12-13-2010 09:38 AM - edited 03-10-2019 12:14 PM
My LAN consists of a 2960 switch and a 1841 router. The switch is trunked to the router's Fa2 switchport using several VLANs.
There is an IP printer - let's name it P1 - connected to a switch port on the router, and that switchport is configured as an access port in VLAN10.
The issue is that no hosts are able to ping the P1 printer from the same VLAN through the switch.
However, I can ping the printer both from the switch and the router. Also, the printer's MAC address and IP address can be found in
the MAC and ARP tables on both devices (I mean the router and the switch).
There is another printer - call it P2 - connected to the 2960 switch, and not the router. I can successfully ping this printer.
Since the switch did not have any free port, I swapped the cable connections of P1 and P2. Now P1 is connected to the switch
and P2 is connected to the router. With this configuration I could ping both P1 and P2! Why?
And, if that were not enough, I have another printer - P3 - also connected to the router and I also cannot ping it!
Debugging ARP on the router and the switch shows that ARP requests get to the switch but not to the router, and I do not know why.
Of course, ARP responses never come back. The switch does not apply ACLs or VLAN filtering.
Any idea, please?
12-14-2010 04:50 AM
franklaszlo,
You have 2 gateways in VLAN 10: both the router and the switch have an SVI for VLAN 10, so which gateway IP is on the PCs trying to ping the printer on the router? Also, what is the gateway address on the printer? The switch is using "ip default-gateway 192.168.10.254"; what is .254? This .254 shouldn't really matter since you are pinging devices in the same broadcast domain (same VLAN)!
Why not just have the router take care of inter-VLAN routing? No need to have a VLAN 10 SVI on the switch!!! Just trunking VLAN 10 between router and switch is enough - see below for a config example.
Also, you've got "ip access-group acl_vlan10_in in" applied to the VLAN 10 SVI on the router! What is that doing? Because I don't see the ACL entries in the config!
On the router:
interface FastEthernet2.0.1
 encapsulation dot1q 10
 ip address 192.168.10.250 255.255.255.0
On the switch:
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
Francisco.
12-14-2010 07:21 AM
Thanks Francisco.
I think this is an L2 issue and has nothing to do with gateways. Just as you also pointed out, the devices in question are all in the same IP network and broadcast domain. Therefore, I think that your original question "which gateway IP on the PC's trying to ping the printer" is not relevant. The PCs have no reason to contact the gateway to get to the printer.
Considering gateways, the switch's SVI in VLAN10 serves management purposes only. Being an L2 switch, it would not route traffic anyway (no inter-VLAN routing capability), but a management IP is needed. The router's Vlan10 interface routes traffic only for very restricted hosts, not the entire network. (I eliminated ACLs from the config because I do not think they are interesting regarding the problem. However, the ACL in question starts with permit icmp any any.)
The .254 address is the real gateway on the network and it is an ISA server. The ISA server's public interface is connected to a different VLAN on the router and so to the internet. The whole network uses more VLANs but, as I said, I do not think this is an L3 issue, so I eliminated that from the config to make the picture clearer. Of course, I can include it if you believe it helps.
Thanks,
Laszlo
12-21-2010 11:48 AM
Laszlo
I agree with your logic that the systems are on the same L2 broadcast domain and that they should never contact the gateway to communicate. However, I have seen in many cases that IP Proxy ARP is enabled on a firewall or router, and it will indeed cause this type of behavior.
Essentially the proxy ARP device will give the printer his MAC address and all packets will be sent to him, thus causing your symptoms. Proxy ARP is an L2 function.
Please check your L3 device and ensure that proxy ARP is disabled. See if the problem fades.
12-22-2010 04:40 AM
Thanks for your suggestions, but I have solved the issue in the meantime, see my latest post.
Regards,
Laszlo
12-14-2010 05:16 AM
Hi,
Can you post ipconfig /all from .253 and .252, as well as route print?
Can you post a traceroute to all printers from .253 and .252?
Can you post sh ip route and sh arp from the router-switch, as well as show mac-address-table dynamic on the 2960?
Can you also sniff on the 2 servers while pinging, and have you got different behaviour when pinging the servers from the router with the source address of the directly connected printers?
Regards.
12-14-2010 08:19 AM
Hi,
The packet capture is missing, but here are the outputs you asked for. I hope the posted images can be read.
12-21-2010 11:37 AM
I have solved the problem, but I do not really understand the solution.
VLAN pruning was to blame. It was not a mistake; I switched on VTP VLAN pruning on purpose for VLANs 2-1002.
As far as I know, this should have worked, shouldn't it? VTP should have been able to detect
that switchports are up and active for VLAN 10 on the router.
I am just curious whether this has been a configuration error or not. Any idea?
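
A check for the symptom described in the last post, as an added example that is not part of the original thread: it parses `show interfaces trunk` output from the switch and lists VLANs that are active on a trunk but absent from the "forwarding and not pruned" list. The sample output and the function names are constructed for illustration; a VLAN can also be missing from that list because spanning tree is blocking it, so a hit needs a follow-up look at pruning and STP state.

```python
# Constructed sample of `show interfaces trunk` (not output from the thread).
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      1-4094

Port        Vlans allowed and active in management domain
Gi0/24      1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      1,20
"""
ACTIVE = "Vlans allowed and active in management domain"
FORWARDING = "Vlans in spanning tree forwarding state and not pruned"

def expand(vlan_list):
    """Turn '1,10-12' into {1, 10, 11, 12}; 'none' gives an empty set."""
    vlans = set()
    for part in vlan_list.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk_sections(output):
    """Return {section title: {port: set of VLANs}} for the 'Vlans ...' sections."""
    sections, title, port = {}, None, None
    for line in output.splitlines():
        if line.startswith("Port"):
            rest = line[4:].strip()
            title, port = (rest if rest.startswith("Vlans") else None), None
            if title:
                sections[title] = {}
        elif title and line.strip():
            if line[0].isspace() and port:      # long VLAN list wrapped onto a new line
                sections[title][port] |= expand(line)
            else:
                port, _, vlans = line.partition(" ")
                sections[title][port] = expand(vlans)
    return sections

def not_forwarded(output):
    """Per trunk port: VLANs that are active but pruned or STP-blocked."""
    s = parse_trunk_sections(output)
    fwd = s.get(FORWARDING, {})
    gaps = {p: sorted(a - fwd.get(p, set())) for p, a in s.get(ACTIVE, {}).items()}
    return {p: v for p, v in gaps.items() if v}
```
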