05-11-2015 05:45 AM - edited 03-07-2019 11:57 PM
Hi all,
I have the setup below, initially built to test VTP, but I decided to test my basic knowledge of SVIs and the switch management IP and gateway.
I have a PC connected to a layer 3 switch on port Fa0/2, which belongs to VLAN 10. (The gateway on the host is set to 192.168.3.1.)
On the L3 switch there are 2 VLANs set up (10 and 20) with the interface/SVI IPs 192.168.3.1 and 192.168.4.1 respectively.
IP routing is turned on on the L3 switch.
There is a trunk going from L3 switch Fa0/1 to L2 switch Fa0/1.
On the layer 2 switch (2950), 2 VLANs are created as well (192.168.3.2, 192.168.4.2) as shown above. I did not set any default gateway.
------------------------------------------------------------
q1) My initial test was that I am able to get from Host 1 to VLAN 10 on the L2 switch, as they all belong to the same VLAN and subnet - done.
And later, to test that I am not able to get from Host 1 to VLAN 20 on the L2 switch even though I have turned on IP routing on the L3 switch, because I have not set any default gateway on the L2 switch.
And I tried:
PC>telnet 192.168.4.2
Trying 192.168.4.2 ...Open
User Access Verification
Password:
Switch>
Why? Is my understanding wrong? ;( How does the L2 switch reply to 3.1 without a gateway set?
q2) On an L2 switch, which allows multiple VLANs and SVIs to be created but only 1 default gateway to be set, can I say that we can only access the L2 management IP which is on the same subnet as the default gateway set?
(e.g. VLAN 50 - 192.168.50.1/24
VLAN 60 - 192.168.60.1/24
DEFAULT GATEWAY - 192.168.50.2) - We can only access the L2 switch on 192.168.50.1 from another network, even though there is a route to .60.1, because the only way for the switch to get back is through its default gateway. -- Am I right?
q3) Does a frame get retagged inside an L3 switch when it is routed from one network to another? e.g. a frame destined for network 192.168.4.2 enters an access port which belongs to VLAN 10. The L3 switch then routes the packet to VLAN 20 (through the SVI 192.168.4.1 interface). Does the packet get reframed with VLAN tag 20?
Regards,
Noob
05-11-2015 01:40 PM
q1) It would only work if the source IP of the switch was 192.168.4.2 but the ARP was sent out from the switch on the PC's VLAN.
That is the only way I can see it working.
Bear in mind this could be a bug in PT, i.e. you should not be able to have two SVIs up at the same time.
q2) It may differ dependent on the OS, can't say for sure.
q3) I only have access to an online lab (not real kit) but I just tested this and the ping worked fine, i.e. same VLAN but different IP subnets.
It should, because as you say the sending device will simply send an ARP for the other device, and if they are in the same VLAN the receiving device will see the request and respond.
If I had real kit to test with I would, but unfortunately I don't at the moment, so can't say for sure.
Jon
05-11-2015 06:02 AM
Hello,
A 2950 (layer 2) switch only allows one active SVI at a time, so when you attempt to bring up an SVI, the current SVI will shut down, which is what I believe is occurring.
As long as your trunking is set up properly, you can reach hosts in multiple VLANs on the 2950, but not the SVIs. The layer 3 switch will handle the routing.
Hope this helps,
Please rate helpful posts.
Thanks.
05-11-2015 06:18 AM
Hi Charles,
Thanks for the reply, but I do not think that's the case here. With the 2950 as a standalone, I am able to set up multiple VLANs and SVIs, and I am able to access the different SVIs (IPs) for management purposes on the same switch.
But what I have here right now is different SVIs set up on the L2 switch, and I foresee that if I access an SVI from another network, even though there is a route down to the SVI, it wouldn't have a route back, as there is only 1 default gateway to be set and I didn't set any. So how does the L2 switch reply back? ;/
Regards,
Noob
05-12-2015 04:48 AM
If this is on PT then you are probably running into a bug in PT, which is notorious for being buggy. On a real 2950 you cannot, nor will it let you, have more than a single SVI in the "up" state. This is because the SVI is to manage the switch only and has nothing to do with any routing of packets on the switch. The default gateway is also just to manage the switch when you are telnetting in from a subnet other than the management subnet of the switch. It also has nothing to do with any routing of packets, which is done up on the 3650. The 3650 is your "routing" switch, so any default gateway settings on clients would point to the L3 SVI address on the 3650 for the subnet. If it's letting you have more than 1 SVI up on the 2950 then that's a bug.
05-11-2015 06:25 AM
For Q1)
Can you add the following command to SVI 20 on the 2950:
no ip proxy-arp
and let me know if you're still able to log on?
edit: could you try to configure it on SVI 20 of the 3560? + clear ip arp from privileged mode
q3)
Your question is whether, if a packet is sourced e.g. from VLAN 10 with a destination in VLAN 20, the packet will be encapsulated with VLAN 20?
Yes, at the first layer 3 hop (default gateway of VLAN 10), the destination will be checked (VLAN 20). The packet will be encapsulated with tag 20 if it needs to pass over a trunk to reach its destination.
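To make the inter-VLAN hop concrete, here is a small model of what the L3 switch does to the PC's frame, written as an added example for this thread rather than code from any Cisco product: the routed packet gets a new Ethernet header (source MAC of the VLAN 20 SVI, destination MAC of the 2950, TTL decremented) and carries an 802.1Q tag only when the egress port is a trunk. The MAC addresses are the ones shown later in the thread's show arp output plus a constructed PC MAC; the port roles (Fa0/2 access in VLAN 10, Fa0/1 trunk) follow the original post. The IP-to-VLAN lookup and ARP table are assumptions made to keep the example self-contained.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan_tag: Optional[int]   # None means the frame is untagged on the wire
    src_ip: str
    dst_ip: str
    ttl: int

# Constructed topology, matching the thread: SVI MACs from the L3 "show arp",
# the 2950's MAC from the L2 "show arp", and a made-up MAC for the PC.
SVI_MAC = "0001.9748.dc84"
L2_MAC = "0007.ec0e.209b"
PC_MAC = "aaaa.bbbb.0003"          # assumption: not in the thread

# Connected subnets per VLAN on the L3 switch (its routing table has only these).
CONNECTED = {
    10: ipaddress.ip_network("192.168.3.0/24"),
    20: ipaddress.ip_network("192.168.4.0/24"),
}
# Resolved ARP entries the L3 switch would hold (assumed, not from the page).
ARP = {"192.168.3.3": PC_MAC, "192.168.4.2": L2_MAC}
# Egress port mode per VLAN: Fa0/2 is an access port in VLAN 10, Fa0/1 is the trunk.
EGRESS_MODE = {10: "access", 20: "trunk"}

def forward(frame: Frame, ingress_vlan: int) -> Optional[Frame]:
    """Return the frame as it leaves the L3 switch, or None if it is dropped."""
    dst = ipaddress.ip_address(frame.dst_ip)
    # Destination in the ingress VLAN's own subnet: plain L2 switching, frame untouched.
    if dst in CONNECTED[ingress_vlan]:
        return replace(frame, vlan_tag=ingress_vlan if EGRESS_MODE[ingress_vlan] == "trunk" else None)
    # Otherwise the frame must be addressed to the SVI (the PC's gateway) to be routed.
    if frame.dst_mac.lower() != SVI_MAC:
        return None
    egress_vlan = next((v for v, net in CONNECTED.items() if dst in net), None)
    if egress_vlan is None or frame.dst_ip not in ARP:
        return None                # no route, or ARP would have to be resolved first
    # Routed hop: new L2 header, TTL decremented, tag only if the egress port is a trunk.
    return Frame(
        src_mac=SVI_MAC,
        dst_mac=ARP[frame.dst_ip],
        vlan_tag=egress_vlan if EGRESS_MODE[egress_vlan] == "trunk" else None,
        src_ip=frame.src_ip,
        dst_ip=frame.dst_ip,
        ttl=frame.ttl - 1,
    )

def pc_to_l2_switch() -> Optional[Frame]:
    """The PC's telnet/ping toward 192.168.4.2, as it arrives on Fa0/2 in VLAN 10."""
    original = Frame(PC_MAC, SVI_MAC, None, "192.168.3.3", "192.168.4.2", 128)
    return forward(original, ingress_vlan=10)

if __name__ == "__main__":
    print(pc_to_l2_switch())
```

The IP header's source and destination (3.3 and 4.2) survive the hop unchanged, which is exactly what the original poster assumed; only the Ethernet header and the VLAN tag are rewritten.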
05-11-2015 06:31 AM
Hi Davy,
There is no ip proxy-arp option on the L2 switch's interface vlan 20.
I tried it on vlan 20 on the L3 switch, but I am still able to ping and telnet from the host computer 192.168.3.3 to 192.168.4.2 with no default gateway set on the L2 switch.
Actually, I have the gateway of the host set to 192.168.3.1 (the VLAN 10 SVI) on the L3 switch. Even if proxy ARP is set, how can the L2 switch respond to 3.1 without any default gateway set?
Regards,
Noob
05-11-2015 06:48 AM
"I tried it on vlan 20 on the L3 switch, but I am still able to ping and telnet from the host computer 192.168.3.3 to 192.168.4.2 with no default gateway set on the L2 switch."
The layer 3 switch routes the ping and telnet traffic from VLAN 10 to 20, then the traffic is sent over the trunk to the layer 2 switch.
If you do show ip int brief on the layer 2 switch, do all your SVIs show up/up?
05-11-2015 07:01 AM
Hi Charles,
Yes. Both are up on the L2 switch:
Vlan10    192.168.3.2    YES manual up    up
Vlan20    192.168.4.2    YES manual up    up
I understand that the L3 switch has done the routing from .3.3 to .4.2 (from VLAN 10 to VLAN 20). I believe the outgoing frame to the L2 switch will still contain 3.3 as its source IP and 4.2 as its destination IP.
But how does the L2 switch know how to get back to 3.3 without any default gateway set? What destination MAC address is it going to use?
Regards,
Noob
05-11-2015 07:19 AM
Can you do the following -
1) Clear the ARP cache on the L2 switch. The easiest way is to bounce the trunk, i.e. shut/no shut.
2) Disable proxy ARP on vlan 20 (which you may already have done), then try your ping.
If you get a response, then repeat the above steps in the same order but disable proxy ARP on vlan 10 as well as vlan 20.
Then try the ping again.
Make sure you have cleared the ARP cache on the 2950 between each change.
Jon
05-11-2015 07:46 AM
Hi Jon,
As instructed, I cleared ARP and reloaded all switches.
L2#show arp
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  192.168.3.2  -          0007.EC0E.209B  ARPA  Vlan10
Internet  192.168.4.2  -          0007.EC0E.209B  ARPA  Vlan20
L3#show arp
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  192.168.3.1  -          0001.9748.DC84  ARPA  Vlan10
Internet  192.168.4.1  -          0001.9748.DC84  ARPA  Vlan20
I have disabled IP proxy ARP on the L3 switch, as I cannot find any option to do so on the L2. I also did it on both SVIs because the previous try (disabling only on VLAN 20) failed -- the ping still got through.
interface Vlan10
 ip address 192.168.3.1 255.255.255.0
 no ip proxy-arp
!
interface Vlan20
 ip address 192.168.4.1 255.255.255.0
 no ip proxy-arp
!
Now back to my host:
PC>ping 192.168.4.2
Pinging 192.168.4.2 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.4.2: bytes=32 time=0ms TTL=255
Reply from 192.168.4.2: bytes=32 time=0ms TTL=255
Ping statistics for 192.168.4.2:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Still able to ping, though.
Can I know how proxy ARP plays a part in this? Is it involved in the request or the reply process?
Regards,
Noob
05-11-2015 07:47 AM
Is this using PT?
Can you post a "sh ip route" from your 2950?
Jon
05-11-2015 07:52 AM
Hi Jon,
Yeap. I am using Packet Tracer.
I can't issue sh ip route on my 2950.
Below is the show ip route on the L3.
L3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
C    192.168.3.0/24 is directly connected, Vlan10
C    192.168.4.0/24 is directly connected, Vlan20
L3#
Regards,
Noob
05-11-2015 07:58 AM
The thing is, you shouldn't be able to have both SVIs up on the 2950 because it is an L2 switch.
On your L3 switch both SVIs would be up.
So I'm wondering if you are seeing some behaviour different from what you would see with real equipment.
When a device has no default gateway set, it will ARP out for every IP address it wants to send traffic to, because it thinks everything is local.
And proxy ARP on your L3 switch would then respond (if enabled).
But you are seeing something different here.
Jon
05-11-2015 08:24 AM
Hey Jon,
I feel like I'm missing something here.
Everything is working correctly?
PC>telnet 192.168.4.2
Trying 192.168.4.2 ...Open
User Access Verification
Telnet or ping traffic that originates from the PC is sent to the default gateway, which is on the layer 3 switch. The layer 3 switch routes the traffic over to VLAN 20 and forwards the traffic to the layer 2 switch. The layer 2 switch responds to the traffic and uses the layer 3 switch's int vlan 20 MAC address as the destination MAC.
I'm sure I'm missing something here or misunderstanding something. What am I missing?
Like you said, normally only one SVI would be up.
Thanks.
05-11-2015 08:44 AM
Hi Charles
I'm not sure you are missing anything; it's more a weird behaviour of PT.
The 2950, when it receives the packet, behaves as a PC would, i.e. it compares the destination IP (the PC) with its own IP address and subnet mask to work out if they are on the same subnet or not.
This is where the confusion is, because the 2950 has two SVIs up, so how does it know which interface IP to use, i.e.
if it uses the vlan 10 SVI, then it works out it is in the same subnet and so can simply switch the traffic back at L2, no need for a default gateway.
If it uses the vlan 20 SVI, then it works out it is in a different subnet, so it needs to use its default gateway.
But it doesn't have a default gateway, so it would simply ARP out for the PC's IP address, and this would only work if the L3 switch had proxy ARP enabled on the vlan 20 SVI, which it doesn't.
So the only way I can see this working is that the 2950 believes the PC is on the same IP subnet, which must mean it is using its vlan 10 SVI IP address, and because of this it can simply L2 switch the traffic back to the PC.
If it used the vlan 20 SVI IP address, its ARP would simply be ignored by the L3 switch if proxy ARP is disabled.
This is guesswork though, as you shouldn't be able to have two SVIs up on the 2950 in the first place.
Jon
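The reply decision Jon walks through above (same subnet, so switch it back at L2; different subnet, so use the default gateway; no gateway, so ARP and hope proxy ARP answers) can be written down as a small host-stack model. This is an added example for the thread, not Cisco code or Packet Tracer's logic, and it simplifies one point on purpose: when a host has several interfaces and no gateway, the order in which it tries them is implementation-defined, so the model just walks the SVIs in the order given. The scenarios at the bottom use the thread's addresses; the "real 2950" case assumes only one SVI is up, as the other posters state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class Svi:
    vlan: int
    ip: str
    prefixlen: int

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(f"{self.ip}/{self.prefixlen}").network

@dataclass
class L2Switch:
    svis: list                              # SVIs that are up/up
    default_gateway: Optional[str] = None   # 'ip default-gateway', if configured

def reply_decision(switch: L2Switch, dst_ip: str,
                   l3_proxy_arp_vlans: Set[int]) -> Tuple[str, Optional[int]]:
    """How the L2 switch gets a reply back to dst_ip.

    l3_proxy_arp_vlans: VLANs on which the L3 switch's SVI still has proxy ARP
    enabled (the default); the thread's 'no ip proxy-arp' removes a VLAN from it.
    Returns (outcome, vlan): 'direct', 'via-gateway', 'proxy-arp',
    'gateway-unreachable' or 'arp-unanswered'.
    """
    dst = ipaddress.ip_address(dst_ip)

    # 1. Destination inside a connected subnet: ARP for it on that VLAN and
    #    switch the frame back at L2. No gateway is needed (Jon's vlan 10 case).
    for svi in switch.svis:
        if dst in svi.network:
            return ("direct", svi.vlan)

    # 2. Different subnet and a gateway is configured: send to the gateway,
    #    which must itself sit in one of the connected subnets.
    if switch.default_gateway:
        gw = ipaddress.ip_address(switch.default_gateway)
        for svi in switch.svis:
            if gw in svi.network:
                return ("via-gateway", svi.vlan)
        return ("gateway-unreachable", None)

    # 3. Different subnet and no gateway: the host ARPs for the remote IP as if
    #    it were local. Only a proxy-ARP reply from the L3 SVI can rescue this;
    #    with proxy ARP disabled the request is ignored and the reply is lost.
    for svi in switch.svis:
        if svi.vlan in l3_proxy_arp_vlans:
            return ("proxy-arp", svi.vlan)
    return ("arp-unanswered", None)

# Constructed scenarios using the thread's addressing. PC is 192.168.3.3.
PC = "192.168.3.3"
REAL_2950 = L2Switch([Svi(20, "192.168.4.2", 24)])                  # one SVI up
PT_2950 = L2Switch([Svi(10, "192.168.3.2", 24), Svi(20, "192.168.4.2", 24)])
WITH_GW = L2Switch([Svi(20, "192.168.4.2", 24)], default_gateway="192.168.4.1")

def scenarios() -> dict:
    return {
        "real, proxy-arp on": reply_decision(REAL_2950, PC, {10, 20}),
        "real, proxy-arp off": reply_decision(REAL_2950, PC, set()),
        "PT, two SVIs, proxy-arp off": reply_decision(PT_2950, PC, set()),
        "gateway set, proxy-arp off": reply_decision(WITH_GW, PC, set()),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} -> {result}")
```

The third scenario is the one the original poster saw: with both SVIs up and proxy ARP turned off on the 3560, the only path that still yields a reply is the 2950 treating the PC as directly connected through its VLAN 10 address, which is why disabling proxy ARP made no difference to the ping.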