12-31-2022 09:09 AM
Hello,
Here is a C2960-XR. IP routing is enabled, two SVIs are created and given IP addresses, and two VLANs are created and appear in the VLAN database, but I still cannot ping a machine in one VLAN from a machine in another VLAN. What is missing?
Any idea would be much appreciated.
01-01-2023 09:46 AM
Already shared above. Copying here again:
C:\Users\PC2>tracert 192.168.100.100
Tracing route to 192.168.100.100 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 192.168.200.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * ^C
01-01-2023 10:14 AM - edited 01-01-2023 10:23 AM
https://ccie-or-null.net/2013/07/25/routing-on-a-cisco-2960-catalyst-switch/
Check the SDM you use before running ip routing on the SW.
01-01-2023 10:29 AM
I already checked SDM before opening this conversation, but there was no Lanbase selection. There are some other options whose names I don't remember; anyway, I tried them all and rebooted after selecting each one, but none of them made it work.
01-01-2023 11:53 AM
Switch#show IP arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.100.1 - 3c41.0e7d.8e41 ARPA Vlan100
Internet 192.168.100.100 0 8c16.4566.5872 ARPA Vlan100
Internet 192.168.200.1 - 3c41.0e7d.8e42 ARPA Vlan200
Internet 192.168.200.200 1 cc96.e572.e045 ARPA Vlan200
Usually the Age is 5 min (300 sec.).
I see an age equal to 0,
so can you clear the ARP table and try again?
01-01-2023 01:20 PM
It is maximum age that is 5 min. The age shown in this output is not max age but is how long the entry has been in the table. Age of 0 means it was just learned and would be quite valid.
This discussion is becoming quite puzzling. The posted output of show ip route shows the 2 subnets as connected interfaces, ip routing is enabled, and show arp on the switch shows that it sees both hosts in the correct subnet with the correct MAC address. Output from the hosts shows that each sees its correct gateway. The tracert output shows that it gets to the switch but does not get through the switch.
I asked "Can you confirm that the switch is able to ping each connected device specifying the source address as the SVI of the other vlan?" and would like to know the answer.
Also can you check which SDM template is being used?
01-01-2023 11:34 PM
the switch is able to ping both machines.
SDM info is here:
Switch#sh sdm prefer
The current template is "default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 16K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 5.25K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 1.25K
number of IPv6 multicast groups: 1K
number of IPv6 unicast routes: 5.25K
number of directly-connected IPv6 addresses: 4K
number of indirect IPv6 unicast routes: 1.25K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
number of IPv6 policy based routing aces: 0.25K
number of IPv6 qos aces: 0.25K
number of IPv6 security aces: 0.5K
Switch#
Switch(config)#sdm prefer
default Supports both IPv4 and IPv6 Routing
ipv4 Supports IPv4 Routing with larger scale
vlan Supports layer-2 with larger scale
As seen, there is no LANBASE in the SDM prefer options; however, I have tried IPV4 and VLAN and rebooted after selecting each one, but it didn't make any sense.
Currently the SDM is on DEFAULT.
01-01-2023 11:25 PM - edited 01-01-2023 11:30 PM
Tried an older version of IOS 15 that was released in 2018, but this one didn't solve the issue either.
01-02-2023 12:06 AM
OK, it worked. The issue was the Windows firewall. Disabling the firewall completely on both machines made the ping work. But the strange thing is that when ICMP was allowed on the Windows firewall, it was allowing ping only when both computers were in the same VLAN, which made me think it was not the Windows firewall that was blocking the ICMP packets.
Many thanks to everyone who offered help.
01-02-2023 01:52 AM
I think we all suspected the Windows firewall, but you mentioned before that you turned it off.
Anyway, glad this issue is solved.
Good luck.
01-02-2023 07:35 AM
"End device has any Firewall and it is disabled?" - this was asked in the first stage.
But you misled us, answering as below:
end device has any Firewall and it is disabled ?>>>> NO FIREWALL, THEY CAN PING EACH OTHER WHEN THEY ARE IN A similar Organization.
So we have not touched back on the end device side.
Glad you were able to finally reach the goal of success. We always suggest providing correct information, since we cannot visualize what is configured there. We take your input as valid information.
01-02-2023 08:52 AM
Thanks for the update. Interesting that it turned out to be an issue with firewall. We kept looking for issues on the switch and could not find any and now we know why.
It is not uncommon for a firewall to be more trusting of traffic that originated from the local (inside) subnet and more strict about traffic that originates from remote (outside) subnets. This explains why ping was successful when both hosts were in the same subnet and failed when the hosts were in different subnets.
01-02-2023 02:03 AM
Well, I didn't turn it off; instead I had allowed ping in the Windows firewall with the inbound ICMP echo request IPv4 rule, so it was allowing ping in the same subnet, but apparently it's not allowing it from a different subnet. Kind of strange behavior from the Windows firewall.
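
Added example, not part of the original thread: a PowerShell check for the scoping described above (an inbound ICMPv4 allow rule limited to the local subnet), followed by a rule that admits echo requests from the two routed VLANs while the firewall stays enabled. The /24 masks and the rule display name are assumptions; the thread shows only the host and SVI addresses.

```powershell
# Added example. Run in an elevated PowerShell session on each Windows host.
# Assumption: both VLANs are /24; the masks are not shown in the thread.

# 1. List enabled inbound allow rules for ICMPv4 with their remote-address scope.
#    A RemoteAddress of "LocalSubnet" admits pings only from the host's own
#    subnet, which matches "works in the same VLAN, fails across the SVI".
function Get-InboundIcmpv4Scope {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            if ($port.Protocol -eq 'ICMPv4') {
                $addr = $_ | Get-NetFirewallAddressFilter
                [pscustomobject]@{
                    DisplayName   = $_.DisplayName
                    Profile       = $_.Profile
                    IcmpType      = $port.IcmpType -join ','
                    RemoteAddress = $addr.RemoteAddress -join ','
                }
            }
        }
}

Get-InboundIcmpv4Scope | Format-Table -AutoSize

# 2. Allow echo requests (ICMP type 8) only from the two routed VLANs instead
#    of disabling the firewall. The display name is hypothetical.
$ruleName    = 'Allow ICMPv4 echo from routed VLANs'
$vlanSubnets = '192.168.100.0/24', '192.168.200.0/24'   # assumed masks

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $vlanSubnets -Action Allow -Profile Any | Out-Null
}

# 3. Confirm the scope that is now in effect for the new rule.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# 4. From the host in the other VLAN, verify with:
#    Test-Connection 192.168.100.100 -Count 2
```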