Newly configured Catalyst 3850 L3 Switch not routing, IP helper not working

wmlarkin1
Level 1

Hi, I have just configured a 3850 switch for IP routing and have been through the configuration many times, but still no routing is taking place.  I have enabled IP routing and set up several VLANs with IP addresses (different subnets), and added several trunk ports and switch ports to test my configuration.  I also have a Windows DHCP server with associated scopes for the various subnets, but none except the default VLAN (which I set to 10) is working.

 

Here is my configuration for the CoreSwitch

 


!
! Last configuration change at 15:47:07 UTC Sat Jul 20 2019 by admin
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname Core-Switch
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$wEUy$iJ.U37OqiVLaORCJ2n5GG0
!
no aaa new-model
switch 1 provision ws-c3850-24p
!
!
!
!
ip routing
!
ip domain name aaota.org
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-939288410
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-939288410
revocation-check none
rsakeypair TP-self-signed-939288410
!
!
crypto pki certificate chain TP-self-signed-939288410
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
!
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
username admin password 7 08751E1A5D4B5C46
!
redundancy
mode sso
!
!
transceiver type all
monitoring
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
speed 1000
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/3
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/4
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/5
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/9
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/10
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/11
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/12
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/13
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/23
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 172.16.0.254 255.255.255.0
ip helper-address 172.16.0.5
!
interface Vlan100
ip address 172.16.10.254 255.255.255.0
ip helper-address 172.16.0.5
!
interface Vlan110
ip address 172.16.12.254 255.255.255.0
ip helper-address 172.16.0.5
!
interface Vlan200
ip address 172.16.20.254 255.255.255.0
ip helper-address 172.16.0.5
!
interface Vlan210
ip address 172.16.22.254 255.255.255.0
ip helper-address 172.16.0.5
!
interface Vlan300
ip address 172.16.30.254 255.255.255.0
ip helper-address 172.16.0.5
!
interface Vlan310
ip address 172.16.32.254 255.255.255.0
ip helper-address 172.16.0.5
!
interface Vlan600
ip address 172.16.60.254 255.255.255.0
ip helper-address 172.16.0.5
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip ssh version 2
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
password 7 1443405F5856737A
logging synchronous
login
stopbits 1
line aux 0
password 7 1443405F5856737A
login
stopbits 1
line vty 0 4
password 7 135145465F5E5D7B
logging synchronous
login local
transport input all
line vty 5 15
password 7 135145465F5E5D7B
logging synchronous
login local
transport input all
!
!
mac address-table notification mac-move
!
!
!
!
!
end

21 Replies

" I was originally trying this route 172.16.0.0 255.255.255.0 172.16.0.254, thinking that it would cover ALL of the SVI's, but for some reason this never worked."

Or try 172.16.0.0 255.255.0.0 172.16.0.254


@Joseph W. Doherty wrote:
" I was originally trying this route 172.16.0.0 255.255.255.0 172.16.0.254, thinking that it would cover ALL of the SVI's, but for some reason this never worked."

Or try 172.16.0.0 255.255.0.0 172.16.0.254

Head Slap!! - Yes.. this did work.. somehow I lost my thinking trying to wade through all of this.  Thanks Again!
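The reason the /24 return route never covered the other SVIs, and the /16 did, can be checked mechanically. As an added example (not code from the thread or from Cisco), the standard-library Python script below parses the SVI addresses out of the posted configuration, lists which SVI networks a candidate return route on the Internet router would leave uncovered, computes the tightest summary prefix that covers all of them, and confirms that the `ip helper-address` target sits on a subnet the switch is directly connected to. The configuration excerpt is constructed from the addresses in the post; the two candidate routes are the ones discussed above.

```python
# Added example (not from the original post): parse the SVIs out of the
# posted 3850 config and test which candidate static route on the Internet
# router covers all of them. Standard library only.
import ipaddress
import re

# Constructed excerpt of the SVI section of the posted configuration; the
# addresses are the thread's, the one-space indentation is IOS's own.
CORE_SWITCH_CONFIG = """
interface Vlan10
 ip address 172.16.0.254 255.255.255.0
 ip helper-address 172.16.0.5
!
interface Vlan100
 ip address 172.16.10.254 255.255.255.0
 ip helper-address 172.16.0.5
!
interface Vlan110
 ip address 172.16.12.254 255.255.255.0
 ip helper-address 172.16.0.5
!
interface Vlan200
 ip address 172.16.20.254 255.255.255.0
 ip helper-address 172.16.0.5
!
interface Vlan210
 ip address 172.16.22.254 255.255.255.0
 ip helper-address 172.16.0.5
!
interface Vlan300
 ip address 172.16.30.254 255.255.255.0
 ip helper-address 172.16.0.5
!
interface Vlan310
 ip address 172.16.32.254 255.255.255.0
 ip helper-address 172.16.0.5
!
interface Vlan600
 ip address 172.16.60.254 255.255.255.0
 ip helper-address 172.16.0.5
!
"""


def parse_svis(config):
    """Map each SVI name to its IPv4Interface (address plus mask)."""
    svis = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split()[1]
            current = name if name.startswith("Vlan") else None
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current is not None:
            svis[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return svis


def uncovered_networks(route_prefix, svis):
    """SVI networks that a candidate route (e.g. '172.16.0.0/24') does not cover."""
    route = ipaddress.IPv4Network(route_prefix)
    return sorted(str(i.network) for i in svis.values()
                  if not i.network.subnet_of(route))


def summary_route(svis):
    """Tightest single prefix covering every SVI network: start from one
    network and widen it one bit at a time until all the others fit inside."""
    nets = [i.network for i in svis.values()]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def helper_on_connected_subnet(svis, helper_ip):
    """True if the helper-address target is on a subnet the switch owns, so
    relayed DHCP requests need no extra route to reach the server."""
    addr = ipaddress.IPv4Address(helper_ip)
    return any(addr in i.network for i in svis.values())


SVIS = parse_svis(CORE_SWITCH_CONFIG)

if __name__ == "__main__":
    for candidate in ("172.16.0.0/24", "172.16.0.0/16"):
        print(candidate, "leaves uncovered:", uncovered_networks(candidate, SVIS))
    print("tightest summary:", summary_route(SVIS))
    print("DHCP server on a connected subnet:", helper_on_connected_subnet(SVIS, "172.16.0.5"))
```

Run as-is it reports that `172.16.0.0/24` covers only VLAN 10's own subnet (the other seven SVI networks stay uncovered), that `172.16.0.0/16` covers all of them, and that the tightest summary for this particular plan is `172.16.0.0/18`. Either the /16 or the /18 works as the return route; the /16 has room for more VLANs later, the /18 is the more conservative choice if the upstream router should only ever see the ranges actually in use.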

Hi.. I have updated my posts.. please take a look at the info.  Thanks - Bill

So your Windows server's default gateway is the Internet router and you have now added a static route on the Internet router for the networks routed by the Catalyst 3850. Your workaround will work but it is suboptimal.

If the Internet router sends ICMP redirects then your Windows host will create temporary host /32 routes for each internal destination it sends traffic to.  If it doesn't send ICMP redirects then traffic from the Windows host to networks routed by the Catalyst is sent to the Internet router and then back to the Catalyst.  You can check if the Windows host is doing this from a command prompt with the command 'route print'.

https://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.pdf

 

The better option is to connect the Internet router to the switch using a 'transit' IP network that just has the Internet router and the Catalyst (i.e. a /30 or /31 point-to-point subnet). Set the Windows host's default gateway to be the Catalyst's SVI interface IP address.  Add static routes on the Internet gateway for your internal networks via the P2P and add a default static route on the Catalyst to the Internet router.

 

Andy

Andrew raises a good point!

He's correct, another way (often the better way assuming you're not providing gateway redundancy) is not to have the Internet router on an internal host network. Whether you have the Internet router or the L3 switch as the default gateway, either, by default, will redirect hosts to the other router if that's where the traffic needs to go next (NB: BTW this is only an issue for hosts on the common network - non-common internal networks will use the "shared" internal host network for transit - i.e. redirects will not be an issue for them). If you do keep them using a shared internal host network, for which of the two routers to use as the host gateway, generally your L3 switch should be the gateway, as it usually has much more capacity than a WAN router (to support internal LAN-to-LAN traffic).

Another way to avoid the redirects is to disable them on the shared interfaces (mentioned, I believe, in the reference Andrew provided). This will then cause traffic to possibly transit a router that it really doesn't need to, but it avoids the hosts loading up redirected routes.

Although, if you do define a transit network, Andrew mentions using static routes, again, the two routing devices can share routing information via a routing protocol.

 

[edit]

PS:

If you want to disable redirects, build a dedicated transit network, need additional help, etc., feel free to ask.  I, and/or others, will try to help.
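To make the redirect discussion in Andy's and Joseph's posts concrete, here is an added example (not code from the thread, from Cisco, or from either poster) in Python that models Cisco's default ICMP redirect rule: a router sends a redirect when the packet would leave on the same interface it arrived on and the next hop is on the source's subnet, unless `no ip redirects` is set on that interface. It builds the thread's shared-VLAN layout (Internet router at 172.16.0.1 and the 3850 at 172.16.0.254 both on VLAN 10) next to Andy's transit-link layout and reports, for a handful of flows, whether the first packet would trigger a redirect. The 172.16.0.0/16 addressing follows the posted config; the WAN link 203.0.113.0/30, the transit link 10.255.255.0/30, the interface names on the Internet router and the host addresses are constructed assumptions.

```python
# Added example, not from the thread: a small model of Cisco's default ICMP
# redirect rule, used to compare the shared-VLAN layout in the thread with
# Andy's transit-network layout. Addresses in 172.16.0.0/16 follow the posted
# config; the WAN link 203.0.113.0/30, the transit link 10.255.255.0/30 and
# the host/server addresses are constructed assumptions.
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
Intf = ipaddress.IPv4Interface


@dataclass
class Router:
    name: str
    interfaces: dict                                   # ifname -> IPv4Interface
    static_routes: list = field(default_factory=list)  # [(IPv4Network, next hop)]
    no_redirects: set = field(default_factory=set)     # ifnames with 'no ip redirects'

    def connected_interface(self, addr):
        """Interface whose subnet contains addr; None if addr is off-net."""
        for name, intf in self.interfaces.items():
            if addr in intf.network:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match over connected subnets and static routes.
        Returns (egress interface, next hop). Static next hops are assumed
        to be directly connected, as they are in the thread."""
        best = None
        for name, intf in self.interfaces.items():
            if dst in intf.network and (best is None or intf.network.prefixlen > best[0]):
                best = (intf.network.prefixlen, name, dst)
        for net, next_hop in self.static_routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, self.connected_interface(next_hop), next_hop)
        return None if best is None else (best[1], best[2])

    def would_redirect(self, src, dst):
        """Cisco default: redirect when the packet leaves on the interface it
        arrived on, the next hop is on the source's subnet, and redirects are
        not disabled on that interface."""
        ingress = self.connected_interface(src)
        route = self.lookup(dst)
        if ingress is None or route is None or ingress in self.no_redirects:
            return False
        egress, next_hop = route
        return egress == ingress and next_hop in self.interfaces[ingress].network


def shared_segment_topology(disable_redirects=False):
    """Thread layout: Internet router (.1) and 3850 (.254) share VLAN 10."""
    inet = Router("Internet-Router",
                  {"Gi0": Intf("172.16.0.1/24"), "Wan0": Intf("203.0.113.2/30")},
                  [(Net("172.16.0.0/16"), IPv4("172.16.0.254")),
                   (Net("0.0.0.0/0"), IPv4("203.0.113.1"))],
                  {"Gi0"} if disable_redirects else set())
    core = Router("Core-Switch",
                  {"Vlan10": Intf("172.16.0.254/24"), "Vlan100": Intf("172.16.10.254/24")},
                  [(Net("0.0.0.0/0"), IPv4("172.16.0.1"))],
                  {"Vlan10"} if disable_redirects else set())
    return inet, core


def transit_topology():
    """Andy's layout: a /30 between the routers, hosts use the 3850 as gateway."""
    inet = Router("Internet-Router",
                  {"Gi0": Intf("10.255.255.1/30"), "Wan0": Intf("203.0.113.2/30")},
                  [(Net("172.16.0.0/16"), IPv4("10.255.255.2")),
                   (Net("0.0.0.0/0"), IPv4("203.0.113.1"))])
    core = Router("Core-Switch",
                  {"Vlan10": Intf("172.16.0.254/24"), "Vlan100": Intf("172.16.10.254/24"),
                   "Gi1/0/1": Intf("10.255.255.2/30")},
                  [(Net("0.0.0.0/0"), IPv4("10.255.255.1"))])
    return inet, core


def redirect_report():
    """Scenario -> whether the router would send an ICMP redirect for that flow."""
    host, server = IPv4("172.16.0.5"), IPv4("172.16.10.20")   # VLAN 10 / VLAN 100 hosts
    wan_src, internet_dst = IPv4("198.51.100.7"), IPv4("192.0.2.10")
    inet, core = shared_segment_topology()
    _, core_noredir = shared_segment_topology(disable_redirects=True)
    _, core_transit = transit_topology()
    return {
        "shared: VLAN10 host -> Internet via 3850": core.would_redirect(host, internet_dst),
        "shared: VLAN10 host -> VLAN100 via Internet router": inet.would_redirect(host, server),
        "shared: VLAN100 host -> Internet via 3850": core.would_redirect(server, internet_dst),
        "shared: inbound from WAN -> VLAN100": inet.would_redirect(wan_src, server),
        "shared, no ip redirects: VLAN10 host -> Internet": core_noredir.would_redirect(host, internet_dst),
        "transit: VLAN10 host -> Internet via 3850": core_transit.would_redirect(host, internet_dst),
    }


if __name__ == "__main__":
    for scenario, redirected in redirect_report().items():
        print(f"{'REDIRECT' if redirected else 'ok      '}  {scenario}")
```

The report shows the three points made above: on the shared VLAN 10 a host is redirected whichever router it uses as gateway, hosts on the other VLANs are never redirected because their traffic enters the 3850 on a different interface than it leaves, and traffic arriving from the WAN side is not redirected either. `no ip redirects` on the shared interfaces stops the redirects but leaves the extra hop in place; the transit /30 removes the condition altogether because the 3850's uplink is no longer the interface the hosts sit on.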


@Joseph W. Doherty wrote:

 

PS:

If you want to disable redirects, build a dedicated transit network, need additional help, etc., feel free to ask.  I, and/or others, will try to help.


Thank you for your post.. I do have some work to do here as I want to get it right and working optimally.  I do not work in this area much, but can get around ok.  I reached out to the Cisco Community as I was running into a "brick wall" so to speak and have now made it past that point (Thanks to Everyone again).  To tackle this information that you and Andrew posted, I am sure that I will reach back out here as it is pretty much new territory for me, familiar yes, but that's about it.  Thanks Again. - Bill


@andrew.butterworth wrote:

So your Windows server's default gateway is the Internet router and you have now added a static route on the Internet router for the networks routed by the Catalyst 3850. Your workaround will work but it is suboptimal.

Hi Andy.. thanks for your post.. I will be checking into this and hopefully working through your info as I do want this to be optimal. I have had some experience with this, but do not work in this area mostly, hence the OP here.  As far as the info quoted above, my Windows server has the default gateway set to the Switch SVI, not the internet router.  The internet router is directly connected to the switch on an access port.  I have a default ip route set to: 0.0.0.0 0.0.0.0 172.16.0.1 in the CoreSwitch.  I understand what you posted and do know after reading it that some work needs to be done.  Thanks - Bill
