Re: Cannot ping router on native VLAN

Mokhalil82 · ‎10-24-2018

Hi

I have a simple setup for testing purposes. PC > Switch > Router

VLAN 1 network is 192.168.1.0/24

So by default VLAN 1 is the native VLAN.

The PC is configured statically with 192.168.1.50/24 with a gateway of 192.168.1.1

The switchport for the PC is configured as an access port in VLAN 1

The uplink to the router is configured as a trunk port allowing all VLANs

The switch itself is configured with a mgmt SVI in VLAN 1 of 192.168.1.10/24

The router interface is configured as a trunk allowing all VLANS with a VLAN 1 SVI (192.168.1.1/24)

The router is the root bridge and all ports on the switch are in spanning tree forwarding.

So why can the PC ping the switch, but not the router? The switch can ping both the PC and the router.

The router is managed by the ISP but I have the configs and its just a trunk port with the SVI, however HSRP is configured, probably as their template config as there is not a secondary router. So it gateway IP is virtual, but I cannot ping the physical IP either.

My feeling is this is something to do with the native VLAN 1, as I also alongside this setup configured the same using VLAN 10, as the ISP router already has a VLAN 10 SVI and that works fine. It just does not work on VLAN 1.

I have done the basics, ie sh int status and all ok, sh ip int br, all are up up, spanning tree is forwarding for all interfaces and vlans and no blocked ports, sh int gig xxx, sh int gig xxx switchport etc

I can get the ISP to change the VLAN but just curious why it does not work on VLAN 1.

TIA

Jon Marshall · ‎10-24-2018

Can you post just the interface configuration of the router interface connecting to your switch.

Jon

Mokhalil82 · ‎10-24-2018

Here is the router interface config

interface GigabitEthernet2
description xxx
switchport mode trunk
no ip address
duplex full
speed 1000

interface vlan 1

description XXX
ip address 192.168.219.2 http://255.255.255.0
ip access-group NME-PROTECT in
no ip redirects
no ip unreachables
no ip proxy-arp
standby 99 ip 192.168.219.4
standby 99 priority 105
standby 99 preempt
standby 99 authentication XXX
standby 99 track 99 decrement 10

I have turned ip routing on and off the switch to no avail.

I have checked the inbound ACL and it is not denying icmp or any traffic from this LAN subnet.

Its the LAN facing subnet, so is a /24 and not a /30, but I understand I could route on my switch and have a /30 with the ISP, but im just curious why on the native VLAN I cannot ping the gateway but can on another VLAN.

I am speaking with the ISP today and will get them just to change the VLAN tag and I will do the same on my side to see if it starts working

pieterh · ‎10-24-2018

you have access to the ISP router config?

check if this also uses /24 subnet on the vlan1 interface

but I expect it will have a /30 subnet and as such can only be reached by your local router vlan1

this subnet is only used for interconnect the ISP router with a local router on your side

and the ISP router does not respond to any addresses outside 192.168.1.0 - 192.168.1.4

My expected setup is you need to add a router in your network with two interfaces

(or enable routing on the switch and use this as a router with two SVI's in two vlans)

- 192.168.1.2/30 on the ISP side

- 192.168.2/0/24 (or any other) on your local network

paul driver · ‎10-24-2018

Hello

You should be able to ping the router from the pc, If your isp router is proving the intervlan routing then disable any ip routing on the switch if it is enabled..

conf t
no ip routing

Can you show the arp entries on the router

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

pieterh · ‎10-24-2018

your ISP router has

interface vlan 1

   ip address 192.168.219.2 http://255.255.255.0
   ip access-group NME-PROTECT in
   standby 99 ip 192.168.219.4

I guess the "http://" here is some typo?

but this output shows this has NO SVI on vlan 1 with address 192.168.1.1

and what traffic does the access-group NME-PROTECT allow ?

The PC is configured statically with 192.168.1.50/24 with a gateway of 192.168.1.1

-> the default gateway on the client should be pointing to the hsrp address 192.168.219.4

Mokhalil82 · ‎10-24-2018

Sorry I forgot to mention the fact that i was using 192.168.1.x as an example on this forum but yes everything is actually on 192.168.219.0/24 in reality

The NME-PROTECT just denies certain ISP public networks

The issue is VLAN related, as I have spoke to the ISP and as soon as we change the VLAN every from 1 to 100, it all just works

Richard Burts · ‎10-24-2018

Glad to know that when you changed to vlan 100 that it worked.

HTH

Rick

HTH

Rick

Mokhalil82 · ‎10-24-2018

Hi Rick

What i was trying to understand in this post was why did it not work on VLAN 1. By just changing to VLAN 100 it works.

Must be something to do with the native VLAN I would guess

Richard Burts · ‎10-24-2018

I agree that it would be nice to understand why the original configuration did not work. We do not have enough consistent information about how the router was configured to be able to answer that question. If we had opportunity for more troubleshooting it would have been interesting to look at the arp tables from the router, from the switch, and from the PC. That might have provided some clue about the problem.

HTH

Rick

HTH

Rick