Solved: intervlan communication on 6500

Wassim Aouadi · ‎07-13-2011

Hi,

I have a 2 6509 VSS system. I created vlans 25 and 15. I can not ping from SVI 25 to SVI 15.

Here are the configs:

interface Vlan15

ip address 10.100.2.126 255.255.255.128

ip verify unicast source reachable-via rx

ip helper-address 172.16.5.28

ip helper-address 172.16.5.29

ip helper-address 172.16.5.14

no ip redirects

no ip proxy-arp

ip flow ingress

interface Vlan25

ip address 10.100.7.126 255.255.255.128

ip verify unicast source reachable-via rx

ip helper-address 172.16.5.28

ip helper-address 172.16.5.29

ip helper-address 172.16.5.14

no ip redirects

no ip proxy-arp

ip flow ingress

TNSWCRCS01A2#ping

Protocol [ip]:

Target IP address: 10.100.7.126

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 10.100.2.126

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.100.7.126, timeout is 2 seconds:

Packet sent with a source address of 10.100.2.126

.....

Success rate is 0 percent (0/5)

Cisco IOS Software, s72033_rp Software (s72033_rp-IPBASEK9-M), Version 12.2(33)SXI3, RELEASE SOFTWARE (fc2)

thanks.

Latchum Naidu · ‎07-13-2011

Hi,

Rry to remove "ip verify unicast source reachable-via rx" command configuration from both SVI and check.

HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.

View solution in original post

johnlloyd_13 · ‎07-13-2011

Hi,

Make sure you've created your Layer 2 VLANs and have assigned ports to it. There should be at least one active port to put your SVI in up/up state. Lastly, enable 'ip routing' in global config.

Sent from Cisco Technical Support iPhone App

Wassim Aouadi · ‎07-13-2011

Yes, vlans are created. SVIs are up.

Here is the vlan membership for vlan 15 and 25:

TNSWCRCS01A2#sh vlan id 25

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

25 VLINFOAdmin active Po101, Po102, Po103, Po104

Po203A

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

25 enet 100025 1500 - - - - - 0 0

Remote SPAN VLAN

----------------

Disabled

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

TNSWCRCS01A2#sh vlan id 15

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

15 VLDG active Gi1/2/46, Po101, Po102, Po103

Po104, Po203A

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

15 enet 100015 1500 - - - - - 0 0

Remote SPAN VLAN

----------------

Disabled

Primary Secondary Type Ports

------- --------- ----------------- ----------------------

Giuseppe Larosa · ‎07-13-2011

Hello Wassim,

what happens if you disable uRPF?

my guess is that your issue might be related to this

Hope to help

Giuseppe

Latchum Naidu · ‎07-13-2011

Hi,

Rry to remove "ip verify unicast source reachable-via rx" command configuration from both SVI and check.

HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.

Wassim Aouadi · ‎07-13-2011

it works. Could you explain what this command is for?

Latchum Naidu · ‎07-13-2011

Hi,

Glad to solve your problem and thanks for your rating.

"ip verify unicast source reachable-via rx" command will only allow a packet through if the source address is on a network that is reachable via the received interface. This is very similar to how the old ip verify unicast reverse-path worked. The one caveat is that it will accept any packet that is received on any interface with equal cost routes.

HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.

Wassim Aouadi · ‎07-13-2011

but both SVIs are on the same switch. Therefore, the source address IS on a network reachable via the received SVI interface, isn't it?

by the way, I always rate useful posts

Giuseppe Larosa · ‎07-13-2011

Hello Wassim,

this should be a known drawback of uRPF

the SVI that receives a packet with source address that of the other SVI considers the packet as spoofed

to avoid this you should invoke an extended ACL with uRPF as explained here

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_unicast_rpf_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1001323

to be noted uRPF is based on CEF and pinging between the SVIs should be process switched, however the issue is seen.

Edit:

command reference provides an option for self-ping with ip verify ... via

see

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1060730

(Optional) Allows a router to ping its own interface or interfaces.

to be noted it it not recommended to use this option

Hope to help

Giuseppe

Wassim Aouadi · ‎07-15-2011

Thanks Giuseppe for the explanation