of STP.

AFTER: I remoed Vlan 2, and configured 3 subnets (/30) instedad. So I can load balance with OSPF or static route. However, after the changed, a user in Vlan 1 cannot ping a subnet in Vlan 3. The user can ping to both physical 3560 IP and the standby IP. Also, the User can ping to another user in another vlan (inside the 3560).

On top of that, the extended ping in 3560 working (pinging from Vlan 1 to Vlan 3). So the static routes are OK.

For some reason, the 3560 cannot from a svi port to a routed port. 3560 are routing Inter-vlan only.Does it make sense????

Note: the changes were pretty much simple: no switchport, ip add.

WR.

Keith.Barker_2 · ‎06-17-2011

Hi Walter,

In your new topology, can you supply me with the following information?

For VLAN 1:

IP subnet range

default gateway address

Type of interface that is the default gateway (SVI or L3 port)

For VLAN 3:

IP subnet range

default gateway address

Type of interface that is the default gateway (SVI or L3 port)

And the output of "show ip route" from the 3560A, and 3560B

Thanks,

Keith

walter.ramirez · ‎06-20-2011

Hi Keith,

Changes were done in production. Sorry, rolled back.

However, to answer your question:

VLAN1 (3560A):

interface Vlan1

ip address 10.1.28.2 255.255.255.0

standby 1 ip 10.1.28.1

standby 1 priority 200

standby 1 preempt delay minimum 30

int G0/45

no switch

ip address 192.168.255.26 255.255.255.252

ip route 0.0.0.0 0.0.0.0 192.168.255.25

VLAN1 (3560B):

interface Vlan1

ip address 10.1.28.3 255.255.255.0

standby 1 ip 10.1.28.1

standby 1 priority 190

int G0/45

no switch

ip address 192.168.255.30 255.255.255.252

ip route 0.0.0.0 0.0.0.0 192.168.255.29

VLAN 3 (3750)

interface Vlan3

ip address 10.100.1.0 255.255.255.0

inter G1/1/1

description TO-3560A

no switchport

ip address 192.168.255.25 255.255.255.252

inter G2/1/1

description TO-3560B

no switchport

ip address 192.168.255.29 255.255.255.252

ip route 0.0.0.0 0.0.0.0 192.168.255.1 (ASA to Internet)

ip route 10.1.28.0 255.255.255.0 192.168.255.26 (Back to 3560-A).

I don't have the "show ip route", but definetely I could see something like:

3560A: S* 0.0.0.0/0 [1/0] via 192.168.255.25

3560B: S* 0.0.0.0/0 [1/0] via 192.168.255.29

So before the change, using a tracert I can see the first hop was 10.1.28.2 (Physical IP for 3560A).

After the change, first hop was not responding. Even though, I could ping to 10.1.28.1, 10.1.28.2 and 10.1.28.3

Thanks,

WR

glen.grant · ‎06-17-2011

1. When it was working was the 3560 doing all the routing and the 3750 was basically a L2 switch ? Once you went to routed links , vlan 3 is isolated on 3750 and the 3750 would have to have routing turned on with ospf and the correct network statement added so it could talk to the 3560 .

So vlan 1 routing is done at the 3560 and vlan 3 routing would have to be done at the 3750 . OSpf network statements would have to be added for all the /30 links on the 3560 and the 3750 side also . If using statics then you would need a static on the 3560 for the vlan 3 ip address range pointing to the other end of both /30 routed links to the 3750 . Vice versa on the 3750 for the vlan 1 address range on the 3750 you would need a static pointing to the other ends of the /30 routed links to the 3560 . Also vlan 3 would not be able to use hsrp because it is now isolated on the 3750 and the routing for that vlan has to be on the 3750 due to the routed links.

walter.ramirez · ‎06-20-2011

Hi Glen,

1. When it was working was the 3560 doing all the routing and the 3750 was basically a L2 switch ? Once you went to routed links , vlan 3 is isolated on 3750 and the 3750 would have to have routing turned on with ospf and the correct network statement added so it could talk to the 3560 .

--> Both 3560 and 3750 are L3 .

--> Implemented static routes.

So vlan 1 routing is done at the 3560 and vlan 3 routing would have to be done at the 3750 . OSpf network statements would have to be added for all the /30 links on the 3560 and the 3750 side also . If using statics then you would need a static on the 3560 for the vlan 3 ip address range pointing to the other end of both /30 routed links to the 3750 . Vice versa on the 3750 for the vlan 1 address range on the 3750 you would need a static pointing to the other ends of the /30 routed links to the 3560 . Also vlan 3 would not be able to use hsrp because it is now isolated on the 3750 and the routing for that vlan has to be on the 3750 due to the routed links.

--> I did it, but it was not working.

Thanks,

WR.

CSCO11151677 · ‎06-20-2011

Hi WR

Are you able to ping from user pc to outside interface of 3560 and inside interface of 3750?

192.168.255.26 & 25 and 29 & 30?

Thanks

Vignesh...

CSCO11151677 · ‎06-20-2011

Hope users are using default gateway...(I have faced similar issue in wintel server ILO interface where wintel team wont assign default gateway)...

if users are using unix system ...pls check the root print of the system...