02-02-2015 08:57 AM - edited 03-07-2019 10:28 PM
Hello everyone!
I study CCNA and I'm kind of stuck with a network scenario, and hope to receive some feedback on what I could be doing wrong. This truly is a great forum and I have spent many hours getting answers to my questions. But for this scenario I have not found answers...
Scenario: I have a network with 1 router, two switches and 4 different VLANs. I want to be able to communicate with the switch remotely, and have set up an IP address on VLAN 99 for remote management. I have set up a trunk that carries all traffic from all VLANs between my switches and set up a router with subinterfaces for each VLAN.
I can access the switches remotely from hosts connected to VLAN 99, but not from the other VLANs. However I can SOMETIMES ping between the VLANs (set up static IP on the computers with a default gateway to the subinterface's IP they are connected to on the router). So really my problem is probably more related to the fact that I cannot ping between VLANs correctly.
Below is a link with the PT file including configurations so that we can distinguish what is wrong with my configuration. Any feedback is (obviously) highly appreciated as I cannot get answers through searching.
http://www.speedyshare.com/Jns7S/roas.pkt
Kind regards,
Teemu
02-04-2015 02:55 PM
L3 vlan interface just means the subinterfaces on the router.
What you are seeing is to do with proxy arp which is enabled by default.
When you either -
1) set no default gateway on the switch
or
2) set an incorrect gateway on the switch
you are relying on proxy arp on the router to provide a mac address to the arp request from the switch.
So what happens is you telnet from a remote client ie. not on the switch management subnet and the router sends the packet to the switch.
To return the packet the switch has to send the packet to its default gateway.
If one is configured, no matter what it is it sends an arp request for the default gateway IP.
If no default gateway is configured it sends an arp request for the client IP.
Either way the vlan 99 interface on the router receives this request as it is a broadcast. If the IP address in the request is from a subnet configured on any of the router interfaces then the router simply responds with the mac address of the interface the request was received on.
The switch receives this response and sends the return packets to the router interface.
And the router then sends the packet back to the client.
If you disable proxy arp on the vlan 99 interface then it won't work unless you configure the correct default gateway on the switch ie. the IP address of the vlan 99 subinterface on the router.
If you want to test this with different default gateways or no default gateway you must clear the arp cache on the switch every time you make a change, otherwise you get inconsistent results because the switch has the mac address in its arp cache.
To disable proxy arp on your subinterface just go to the vlan 99 subinterface and type -
"no ip proxy-arp"
you only need to do it on that subinterface.
Jon
02-05-2015 01:42 PM
Thank you Jon for your detailed explanation.
You just introduced me to proxy arp, and I think I fully understand it all now. Broadcast stays within its network and vlan while proxy arp allows arp queries to reach other vlans.
I appreciate if you can confirm or correct above.
Kindly,
Teemu
02-05-2015 03:51 PM
Teemu
Proxy arp doesn't send queries to other vlans.
If the switch has no gateway or the wrong gateway it still sends an arp request for it.
If there is no gateway configured the switch is asking for the mac address of the remote client.
If there is a gateway configured but it is the wrong one the switch is asking for the mac address of that gateway.
Neither IP address is on the switch's subnet.
The switch is in vlan 99 so the vlan 99 subinterface on the router receives the request.
The router does not forward this request.
If the router has any interface configured with an IP address from the same subnet as the IP in the arp request then it will respond with the mac address of the interface the request was received on, vlan 99 in this case.
But it doesn't forward the request on because it doesn't need to.
The switch receives the mac address of the vlan 99 subinterface. It doesn't know this isn't the real mac address for the IP in the request.
When the switch sends the actual packet back to the remote client the vlan 99 interface receives this and does forward that on because the destination IP is the remote client.
Note proxy arp only works if the router has an interface in the same IP subnet as the IP in the request.
If it didn't it wouldn't respond.
It works in your setup because all the interfaces are on the same router so whichever gateway you use or no gateway, as long as the router has an interface from the same IP subnet, the router can respond.
Hope that makes it clearer.
Jon
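The proxy ARP decision described in the two explanations above, as an added example that is not part of the original thread. It models only the rule as stated in the posts (reply if the requested IP falls in a subnet configured on any router interface); the interface names, subnets, switch management subnet and MAC addresses are constructed assumptions, since the thread does not list them.

```python
import ipaddress

# Constructed addressing: the thread does not list the router's subinterface
# addresses, so every name, subnet and MAC below is an assumption.
ROUTER = {
    "vlan99": ("192.168.99.1/24", "00:00:5e:00:53:99"),
    "vlan10": ("192.168.1.1/24", "00:00:5e:00:53:10"),
    "vlan50": ("192.168.50.1/24", "00:00:5e:00:53:50"),
}
SWITCH_NET = ipaddress.ip_network("192.168.99.0/24")  # switch management subnet
CLIENT = "192.168.1.101"                               # remote telnet client


def switch_arp_target(dest_ip, default_gateway):
    """IP the switch ARPs for when it has to send a packet to dest_ip."""
    if ipaddress.ip_address(dest_ip) in SWITCH_NET:
        return dest_ip                      # on-link: ARP for the host itself
    return default_gateway or dest_ip       # no gateway set: ARP for the client


def router_arp_reply(rx_iface, target_ip, proxy_arp=True):
    """MAC the router answers with on rx_iface, or None if it stays silent."""
    target = ipaddress.ip_address(target_ip)
    rx_ip, rx_mac = ROUTER[rx_iface]
    rx = ipaddress.ip_interface(rx_ip)
    if target == rx.ip:
        return rx_mac                       # ordinary ARP for its own address
    if target in rx.network or not proxy_arp:
        return None                         # on-link host, or proxy ARP off
    for ip, _mac in ROUTER.values():
        if target in ipaddress.ip_interface(ip).network:
            return rx_mac                   # proxy reply: receiving interface's MAC
    return None                             # no interface in that subnet


def return_path_works(default_gateway, proxy_arp):
    """True if the switch on VLAN 99 can resolve a next hop back to CLIENT."""
    target = switch_arp_target(CLIENT, default_gateway)
    return router_arp_reply("vlan99", target, proxy_arp) is not None


if __name__ == "__main__":
    for gw in (None, "192.168.50.1", "192.168.99.1", "10.9.9.9"):
        for proxy in (True, False):
            print(f"gateway={gw!s:<13} proxy_arp={proxy!s:<5} "
                  f"reachable={return_path_works(gw, proxy)}")
```

With proxy ARP off, only the correct gateway (the VLAN 99 subinterface address) gives a working return path, which is the configuration that does not depend on the router answering for addresses it does not own.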
02-07-2015 11:59 AM
Jon
Thank you very much for your explanation, I really appreciate your help. After controlling this with a friend and reading more about it, I think I got it. And the answer I marked correct is still the most correct answer.
I was eager in my previous post, I meant arp requests and not broadcast, and instead of vlans I meant networks.
Kind regards,
Teemu
02-02-2015 12:18 PM
What port on which switch is 192.168.1.101 connected to ?
What port on which switch is 192.168.50.100 connected to ?
Were the default gateways of the devices set to the corresponding IPs on the router ?
Jon