
Host -> L3 -> L2 switch SVI, no default gateway set but able to get response - why?

SJ K
Level 5

Hi all,

I initially set up the following to test VTP, but decided to test my basic knowledge of SVIs and the switch management IP and gateway.

I have a PC connected to a layer 3 switch at port FA0/2, which belongs to VLAN 10. (Gateway @ host is set as 192.168.3.1)

On the L3 switch, there are 2 VLANs set up (10 and 20) with the interface/SVI IPs as 192.168.3.1 and 192.168.4.1 respectively.

IP routing is turned on on the L3 switch.

There is a trunk going from L3 switch fa0/1 to L2 switch fa0/1.

On the layer 2 switch (2950), 2 VLANs are created as well (192.168.3.2, 192.168.4.2) as shown above. I did not set any default gateway.

------------------------------------------------------------

q1) My initial test was that I am able to get from Host 1 to VLAN 10 on the L2 switch, as they all belong to the same VLAN and subnet - done.

And later, to test that I am not able to get from Host 1 to VLAN 20 on the L2 switch even though I have turned on IP routing on the L3 switch, because I have not set any default gateway on the L2 switch,

I tried:

PC>telnet 192.168.4.2
Trying 192.168.4.2 ...Open

User Access Verification

Password:
Switch>

Why? Is my understanding wrong ;( .. How does the L2 switch reply to 3.1 without a gateway set?

q2) On an L2 switch which allows multiple VLANs and SVIs to be created but only 1 default gateway to be set, can I say that we can only access the L2 management IP which is on the same subnet as the default gateway set?

(e.g. VLAN 50 - 192.168.50.1/24
        VLAN 60 - 192.168.60.1/24
        DEFAULT GATEWAY - 192.168.50.2)

We can only access the L2 switch on 192.168.50.1 from another network, even though there is a route to .60.1, because the only way for the switch to get back is through its default gateway. -- am I right?

q3) Does a frame get retagged inside an L3 switch when it is routed from one network to another? e.g. a frame destined for 192.168.4.2 enters an access port which belongs to VLAN 10. The L3 switch then routes the packet to VLAN 20 (through the SVI 192.168.4.1 interface); does the packet get reframed with VLAN tag 20?

Regards,
Noob

28 Replies

Oh.  Thanks.  I think I understand the question better now.

I believe the 2950 would reply back at layer 2 and the 3560 would route it back to the pc.  However, since both vlans are up, it does seem a little confusing.  If it could use the other vlan to respond back, then the layer 2 switch is routing.  (Should not be happening)

To test, I would disconnect the trunk and ping vlan 20 with a source of vlan 10 and vice versa.  If successful, the 2950 PT is acting as a layer 3 switch.  I would verify that both vlans are up after disconnecting the trunk.  They may need the vlans configured on a port and up in order for the vlans to remain up.

If my logic is correct?

I believe the 2950 would reply back at layer 2 and the 3560 would route it back to the pc.

Well you may well be right and I could be totally wrong, wouldn't be the first time :-)

But my understanding is that when the return packet is passed down the TCP/IP stack on the 2950, when it gets to the IP layer it then needs to either -

1) resolve the destination IP address to a mac address if on the same subnet

or

2) resolve the destination IP address of its default gateway if on a different subnet

As it doesn't have a default gateway set, all it can do is arp out for the PC's IP address, and that's why I said that without proxy arp I couldn't see it working unless the arp was being sent out on the same vlan as the PC.

Jon
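The decision Jon describes above (ARP for the destination itself if it is on a local subnet, otherwise ARP for the default gateway) as a small Python model. This is an added example, not code from the thread or from Cisco. The 2950's two SVI addresses and the PC addresses are taken from the posts; the `Host` class, its `arp_for_everything` option (which models Jon's "arps out for everything" description, while the default models the "transmit failed" result the poster later reports on Windows) and the gateway 192.168.1.1 are assumptions made for the illustration.

```python
import ipaddress


class NoRouteError(Exception):
    """Destination is off every local subnet and no default gateway is configured."""


class Host:
    """Minimal model of a TCP/IP stack's 'which address do I ARP for?' decision.

    interfaces: mapping of interface name -> "ip/prefixlen".
    gateway: default gateway IP, or None when none is configured.
    arp_for_everything: when True and no gateway is set, off-subnet destinations
    are ARPed for directly out of the first interface instead of failing
    (assumed option modelling Jon's description of the 2950).
    """

    def __init__(self, interfaces, gateway=None, arp_for_everything=False):
        self.interfaces = {
            name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()
        }
        self.gateway = ipaddress.ip_address(gateway) if gateway else None
        self.arp_for_everything = arp_for_everything

    def _local_interface(self, addr):
        """Return the interface whose subnet contains addr, or None."""
        for name, iface in self.interfaces.items():
            if addr in iface.network:
                return name
        return None

    def resolve(self, dest_ip):
        """Return (interface, ip_to_arp_for) for a packet addressed to dest_ip."""
        dest = ipaddress.ip_address(dest_ip)
        # 1) On-link destination: ARP for the destination itself.
        on_link = self._local_interface(dest)
        if on_link is not None:
            return (on_link, str(dest))
        # 2) Off-link with a default gateway: ARP for the gateway instead.
        if self.gateway is not None:
            gw_if = self._local_interface(self.gateway)
            if gw_if is None:
                raise ValueError("default gateway is not on any local subnet")
            return (gw_if, str(self.gateway))
        # 3) Off-link and no gateway: either ARP anyway or give up.
        if self.arp_for_everything:
            first = next(iter(self.interfaces))
            return (first, str(dest))
        raise NoRouteError(f"{dest} is not on-link and no default gateway is set")


def reply_path_of_2950():
    """The thread's L2 switch: SVIs on VLAN 10 and VLAN 20, no gateway (addresses
    from the post). Replying to 192.168.3.3 finds the host on-link via the VLAN 10
    SVI, so the ARP goes out on VLAN 10 and no gateway is needed."""
    switch = Host({"vlan10": "192.168.3.2/24", "vlan20": "192.168.4.2/24"})
    return switch.resolve("192.168.3.3")


def pc_without_gateway(dest_ip):
    """The poster's home PC (192.168.1.67/24) with its gateway removed."""
    pc = Host({"eth0": "192.168.1.67/24"})
    return pc.resolve(dest_ip)


def pc_with_gateway(dest_ip):
    """Same PC with an assumed gateway of 192.168.1.1 (not stated in the thread)."""
    pc = Host({"eth0": "192.168.1.67/24"}, gateway="192.168.1.1")
    return pc.resolve(dest_ip)


if __name__ == "__main__":
    print("2950 reply to 3.3:", reply_path_of_2950())
    print("PC, no GW, 192.168.1.68:", pc_without_gateway("192.168.1.68"))
    print("PC, GW set, 8.8.8.8:", pc_with_gateway("8.8.8.8"))
    try:
        pc_without_gateway("8.8.8.8")
    except NoRouteError as exc:
        print("PC, no GW, 8.8.8.8:", exc)
```

The switch case shows why the reply never needs a gateway: the destination is matched against every local subnet, not only the SVI the request arrived on. A device whose stack raises instead of ARPing (the default here) is the one that shows "transmit failed" for off-subnet targets when no gateway is configured.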

Hey Jon,

No, you were right and I just wasn't thinking. :)

It will not respond back without resolving the IP to a MAC, or using the default gateway.

Hi Jon,

So the only way I can see this working is that the 2950 believes the PC is on the same IP subnet, which must mean it is using its vlan 10 SVI IP address, and because of this it can simply L2 switch the traffic back to the PC.

q1) But isn't Telnet TCP, meaning it is connection oriented? I am not sure if it would work if I have attempted a connection from 3.3 to 4.2, but the return frame/packet is from 3.2 to 3.3 - will TCP do such checks? If yes, how am I able to establish a connection based on the above assumption?

q2) I tried removing my gateway on Windows and set the same IP (DHCP assigned previously) as static, removed the ARP records and tried to ping unknown networks. It shows PING:transmit failure. Only when I ping the local network (same subnet/3rd octet) does it send out an ARP request. Hence it's not exactly the same as what you mentioned earlier, that ARP requests will be sent out if no gateway is set (over here, it will only ARP out if the target is on the local network).

Do all TCP/IP stacks behave this way, or is it just Windows?

q3) Thinking back to the analogy earlier -> if there is no gateway set, the device will just ARP out. It means that if I have 2 devices (no GW set) on different subnets connected together on the same switch/VLAN, I am able to ping from one to the other, as device A will just ARP broadcast "who has device B's IP" directly, and since device B is on the same broadcast domain, it will receive it and reply. I tried on my PT and it failed though. Is my understanding wrong?

Regards,
Noob

q1) Very different concept. Each layer works independently of the others (mostly), so TCP's connection-oriented setup has nothing to do with the layers below it.

A device must do an IP lookup to work out where to send the packet, and this is at the IP layer.

q2) When you tested with your PC, did you have proxy arp enabled on the L3 SVI, i.e. did you do a packet capture to see if the PC was sending out an arp?

Jon

Hi Jon,

Thank you for your reply. Appreciate it.

For q1) As you mentioned, the L2 switch might be returning via VLAN 10, hence the source IP will be 192.168.3.2 instead.

However, the telnet connection request is triggered from 3.1 to 4.2. Hence when it sees a packet (connection acknowledgement etc. during the handshake) coming back from source 3.2 instead of 4.2, will the connection be dropped, or will it deem it another session etc.?

The reason I ask is that we are able to establish the telnet connection already, so I believe the upper layers are already hit.

q2) For q2), I did not test it out with the L3 switch. I just used my home PC (192.168.1.67) and removed its gateway. Then I ran Wireshark to capture and started to ping 8.8.8.8; it shows PING:transmit fail, and there is no ARP request in the Wireshark capture. When I ping 192.168.1.68, yes, there is an ARP request in the Wireshark capture. Hence I wonder if an ARP request for a different network will be sent if there is no gateway set.

q3) Thinking back to the analogy earlier -> if there is no gateway set, the device will just ARP out. It means that if I have 2 devices (no GW set) on different subnets connected together on the same switch/VLAN, I am able to ping from one to the other, as device A will just ARP broadcast "who has device B's IP" directly, and since device B is on the same broadcast domain, it will receive it and reply. I tried on my PT and it failed though. Is my understanding wrong?

Regards,

Noob

q1) it would only work if the source IP of the switch was 192.168.4.2 but the arp was sent out from the switch on the PC's vlan.

That is the only way I can see it working.

Bear in mind this could be a bug in PT ie. you should not be able to have two SVIs up at the same time.

q2) it may differ dependent on the OS, can't say for sure

q3) I only have access to an online lab (not real kit)  but I just tested this and the ping worked fine ie. same vlan but different IP subnets.

It should because as you say the sending device will simply send an arp for the other device and if they are in the same vlan the receiving device will see the request and respond.

If I had real kit to test with I would but unfortunately I don't at the moment so can't say for sure.

Jon

Dear all,

The mystery is solved, after spending 2 hours looking at the simulation packet flow. But I am not able to explain why it works that way.

===========================================================

The L2 switch did receive the telnet request coming from 3.3.

When it wants to reply -

1st) The L2 switch thinks that 3.3 is in the same subnet as it is -- not sure why.

2nd) Next it sends an ARP broadcast request out using SVI 10 (src IP 3.2) requesting 3.3's MAC address.

The L3 switch receives and processes it, but does not reply with a MAC address as proxy-arp is disabled. It then broadcasts it out to the remaining ports in the VLAN.

Host1 receives the ARP request and responds to 3.2, with the L3 switch sending it out via the trunk link to the L2 switch (no routing involved).

3rd) The L2 switch receives the ARP reply, builds up the remaining TCP response packet for telnet and sends out the frame with 4.2 as SRC and 3.1 as destination, and most importantly, the destination MAC address is 3.1's MAC address and not the 4.1 SVI MAC address (hence, there will again be no routing)!

4th) The L3 switch receives the frame and switches it to PC0.

I am not sure what VLAN number gets tagged onto the frame when it is coming out of the L2 switch. But judging from the behaviour, it seems to be using VLAN 10 with 4.2 as the SRC IP. Reason being, if it is using VLAN 20, then how can the switch just take the frame and send it out of a VLAN 10 access port? -- edited confirmation (checked the packet tracer and it is using 0xa as its TCI/VLAN identifier - which is VLAN 10)

So Jon is spot-on. Perfect~!~!

=======================================================

Hence my last 2 questions are

q1) Does each VLAN have its own MAC address table and use its own MAC address table?

(Assuming there is 1 master table with all the MAC addresses and their respective VLANs stored all together)

a.b.c.d vlan10

d.e.f.g vlan 20

Can the switch take a frame tagged with VLAN 20 (but with destination a.b.c.d@VLAN10), reference the "MASTER" table, see that a.b.c.d is at VLAN10 and just "switch" the frame over to exit at whatever port is associated with a.b.c.d @ VLAN 10? Or will it only reference the MASTER table + VLAN20 and not see the a.b.c.d entry at all?

q2) Lastly, during the tracing of the packets, I realized the SVI MAC address used when sending out frames is the same for 3.1 and 4.1, and it is also the same for 3.2 and 4.2. Is this normal?

Regards,
Noob

Good work on the testing :-)

q1) we covered this in another thread and the answer is we are not entirely sure as it is internal to the switch and Cisco don't publish this sort of information.

Again I would stress what you are seeing here is more likely a bug in PT and not what you would expect to see in real kit so drawing conclusions as to how things work from this may be misleading.

q2) not sure I follow, can you clarify ?

Jon

Hi Jon,

Thanks for the reply.

For q1) let me rephrase - upon receiving a frame tagged with vlan 20, will the switch just match the MAC addresses and exit ports associated with vlan 20 only? (What if there is a MAC address that matches the destination MAC in the frame but it is on vlan 10?) -- My gut feeling is that it will not see the matching MAC address as it only checks ports associated with vlan 20.

For q2)

When host computer .3.3 sends the TCP packet destined for 4.2 to its gateway (which is the SVI at 3.1), the frame destination MAC address is 0001.9748.DC84.

When the packet gets routed in the L3 gateway to exit from the 4.1 (SVI), the source MAC address of the frame is also 0001.9748.DC84.

It seems like the SVI for vlan 10 and the SVI for vlan 20 have the same MAC address.

Not sure if it is normal.

Regards,
Noob

q1) yes it will only consider ports in vlan 20. How it does this is as I said not entirely clear.

q2) some switches do use the same mac address for all their L3 interfaces, some don't.

It varies.

Jon
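A small learning-switch model of the behaviour Jon confirms for q1: the forwarding lookup for a frame is scoped to the VLAN the frame belongs to, so an address learned on VLAN 10 is never used to forward a VLAN 20 frame, even if one table holds the entries for every VLAN. This is an added example written for this thread, not Cisco code, and as Jon notes the real switch internals are not published; the port names, the VLAN-to-port assignments and the MAC addresses are constructed for the illustration.

```python
class VlanAwareSwitch:
    """Learning switch whose forwarding table is keyed by (vlan, mac).

    ports: mapping of port name -> set of VLANs carried on that port
    (a trunk carries several, an access port exactly one).
    """

    def __init__(self, ports):
        self.ports = {port: set(vlans) for port, vlans in ports.items()}
        # One "master" table for all VLANs, but every key includes the VLAN.
        self.table = {}  # (vlan, mac) -> port

    def receive(self, in_port, vlan, src_mac, dst_mac):
        """Learn src_mac inside this VLAN, then return the list of egress ports."""
        if vlan not in self.ports[in_port]:
            return []  # frame tagged for a VLAN this port does not carry: dropped
        self.table[(vlan, src_mac)] = in_port
        # The lookup only ever asks for (this VLAN, dst_mac): an entry for the
        # same MAC learned in another VLAN is invisible here.
        out = self.table.get((vlan, dst_mac))
        if out == in_port:
            return []  # destination is behind the port the frame came in on
        if out is not None:
            return [out]
        # Unknown unicast (or broadcast) in this VLAN: flood to every other
        # port that carries the VLAN, and only those.
        return sorted(
            port for port, vlans in self.ports.items()
            if vlan in vlans and port != in_port
        )

    def entries_for_vlan(self, vlan):
        """View of the table restricted to one VLAN, i.e. what a lookup can see."""
        return {mac: port for (v, mac), port in self.table.items() if v == vlan}


def demo():
    """Constructed scenario mirroring the question: a MAC learned on VLAN 10, then
    a VLAN 20 frame addressed to that same MAC. Returns (vlan20_egress,
    vlan10_egress)."""
    sw = VlanAwareSwitch({
        "fa0/1": {10, 20},  # trunk
        "fa0/2": {10},      # access port in VLAN 10
        "fa0/3": {20},      # access port in VLAN 20
    })
    # Host A (aaaa.aaaa.aaaa) broadcasts on fa0/2 in VLAN 10: learned as (10, A).
    sw.receive("fa0/2", 10, "aaaa.aaaa.aaaa", "ffff.ffff.ffff")
    # A VLAN 20 frame arrives on the trunk addressed to A's MAC: the (20, A)
    # lookup misses, so it is flooded within VLAN 20 only, never sent to fa0/2.
    vlan20_egress = sw.receive("fa0/1", 20, "bbbb.bbbb.bbbb", "aaaa.aaaa.aaaa")
    # The same destination MAC in a VLAN 10 frame hits (10, A) and goes to fa0/2.
    vlan10_egress = sw.receive("fa0/1", 10, "cccc.cccc.cccc", "aaaa.aaaa.aaaa")
    return vlan20_egress, vlan10_egress


if __name__ == "__main__":
    v20, v10 = demo()
    print("VLAN 20 frame to A's MAC goes to:", v20)  # flooded inside VLAN 20
    print("VLAN 10 frame to A's MAC goes to:", v10)  # forwarded to fa0/2
```

Whether a switch stores one table keyed by VLAN or a separate table per VLAN, the observable result is the same as here: the frame stays inside its own VLAN, which is why a tagged frame cannot "jump" to a port in another VLAN just because the destination MAC is known there.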

Hi Jon,

Duly noted.

Thanks.

Regards,

Noob.

Hi Jon,

Thanks for replying.

When a device has no default gateway set then it will arp out for every IP address it wants to send traffic to because it thinks everything is local

Does it mean that even though the device/receiving SVI is on the 192.168.4.0/24 subnet, it will send an ARP request for 192.168.3.3's MAC address if no gateway is set on the switch?

Does it also mean that if I have proxy ARP enabled on my router, I can set up devices without setting any gateway IP, as all ARP requests will be broadcast and the router will reply with its MAC address instead if it has a route to the designated network?

The things is you shouldn't be able to have both SVIs up on the 2950 because it is a L2 switch

Does it mean that for an L2 switch, I can only have 1 SVI / connection to a subnet at any one time, which means that the default gateway has to be on the same subnet as the SVI's?

Regards,
Noob

An L2 switch acts as an end device, see my last post to Charles, so yes it will arp out for all IPs without a default gateway set.

Re. the proxy arp question - yes you can but no you shouldn't :-)

Re. the L2 switch question, yes only one SVI and it should only ever be used for managing the switch and not as the default gateway for end users in the same vlan.

The default gateway for the switch itself should be on the same IP subnet and is, more often than not, the SVI IP address for that vlan on a L3 switch.

Jon