A simple ping issue

franklaszlo

My LAN consists of a 2960 switch and a 1841 router. The switch is trunked to the router's Fa2 switchport using several VLANs.

There is an IP printer - let's name it P1 - connected to a switch port on the router, and that switchport is configured as an access port in VLAN10.

The issue is that no hosts are able to ping the P1 printer from the same VLAN through the switch.

However, I can ping the printer both from the switch and the router. Also, the printer's MAC address and IP address can be found in the MAC and ARP tables on both devices (I mean the router and the switch).

There is another printer - call it P2 - connected to the 2960 switch, and not the router. I can successfully ping this printer.

Since the switch did not have any free port, I changed the cable connection of P1 and P2. Now P1 is connected to the switch and P2 is connected to the router. With this configuration I could ping both P1 and P2! Why?

And, as if that were not enough, I have another printer - P3 - also connected to the router and I also cannot ping it!

Debugging ARP on the router and the switch shows that ARP requests get to the switch but not to the router, and I do not know why. Of course, ARP responses never come back. The switch does not apply ACLs or VLAN filtering.

Any ideas, please?



franklaszlo,

You have 2 gateways in VLAN 10: both the router and the switch have an SVI for VLAN 10, so which gateway IP is on the PCs trying to ping the printer on the router? Also, what is the gateway address on the printer? The switch is using "ip default-gateway 192.168.10.254"; what is .254? This .254 shouldn't really matter, since you are pinging devices in the same broadcast domain (same VLAN)!

Why not just have the router take care of inter-VLAN routing? No need to have a VLAN 10 SVI on the switch!!! Just trunking VLAN 10 between router and switch is enough - see below for a config example.

Also, you've got "ip access-group acl_vlan10_in in" applied to the VLAN 10 SVI on the router! What is that doing, because I don't see the ACL entries in the config?

On the router:

interface FastEthernet2.0.1
 encapsulation dot1q 10
 ip address 192.168.10.250 255.255.255.0

On switch:

interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk

Francisco.

Thanks Francisco.

I think this is an L2 issue and has nothing to do with gateways. Just as you also pointed out, the devices in question are all in the same IP network and broadcast domain. Therefore, I think that your original question, "which gateway IP on the PC's trying to ping the printer", is not relevant. The PCs have no reason to contact the gateway to get to the printer.

Considering gateways, the switch's SVI in VLAN10 serves management purposes only. Being an L2 switch, it would not route traffic anyway (no inter-VLAN routing capability), but a management IP is needed. The router's Vlan10 interface routes traffic only for very restricted hosts, not the entire network (I eliminated the ACLs from the config because I do not think they are interesting regarding the problem. However, the ACL in question starts with permit icmp any any).

The .254 address is the real gateway on the network and it is an ISA server. The ISA server's public interface is connected to a different VLAN on the router and so to the internet. The whole network uses more VLANs but, as I said, I do not think this is an L3 issue, so I eliminated that from the config to make the picture clearer. Of course, I can include it if you believe it helps.

Thanks,

Laszlo

Laszlo

I agree with your logic that, since the systems are on the same L2 broadcast domain, they should never contact the gateway to communicate. However, I have seen in many cases that IP Proxy ARP is enabled on a firewall or router, and it will indeed cause this type of behavior.

Essentially the proxy ARP device will give the printer its own MAC address and all packets will be sent to it, thus causing your symptoms. Proxy ARP is an L2 function.

Please check your L3 device and ensure that proxy arp is disabled. See if the problem fades.

Thanks for your suggestions, but I have solved the issue in the meantime, see my latest post.

Regards,

Laszlo

Hi,

Can you post ipconfig/all from .253 and .252 as well as route print?

Can you post traceroute to all printers from .253 and .252?

Can you post sh ip route and sh arp from the router-switch as well as show mac-address-table dynamic on the 2960?

Can you also sniff on the 2 servers while pinging, and have you got different behaviour when pinging the servers from the router with source address of printers directly connected?

Regards.

Don't forget to rate helpful posts.

Hi,

Packet capture is missing, but here are the outputs you asked for. I hope the posted images can be read.

franklaszlo

I have solved the problem, but I do not really understand the solution.

It was the fault of VLAN pruning. It was not a mistake, I switched on VTP VLAN pruning on purpose for VLANs 2-1002.

As far as I know, this should have worked, shouldn't it? VTP should have been able to detect that switchports are up and active for VLAN 10 on the router.

I am just curious whether this was a configuration error or not. Any ideas?
