cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2762
Views
0
Helpful
15
Replies

Flat network layer 2 issues

howithink
Level 1
Level 1

I need help. We are in the process of changing a large  L2 network. Everything terminates into a single small FW. The IP range is 172.16.10.0/22 so the end of the port configured on the FW is 172.16.10.1/22. This is where everything terminates. 

 

Now we want to remove this function from the FW and introduce a L3 device with a vlan which i created called VLan4 and the ip address i assigned to it is 172.16.10.1/22. Also made necessary route changes to send traffic to FW and out. 

 

I was hoping that when we unplug the cable from the FW and into the L3 that everything will work, but it is not. I am getting Arp incomplete. It looks like behind the L3 there are other devices (hubs/switches) and when i do show cdp neigh, my port on L3 shows as connected to 2 different devices. 

 

What am i doing wrong?

15 Replies 15

balaji.bandi
Hall of Fame
Hall of Fame

How is these L3 Switch configured, what is the other network device connected to this switch ?

 

have you clear the ARP and tested. Post the configuration.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

All devices in the field are on cisco 6500 switches using fiber, but in a L2 configuration. There are no vlans, everything is one large default vlan. At the very end of it, there is one single cable coming off and into (right now) a small FW which is used as the default route meaning all devices in the field have their default route as the ip of this port on the FW. 

 

What i wanted to do was to remove this FW and introduce a L3 so to expand with VLANs in the future. I did create a generic vlan on the L3 with the same ip as the port on the FW, but when i assign a port as access to that vlan and connect to that port, I am unable to ping any devices in the filed. I get Arp incomplete. When i statically assign an ip address to a laptop and plug into another port on the L3 in the same vlan for testing, i can ping between the laptop and the port of course. 

 

no i did not clear arp. Will attempt to do that later this week. 

What device/switch you want to do the layer-3 routing? Is that switch connected to all other switches? Do you have a diagram of your network?

It appears that in your current environment everything is set up in the default vlan (vlan 1) and now you want to move to a different VLAN (vlan x) and use the same IP subnet (172.16.10.1/22). If this is the case, you need to create an SVI for the new vlan, give it an IP address, and move all your devices from vlan 1 to this new vlan. Once all that is working, you can simply remove the firewall. If this is a production environment and you are connecting to the Internet, I don't recommend you removing the firewall. 

HTH

 

I have attached a crude design of what the existing network looks like and the new proposed design. Like i said, i removed the existing old FW and introduced a cisco FW along with a new Cisco L3 switch and created vlans on that switch. The customer is giving me a single cable which i connected to the L3 switch and the arp comes back as incomplete. in fact when you run show cdp neigh on the L3 switch, it shows that my L3 port is connected to 2 different switches when in fact its only connected to one silly switch.

 

i have attached my L3 config here:


interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport trunk allowed vlan 2
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 3
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 172.16.1.2 255.255.255.0
!
interface Vlan3
ip address 172.16.10.1 255.255.252.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip ssh time-out 90
ip ssh version 2
!

 

Which port on the new L3 switch connects to the customer switch ? 

 

Jon

Port 4 for now. I did not include other ports in this config, but there are 6 ports total added to this vlan so customer can plug into any of these 6. but for not we only have port 4 we're working with. 

 

And the customer cannot ping 172.16.10.1 ? 

 

Note as mentioned the customer may well need to clear their arp cache as they will have the old firewall mac address for that IP address. 

 

Jon

This is something i have not tried yet because our window was very small for troubleshooting. I will be trying this again next week since i have a small window. I will clear arp on my L3 and i will ask customer to clear arp on the netgear switch if possible. 

Other than that, does my design and config look ok? I mean i have tried this at other places and never had any issues before, plus this is very simple design and config. please advise. 

 

Should work fine as far as I can see. 

 

As long as the port connecting to the customer switch is an access port in vlan 3 and port on the customer switch is an access port then any traffic arriving at your switch is placed into vlan 3 which is what you want (technically you are joining vlan 1 and 3 but there are no loops) .

 

Don't forget that your new firewall will obviously need routes back to the customer vlans/IP subnets which obviously the old firewall did not. 

 

Jon

The firewall is all set. I can ping from the fw to this L3 switch and to a lapotp (connected to one of the other ports on the L3 in same vlan). I can ping from laptop all the way up to FW and from the switch i can ping 8.8.8.8 so all the routes are set.

 

Will ask customer to reboot their netgear to see if that will clear the arp and hopefully this will fix the issue. 

 

What about the wierdness i saw when i run show cdp neigh on this switch? It shows port 4 connected to 2 different downstream switches. Will this cause an issue or will clearing the arp take care of this as well?

 

You see this with CDP when there are hubs etc in the path but without knowing exactly what the customer is doing dfficult to say. 

 

Clearing the cache is done on the clients not the switch because it is all L2 on the switches until they reach your L3 switch. 

 

Jon

 

Just had a quick search and it would appear the timeout for windows etc. is very low so unlikely to be that. 

 

Not sure why that is not working but it is not going to be caches on the switches as far as I can tell. 

 

Jon

Not to complicate things here, but in the very near future, i will be doing an IP change for all the devices in the field (well the customer will change their ips of these devices). I was thinking that in this vlan3 right now its assigned 172.16.10.1/22,  i will also assign my new ip of 172.16.100.1/22. So they way as they change ips in the field, we dont lose connection to any of these devices. i know cisco doesn't like this but not sure what else to do. 

 

So in the end this vlan will have the following:

ip address 172.16.10.1 255.255.252.0

ip address 172.16.100.1 255.255.252.0 secondary

 

that shoudld work correct?

 

 

Never used secondary IPs on SVIs before but as far as I know it should work. 

 

Jon

Review Cisco Networking for a $25 gift card