cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2024
Views
90
Helpful
16
Replies

4500x interVLAN. Clients can't ping clients on some different VLANS

Adrian Ardelean
Level 1
Level 1

Hello,

I have a strange situation on my 4500X.

Clients from some VLANs cannot access resources on several VLANs.

I have this:

 

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.99.99.0/24 is directly connected, Vlan55
L 10.99.99.1/32 is directly connected, Vlan55
172.16.0.0/16 is variably subnetted, 18 subnets, 5 masks
C 172.16.0.0/26 is directly connected, Vlan3
L 172.16.0.1/32 is directly connected, Vlan3
C 172.16.5.0/24 is directly connected, Vlan1
L 172.16.5.1/32 is directly connected, Vlan1
C 172.16.6.0/26 is directly connected, Vlan10
L 172.16.6.1/32 is directly connected, Vlan10
C 172.16.20.0/24 is directly connected, Vlan8
L 172.16.20.1/32 is directly connected, Vlan8
C 172.16.100.0/22 is directly connected, Vlan2
L 172.16.100.1/32 is directly connected, Vlan2
C 172.16.150.0/24 is directly connected, Vlan223
L 172.16.150.1/32 is directly connected, Vlan223
C 172.16.155.0/26 is directly connected, Vlan50
L 172.16.155.1/32 is directly connected, Vlan50
C 172.16.200.0/24 is directly connected, Vlan222
L 172.16.200.1/32 is directly connected, Vlan222
C 172.16.250.0/28 is directly connected, Vlan250
L 172.16.250.1/32 is directly connected, Vlan250
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan9
L 192.168.1.1/32 is directly connected, Vlan9

 

From VLAN 55 I can only access VLAN9, cannot access any VLAN with IP starting with 172.16.

Also, VLAN 55 is not accessible from any source with 172.16 IPs but VLAN 9 is.

 

Should I attach the running config also?

Any ideas?

Thanks a lot!

Adrian

 

16 Replies 16

Hi

Yeah, show running config would help a lot.

Adrian Ardelean
Level 1
Level 1

Attached

balaji.bandi
Hall of Fame
Hall of Fame

can you post

 

show version

show ip interface brief

show ip route (post full output)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Adrian Ardelean
Level 1
Level 1

Attached.

Thanks!

ok thank you for the information, before we proceed  further, on the switch are you able to ping locallly configured all the VLAN interface IP address ?

Vlan1 172.16.5.1
Vlan2 172.16.100.1
Vlan3 172.16.0.1
Vlan8 172.16.20.1
Vlan9 192.168.1.1
Vlan10 172.16.6.1
Vlan50 172.16.155.1
Vlan55 10.99.99.1
Vlan222 172.16.200.1
Vlan223 172.16.150.1
Vlan250 172.16.250.1

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Adrian Ardelean
Level 1
Level 1

Absolutely!

Thanks!

From VLAN 55 I can only access VLAN9, cannot access any VLAN with IP starting with 172.16.

Also, VLAN 55 is not accessible from any source with 172.16 IPs but VLAN 9 is.

where is end device connected ? what iP address of the device  ?  and what IP  trying to Ping from device ?

 

also post show ip arp

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Tried to ping from 10.99.99.99 to 172.16.x.x. and also from 172.16.250.2 to 10.99.99.99. Both not working.

Pinging 192.168.1.x from both IP above - working.

Hello,

 

the PBR policy maps applied to the SVIs with 172.16.x.x interfaces send everything to 172.16.x.x next hops, thereby overriding any other routing. That is probably the reason for the behavior you are seeing.

 

Remove the policy routing from the interface to check if that solves the issue, then review what you are trying to achieve with these route maps:

 

interface Vlan222
description WiFi-IT
ip address 172.16.200.1 255.255.255.0
--> no ip policy route-map NET-ITWIFI

Tried with PBR off, same thing.

Hello
The reason would say this could be down to the current policy based routing applied to the L3 interfaces of that switch which is policy routing certain traffic from within.

 

Example of just one policy however you have multiple:

access-list 150 deny ip any 172.16.0.0 0.0.255.255
access-list 150 deny ip any 192.168.1.0 0.0.0.255
access-list 150 deny ip any 10.20.30.0 0.0.0.255
access-list 150 deny ip any 10.20.33.0 0.0.0.255
access-list 150 permit ip any any

route-map NET-5 permit 10
match ip address 150
set ip next-hop 172.16.5.253

interface Vlan250
description Ferguson
ip address 172.16.250.1 255.255.255.240
ip policy route-map NET-250


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I use PBR for Internet access (I have a fortigate and I set the next hop to it).

Access between VLANs are different, e.g. from VLAN 3 I need to access VLAN 9 but from VLAN 2 don't.

I will try to clear all PBR on Sunday (it's a production environment) and see what's happening.

 

Thanks!

 

Kind regards,

Adrian

Hi Paul,

 

You were right. The moment I removed the ip policy on vlan1 it was reachable from vlan55.

I guess I have to alter somehow the policies, I guess I should start with inter vlan routing with no restrictions but I really need Internet access via FortiGate on almost each vlan. I'm not quite sure how the route-map policy should look like..

 

Thank you.

 

Adrian.

Hello,

 

I don't know what the entire configuration of your layer 3 switch looks like, but why do you need PBR at all ? By default, all Vlans can reach each other. For Internet access, all you need is a default route towards the Forigate.

 

If you need to restrict inter-Vlan access, you can use extended access lists...

Review Cisco Networking for a $25 gift card