02-21-2014 02:14 AM - edited 03-07-2019 06:20 PM
hello community
i have a strange behavior in my switch environment..
i have a 3750x switch stack which is the core switch in my network
there are some 2960s client switches with port-channel connected to that core switch
the core switch has different vlan interfaces. vlan1 for workstations and servers, vlan506 for management.
the client switches only have a management vlan interface (id506) - the native vlan1 is shutdown.
as i say, servers and workstations are located in vlan1. when i connect from a workstation, which has an ip address from vlan1, to the client switch and take a configuration backup using tftp on that workstation, the client switch inserts an arp entry for this workstation - located in vlan1 - where the client switch doesn't have an ip address..
when i troubleshoot this problem, i first see the mac address from the core switch vlan 506 interface and the ip address from the client in the arp table.
after a few minutes the switch changes the mac address to the real mac of the client..
this is strange because of arp.. the switch should not have arp entries from a layer3 interface in which it doesn't have an ip address.. am i right??
thank you in advance for your help, best regards and stay happy!
michael
02-21-2014 07:34 AM
Michael
Does the client switch have a default gateway configured ie. an IP in vlan 506 pointing to the VLAN 506 IP on the 3750 ?
If not can you post the output of "sh ip int vlan 506" from the 3750 ?
Jon
02-21-2014 08:59 AM
hi Jon
Yes he have!
config client switch:
*****************************************
interface Vlan506
 ip address 172.25.6.8 255.255.255.0
!
ip default-gateway 172.25.6.254
*****************************************
config core switch:
*****************************************
interface Vlan506
 ip address 172.25.6.1 255.255.255.0
 standby 1 ip 172.25.6.254
 standby 1 priority 115
 standby 1 preempt
 standby 1 authentication md5 key-string 7 xxxxxxxxxxx
*****************************************
i have also tried to deactivate proxy-arp on the core switch - but no effect..
regards - michael
02-21-2014 10:22 AM
Hi Michael
I can see we were thinking along the same lines ie. proxy arp
I'm not sure what is happening then. Your understanding is correct ie. a switch with only one SVI should only have arp entries for other devices within that vlan including its default gateway. It should not have any arp entries for devices from remote subnets as it would simply use its default gateway to get to them.
Jon
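An added example, not part of the original thread: a Python check for the rule Jon states above, flagging `show ip arp` rows whose IP lies outside the subnet of the SVI they were learned on. The sample table is constructed; the workstation address 172.25.1.50 and all MAC addresses are assumptions, only the vlan 506 addressing comes from the posted configs.

```python
import ipaddress
import re

# One row of Cisco IOS "show ip arp" output:
# Protocol  Address  Age (min)  Hardware Addr  Type  Interface
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)\s*$",
    re.IGNORECASE,
)

def off_subnet_entries(arp_output, svi_networks):
    """Return (ip, mac, interface, reason) for ARP rows that should not exist.

    svi_networks maps an interface name to its configured "address/mask".
    """
    nets = {name: ipaddress.ip_interface(cfg).network
            for name, cfg in svi_networks.items()}
    findings = []
    for line in arp_output.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m:
            continue  # header, blank line or "Incomplete" entry
        ip = ipaddress.ip_address(m["ip"])
        net = nets.get(m["intf"])
        if net is None:
            reason = "interface has no configured IP"
        elif ip not in net:
            reason = f"outside {net}"
        else:
            continue  # on-subnet neighbour, expected
        findings.append((str(ip), m["mac"].lower(), m["intf"], reason))
    return findings

# Constructed sample: the last row mimics the symptom in this thread, a vlan1
# workstation IP (assumed value) mapped to the core switch's Vlan506 MAC.
SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.25.6.8              -   0011.2233.4408  ARPA   Vlan506
Internet  172.25.6.254            3   0000.0c07.ac01  ARPA   Vlan506
Internet  172.25.6.1              3   0011.2233.4401  ARPA   Vlan506
Internet  172.25.1.50             1   0011.2233.4401  ARPA   Vlan506
"""

if __name__ == "__main__":
    for finding in off_subnet_entries(SAMPLE, {"Vlan506": "172.25.6.8/255.255.255.0"}):
        print(finding)
```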
02-21-2014 10:35 AM
ok Jon, nevertheless thank you!
02-21-2014 10:37 AM
Michael
Just one quick check.
Is the native vlan the same on both sides of the trunk link. If not STP should kick in but you never know.
Jon
02-21-2014 10:58 AM
yes Jon, it is. but one particularity, i have not vlan1 set as native vlan in case of vlan hopping prevention.
i have added a dummy vlan 1001 and use this as native vlan, so all other vlans are tagged..
i am not sure if i understand how STP should cause these problems..
02-21-2014 11:02 AM
Sorry what i meant was if you had accidentally configured the 2960 end of the trunk link to have a native vlan of 506 but the 3750 end to have a native vlan of 1 this could account for the arp getting through to the client.
You still shouldn't have seen what you did but i just wanted to rule out any issues.
The bit about STP was simply to say if the native vlan doesn't match it should actually block that vlan on the link that's all.
I wasn't suggesting the issue you are seeing was down to STP.
Jon
02-21-2014 11:09 AM
ok, i understand.
the native vlan configuration is on both sites the same.
the STP doesn't block a vlan as i see in the database
02-21-2014 12:24 PM
Hello
possible ip.icmp.redirects?
try turning this off and test?
res
paul
Sent from Cisco Technical Support Android App
02-21-2014 12:29 PM
hi Paul
i would like to try this but i don't know how to do.
can you tell me the commands?
regards - michael
02-21-2014 12:39 PM
Hello
int xxx (svi)
no ip redirects
res
paul
Sent from Cisco Technical Support Android App
02-21-2014 12:42 PM
thank you Paul, i try this on monday!
do i have interrupts after adding this command?
02-21-2014 12:47 PM
Hi Paul
I understand what you are saying about redirects but for that to work wouldn't the 2960 also need a L3 SVI in vlan 1 up/up as well. It only has an SVI in vlan 506 so even if it did get redirected it couldn't send it direct because it doesn't have an interface in that vlan.
It may be i am missing something so not saying you are wrong.
Jon
02-21-2014 12:59 PM
Hello
cannot see how you would on the information you provided.
res
paul
Sent from Cisco Technical Support Android App