4500x InterVLAN routing. Clients can't ping clients on different VLANS?

SalientsysIT
Level 1

Issue: My clients won't talk across VLANS. They talk fine to one another if they are within their VLAN. My clients cannot ping any gateways except the VLAN they reside in. Meaning if they are in VLAN 1 they can ping 0.1 all day, but not any other VLAN interface gateways. They cannot ping clients in other VLANs. Which makes sense because they can't hit the gateway.... 

 

All of the switches can ping any VLAN interface gateway from CLI. All of the switches can ping any client on any VLAN from CLI. 

 

2x 4500's in VSS setup (so one switch for our intents and purposes) 

ip routing is enabled (I don't actually see it when I do a show run, but if I do no ip routing, then do a show run, I see "no ip routing". Also sh ip route works) 

My VLAN interfaces have IPs set and the VLANs themselves exist. 

sh vlan(4500)

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Te1/1/5, Te1/1/6, Te1/1/7
                                                Te1/1/8, Te1/1/9, Te1/1/10
                                                Te1/1/11, Te1/1/12, Te1/1/13
                                                Te1/1/14, Te1/1/15, Te1/1/16
                                                Te2/1/5, Te2/1/6, Te2/1/7
                                                Te2/1/8, Te2/1/9, Te2/1/10
                                                Te2/1/11, Te2/1/12, Te2/1/13
                                                Te2/1/14, Te2/1/15
2    QA                               active
3    Manufacturing                    active
4    Security                         active
5    VLAN0005                         active
12   Test                             active    Te2/1/16
32   QAFiber                          active
1002 fddi-default                     act/unsup

 

sh vlan (2960x1)

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/8, Gi1/0/9, Gi1/0/12
                                                Gi1/0/20, Gi1/0/23, Gi1/0/24
                                                Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28, Gi1/0/29, Gi1/0/30
                                                Gi1/0/31, Gi1/0/32, Gi1/0/33
                                                Gi1/0/34, Gi1/0/35, Gi1/0/37
                                                Gi1/0/38, Gi1/0/39, Gi1/0/40
                                                Gi1/0/41, Gi1/0/42, Gi1/0/43
                                                Gi1/0/44, Gi1/0/45, Gi1/0/46
                                                Gi1/0/47, Gi1/0/48
2    IntegrationQA                    active    Gi1/0/10, Gi1/0/11, Gi1/0/13
                                                Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/17, Gi1/0/18, Gi1/0/19
                                                Gi1/0/21, Gi1/0/22, Gi1/0/36
3    Manufacturing                    active    Gi1/0/5
4    Security                         active    Gi1/0/6
5    VLAN0005                         active    Gi1/0/4
12   Test                             active
32   QAFiber                          active    Gi1/0/7

sh vlan(2960x2)

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/8, Gi1/0/9, Gi1/0/10
                                                Gi1/0/11, Gi1/0/12, Gi1/0/13
                                                Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/17, Gi1/0/18, Gi1/0/19
                                                Gi1/0/20, Gi1/0/21, Gi1/0/22
                                                Gi1/0/23, Gi1/0/24, Gi1/0/25
                                                Gi1/0/26, Gi1/0/27, Gi1/0/28
                                                Gi1/0/29, Gi1/0/30, Gi1/0/31
                                                Gi1/0/32, Gi1/0/33, Gi1/0/34
                                                Gi1/0/35, Gi1/0/36, Gi1/0/37
                                                Gi1/0/38, Gi1/0/39, Gi1/0/40
                                                Gi1/0/41, Gi1/0/42, Gi1/0/43
                                                Gi1/0/44, Gi1/0/45, Gi1/0/46
                                                Gi1/0/47, Gi1/0/48
2    IntegrationQA                    active
3    Manufacturing                    active    Gi1/0/5
4    Security                         active    Gi1/0/6
5    VLAN0005                         active
12   Test                             active    Gi1/0/4
32   QAFiber                          active    Gi1/0/7
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

sh ip route output (4500)

Gateway of last resort is not set

      172.18.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.18.0.0/21 is directly connected, Vlan32
L        172.18.0.1/32 is directly connected, Vlan32
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1
L        192.168.0.1/32 is directly connected, Vlan1
      192.168.103.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.103.0/24 is directly connected, Vlan2
L        192.168.103.1/32 is directly connected, Vlan2
      192.168.104.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.104.0/24 is directly connected, Vlan3
L        192.168.104.1/32 is directly connected, Vlan3
      192.168.105.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.105.0/24 is directly connected, Vlan4
L        192.168.105.1/32 is directly connected, Vlan4
      192.168.109.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.109.0/24 is directly connected, Vlan5
L        192.168.109.1/32 is directly connected, Vlan5
      192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.122.0/24 is directly connected, Vlan12
L        192.168.122.1/32 is directly connected, Vlan12

 

Switches all reside on VLAN1. 

0.1 = 4500 

0.3 = 2960x (1) 

0.4 = 2960x (2) 

2 Clients.

One on VLAN 5 (109.0) port 4 of a 2960

One on VLAN 12 (122.0) port 4 of other 2960

The links between the switches are trunked. 

te1/1/1 - 1/1/2 and te2/1/1 - 2/1/2 are VSS trunks. 

Te1/1/3 - go to the same 2960 (x1) 

Te2/1/3 

Te1/1/4  - go to the same 2960 (x2) 

Te2/1/4 

 

show int trunk output: (4500)

Port        Mode             Encapsulation  Status        Native vlan
Te1/1/3     on               802.1q         trunking      1
Te1/1/4     on               802.1q         trunking      1
Te2/1/3     on               802.1q         trunking      1
Te2/1/4     on               802.1q         trunking      1
Po5         on               802.1q         trunking      1
Po10        on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/1/3     1-4094
Te1/1/4     1-4094
Te2/1/3     1-4094
Te2/1/4     1-4094
Po5         1-4094
Po10        1-4094

Port        Vlans allowed and active in management domain
Te1/1/3     1-5,12,32
Te1/1/4     1-5,12,32
Te2/1/3     1-5,12,32
Te2/1/4     1-5,12,32
Po5         1-5,12,32

Port        Vlans allowed and active in management domain
Po10        1-5,12,32

Port        Vlans in spanning tree forwarding state and not pruned
Te1/1/3     1-5,12,32
Te1/1/4     1-5,12,32
Te2/1/3     1-5,12,32
Te2/1/4     1-5,12,32
Po5         none
Po10        none

 

Show ip int brief output: (partial) (4500)

 

Vlan1                  192.168.0.1     YES NVRAM  up                    up
Vlan2                  192.168.103.1   YES manual up                    up
Vlan3                  192.168.104.1   YES manual up                    up
Vlan4                  192.168.105.1   YES manual up                    up
Vlan5                  192.168.109.1   YES manual up                    up
Vlan12                 192.168.122.1   YES manual up                    up
Vlan32                 172.18.0.1      YES manual up                    up

 

sh vtp status output: (4500) (Not sure if this is related somehow, but VTP is turned off) (Yes, my VLANs exist on the 2960s. Only one VLAN interface exists on the 2960s. It's "int vlan 1" for the switches to talk to one another on.) 

 

VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : Domainnamehere
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0200.0000.000a
Configuration last modified by 192.168.0.1 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode                : Off
 

sh arp (4500)

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.18.0.1              -   0008.e3ff.fc28  ARPA   Vlan32
Internet  192.168.0.1             -   0008.e3ff.fc28  ARPA   Vlan1
Internet  192.168.0.3            43   dceb.9473.7fc0  ARPA   Vlan1
Internet  192.168.0.4            41   dceb.9473.7d40  ARPA   Vlan1
Internet  192.168.103.1           -   0008.e3ff.fc28  ARPA   Vlan2
Internet  192.168.104.1           -   0008.e3ff.fc28  ARPA   Vlan3
Internet  192.168.105.1           -   0008.e3ff.fc28  ARPA   Vlan4
Internet  192.168.109.1           -   0008.e3ff.fc28  ARPA   Vlan5
Internet  192.168.109.133        33   0024.e8f6.d288  ARPA   Vlan5 (client)
Internet  192.168.122.1           -   0008.e3ff.fc28  ARPA   Vlan12
Internet  192.168.122.69          8   0024.e8f1.2b7c  ARPA   Vlan12 (client) 

 

sh arp (2960x1)

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1            42   0008.e3ff.fc28  ARPA   Vlan1
Internet  192.168.0.3             -   dceb.9473.7fc0  ARPA   Vlan1
Internet  192.168.0.69          156   0024.e8f1.2b7c  ARPA   Vlan1 (Old client address on VLAN 1)

 


sh arp (2960x2)


Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1            43   0008.e3ff.fc28  ARPA   Vlan1
Internet  192.168.0.4             -   dceb.9473.7d40  ARPA   Vlan1
Internet  192.168.0.69          158   0024.e8f1.2b7c  ARPA   Vlan1 (Old client address on VLAN 1)

 

 

 

I've watched a few videos and did some reading but had no luck figuring out what the heck. I'll be happy to provide information or show my configs. Not sure what I've done wrong here but any help would be appreciated.

 

1 Accepted Solution


Iulian Vaideanu
Level 4

It would look like a classic case of the clients having missing or improperly configured default routes if it weren't for the part where any switch can ping any client anywhere...


Hrm, I did not... realize I needed to set routes on my clients.

 

This works now, no issue. Thank you.

 

Question, and perhaps it's a dumb one. 

Is there no other way to utilize the 4500x switch and accomplish inter-VLAN routing without adding routes to my client machines? I honestly thought with ip routing enabled I wouldn't need routes on my clients. It's fair to say I misunderstood. But can this not be handled on the switch end using the 4500 and 2960x's ? 

 

 

edit: Wait.. did you mean I need to set routes on the switches? It's working when I do route add from DOS on the clients..

It may be a terminology thing but you don't need routes on your clients.

The client should have a default gateway, which is the SVI IP address on the 4500 for their vlan, but that should be handed out with DHCP.

The L3 switch should do all the routing between vlans, i.e. the client simply sends any traffic to remote subnets to its default gateway.

And you don't need to add routes for any vlans local to the 4500, i.e. it will automatically route between connected IP subnets.

Jon

So I don't have DHCP configured, I'm just dropping static addresses in there that match the interface's VLAN. I can do the DHCP config, didn't think it would really matter as long as I properly addressed the client devices. 

 

Example the windows client ipconfig (my other client resides on 122.0) 

192.168.109.133

255.255.255.0

192.168.109.1

if I add to this windows client

route add 192.168.122.0 mask 255.255.255.0 192.168.109.1

it can talk to everything on the 122.0 network (aka vlan5) which is where my other client is sitting. If this isn't there it doesn't work. 

 

So the connectivity is there? I just have something ... wrong?  Do I need to add routes anywhere? What am I missing, this looks absurdly easy in every configuration I've seen. 

 

enable ip routing, create vlans, create vlan interfaces, assign IP's to interfaces, verify trunks between switches, verify no shutdown on interfaces. 

 

 

You should not need to add that route.

Your client should automatically send any traffic for remote subnets to its default gateway.

The fact that when you add the route it works suggests the switch is routing otherwise it still wouldn't work.

It sounds more like your clients are not using their default gateway but I can't see why that would be the case at the moment.

Jon

Yeah, I originally had not thought I would need to, then it worked so I thought perhaps I'm the one who's confused about how this works. 

 

Without the route the clients can ping their own gateway. 

Also without the route they can talk to other clients on the same VLAN. 

So it seems like they hit their gateway? It just won't send traffic to the other VLAN interfaces. 

meh... maybe I should just factory them and try again.... I'll set up DHCP first.. see what that does... 

 

 

You only need a default route, not individual routes for all the 192.168. subnets.  A default route is also pretty impossible to live without if at some point in the future the client needs to access a wider range of resources (like the Internet :)).

That is, either "route add 0.0.0.0 mask 0.0.0.0 192.168.109.1" (for the client example you provided) or just fill in the "default gateway" field in the TCP/IP properties window for the client's network connection.

Yeah, I for sure have the default gateway field filled out....  In fact I can ping the gateway of the VLAN interface that physical port resides on as long as the static IP I assign matches that configured VLAN interface.

103.8 for example can hit 103.1 no problem. It can also hit other clients on the 103.0 network

It however cannot hit 0.1, 105.1, 122.1,  or 104.1 VLAN interface gateways. 

I just can't ping other VLAN interface gateways; I can ping mine fine. The switches can ping everything from CLI. So... yep. 

Does 103.8 have 103.1 listed as "Default Gateway" when running "route print" from the command prompt?

Hello, 

 

So I figured it out. The issue was a multi-homing issue. I'm configuring this remotely. Staff moves cables when necessary. Then I verify on the switches things are in their correct place. In this instance I was utilizing 2 laptops to do the configuration. Both connected to the Test network on different switches where I'm doing the configuration above. The other a wireless connection that I'm connected to across the corp. network. Had someone disable the wireless and do some tests annnnd LO.. everything could ping everything perfectly on my test network. My fault for not realizing it was trying to send everything out of the wireless. DOH, so to speak. Apologies for wasting anyone's time. 
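
The route selection behind this resolution, as an added example that is not part of any poster's message: a dual-homed client picks the longest matching prefix and then the lowest metric, so a wireless default route can take all off-subnet traffic while the wired gateway still answers pings. The wired addresses come from the thread; the wireless subnet, its gateway and every metric are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed routing table for the dual-homed test laptop. Wired entries use
# the thread's addresses; the wireless subnet/gateway and all metrics are
# assumptions made for this example.
ROUTES = [
    # (destination, gateway or None for on-link, interface, metric)
    ("0.0.0.0/0",        "10.20.30.1",    "wireless", 25),
    ("0.0.0.0/0",        "192.168.109.1", "wired",    35),
    ("10.20.30.0/24",    None,            "wireless", 25),
    ("192.168.109.0/24", None,            "wired",    35),
]

def lookup(routes, dst):
    """Pick a route the way an IP host does: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw, ifc, metric)
               for net, gw, ifc, metric in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    net, gw, ifc, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"network": str(net), "gateway": gw, "interface": ifc}

def competing_defaults(routes):
    """Interfaces that each install a default route (the multi-homing check)."""
    return sorted({ifc for net, _, ifc, _ in routes if net == "0.0.0.0/0"})

if __name__ == "__main__":
    # Own gateway is on-link via the wired NIC; the other VLANs fall to the
    # wireless default because its metric is lower.
    for dst in ("192.168.109.1", "192.168.122.69", "192.168.0.1"):
        print(dst, "->", lookup(ROUTES, dst))
    print("default routes on:", competing_defaults(ROUTES))
    # The "route add" workaround: a /24 is more specific than either default.
    fixed = ROUTES + [("192.168.122.0/24", "192.168.109.1", "wired", 35)]
    print("with route add:", lookup(fixed, "192.168.122.69"))
    # Disabling the wireless adapter removes its routes entirely.
    wired_only = [r for r in ROUTES if r[2] == "wired"]
    print("wireless off:", lookup(wired_only, "192.168.122.69"))
```

On a real client, more than one interface listed by the default-route check is the cue to compare metrics in `route print` before suspecting the switch.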

Hello,

I am having a similar problem.  However, my SVI's won't even go to the "up up" state.  They are all at the "down down" state.  As a result, the machine I have on the access port on the neighboring device can't ping any of the SVI's on the Distribution switch which is a 4500x 16 port with ipbase.  Each switch can see and ping each other, but the distribution sw can't even see the directly connected subnets of the SVI's.

I hope you can understand this.
