
Inter-vlan routing issues (one device isn't pingable from one VLAN, is pingable from others).

zittastanislav
Level 1

Greetings network wizards, 

I'm facing an interesting issue in our enterprise network.

There is a management VLAN. There are various devices in the management VLAN (e.g. WLC controllers, SVIs for management on our Catalysts, interfaces for management of servers, ...).

There are also other VLANs (office100, office101, printers, technology, ...). I'm unable to ping one device on our management VLAN from the office VLAN. From all other VLANs, the ping works fine.

In terms of CLI (where a.b.c.d is the problematic destination address in the management VLAN):

ping a.b.c.d source vlan 20 = success

ping a.b.c.d source vlan 50 = success

ping a.b.c.d source vlan 90 = success

ping a.b.c.d source vlan 101 = failure

The ping is launched from either of our two L3 switches, and the a.b.c.d address belongs to the computer shown at the bottom of the picture.

The excerpt of our physical topology can be seen below.

The L3 switches depicted above are our two Catalyst 4506 switches with SVIs for our multiple VLANs. There is also an HSRP group for each VLAN on our L3 switches.

I checked all the relevant data structures (ARP, MAC, FIB, adjacency tables) and everything seems OK. What is also worth mentioning is the fact that the IP address of the switch shown at the bottom of the picture is in the same VLAN as the device represented by the PC attached to the switch at the bottom. That management SVI of the switch is pingable and working regardless of the source VLAN.

Any help would be appreciated. 

 

Best regards, 

SZ

9 Replies

Walter Astori
Level 1

I think that your L3 switches (core) are configured as below:

interface Vlan 20, interface vlan 50, interface vlan 90 and interface vlan 101

In your distribution switch you configure the trunk port and in your access switch you configure the access port. Did you try to execute a traceroute command from vlan 101 to a.b.c.d?

 

Hi Walter, thanks for your reply. 

 

Yes, you're absolutely correct. My L3 switches are configured as you stated.

I tried to traceroute the destination address from the L3 core switches with various source addresses (including the address of the VLAN101 interface). Unfortunately, traceroute always times out (I get no response) regardless of the source interface. I get no response even in cases when the source address is one of the addresses that is able to ping the nasty a.b.c.d client.

Simply said: When traceroute is launched, it doesn't get any response regardless of the source address. On the other hand, ping is OK (except in the case when the source interface is VLAN101 - after all, this is why I started this thread).

I can't use the PCs in VLAN101 for traceroute, because I'm not onsite and remote access is not possible. The CLI of the Catalysts has to be sufficient for me.

Update: A colleague who is onsite tried to tracert the device with the a.b.c.d address, and packets were dropped on the L3 core switches on the VLAN101 SVI.

 

Best regards, 

SZ

 

Hi SZ,

Kindly check the VLAN gateway that you are pointing towards in your SVI VLANs.

Regards,

Gurudath

Hi Guru, 

The gateway in the device behaving strangely is correct for sure. I assume this because the device is pingable from 20 different subnets, but it isn't pingable from only one (VLAN101). All the devices in VLAN101 have the correct default gateway. I can say that for sure.

Best regards, 

SZ

Hi SZ,

I think all the devices are pingable from the L3 switch.

The problem with the PC is because usually the PC gateway will be a firewall or a proxy, which will be provided by the DHCP server. In such cases routes will not be defined, so packets are getting dropped and it is not pingable. The chances of this are high; kindly check.

TRY TO PUT SOME STATIC IP OF OTHER VLANS TO PC..IT WILL BE WORKING.

Regards,

Gurudath K S

 

vishal vyas
Level 1

Please do below configuration

######Core Switch 

vlan 101

name MGMT

!

interface vlan 101

ip address x.x.x.x x.x.x.x

no shut

!

ip routing

!

interface gi x/x (connecting to other switches)

switchport mode trunk 

switchport trunk allowed vlan 20,50,90,101

!

###########################################

 

#### dist switches ######

!

interface gi x/x (connecting to other switches)

switchport mode trunk 

switchport trunk allowed vlan 20,50,90,101

!

###########################################

Please check that vlan 101 is created on all the switches.

# show spanning-tree vlan 101

# show vlan

 

Hi, 

I'm afraid that the configuration you posted above won't solve my issues. It is so because of the following packet flow:

Ping from VLAN 101 (office) to VLAN 900 (management) flows to either of my L3 switches. The L3 switch takes a look at the destination IP address and assumes he should use VLAN900. Thus, he uses the VLAN900 SVI, encapsulates the frame into a VLAN900 802.1q frame and sends it out of the appropriate trunk (the appropriate trunk is identified by the destination IP address and corresponding MAC address).

Please keep in mind that the topology is only an excerpt and other switches are physically present, too (but not shown here). These other switches have clients from VLAN101 attached and these clients can easily ping the access switch (VLAN900) shown in the picture, but they're unable to ping the PC (VLAN900) attached to the same access switch. The PC's switchport is assigned to the correct VLAN. The frame coming from VLAN101 from another switch (not shown in the picture) is rerouted at the L3 switch and is put on the trunk as a VLAN900 frame. Then it flows down to the access switch. STP and trunks are fine ... because:

If I had STP issue or trunk misconfiguration in place, I wouldn't be able to reach the access switch (from whatever VLAN). In my current situation, I'm able to reach it easily. 

Best regards, 

SZ

Please do the following, and let me know the result

ping x.x.x.x (vlan 900 IP) source x.x.x.x (vlan 101 IP)

ping x.x.x.x (PC in vlan 900 IP) source x.x.x.x (vlan 101 IP)

Hi, thank you for your quick reply. 

As soon as I get to work tomorrow, I'll try it and let you know. But according to my current experience with this problem, I'm sure that both pings will work, unless one of the participants is the problematic PC.

Best regards, 

SZ
