
L3 switch SVI routing & device default gateway

eeebbunee
Level 1

Hello Engineers,

I've just realized that an end device which has the wrong gateway (not within its subnet mask range) is ABLE to communicate with other devices. For instance,

  - Core SW (L3) interface VLAN IPs:

       10.10.15.1/23

       10.10.20.1/24

  - PC A : 10.10.15.0/23 (Default G/W: 10.10.20.1)

  - PC B : 10.10.20.0/24 (Default G/W: 10.10.20.1)

PC A and PC B can communicate with each other even though PC A has an incorrect(?) default gateway.

I thought PC A couldn't talk with PC B, because PC A should have the gateway 10.10.15.1.

PC A can communicate with 10.10.15.0/24 and 10.10.16.0/24 without a gateway, but what about other VLAN interfaces?

Why is this possible? Is it because 10.10.15.1 and 10.10.20.1 both eventually point to one device (the core switch)?

Thank you for your reply.

14 Replies

- PC A : 10.10.15.0/23 (Default G/W: 10.10.20.1)

  - PC B : 10.10.20.0/24 (Default G/W: 10.10.20.1)

From my view it is unidirectional. What I mean is:
you ping first from PC-B to PC-A; PC-A now has the MAC of PC-B's GW, and when PC-A sends traffic to PC-B it uses that MAC.

To be sure,
clear ARP on both PCs
clear the MAC table on the SW

now try to ping first from PC-A to PC-B.

Try it and share the result here.
It is unidirectional.

Jon Marshall
Hall of Fame

 

This is probably to do with proxy arp.

So PC A has a default gateway of 10.10.20.1, so when it sends traffic to PC B it arps for that IP, and if proxy arp is enabled on the SVI for PC A's vlan then the switch will respond with its own mac address; PC A sends the packets to the switch and the switch forwards the packets on to PC B.

Do a "sh ip int <PC A SVI>" and it should say proxy arp is enabled.

If you disable it then it should stop working.

 

Jon

As I know, if the PC is configured with a static default GW or gets it from DHCP, then it will not send a proxy ARP; it sends an ARP asking for the MAC directly, using the IP address of the default GW.

Correct me if I am wrong.

 

Yes, it will send an arp for 10.10.20.1 and the switch, if it is running proxy arp on PC A's SVI, will respond with the mac address of that SVI, so PC A then sends the packet to the switch, which checks the destination IP address and forwards it on to PC B.

 

Jon

Hello Jon,

Thank you for reaching me.

So if I disable proxy arp on the SVI, then PC A will no longer talk with other PCs?

  - VLAN 15 SVI : 10.10.15.1/23

  - VLAN 20 SVI : 10.10.20.1/24

Currently proxy arp is enabled on both SVIs.

Should I disable proxy arp only for VLAN 20, or for both?

If I disable it only for VLAN 20, then PC A can't talk to PC B, but what about the *opposite case?

*opposite case =

  - PC A = 10.10.15.10/23 (gateway: 10.10.15.1)

  - PC B = 10.10.20.10/24 (gateway: 10.10.15.1)

For your original question you should disable proxy arp on the SVI for vlan 15 and then retest. 

 

Jon

I will test this in a small lab and share the result here.

 

FYI I just did a small lab as well and it works as described above. 

 

Jon

I did a small lab and the result is:
the traffic is uni-directional.
You can see the echo request from R3 to R2,
and as @Jon Marshall mentioned, there is "incomplete" AFTER I disable proxy ARP on R1.

[attachment: issue arp.png]

[attachment: arp issue.png]

Note: the uni-directional traffic test was done with proxy arp disabled on R1.

For anyone who wants to do this lab:
I use GNS3,
and I emulate two routers as PCs by disabling ip routing.

Hello,

Thank you for sharing your test lab.

Before I apply the command to our switch, I am trying to test with Packet Tracer.

Following your test sample, I configured a 3650 switch as a core, and three different end devices.

[attachment: design-1.PNG]

However, I am still able to ping PC0 (which has another subnet's default gateway) from PC1 and Server0 AFTER I configure no ip proxy-arp.

Can you please see my switch configuration for the SVIs?

 

 

interface Vlan1
 no ip address
 shutdown
!
interface Vlan15
 mac-address 00e0.a372.3801
 ip address 10.10.15.1 255.255.254.0
 no ip proxy-arp
!
interface Vlan18
 mac-address 00e0.a372.3802
 ip address 10.10.18.1 255.255.255.0
 no ip proxy-arp
!
interface Vlan20
 mac-address 00e0.a372.3803
 ip address 10.10.20.1 255.255.255.0
 no ip proxy-arp
!
ip classless
!
ip flow-export version 9
!
end
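Added example, not from the thread and not a Cisco tool: a small Python audit that parses the SVI blocks out of a running-config like the one posted above and then checks, for each PC, whether its default gateway lies inside its own subnet. It also distinguishes the case where proxy ARP on the PC's SVI would mask the mistake (traffic still flows, so nobody notices) from the case where the wrong gateway causes off-subnet traffic to fail. The config text is a constructed copy of the posted SVIs, with Vlan20 left at the IOS default (proxy ARP on) so that the audit has a masked case to report; the PC/gateway pairs are the ones from the thread.

```python
import ipaddress
import re

# Constructed sample based on the SVI blocks posted above. Vlan15 and Vlan18 carry
# "no ip proxy-arp" as in the post; Vlan20 is deliberately left at the IOS default
# (proxy ARP on) so that the audit has a masked case to report.
RUNNING_CONFIG = """\
interface Vlan1
 no ip address
 shutdown
!
interface Vlan15
 mac-address 00e0.a372.3801
 ip address 10.10.15.1 255.255.254.0
 no ip proxy-arp
!
interface Vlan18
 mac-address 00e0.a372.3802
 ip address 10.10.18.1 255.255.255.0
 no ip proxy-arp
!
interface Vlan20
 mac-address 00e0.a372.3803
 ip address 10.10.20.1 255.255.255.0
!
"""


def parse_svis(config: str) -> dict:
    """Map each 'interface VlanN' block to its address, proxy-ARP state and shutdown flag.

    IOS enables proxy ARP by default, so a block without 'no ip proxy-arp' counts as on.
    """
    svis, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":  # end of the current block
            current = None
            continue
        m = re.match(r"interface (Vlan\d+)$", line)
        if m:
            current = svis[m.group(1)] = {"addr": None, "proxy_arp": True, "shutdown": False}
            continue
        if current is None:
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:  # ipaddress accepts "address/dotted-mask"
            current["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif line == "no ip proxy-arp":
            current["proxy_arp"] = False
        elif line == "shutdown":
            current["shutdown"] = True
    return svis


def audit_host(host_cidr: str, gateway: str, svis: dict) -> dict:
    """Classify a host's default gateway against the switch's active SVIs."""
    host = ipaddress.IPv4Interface(host_cidr)
    gw = ipaddress.IPv4Address(gateway)
    active = {n: s for n, s in svis.items() if s["addr"] is not None and not s["shutdown"]}
    own_svi = next((n for n, s in active.items() if host.ip in s["addr"].network), None)
    gw_in_subnet = gw in host.network
    gw_is_svi = any(s["addr"].ip == gw for s in active.values())
    gw_routable = any(gw in s["addr"].network for s in active.values())
    if gw_in_subnet and gw_is_svi:
        verdict = "ok"
    elif gw_in_subnet:
        verdict = "gateway in subnet but not an SVI on this switch"
    elif own_svi is not None and active[own_svi]["proxy_arp"] and gw_routable:
        # The host ARPs for an off-subnet IP and the SVI answers on its behalf, so
        # traffic still flows and the misconfiguration stays invisible.
        verdict = "wrong gateway, masked by proxy ARP"
    else:
        verdict = "wrong gateway, off-subnet traffic will fail"
    return {"host": str(host), "gateway": str(gw), "svi": own_svi,
            "gateway_in_subnet": gw_in_subnet, "verdict": verdict}


if __name__ == "__main__":
    svis = parse_svis(RUNNING_CONFIG)
    for name, svi in svis.items():
        addr = str(svi["addr"]) if svi["addr"] is not None else "-"
        print(f"{name:7} {addr:22} proxy-arp={'on' if svi['proxy_arp'] else 'off'}")
    for host, gw in [("10.10.15.10/23", "10.10.20.1"),   # PC A from the thread
                     ("10.10.20.10/24", "10.10.20.1"),   # PC B from the thread
                     ("10.10.20.10/24", "10.10.15.1")]:  # the "opposite case"
        print(audit_host(host, gw, svis))
```

With the posted config, PC A (10.10.15.10/23 with gateway 10.10.20.1) is reported as a wrong gateway that will fail, because Vlan15 has proxy ARP off; the same mistake on a VLAN whose SVI still has proxy ARP on is reported as masked, which is the situation the original question describes.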

First you must run routing on your SW:
run
ip routing

Second you must assign a VLAN to each port:
run
interface fx/x
switchport access vlan x


I am attaching the entire configuration.

I believe I configured ip routing and an access vlan for each port.

If I hadn't configured ip routing, then I couldn't even ping between PCs.

Please correct me if I didn't get the point.

Thank you for giving your precious time.

 

 

 

ALL CASES BELOW: DEFAULT GW NOT configured on any PC
*1
before running
ip routing
and assigning VLANs

The SW is L2, and L2 does NOT separate the broadcast domain (you haven't configured any VLAN yet). What does that mean?
The L2 SW will receive broadcasts, and here the most important one is the ARP broadcast (PC-1 asking for the MAC of PC-2) from PC-1, and FLOOD it to all ports (since all ports are by default assigned to VLAN 1);
PC-2 receives the ARP broadcast and replies with its MAC.

And that is how it works when you have not assigned VLANs and have not run ip routing:
ping is successful.

 

*2
after
assigning VLANs
"ip routing is not run"

The SW is L2, and L2 separates the broadcast domain.

The L2 SW will receive broadcasts, and here the most important one is the ARP broadcast (PC-1 asking for the MAC of PC-2) from PC-1, and FLOOD it to all ports within the same VLAN;
PC-2 does not receive the ARP broadcast because it is in a different VLAN.

And here the ping fails.

 

*3
after
assigning VLANs
ip routing run

The SW is L2, and L2 separates the broadcast domain.

The L2 SW will receive broadcasts, and here the most important one is the ARP broadcast (PC-1 asking for the MAC of PC-2) from PC-1, and FLOOD it to all ports within the same VLAN (for example VLAN X), which includes the SVI of VLAN X. The SVI has proxy-arp capability and answers the ARP with the SVI MAC address; PC-1 saves the MAC address of the SVI of VLAN X as the MAC of PC-2.

Here there is another ARP broadcast from the SVI of VLAN Y (VLAN Y is for PC-2); the SW floods this broadcast to all ports, and PC-2 replies with its MAC address.

Now here the ping is successful.

 

*4
after
assigning VLANs
ip routing run

no proxy-arp

The SW is L2, and L2 separates the broadcast domain.

The L2 SW will receive broadcasts, and here the most important one is the ARP broadcast (PC-1 asking for the MAC of PC-2) from PC-1, and FLOOD it to all ports within the same VLAN (for example VLAN X), which includes the SVI of VLAN X. The SVI has NO proxy-arp capability and does NOT answer the ARP with the SVI MAC address.

Now here the ping fails.

 

ALL CASES BELOW: DEFAULT GW configured on all PCs

*5
run
assign VLANs
ip routing run
proxy-arp on
default GW is configured (correct GW)

PING REQUEST
The SW is L2, and L2 separates the broadcast domain.

The L2 SW will receive broadcasts, and here the most important one is the ARP broadcast (PC-1 asking for the MAC of the SVI of VLAN X) from PC-1, and FLOOD it to all ports within the same VLAN (for example VLAN X), which includes the SVI of VLAN X. The SVI answers the ARP with the SVI MAC address; PC-1 saves the MAC address of the SVI of VLAN X.

Here there is another ARP broadcast from the SVI of VLAN Y (VLAN Y is for PC-2); the SW floods this broadcast to all ports, and PC-2 replies with its MAC address.

PING REQUEST is successful.

PING REPLY

The SW is L2, and L2 separates the broadcast domain.

PC-2 now needs to reply to PC-1; since the subnet is different from PC-2's, PC-2 will use the default GW.

The L2 SW will receive broadcasts, and here the most important one is the ARP broadcast (PC-2 asking for the MAC of the SVI of VLAN Y) from PC-2, and FLOOD it to all ports within the same VLAN (for example VLAN Y), which includes the SVI of VLAN Y. The SVI answers the ARP with the SVI MAC address; PC-2 saves the MAC address of the SVI of VLAN Y.

Here PING REPLY is successful.

 

 

*6
run
assign VLANs
ip routing run
proxy-arp on
default GW is configured (GW wrong on one side)

PING REQUEST
The SW is L2, and L2 separates the broadcast domain.

The L2 SW will receive broadcasts, and here the most important one is the ARP broadcast (PC-1 asking for the MAC of the SVI of VLAN X) from PC-1, and FLOOD it to all ports within the same VLAN (for example VLAN X), which includes the SVI of VLAN X. The SVI answers the ARP with the SVI MAC address; PC-1 saves the MAC address of the SVI of VLAN X.

Here there is another ARP broadcast from the SVI of VLAN Y (VLAN Y is for PC-2); the SW floods this broadcast to all ports, and PC-2 replies with its MAC address.

PING REQUEST is successful.

PING REPLY

The SW is L2, and L2 separates the broadcast domain.

PC-2 now needs to reply to PC-1; since the subnet is different from PC-2's, PC-2 will use the default GW.

The L2 SW will receive broadcasts, and here the most important one is the ARP broadcast (PC-2 asking for the MAC of the SVI of VLAN X, the "wrong GW") from PC-2, and FLOOD it to all ports within the same VLAN (for example VLAN Y), which includes the SVI of VLAN Y. The SVI of VLAN Y does NOT answer the ARP because proxy-ARP is disabled.

Here PING REPLY fails.

Here the traffic is uni-directional.
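Added example, not part of the thread: a Python model of the ARP exchange walked through in cases *3 to *6 above and in Jon Marshall's proxy-arp explanation. It has two hosts on two VLANs, one SVI per VLAN with a proxy-ARP flag, and a `ping()` that reports separately whether the echo request and the echo reply find a next-hop MAC, which is what makes the "uni-directional" result visible. The SVI addresses and MACs are those from the posted config; the host MAC addresses and the `Lab`/`Svi`/`Host` names are constructed for the example. Real switches also keep their own ARP tables, age entries and handle more than two VLANs; this model deliberately stops at the part the thread is about.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Svi:
    vlan: int
    addr: ipaddress.IPv4Interface
    mac: str
    proxy_arp: bool = True  # IOS default: on


@dataclass
class Host:
    name: str
    vlan: int
    addr: ipaddress.IPv4Interface
    gateway: ipaddress.IPv4Address
    mac: str
    arp_cache: dict = field(default_factory=dict)


class Lab:
    """One L3 switch with SVIs plus access-port hosts, modelled at the ARP level only."""

    def __init__(self, svis, hosts):
        self.svis = {s.vlan: s for s in svis}
        self.hosts = {h.name: h for h in hosts}

    def svi_toward(self, ip):
        """The SVI whose connected subnet contains ip (the switch's route lookup)."""
        return next((s for s in self.svis.values() if ip in s.addr.network), None)

    def arp(self, vlan, target):
        """Broadcast 'who has target?' in vlan; return the MAC that answers, or None."""
        for h in self.hosts.values():
            if h.vlan == vlan and h.addr.ip == target:
                return h.mac
        svi = self.svis.get(vlan)
        if svi is None:
            return None
        if target == svi.addr.ip:  # the SVI answers for its own address
            return svi.mac
        # Proxy ARP: the SVI answers for an off-subnet target it can route out another VLAN.
        egress = self.svi_toward(target)
        if (svi.proxy_arp and target not in svi.addr.network
                and egress is not None and egress.vlan != vlan):
            return svi.mac
        return None

    def host_send(self, src, dst_ip):
        """src resolves its next hop for dst_ip and hands the frame to the switch."""
        next_hop = dst_ip if dst_ip in src.addr.network else src.gateway
        mac = src.arp_cache.get(next_hop) or self.arp(src.vlan, next_hop)
        if mac is None:  # ARP entry stays 'incomplete'; nothing is sent
            return False
        src.arp_cache[next_hop] = mac
        return self.deliver(src.vlan, mac, dst_ip)

    def deliver(self, vlan, mac, dst_ip):
        for h in self.hosts.values():  # frame addressed to a host in the same VLAN
            if h.vlan == vlan and h.mac == mac:
                return h.addr.ip == dst_ip
        svi = self.svis.get(vlan)
        if svi is None or mac != svi.mac:
            return False
        egress = self.svi_toward(dst_ip)  # frame addressed to the SVI: route it
        if egress is None:
            return False
        dst_mac = self.arp(egress.vlan, dst_ip)
        return any(h.vlan == egress.vlan and h.mac == dst_mac and h.addr.ip == dst_ip
                   for h in self.hosts.values())

    def ping(self, src_name, dst_name):
        """Echo request then echo reply; each leg succeeds only if its next hop resolves."""
        src, dst = self.hosts[src_name], self.hosts[dst_name]
        request = self.host_send(src, dst.addr.ip)
        reply = self.host_send(dst, src.addr.ip) if request else False
        return {"request": request, "reply": reply}


def build_lab(proxy_arp_vlan15, pc_a_gateway="10.10.20.1"):
    """Topology from the thread; the host MAC addresses are constructed."""
    svis = [Svi(15, ipaddress.IPv4Interface("10.10.15.1/23"), "00e0.a372.3801", proxy_arp_vlan15),
            Svi(20, ipaddress.IPv4Interface("10.10.20.1/24"), "00e0.a372.3803")]
    hosts = [Host("PC-A", 15, ipaddress.IPv4Interface("10.10.15.10/23"),
                  ipaddress.IPv4Address(pc_a_gateway), "0000.0000.000a"),
             Host("PC-B", 20, ipaddress.IPv4Interface("10.10.20.10/24"),
                  ipaddress.IPv4Address("10.10.20.1"), "0000.0000.000b")]
    return Lab(svis, hosts)


if __name__ == "__main__":
    print("proxy ARP on,  PC-A -> PC-B:", build_lab(True).ping("PC-A", "PC-B"))
    print("proxy ARP off, PC-A -> PC-B:", build_lab(False).ping("PC-A", "PC-B"))
    print("proxy ARP off, PC-B -> PC-A:", build_lab(False).ping("PC-B", "PC-A"))
    print("proxy ARP off, correct GW:  ", build_lab(False, "10.10.15.1").ping("PC-A", "PC-B"))
```

With proxy ARP on, PC-A's off-subnet gateway is answered by the Vlan15 SVI and both legs succeed. With `no ip proxy-arp` on Vlan15, a ping from PC-A fails outright, while a ping from PC-B reaches PC-A but the reply never leaves PC-A (its ARP for 10.10.20.1 goes unanswered), which is the uni-directional case. Correcting PC-A's gateway to 10.10.15.1 restores both legs without proxy ARP.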
