Hi Jon, Thanking you on your

murugananthamamir · ‎12-09-2014

Dear folks,

We have a DC core switch which possess management SVI(L3) Vlan 100, and the downstream L2 switches management IP's been assigned in the available vlan 100 range, here we added the hardening commands in the L3 interface of vlan 100 on DC core switch.

no ip unreachable

no ip proxy-arp

Soon we noticed that some(apprx-10) of the L2 switches management IP went unreachable whereas it is learned in CDP as staying alive. AS well I can reach from L3 DC core switch but not from any other L2 switch.

I found here that the users are not impacted, switch is not isolated but the management IP is not reachable.

We couldn't found the issue happened exactly, though we tried to remove the last changes made as removing the hardening cmds.

Its unbelievable, the L2 switches are pinging each-other and Switch IP came reachable.

Assist me in explaining the reason behind this chaos . . . !

Thanks in advance

Regards,

Amir

Jon Marshall · ‎12-10-2014

Amir

The switches that stopped responding to pings, are you sure they are in vlan 100 ie. the same IP subnet and subnet mask (the mask is particularly important) as the other switches that carried on working ?

Also do the switches that stopped working have a default gateway configured ?

Jon

murugananthamamir · ‎12-11-2014

Hi Jon,

Thanking on your response,

Yes, we have not did any changes towards L2 switches, hardening is the only changes done on the L3 interface. Issues been noticed on the certain switches and the rest switches were working fine.

Not aware, on what basis the certain switches been selected for the unreachable reasons.

Yes, default gateway is very well configured on those switches.

Post removing the hardening cmds the switch IP came reachable in matter of 5 sec interval.

Thank you . . .

Regards

Amir

Ryan Curry · ‎12-11-2014

Hi Amir, you may be running into an issue with path MTU discovery. Here's an older article explaining what might be happening and why ICMP is being dropped (yet everything else is running fine):

http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

murugananthamamir · ‎12-16-2014

Hi Ryan,

Its a good knowledge sharing link, but still exactly not to my issue.

Shared link says about "no ip unreachable" cause behind the effect.

I tried to reoccur the issue out in my network and got to know that the command "no ip proxy-arp" is the culprit of this issue occurrence.

Now the network is doing good with the hardening commands no ip redirect & no ip unreachable.

Thanks,

Amir

murugananthamamir · ‎12-11-2014

Hi Jon,

Thanking on your response,

Yes, we have not did any changes towards L2 switches, hardening is the only changes done on the L3 interface. Issues been noticed on the certain switches and the rest switches were working fine.

Not aware, on what basis the certain switches been selected for the unreachable reasons.

Yes, default gateway is very well configured on those switches.

Post removing the hardening cmds the switch IP came reachable in matter of 5 sec interval.

Thank you . . .

Regards

Amir

l2 switch mgmt IP went unreachable due to L3 hardening