08-19-2019 07:56 AM
I have a remote site that has 2 switches EtherChanneled together.
Layer 3 Switch 1
1 WS-C3560V2-48PS 12.2(50)SE5
Layer 2 Switch 2
2 WS-C3550-48-SMI Version 12.2(37)SE
EtherChannel Load-Balancing Configuration: src-mac
Ports 1-4 on both sides are connected.
Group  Port-channel  Protocol  Ports
1      Po1(SU)       LACP      Fa0/1(P) Fa0/2(P) Fa0/3(P) Fa0/4(P)
When I try and ping the SVI from the firewall I get no reply. I of course can ping it from the layer 3 as it is directly connected.
What is strange is I can ping through the ether channel with no issues, all devices on the layer 2 are reachable from the firewall.
Thanks
08-19-2019 08:15 AM
08-19-2019 09:57 AM
Ok let me clarify:
Firewall <=Layer 3 interface=> GTHICSWCDC01 <=Etherchannel layer 2=> GTHICSWCDC02
GTHICSWCDC01 is a layer 3 switch Vlan678 10.64.71.1
GTHICSWCDC02 is a layer 2 switch Vlan678 10.64.71.50
interface Vlan678
ip address 10.64.71.1 255.255.255.128
no ip redirects
no ip unreachables
From GTHICSWCDC01 I can ping GTHICSWCDC02 without issue.
From the Firewall I can ping GTHICSWCDC01 without issue.
From the Firewall I can't ping GTHICSWCDC02 vlan678 ip 10.64.71.50
From the Firewall I can ping everything connected to GTHICSWCDC02
thanks
08-19-2019 10:35 AM
Your layer-2 switch (GTHICSWCDC02) needs a default gateway pointing to the layer-3 switch IP.
ip default-gateway 10.64.71.1
HTH
08-19-2019 11:14 AM
We are trying to diagnose a problem and to suggest solutions without having enough information from the original poster to be able to accurately understand the issue. The original poster has not provided details of how the firewall connects to the L3 switch. We are assuming that it is a routed link not in 10.64.71 but we have no details to confirm this. Assuming that this is true then it is necessary for the L2 switch to have configured an ip default-gateway. We are guessing that this has not been done but we lack details to confirm this. I agree with my colleagues that the most likely issue is that L2 switch does not have a default gateway configured. But it would be very helpful if the original poster would provide details (especially the config of the L2 switch) to allow us to verify our assumptions.
HTH
Rick
08-19-2019 01:27 PM - edited 08-19-2019 01:36 PM
Attached is the config from both switches. Yes firewall is routed interface on GTHICSWCDC01 port1.
Firewall interface 10.64.71.250
Routed interface 10.64.71.249.
As I just previously posted, I noticed that GTHICSWCDC01 default gateway was wrong. Really not sure why it was set to ip 10.64.71.10. I have changed it to 10.64.71.1 but the issue still persists.
Any insight would be great.
thanks
08-20-2019 08:23 AM
Thank you for posting the configs. I find them very helpful. They do demonstrate that switch 2 does have ip default-gateway configured to point to the upstream gateway. So much of our previous speculation was not on the mark. What the config does show is that ip routing is enabled. Your description of the environment was that switch 2 was a layer 2 switch. But enabling ip routing makes it a layer 3 functioning switch. And a layer 3 functioning switch may have ip default-gateway configured but it ignores it. I see no routes configured. If you do show ip route on switch 2 I am confident that it will indicate that it has a locally connected subnet but that there is no default route. So this is the real problem. We have a switch functioning as layer 3 but with no default route/no default gateway. To solve your issue you should either configure a static default route on switch 2 or you should disable ip routing (we do not know much about your network and therefore can not know if there is any good reason to have ip routing enabled on switch 2, but based on the very little that we do know I would suggest removing ip routing).
HTH
Rick
08-20-2019 12:34 PM
In reading through the discussion I find there is one more thing to clarify. You comment that switch 1 default gateway was set incorrectly to 10.64.71.10 and that you changed it to 10.64.71.1. Technically you are probably correct that it was incorrectly set. (Part of the confusion is that we have no idea what is at 10.64.71.10 or why that was set as default-gateway.) But changing it to 10.64.71.1 is not a solution. That address is the IP of your vlan interface. And it makes no sense to try to set your default gateway to one of your own addresses. The default gateway is by definition an address that is remote to your device.
And as I explained in my previous response it really does not make any difference how the default-gateway is configured (or whether it is configured at all) when ip routing is enabled. When ip routing is enabled the switch ignores whatever is configured as default-gateway and looks for a default route. You have a correctly configured static default route and that is what is used on this switch.
Do not be confused that default gateway and default route look similar. They are, in fact, quite different. Default gateway is used when the switch is operating in layer 2 mode and default route is used when the switch is operating in layer 3 mode.
HTH
Rick
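An offline check for the condition described in the two replies above (ip routing enabled, ip default-gateway therefore ignored, no default route), added here as an example and not part of the original thread. The function name `audit`, the finding labels and the sample configs are assumptions; routing is treated as off unless an `ip routing` line is present, and only static default routes are recognized.

```python
import re

# Constructed configs modeled on the thread. The real configs were forum
# attachments and are not on the page; the next hop in SW1_CFG is assumed.
SW2_CFG = """\
hostname GTHICSWCDC02
ip routing
interface Vlan678
 ip address 10.64.71.50 255.255.255.128
ip default-gateway 10.64.71.1
"""

SW1_CFG = """\
hostname GTHICSWCDC01
ip routing
interface Vlan678
 ip address 10.64.71.1 255.255.255.128
ip default-gateway 10.64.71.1
ip route 0.0.0.0 0.0.0.0 10.64.71.250
"""


def audit(config: str) -> list[str]:
    """Return findings about how this switch reaches off-subnet hosts."""
    lines = [l.strip() for l in config.splitlines()]
    # Assumption: routing is off unless an explicit 'ip routing' line exists.
    routing = "ip routing" in lines and "no ip routing" not in lines
    gateways = [m.group(1) for l in lines
                if (m := re.fullmatch(r"ip default-gateway (\S+)", l))]
    default_routes = [m.group(1) for l in lines
                      if (m := re.fullmatch(
                          r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)( .*)?", l))]
    own = {m.group(1) for l in lines
           if (m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", l))}

    findings = []
    if routing and not default_routes:
        # Layer 3 mode with no default route: replies to remote hosts are dropped.
        findings.append("NO_DEFAULT_ROUTE")
    if routing and gateways:
        # Present in the config but unused while ip routing is on.
        findings.append("DEFAULT_GATEWAY_IGNORED")
    if not routing and not gateways:
        findings.append("NO_DEFAULT_GATEWAY")
    if any(g in own for g in gateways):
        # A gateway must be an address on another device.
        findings.append("GATEWAY_IS_OWN_ADDRESS")
    return findings
```

Run over backed-up configs, this flags switches whose management address is unreachable from other subnets before a backup or monitoring job fails against them.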
08-21-2019 09:30 AM
Richard,
So I did a no ip routing and I can now ping the switch across the WAN. I totally missed that configuration, I was more focused on the Etherchannel configuration.
Since I still talk with my predecessor I'll ask him what he was thinking!!
thanks
08-21-2019 12:36 PM
Thanks for letting us know that you now have it working. It is easy to miss a detail like ip routing, especially if you are focusing on the possibility that the issue involved Etherchannel. I am glad that our suggestions pointed you in the right direction. Thank you for marking this question as solved. This will help other participants to identify discussions which have helpful information.
HTH
Rick
08-19-2019 01:18 PM
Reza,
So my default gateway on GTHICSWCDC02 is set to 10.64.71.1. What I just noticed is that on GTHICSWCDC01 the default gateway is 10.64.71.10.
Not sure why my predecessor set it like that. The only reason I posted this on the forums is that I couldn't get RANCID to back up the config on GTHICSWCDC02. Never thought to look at GTHICSWCDC01, this could explain some other anomalies I have seen at this site over the last year.
I'll change the gateway and review.
stein9700