5463 Views, 45 Helpful, 20 Replies

static route on L3 switch not working

Ibrahim Bhuiyan (Level 1)

Dear,

In my data center I configured a static route as in the scenario below. But I can't ping from the PC to the firewall. In Packet Tracer this is working, but in real life it is not. What is the problem? Can anyone help me?

 

 

[attached image: 12.png]

20 Replies

Hello,

What equipment are you using in 'real' life? What static route do you have configured on the L3 switch?

The switch should be configured as:

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.100.1

I used a Cisco 3850 switch and a 5515-X firewall.

Yes, I did it (ip routing and ip route 0.0.0.0 0.0.0.0 192.168.100.1) as you mentioned above. I also did this lab in GNS3, but the result is the same: no ping.

NOTE: If I use a router instead of the L3 switch, then I get the ping okay! I think there is an issue in the switch which I am missing.

 

Ruben Cocheno (Spotlight)

@Ibrahim Bhuiyan 

 

Perhaps it is easier if you can share more info on what you have in your datacenter: hardware, versions and configs. Your scenario seems very straightforward.


I also think that would be easier, but the result is the same. If I do this in Packet Tracer, then I get the ping.

I also shared the configuration of the L3 switch and the ASA FW from the GNS3 lab for your better understanding.

 

L3 Switch Configuration:

vlan 100
name uplink
int vl 100
ip add 192.168.100.2 255.255.255.0
no sh

int e 0/0
sw mod acc
sw acc vl 100

vlan 101
name lan
int vl 101
ip add 192.168.1.1 255.255.255.0
no sh

int e0/1
sw mod acc
sw acc vl 101

ip default-gateway 192.168.1.1

ASA Configuration:

int e 0
ip add 192.168.100.1 255.255.255.0
nameif inside
no sh

route inside 192.168.1.0 255.255.255.0 192.168.100.2

balaji.bandi (Hall of Fame)

High level: by default the ASA denies ICMP on physical kit? You can check in ASDM or the ASA log whether the ping is received at the interface.

 

BB


I kept global ICMP. I already said that if I use a router instead of the L3 switch, then I get the ping okay, but if I use the L3 switch, then I don't get the ping.

balaji.bandi (Hall of Fame)

Maybe I have missed that; can you post the complete L3 switch config to look at? You have not shared it, or are you aware of your testing?

On the L3 switch (I know you mentioned you already did; please check again, and share the full Layer 3 switch config):

no ip default-gateway 192.168.1.1

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.100.1 --< towards ASA

Conduct the tests below:

Are you able to ping the ASA from the L3 switch?

From the device, are you able to ping the L3 switch?

 

BB


Are you able to ping the ASA from the L3 switch?

Ans: Yes

primary-SW# ping
Protocol [ip]:
Target IP address: 192.168.100.1
Repeat count [5]: 100
Datagram size [100]: 500
Timeout in seconds [2]: 5
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 500-byte ICMP Echos to 192.168.100.1, timeout is 5 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/12/100 ms
primary-SW#

 

 

From the device, are you able to ping the L3 switch?

Ans: Yes

PC1> ping 192.168.1.1
84 bytes from 192.168.1.1 icmp_seq=1 ttl=255 time=11.286 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=255 time=0.907 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=255 time=1.214 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=255 time=7.814 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=255 time=7.068 ms

Switch Config:

SW#
SW#sh run
Building configuration...

Current configuration : 1620 bytes
!
! Last configuration change at 19:11:30 UTC Fri Sep 11 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip domain-lookup
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
switchport access vlan 100
switchport mode access
!
interface Ethernet0/1
switchport access vlan 101
switchport mode access
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet1/0
!
interface Ethernet1/1
!
interface Ethernet1/2
!
interface Ethernet1/3
!
interface Ethernet2/0
!
interface Ethernet2/1
!
interface Ethernet2/2
!
interface Ethernet2/3
!
interface Ethernet3/0
!
interface Ethernet3/1
!
interface Ethernet3/2
!
interface Ethernet3/3
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address 192.168.100.2 255.255.255.0
!
interface Vlan101
ip address 192.168.1.1 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

SW#

 

Ping from PC to Firewall:

PC1> ping 192.168.100.1
192.168.100.1 icmp_seq=1 timeout
192.168.100.1 icmp_seq=2 timeout
192.168.100.1 icmp_seq=3 timeout
192.168.100.1 icmp_seq=4 timeout
192.168.100.1 icmp_seq=5 timeout

PC1>

 

In looking at the posted config for the switch, I do not see the command ip routing. Are we sure that routing is enabled on the switch? Perhaps the output of these commands might be helpful in determining this:

show ip protocol

show ip route

 

Are we sure that the PC has correct mask and default gateway? Can the switch ping the switch interface in the vlan connecting to the ASA? (can the PC ping 192.168.100.2)

HTH

Rick

primary-SW#sh ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "application"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Maximum path: 32
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 4)

primary-SW#
primary-SW#sh ip rou
primary-SW#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S 10.66.244.0/29 [1/0] via 192.168.100.1
C 10.66.253.0/24 is directly connected, Vlan101
L 10.66.253.2/32 is directly connected, Vlan101
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/29 is directly connected, Vlan100
L 192.168.100.2/32 is directly connected, Vlan100
primary-SW#

balaji.bandi (Hall of Fame)

Just to check: is this a virtual lab where you are having the issue, or physical kit? (Looking at your switch config, it does not seem to be physical kit.)

Here are the possibilities, if this issue is only with the GNS3 virtual lab.

Try the steps below:

1. no ip cef - remove this from the switch and test.

2. Your IOL image may be buggy - try a different one.

Tested with this; it works for me in real and virtual:

Linux Software (I86BI_LINUXL2-IPBASEK9-M), Experimental Version 15.2(20170809:194209)

BB


Yes, this is a GNS3 lab, but the main issue is in the real field. I thought I had something wrong somewhere; that's why I tried it in GNS3, but the result is the same.

I can try your commands and see what happens:

primary-SW#sh ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "application"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Maximum path: 32
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 4)

 

 

primary-SW#
primary-SW#sh ip rou
primary-SW#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S 10.66.244.0/29 [1/0] via 192.168.100.1
C 10.66.253.0/24 is directly connected, Vlan101
L 10.66.253.2/32 is directly connected, Vlan101
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/29 is directly connected, Vlan100
L 192.168.100.2/32 is directly connected, Vlan100
primary-SW#

 

Thank you very much for all the replies.

Actually I need to solve this scenario (check the attached picture) in real life. I already configured failover and HSRP. I get the ping from the core switch to the BANet firewall gateway (10.66.244.1). But when I ping from the LAN PC (10.66.253.100) to BANet (10.66.244.1), I don't get the ping, not even to 192.168.100.1 (firewall inside gateway). Then I realized the problem is from the LAN PC to the firewall gateway, and to solve that issue I posted the problems above. I hope you understand. I am really hopeless about this. I can't understand what the actual issue is.

You can check all the configuration. Please suggest what I should do.
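As an added illustration (not from the thread or any poster), here is a small Python check that parses the switch's "show ip route" output posted above and tests whether a PC-to-ASA ping has both a forward path on the switch and a return route on the ASA. The ASA table is constructed from the posted GNS3 lab config (route inside 192.168.1.0 255.255.255.0 192.168.100.2), since the production ASA config is not in the thread, and the PC addresses used are assumptions.

```python
import ipaddress
import re
# Relevant lines of the switch's "show ip route" output posted in the thread
SWITCH_SHOW_IP_ROUTE = """\
S 10.66.244.0/29 [1/0] via 192.168.100.1
C 10.66.253.0/24 is directly connected, Vlan101
L 10.66.253.2/32 is directly connected, Vlan101
C 192.168.100.0/29 is directly connected, Vlan100
L 192.168.100.2/32 is directly connected, Vlan100
"""
# Constructed ASA table (assumption: the production ASA config was not posted) from the
# lab config: connected inside subnet + "route inside 192.168.1.0 255.255.255.0 192.168.100.2"
ASA_ROUTES = [
    (ipaddress.ip_network("192.168.100.0/24"), "connected inside"),
    (ipaddress.ip_network("192.168.1.0/24"), "192.168.100.2"),
]

# Matches S/C/L entries; the optional "*" marks a candidate default route
ROUTE_RE = re.compile(
    r"^\s*([SCL])\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(?:\[\d+/\d+\]\s+)?"
    r"(?:via\s+(\S+)|is directly connected,\s+(\S+))"
)
def parse_show_ip_route(text):
    """Return [(network, next_hop_or_interface)] from IOS 'show ip route' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code, prefix, via, iface = m.groups()
        if code == "L":  # local /32 of the switch's own SVI address, not a forwarding route
            continue
        routes.append((ipaddress.ip_network(prefix), via or iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: next hop / exit interface for dst, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def ping_path_ok(switch_routes, asa_routes, pc, asa_inside):
    """A ping needs a forward path on the switch AND a return route on the ASA."""
    forward = lookup(switch_routes, asa_inside)
    back = lookup(asa_routes, pc)
    return {"forward": forward, "return": back, "ok": forward is not None and back is not None}
```

With the lab PC (192.168.1.100) both directions resolve, while a PC in 10.66.253.0/24 reaches the switch's Vlan100 but the lab ASA table has no route back to it; ICMP policy on the ASA is a separate check.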
