Unexpected SVI Behaviour

Luke Robertson
Level 1

I'm looking at a network (which I don't usually manage), which is being migrated from a flat (single VLAN - 1) network to a multi-VLAN network.

We have Cisco 3750 (2 switches stacked) as the core (IOS 15.2(1)E), with SVIs to provide first-hop routing. There are several Dell switches at the access layer.

Workstations and servers are both still in VLAN 1 at this time.

An administrator changed the DHCP scope, so workstations are now on a different subnet (10.61.72.0 /22), while servers are still on the original subnet (10.61.106.0 /23). Unfortunately, the workstations have not yet been moved to VLAN 120, as was the plan.

These SVIs have been configured:

interface Vlan1
 ip address 10.61.106.170 255.255.254.0
interface Vlan120
 ip address 10.61.72.2 255.255.255.0

The subnet mask of SVI VLAN 120 is wrong. It should be 255.255.252.0.

My test workstation is on VLAN 1, and its IP is 10.61.74.79. Its default gateway is 10.61.72.2 and it is connected directly into the Catalyst. The port it is connected to is:

interface GigabitEthernet1/0/10
 switchport mode access

What's confusing me is, my test laptop is in VLAN 1, but it can ping the IP address of SVI VLAN 120.

Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is a44c.1173.e8c0 (bia a44c.1173.e8c0)
Vlan120 is up, line protocol is up
  Hardware is EtherSVI, address is a44c.1173.e8ca (bia a44c.1173.e8ca)

This is the ARP table on my laptop:

Interface: 10.61.74.54 --- 0xd
  Internet Address      Physical Address      Type
  10.61.72.2            a4-4c-11-73-e8-c0     dynamic

So the laptop thinks that the MAC for 10.61.72.2 is SVI VLAN1, when this IP is on SVI VLAN 120. I would have thought that the laptop would not be able to ping this address, being on a different VLAN.

I'm trying to understand this behaviour before helping with the migration to VLAN 120. Why is VLAN 1 responding to a ping for an IP on VLAN 120?

Thanks

1 Accepted Solution

Would the original poster post the output of show ip interface vlan1? I am guessing that it has proxy arp enabled. In that case I believe that this is what is happening:

- PC does arp for its configured default gateway 10.61.72.2.

- SVI vlan 1 sees the ARP request and responds with its own MAC address.

- PC uses a4-4c-11-73-e8-c0 as the MAC address and sends ping.

- SVI vlan 1 receives and processes the ping.

Note that if the mask on interface vlan 120 had been correct, the switch would have tried to send the response back through vlan 120 and the ping would have failed.

The major weakness in this explanation is that most IOS devices will reject an arp request if the source address of the request is in a subnet different from the subnet configured on the interface. Wondering why this works makes me wonder whether ip routing is enabled on these switches. This behavior would make more sense if these switches are operating as layer 2 switches. And if the existing network has been a flat vlan 1 network then layer 2 operation would be logical. Perhaps the original poster can provide some clarification about this?

HTH

Rick
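The connected-subnet lookup behind the note about the wrong mask, as an added example that is not part of the original thread: it parses the SVI lines the original poster gave and shows which SVI owns the gateway address and which connected subnet, if any, covers the workstation under the posted /24 mask and under the intended /22. It models only longest-prefix matching on connected subnets, not IOS proxy ARP logic; the function names are hypothetical.

```python
import ipaddress
import re

# SVI configuration as posted in the thread (Vlan120 carries the wrong /24 mask).
POSTED_CONFIG = """\
interface Vlan1
 ip address 10.61.106.170 255.255.254.0
interface Vlan120
 ip address 10.61.72.2 255.255.255.0
"""

def parse_svis(config):
    """Return {interface name: IPv4Interface} from 'interface' / 'ip address' lines."""
    svis, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m and current:
            svis[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return svis

def connected_interface(svis, host):
    """Longest-prefix match of host against the connected subnets; None if no match."""
    host = ipaddress.ip_address(host)
    matches = [(iface.network.prefixlen, name) for name, iface in svis.items() if host in iface.network]
    return max(matches)[1] if matches else None

def owning_interface(svis, address):
    """Name of the SVI that holds this exact address, or None."""
    address = ipaddress.ip_address(address)
    return next((n for n, i in svis.items() if i.ip == address), None)

def with_mask(svis, name, mask):
    """Copy of svis with one interface re-masked (models the corrected config)."""
    fixed = dict(svis)
    fixed[name] = ipaddress.ip_interface(f"{svis[name].ip}/{mask}")
    return fixed

if __name__ == "__main__":
    posted = parse_svis(POSTED_CONFIG)
    corrected = with_mask(posted, "Vlan120", "255.255.252.0")
    for label, svis in (("posted", posted), ("corrected", corrected)):
        print(label, "gateway on:", owning_interface(svis, "10.61.72.2"),
              "| return path for 10.61.74.79:", connected_interface(svis, "10.61.74.79"))
```

With the posted mask the workstation address falls in no connected subnet; with 255.255.252.0 it falls in the Vlan120 subnet, which is the case the answer says would send the reply out VLAN 120.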

4 Replies

devils_advocate
Level 7

You may want to double check your config as you show the subnet for Vlan 1 as being 10.61.106.0 /23 yet your IP address is 10.61.74.79 which suggests you are getting an address from Vlan 120. Are you sure the port you are plugged into is not a member of Vlan120?

On the Cisco switch, do the following and post the results

#show ip arp 10.61.106.170

#show ip arp 10.61.72.2

Thanks

I've done some more research into proxy-arp, and this does explain what I'm seeing here.

I don't think this will become a problem, I'm just glad to understand why this is happening.

Thanks for your help

I am glad that my suggestion did point you in the right direction toward a solution for your issue. I agree that proxy arp does explain the symptoms. Thank you for using the rating system to mark this question as answered.

HTH

Rick
