Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
856
Views
15
Helpful
5
Replies

Problems with VLAN routing (Switch 2960XR)

Go to solution
hectormiranda
Level 1
Level 1

‎08-29-2019 08:47 AM

Hello team,

These last days I've found some strange behavior --according to myself-- with a couple of Layer 3 switches.Switching VLAN routing, LAN Switching

The scenario is the following: in my customer's site there are two LANs physically separated, East wing and West wing. In the East wing we have as core switch a  WS-C2960XR-48TS-I (software image C2960X-UNIVERSALK9-M 15.2(6)E2). In the West wing we have as core switch a WS-C2960XR-24PS-I (software image C2960X-UNIVERSALK9-M 15.2(2)E7).

Both switches are linked with an etherchannel (2 gig ports from each switch), a fiber optics cable with GLC-MMD sfp's).

 

In this post I have attached two files with the respective configurations: East core switch is Config Switch Core-O.txt and West core switch is Config Switch Core-P.txt.

 

The "strange behavior" is the following: I have a PC with TeamViewer I use to remotely access the network in case other access I have via VPN fails. That PC is connected by a UTP cable directly to port Gi1/0/40 of the East core switch. That is an access port in VLAN 120 (this is the VLAN for users in the East wing). First strange symptom is I cannot ping nor traceroute from the core switch to that PC; BUT I can ping and tracert from the PC to the core switch.

That PC has got IP address from DHCP pool in the core switch: its IP address is 10.1.20.103 and its default gateway is 10.1.20.1 (ip address of the interface Vlan 120 in the core switch).

 

Yesterday I connected another PC directly to the core switch, port Gi1/0/27; I created the test VLAN 8 and assigned that port to that VLAN. In the PC I assigned the static IP address 192.168.8.125 with default gateway 192.168.8.52 which is the IP address of interface Vlan8 in the core switch.

The behavior is exactly the same: I cannot ping nor traceroute from the switch to the PC; BUT I can ping and tracert from the PC to the switch.

 

And what is the worst strange behavior is I cannot ping nor tracert between both PCs. This is specially important because we have an extended LAN in a remote Datacenter connected with a point to point link. I have port Gi1/0/2 in the East core switch connected to that point to point link; that port is assigned to VLAN 7. Currently, users in VLAN 120 (East wing) and VLAN 220 (West wing) don't have any problems accessing the servers at the Datacenter. BUT I'm having problems accessing those servers with our remote access (VPN) users.

 

Can anybody shed some light over this strange behavior?

I'm currently very confused...

 

Labels:
Preview file
18 KB
Preview file
9 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎08-29-2019 09:49 AM

Hi,

Can you check the PCs for firewall software or sometime window firewall that block ICMP request?

HTH

View solution in original post

5 Replies 5

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎08-29-2019 09:49 AM

Hi,

Can you check the PCs for firewall software or sometime window firewall that block ICMP request?

HTH

Go to solution
hectormiranda
Level 1
Level 1
In response to Reza Sharifi

‎08-29-2019 04:04 PM

Hello guys,

I don't know what to say... Sometimes trees don't let you see the forest...

Last weekend I did a huge work in this network, I replaced the Cisco ASA and installed two new Fortinet firewalls; changed all the IP map and logically separated both wings; reprogrammed both core switches and all of the access switches; installed and configured a lot of Meraki access points in the West wing to separate both wireless networks; reconfigured the CT2504 Wireless LAN Controller of the East wing, upgrading its operating system and redefining the WLANs...

All these between Saturday and Sunday... Just me alone...

I was thinking this was a big big problem related with something wrong with the L3 switches.... But no, it was the damned Windows firewall...

Thanks a lot and never forget the KISS principle...

 

Best regards,

 

Hector Miranda

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to hectormiranda

‎08-29-2019 06:22 PM

Hi,

Wow, you really did a lot of work on a weekend all by your self. I really am impressed with all the accomplishment you had in just one weekend.  Anyway, don't beat yourself up with the PC issue. We all miss the simple things. :-)

And as you said, never forget the KISS principal.

Good luck and glad to help!

HTH

Go to solution
hectormiranda
Level 1
Level 1
In response to Reza Sharifi

‎08-29-2019 07:26 PM

Thank you, Reza!

I must say I was planning that installation for two weeks.

The hardest part was to replicate the ASA configuration in the Fortinet machines, because I had more than 50 policies and hundreds of objects, besides some complex NAT and port forwardings. Fortunately, Fortinet's interface is really friendly... If you are able to understand Cisco ASA logic it seems every other logic looks pretty friendly :)

The Meraki part was the easiest. My main strength is switching and routing, so that part I did it almost with my eyes closed...

That was the cause of my frustration when I had this problem you helped me solve.

 

Thank you very much once again.

 

Hector

 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎08-29-2019 02:26 PM

Am I understanding the post correctly that the symptoms described involve the East core switch and not the West core switch? So while it may be nice to have access to the config of the West switch that our attentions should really be focused on the East core switch?

 

My guess is that @Reza Sharifi has correctly identified the issue as being some firewall or some security policy on the PCs that prevents responding to ICMP requests. If that is not the case then I would ask that you post the output from the switch of the command show interface status and of show vlan.

 

HTH

 

Rick

HTH

Rick
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card