Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1718
Views
0
Helpful
5
Replies

l2 switch mgmt IP went unreachable due to L3 hardening

murugananthamamir
Level 1
Level 1

‎12-09-2014 10:41 PM - edited ‎03-07-2019 09:50 PM

Dear folks,

 

We have a DC core switch which possess management SVI(L3) Vlan 100, and the downstream L2 switches management IP's been assigned in the  available vlan 100 range,  here we added the hardening commands in the L3 interface of vlan 100 on DC core switch. 

no ip unreachable 

no ip proxy-arp

Soon we noticed that some(apprx-10) of the L2 switches management IP went unreachable whereas it is learned in CDP as staying alive. AS well I can reach from L3 DC core switch but not from any other L2 switch.

I found here that the users are not impacted, switch is not isolated but the management IP is not reachable.

 

We couldn't found the issue happened exactly, though we tried to remove the last changes made as removing the hardening cmds.

 

Its unbelievable, the L2 switches are pinging each-other and Switch IP came reachable.

 

Assist me in explaining the reason behind this chaos . . . !

 

Thanks in advance 

 

Regards,

Amir

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎12-10-2014 07:05 AM

Amir

The switches that stopped responding to pings, are you sure they are in vlan 100 ie. the same IP subnet and subnet mask (the mask is particularly important) as the other switches that carried on working ?

Also do the switches that stopped working have a default gateway configured ?

Jon

0 Helpful

murugananthamamir
Level 1
Level 1
In response to Jon Marshall

‎12-11-2014 08:26 AM

Hi Jon,

 

Thanking on your response,

 

Yes, we have not did any changes towards L2 switches, hardening is the only changes done on the L3 interface. Issues been noticed on the certain switches and the rest switches were working fine.

Not aware, on what basis the certain switches been selected for the unreachable reasons.

Yes, default gateway is very well configured on those switches.

Post removing the hardening cmds the switch IP came reachable in matter of 5 sec interval.

 

Thank you . . .

 

Regards

Amir

 

0 Helpful

Ryan Curry
Level 1
Level 1
In response to murugananthamamir

‎12-11-2014 08:39 AM

Hi Amir, you may be running into an issue with path MTU discovery.  Here's an older article explaining what might be happening and why ICMP is being dropped (yet everything else is running fine):

http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

0 Helpful

murugananthamamir
Level 1
Level 1
In response to Ryan Curry

‎12-16-2014 05:52 PM


Hi Ryan,


Its a good knowledge sharing link, but still exactly not to my issue.

Shared link says about "no ip unreachable" cause behind the effect.

I tried to reoccur the issue out in my network and got to know that the command "no ip proxy-arp" is the culprit of this issue occurrence. 

Now the network is doing good with the hardening commands no ip redirect & no ip unreachable.

 

Thanks,

Amir

0 Helpful

murugananthamamir
Level 1
Level 1
In response to Jon Marshall

‎12-11-2014 08:28 AM

Hi Jon,

 

Thanking on your response,

 

Yes, we have not did any changes towards L2 switches, hardening is the only changes done on the L3 interface. Issues been noticed on the certain switches and the rest switches were working fine.

Not aware, on what basis the certain switches been selected for the unreachable reasons.

Yes, default gateway is very well configured on those switches.

Post removing the hardening cmds the switch IP came reachable in matter of 5 sec interval.

 

Thank you . . .

 

Regards

Amir

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card