09-17-2019 04:20 AM
I thought I'd best be able to illustrate my issue with a collection of ping commands:
MY_SWITCH#ping XX.YY0.41.131 source XX.YY0.48.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
MY_SWITCH#ping XX.YY0.48.10 source XX.YY0.41.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
MY_SWITCH#ping XX.YY3.255.6 source XX.YY0.41.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
MY_SWITCH#ping XX.YY3.255.6 source XX.YY0.48.1
Success rate is 0 percent (0/5)
MY_SWITCH#ping XX.YY0.41.131 source XX.YY3.255.5
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
MY_SWITCH#ping XX.YY0.48.10 source XX.YY3.255.5
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
As you can see, ONLY ONE ping command fails. This is my issue. Communication from a particular VLAN to one particular other one just doesn't work. This is an existing network I have started working on, and I have set up the new VLAN which fails to reach the particular VLAN. For reference here are some VLAN IDs to explain the IPs above:
The ping illustration shows that:
I've looked at trunk ports, etherchannels and ACLs and cannot see anything that would suggest VLAN30 has no access to VLAN10.
Switches involved are C3750s and C2960 with VLAN via VTP.
Anyone have any suggestions as to where I should look? I'm more than happy to re-check anything I already have!
Many thanks in advance!
09-18-2019 09:47 AM - edited 09-18-2019 09:48 AM
Hi,
Wow have I learnt a lot in the last few days!!!
My problem is solved! There was nothing wrong with the switch or the configuration.
The ISP gateway (as I guessed) was the issue. It turns out the ISP enforce a local IP range because they provide the service as part of a larger intranet. Therefore the subnets available to me were limited and I had created a VLAN just outside of the allowed range. Therefore packets from my new VLAN subnet were being dropped!
I now have access to an extended range and internet connectivity is working fine!!
Thanks again for your help Mark.
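The ping matrix from the first post already isolates this kind of fault. As an added example (not part of the original posts), the sketch below parses those IOS transcripts and reports any destination that answers some sources but not others; the redacted addresses are treated as opaque strings, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Transcript lines copied from the thread's first post. Addresses are redacted
# on the page, so they are compared as opaque strings, never parsed as IPs.
TRANSCRIPT = """\
MY_SWITCH#ping XX.YY0.41.131 source XX.YY0.48.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
MY_SWITCH#ping XX.YY0.48.10 source XX.YY0.41.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
MY_SWITCH#ping XX.YY3.255.6 source XX.YY0.41.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
MY_SWITCH#ping XX.YY3.255.6 source XX.YY0.48.1
Success rate is 0 percent (0/5)
MY_SWITCH#ping XX.YY0.41.131 source XX.YY3.255.5
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
MY_SWITCH#ping XX.YY0.48.10 source XX.YY3.255.5
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
"""

PING_RE = re.compile(r"#\s*ping\s+(\S+)\s+source\s+(\S+)")
RATE_RE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")

def parse_pings(text):
    """Return (destination, source, received, sent) for each ping in the text."""
    results, pending = [], None
    for line in text.splitlines():
        if (m := PING_RE.search(line)):
            pending = m.groups()            # (destination, source)
        elif (m := RATE_RE.search(line)) and pending:
            results.append((*pending, int(m[1]), int(m[2])))
            pending = None
    return results

def source_dependent_drops(results):
    """Destinations that reply to at least one source and to none from another.

    Such a target is up and reachable, so the loss depends on the source
    address: check for source-based filtering or a missing return route on
    or behind that target rather than on the switch doing the pinging.
    """
    by_dest = defaultdict(lambda: {"ok": set(), "failed": set()})
    for dest, src, received, _sent in results:
        by_dest[dest]["ok" if received else "failed"].add(src)
    return {d: {k: sorted(v) for k, v in r.items()}
            for d, r in by_dest.items() if r["ok"] and r["failed"]}
```

Run over the first post's output, only the gateway address is flagged, with the new VLAN's SVI as the sole failing source.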
09-17-2019 04:32 AM
09-17-2019 05:26 AM
Hi Mark,
Thanks for the reply. I think it might be L2 from what you say. Here are pings from SVIs on L3 core switch:
MY_SWITCH#ping XX.YY3.255.5 source XX.YY0.41.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
MY_SWITCH#ping XX.YY3.255.5 source XX.YY0.48.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
MY_SWITCH#ping XX.YY0.41.1 source XX.YY3.255.5
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
MY_SWITCH#ping XX.YY0.41.1 source XX.YY0.48.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
MY_SWITCH#ping XX.YY0.48.1 source XX.YY3.255.5
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
MY_SWITCH#ping XX.YY0.48.1 source XX.YY0.41.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
The original pings were all carried out on the core switch too.
Not entirely sure how to check whether there is any blocking via STP. Could you point me to a command at all?
There are no firewalls present within network. The L2 switch is trunked directly into the L3 switch.
The only other thought I had was that the host I am trying to ping inside VLAN1 is the site's gateway router, so I wonder if it is configured to only accept traffic from certain IP subnets? I unfortunately cannot check this as it is controlled by the ISP.
09-17-2019 06:04 AM
09-17-2019 09:22 AM
Hi Mark,
I've just read this (not tried it yet) but wanted to say a massive thanks for taking the time to reply in such detail!
I'll try it out tomorrow and feed back.
Cheers,
09-18-2019 01:09 AM
Hi Mark,
I've not tried the laptop thing because I'm working remotely at present. But since I am running the ping commands on the L3 switch, the firewall thing doesn't factor, right?
In terms of the physical paths: same as above. All my testing is taking place on the one L3 switch stack. There are no trunks involved at present.
I did check STP and it looks like you showed in your example. Couldn't see any issues.
I did one other bit of testing. I created another new VLAN (say 50) and set it up with IP XX.YY0.49.1 255.255.255.240. I didn't configure any ports so there were no physical devices involved. I then again ran the ping test from this new VLAN to the interface (XX.YY3.255.5) on VLAN10 and it passed just like when VLAN30 is the source. So the interface for the VLAN is fine.
I then tried to ping the XX.YY3.255.6 with source XX.YY0.49.1 and it failed just like VLAN 30 does.
For good measure I pinged XX.YY3.255.6 with the source set as 4 other existing VLAN interfaces and they all passed!!
So all I can think is that somewhere there is some setting that permits traffic from those existing VLANs through to VLAN10 or some access list that prevents it. But all defaults show nothing of the sort. There are no specific default gateways and no access lists active on any ports that affect the IP ranges I am dealing with.
To give a bit more detail XX.YY.255.6 is set as a broad default gateway for all the IPs I am dealing with through this IP route command: XX.YY0.0.0/16 [1/0] via XX.YY3.255.6. And yet I cannot get on the internet from VLAN 30!
The one test that can prove whether my theory about IP ranges being blocked entirely by the router at address XX.YY3.255.6 holds is the laptop test that you proposed!!
I really do need to do this and I will as soon as I get down there again.
Still. Any other thoughts?
Thanks,
09-18-2019 01:31 AM
09-18-2019 10:03 AM