04-24-2018 03:27 PM - edited 03-08-2019 02:47 PM
Moving to a new /21 subnet from an existing, functioning subnet (16 years). Routing on a 3 interface (2 inside, 1 outside) router, not a switch, and have assigned a secondary address on our primary inside interface. The normal Local and Connected route entries were automatically created on the router when the secondary address was defined so that all interfaces and associated IP segments are represented by a "show ip route". We are not using VLANs and no NAT settings are defined. I can ping the secondary address from our outside network, from the 2nd inside network and from the original subnet. Also, I can ping between individual hosts that are on the new subnet on the 1st inside network. The hosts on the new network can't get a response from their gateway (secondary address) nor can outside hosts (obviously) route to nodes on the new segment. All hosts on the original /22 segment are fully accessible by hosts on the outside and 2nd inside networks and hosts on the original inside network can access hosts on all other networks. Just not the one defined as secondary on the same interface. I have done this before for this exact reason and it was a no-brainer, though it was more than a decade ago. All Cisco information indicates this should be easy and acceptable for this type of transition.
Any ideas on what I am missing would be greatly appreciated.
Interface configs are as follows.
ip route 0.0.0.0 0.0.0.0 ***.***.75.29
interface GigabitEthernet0/0
description Outside Network
ip address ***.***.75.30 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no keepalive
no mop enabled
!
interface GigabitEthernet0/1
description Primary Inside Network
ip address ***.***.127.254 255.255.248.0 secondary
ip address ***.***.79.254 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no keepalive
no mop enabled
!
interface GigabitEthernet0/2
description 2nd Inside Network
ip address ***.***.81.158 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no keepalive
no mop enabled
04-24-2018 07:26 PM
Do the hosts on the new subnet (/21) have a default gateway pointing at ***.***.127.254?
Regards,
04-25-2018 06:07 AM
Yes, they do. However, I believe that the main clue is that they can't ping that address. Since the 2 clients and the gateway (the secondary address on the router interface) all have the same netmask, they should be able to ping each other without routing. Unfortunately, the 2 ***.***.120.0/21 hosts can't get a ping response from the ***.***.127.254 address on the router, despite it being pingable from all other interfaces and subnets.
04-25-2018 06:40 AM
Can you post the output of these commands:
show ip interface brief
show arp (or perhaps show ip arp depending on platform)
And on one of the PCs connected on the new subnet, would you post the output of these commands:
ipconfig
arp -a
As a side note, I am surprised to see each of the interfaces configured with no keepalive. Is there a reason for that? I doubt that it is causing this issue but it is quite unusual for normal Ethernet interfaces to be configured this way.
HTH
Rick
04-25-2018 01:16 PM
Our "keepalive" setting has to do with our alert monitoring. We want to differentiate between an outage on our equipment or that of our service provider equipment. So we want our interfaces to show as up regardless of what is going on with the equipment outside our control.
The ARP list on the router is long, of course, so I cut out the middle.
# show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet ***.***.75.27 58 00c1.6485.2c02 ARPA GigabitEthernet0/0
Internet ***.***.75.29 70 0007.7d4d.cfbf ARPA GigabitEthernet0/0
Internet ***.***.75.30 - 0462.734f.0fe8 ARPA GigabitEthernet0/0
Internet ***.***.76.1 0 000c.f1e6.a69b ARPA GigabitEthernet0/1
Internet ***.***.76.2 3 1803.73b0.0bdf ARPA GigabitEthernet0/1
...
Internet ***.***.79.252 3 0462.7360.21dd ARPA GigabitEthernet0/1
Internet ***.***.79.254 - 0462.734f.0fe9 ARPA GigabitEthernet0/1
Internet ***.***.81.132 38 0050.56b9.a8f9 ARPA GigabitEthernet0/2
Internet ***.***.81.135 0 0050.56b9.1cc2 ARPA GigabitEthernet0/2
Internet ***.***.81.136 240 0050.56b9.3000 ARPA GigabitEthernet0/2
Internet ***.***.81.142 18 246e.960c.7b30 ARPA GigabitEthernet0/2
Internet ***.***.81.156 48 ecbd.1dcf.7a47 ARPA GigabitEthernet0/2
Internet ***.***.81.158 - 0462.734f.0fea ARPA GigabitEthernet0/2
Internet ***.***.125.1 0 Incomplete ARPA
Internet ***.***.127.254 - 0462.734f.0fe9 ARPA GigabitEthernet0/1
#sho ip int brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 ***.***.75.30 YES NVRAM up up
GigabitEthernet0/1 ***.***.79.254 YES NVRAM up up
GigabitEthernet0/2 ***.***.81.158 YES NVRAM up up
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : ***.***.125.1
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . . : ***.***.127.254
C:\>arp -a
Interface: ***.***.125.1 --- 0x2
Internet Address Physical Address Type
***.***.77.1 00-13-72-5b-70-90 dynamic
***.***.79.201 00-11-43-05-5b-a3 dynamic
***.***.79.205 a0-36-9f-3e-b0-14 dynamic
***.***.79.206 00-11-43-d9-55-94 dynamic
***.***.79.224 00-0d-56-fd-d1-49 dynamic
***.***.79.226 a0-36-9f-3e-b3-ce dynamic
***.***.79.254 04-62-73-4f-0f-e9 dynamic
***.***.124.1 00-1a-a0-1f-a2-a5 dynamic
***.***.127.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
231.1.1.1 01-00-5e-01-01-01 static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
04-25-2018 03:10 PM
Thanks for the explanation about no keepalive. As I said, I do not believe that this has anything to do with your issue. The outputs that you posted are clear that there is no layer 2 communication between the PC and the router. The router has sent an ARP request but received no response, as shown here:
Internet ***.***.125.1 0 Incomplete ARPA
and the ARP table in the PC has only two entries in the subnet, and neither of them is the router:
***.***.124.1 00-1a-a0-1f-a2-a5 dynamic
***.***.127.255 ff-ff-ff-ff-ff-ff static
We have seen only a partial config from the router and I do not see anything in that partial config that would explain these symptoms. Unless there is something significant in the router config that we have not seen I must believe that the problem is something in the connection between the PC and the router. Can you give us information about how the PC is connected?
One other question is to ask if you change the configuration of the PC and give it an IP address in the original subnet (and appropriate mask and gateway) does the PC communicate with the router?
HTH
Rick
04-26-2018 02:10 PM
Very simple layout. Router--->C4507R---->C3650---->PC1 (x.x.124.1/21)
|----->PC2 (x.x.125.1/21)
Both PCs can see each other fine, when on either subnet. If I move them back to the x.x.76.0/22 subnet with the other 1000 devices, they work perfectly and can ping the x.x.127.254 gateway. Move them back to the x.x.120.0/21 subnet and they can no longer see the gateway. This is an established network and we have no problems routing between the 3 interfaces. The introduction of the secondary address for the 4th subnet is merely temporary until we transition to the new subnet.
04-27-2018 06:34 AM
Thanks for the information. It is helpful (and quite puzzling) to know that if the PC is assigned an IP in the original subnet, it works fine.
In looking at the output from the PC, I am surprised to see a number of ARP entries for addresses that are not in the local subnet:
***.***.77.1 00-13-72-5b-70-90 dynamic
***.***.79.201 00-11-43-05-5b-a3 dynamic
***.***.79.205 a0-36-9f-3e-b0-14 dynamic
***.***.79.206 00-11-43-d9-55-94 dynamic
***.***.79.224 00-0d-56-fd-d1-49 dynamic
***.***.79.226 a0-36-9f-3e-b3-ce dynamic
***.***.79.254 04-62-73-4f-0f-e9 dynamic
Usually a PC will arp only for addresses that it considers to be local. Can you post the output of ipconfig /all from the PC?
Is logging enabled on the 4507 and the 3650? If so, would you attempt to access one of the PCs and then look in the logs to see if there are any messages that might relate to this?
On the router would you enable proxy arp on the interface with the secondary address and see if the behavior changes? (It should make no difference but it would be good to check on this)
On both the 3560 and 4507 would you post the output of show ip interface brief and of show interface status, identifying the interfaces where the PCs are connected?
HTH
Rick
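The two ARP checks made by hand in the replies above (an Incomplete entry on the router, and host cache entries that fall outside the host's own subnet) can be scripted. This is an added example, not part of any post in the thread; the sample tables are constructed, with "10.0" standing in for the masked "***.***" octets, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed samples modelled on the outputs posted in the thread;
# "10.0" replaces the masked octets and is an assumption.
ROUTER_SHOW_ARP = """\
Internet  10.0.79.254   -  0462.734f.0fe9  ARPA  GigabitEthernet0/1
Internet  10.0.125.1    0  Incomplete      ARPA
Internet  10.0.127.254  -  0462.734f.0fe9  ARPA  GigabitEthernet0/1
"""
PC_ARP_A = """\
10.0.77.1      00-13-72-5b-70-90  dynamic
10.0.79.254    04-62-73-4f-0f-e9  dynamic
10.0.124.1     00-1a-a0-1f-a2-a5  dynamic
10.0.127.255   ff-ff-ff-ff-ff-ff  static
224.0.0.22     01-00-5e-00-00-16  static
"""

def incomplete_entries(show_arp):
    """Addresses the router sent an ARP request for without getting a reply."""
    found = []
    for line in show_arp.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "Internet" and f[3].lower() == "incomplete":
            found.append(f[1])
    return found

def audit_host_cache(arp_a, host_ip, mask, gateway):
    """Split a Windows `arp -a` cache into on-link and off-link unicast entries."""
    net = ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    on_link, off_link = [], []
    for line in arp_a.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+\w+", line, re.I)
        if not m:
            continue  # header or blank line
        ip = ipaddress.ip_address(m.group(1))
        if ip.is_multicast or m.group(2).lower() == "ff-ff-ff-ff-ff-ff":
            continue  # multicast and broadcast mappings say nothing about neighbours
        (on_link if ip in net else off_link).append(str(ip))
    return {"on_link": on_link, "off_link": off_link,
            "gateway_resolved": gateway in on_link}

if __name__ == "__main__":
    print("router unresolved:", incomplete_entries(ROUTER_SHOW_ARP))
    print(audit_host_cache(PC_ARP_A, "10.0.125.1", "255.255.248.0", "10.0.127.254"))
```

Off-link entries in a host cache usually point to stale mappings from a previous address assignment or to something on the segment answering ARP on behalf of other subnets, so they are worth clearing and re-checking before drawing conclusions.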
04-27-2018 08:06 AM