Re: 4500x interVLAN. Clients can't ping clients on some different VLAN

Adrian Ardelean · ‎02-24-2022

Hello,

I have a strange situation on my 4500X.

Clients from some VLANs cannot access resources on several VLANs.

I have this:

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.99.99.0/24 is directly connected, Vlan55
L 10.99.99.1/32 is directly connected, Vlan55
172.16.0.0/16 is variably subnetted, 18 subnets, 5 masks
C 172.16.0.0/26 is directly connected, Vlan3
L 172.16.0.1/32 is directly connected, Vlan3
C 172.16.5.0/24 is directly connected, Vlan1
L 172.16.5.1/32 is directly connected, Vlan1
C 172.16.6.0/26 is directly connected, Vlan10
L 172.16.6.1/32 is directly connected, Vlan10
C 172.16.20.0/24 is directly connected, Vlan8
L 172.16.20.1/32 is directly connected, Vlan8
C 172.16.100.0/22 is directly connected, Vlan2
L 172.16.100.1/32 is directly connected, Vlan2
C 172.16.150.0/24 is directly connected, Vlan223
L 172.16.150.1/32 is directly connected, Vlan223
C 172.16.155.0/26 is directly connected, Vlan50
L 172.16.155.1/32 is directly connected, Vlan50
C 172.16.200.0/24 is directly connected, Vlan222
L 172.16.200.1/32 is directly connected, Vlan222
C 172.16.250.0/28 is directly connected, Vlan250
L 172.16.250.1/32 is directly connected, Vlan250
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan9
L 192.168.1.1/32 is directly connected, Vlan9

From VLAN 55 I can only access VLAN9, cannot access any VLAN with IP starting with 172.16.

Also, VLAN 55 is not accessible from any source with 172.16 IPs but VLAN 9 is.

Should I attach the running config also?

Any ideas?

Thanks a lot!

Adrian

Flavio Miranda · ‎02-24-2022

Hi

Yeah, show running config would help a lot.

Adrian Ardelean · ‎02-24-2022

Attached

balaji.bandi · ‎02-24-2022

can you post

show version

show ip interface brief

show ip route (post full output)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Adrian Ardelean · ‎02-24-2022

Attached.

Thanks!

balaji.bandi · ‎02-24-2022

ok thank you for the information, before we proceed further, on the switch are you able to ping locallly configured all the VLAN interface IP address ?

Vlan1 172.16.5.1
Vlan2 172.16.100.1
Vlan3 172.16.0.1
Vlan8 172.16.20.1
Vlan9 192.168.1.1
Vlan10 172.16.6.1
Vlan50 172.16.155.1
Vlan55 10.99.99.1
Vlan222 172.16.200.1
Vlan223 172.16.150.1
Vlan250 172.16.250.1

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Adrian Ardelean · ‎02-24-2022

Absolutely!

Thanks!

balaji.bandi · ‎02-24-2022

From VLAN 55 I can only access VLAN9, cannot access any VLAN with IP starting with 172.16.

Also, VLAN 55 is not accessible from any source with 172.16 IPs but VLAN 9 is.

where is end device connected ? what iP address of the device ? and what IP trying to Ping from device ?

also post show ip arp

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Adrian Ardelean · ‎02-24-2022

Tried to ping from 10.99.99.99 to 172.16.x.x. and also from 172.16.250.2 to 10.99.99.99. Both not working.

Pinging 192.168.1.x from both IP above - working.

Georg Pauwen · ‎02-24-2022

Hello,

the PBR policy maps applied to the SVIs with 172.16.x.x interfaces send everything to 172.16.x.x next hops, thereby overriding any other routing. That is probably the reason for the behavior you are seeing.

Remove the policy routing from the interface to check if that solves the issue, then review what you are trying to achieve with these route maps:

interface Vlan222
description WiFi-IT
ip address 172.16.200.1 255.255.255.0
--> no ip policy route-map NET-ITWIFI

Adrian Ardelean · ‎02-24-2022

Tried with PBR off, same thing.

paul driver · ‎02-24-2022

Hello
The reason would say this could be down to the current policy based routing applied to the L3 interfaces of that switch which is policy routing certain traffic from within.

Example of just one policy however you have multiple:

access-list 150 deny ip any 172.16.0.0 0.0.255.255
access-list 150 deny ip any 192.168.1.0 0.0.0.255
access-list 150 deny ip any 10.20.30.0 0.0.0.255
access-list 150 deny ip any 10.20.33.0 0.0.0.255
access-list 150 permit ip any any

route-map NET-5 permit 10
match ip address 150
set ip next-hop 172.16.5.253

interface Vlan250
description Ferguson
ip address 172.16.250.1 255.255.255.240
ip policy route-map NET-250

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Adrian Ardelean · ‎02-24-2022

I use PBR for Internet access (I have a fortigate and I set the next hop to it).

Access between VLANs are different, e.g. from VLAN 3 I need to access VLAN 9 but from VLAN 2 don't.

I will try to clear all PBR on Sunday (it's a production environment) and see what's happening.

Thanks!

Kind regards,

Adrian

Adrian Ardelean · ‎02-27-2022

Hi Paul,

You were right. The moment I removed the ip policy on vlan1 it was reachable from vlan55.

I guess I have to alter somehow the policies, I guess I should start with inter vlan routing with no restrictions but I really need Internet access via FortiGate on almost each vlan. I'm not quite sure how the route-map policy should look like..

Thank you.

Adrian.

Georg Pauwen · ‎02-27-2022

Hello,

I don't know what the entire configuration of your layer 3 switch looks like, but why do you need PBR at all ? By default, all Vlans can reach each other. For Internet access, all you need is a default route towards the Forigate.

If you need to restrict inter-Vlan access, you can use extended access lists...

4500x interVLAN. Clients can't ping clients on some different VLANS