cannot route between VLANs on 6509 switch


I have just installed a new Cisco 6509 switch and I have 2 VLANs:

VLAN 2

VLAN 3


I set up 2 interfaces on it:

int vlan 2

ip address 192.168.6.4


int vlan 3

ip address 192.168.7.1


I verified they're in no shutdown mode. I can ping both ip addresses when logged into the switch but I cannot ping between 2 hosts on the different subnets.


I have a default static route going to 192.168.6.1

(i.e. ip route 0.0.0.0 0.0.0.0 192.168.6.1 )


If I do sho ip route, it shows the 2 vlans that are directly connected and it shows the static route as well.


I want the 6509 to do the layer 3 routing between the VLANs.



Jon Marshall Wed, 04/16/2008 - 06:42

Have you set the default gateways on your hosts to the relevant interface address on your 6509?


i.e. host in vlan 2 should have default gateway 192.168.6.4


host in vlan 3 should have default gateway 192.168.7.1


Have you got any firewalls on the hosts?


Jon

mattcalderon Wed, 04/16/2008 - 06:42

If you issue the command sh vlan, do you see vlans 2 and 3? If you do, good, then your vlans are created.


Also if you can do a sh ip route, your ip routing is enabled.


Have you put the switchports in the vlans that your hosts are in?


Example


int fa1/1

switchport access vlan 2


int fa1/2

switchport access vlan 2


Your ports need to be a member of the vlan that the pc is assigned to.

Edison Ortiz Wed, 04/16/2008 - 06:43

The hosts were configured with a default gateway pointing to their respective Vlan?


For instance, on host in Vlan 2, this device must be connected on a switchport with 'access vlan 2'. In addition, the IP address must be in the 192.168.6.1-254 range (excluding 192.168.6.4, of course). The gateway must be 192.168.6.4


The same idea should be implemented on the device sitting on Vlan3.


HTH,


__


Edison.

Edison Ortiz Wed, 04/16/2008 - 07:41

Please post the switch config along with show ip route and show vlan.


Please also post the output from typing ipconfig /all from both devices.


__


Edison.

sundar.palaniappan Wed, 04/16/2008 - 07:56

Just a hunch: could ICMP redirects be causing this problem?


Can you configure this command 'no ip redirects' under the vlan interface(s) and do the ping again. If possible, post the output of 'route print' from the PC itself.


HTH


Sundar



interface FastEthernet4/25
 no ip address
 switchport
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet4/26
 no ip address
 switchport
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet4/27
 no ip address
 switchport
 switchport access vlan 2
 spanning-tree portfast
...
...
interface FastEthernet8/17
 no ip address
 switchport
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet8/18
 no ip address
 switchport
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet8/19
 no ip address
 switchport
 switchport access vlan 3
 spanning-tree portfast
...
interface Vlan2
 description Data
 ip address 192.168.6.4 255.255.255.0
!
interface Vlan3
 description Servers
 ip address 192.168.7.1 255.255.255.0
!
ip default-gateway 192.168.6.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 192.168.7.0 255.255.255.0 192.168.6.1
ip http server

---------------------------
sho ip route

Gateway of last resort is 192.168.6.1 to network 0.0.0.0

C    192.168.6.0/24 is directly connected, Vlan2
C    192.168.7.0/24 is directly connected, Vlan3
S*   0.0.0.0/0 [1/0] via 192.168.6.1

------------------------------------
sho vlan

2    Data       active    Fa3/1, Fa3/2, Fa3/3, Fa3/4
                          Fa3/5, Fa3/6, Fa3/7, Fa3/8
                          Fa3/9, Fa3/10, Fa3/11, Fa3/12
                          Fa3/13, Fa3/14, Fa3/15, Fa3/16
                          Fa3/17, Fa3/18, Fa3/19, Fa3/20
                          etc.

3    Servers    active    Fa8/1, Fa8/2, Fa8/3, Fa8/4
                          Fa8/5, Fa8/6, Fa8/7, Fa8/8
                          Fa8/9, Fa8/10, Fa8/11, Fa8/12
                          etc.

------------------------

There's a PIX firewall that's connected to one of the ports in VLAN 2 and that has the ip address 192.168.6.1.


Edison Ortiz Wed, 04/16/2008 - 08:41

The switch configuration looks fine.


1) Vlans were created in Layer2 and Layer3


2) The port membership is correctly assigned


3) You have ip routing running per the show ip route output. Both routes are shown as connected.



The problem indicates something wrong in the workstation configs.


Can you ping the PIX from the 6509 while sourcing from Vlan3?


Please remember, the PIX needs to have a route to 192.168.7.0/24 in order to work.


(route add 192.168.7.0 255.255.255.0 192.168.6.4)

__


Edison.


Correct Answer
Edison Ortiz Wed, 04/16/2008 - 09:28

Excellent, please make sure to mark the thread as 'resolved'. I'm sure it will help others with similar problems.


Thanks


lamav Wed, 04/16/2008 - 09:34

Edison:


Can you clarify something for me?


When you recommended adding a route to the 192.168.7.0 network on the PIX so that "it" would work, you were talking about PINGing from the switch to the PIX and sourcing vlan3, right?


Because it doesn't make sense to me that he should have to add a route to the 7.0 subnet to have successful inter-VLAN routing, UNLESS the PIX is indeed proxy ARPing and hosts on the 6.0 subnet are forwarding their traffic to the PIX. Without a route to the 192.168.7.0 network, the PIX was dropping the traffic.


Why would a host on vlan 2 that is trying to communicate with a host on vlan 3 be affected by the routing on the firewall? It shouldn't. All the traffic should stay local to the switch.


Set me straight...


Victor

Edison Ortiz Wed, 04/16/2008 - 09:39

When you recommended adding a route to the 192.168.7.0 network on the PIX so that "it" would work, you were talking about PINGing from the switch to the PIX and sourcing vlan3, right?



Yes.


Why would a host on vlan 2 that is trying to communicate with a host on vlan 3 be effected by the routing on the firewall?


I wasn't targeting the hosts with my reply. I was trying another device to test inter-vlan routing in the switch. It seems the hosts have a problem on their own but it also seems the OP got that part working.




lamav Wed, 04/16/2008 - 09:44

Exactly. That's what I thought. You were just making a recommendation so that a suggested PING test would work. But adding that route also fixed his inter-vlan routing problem.


So, although adding a route to the 7.0 subnet on the PIX "fixed" his inter-vlan routing, he should not have had to do that, unless he has proxy arp enabled on the FW's interface.


So, I think adding the static route to the FW is really a band-aid to fix a misconfiguration. Unless, of course, for some operational reason that we are not privy to, proxy arp MUST be turned on the PIX interface. Otherwise, it should probably be turned off.


Victor

sundar.palaniappan Wed, 04/16/2008 - 09:51

Guys,


Adding a static route on the PIX to get to the 192.168.7.0 network wouldn't fix the problem. PIX, by default, doesn't route traffic out the same interface it received the traffic on. Though, if the code supports it there's some additional configuration that can be used to get this to work.


HTH


Sundar

Edison Ortiz Wed, 04/16/2008 - 09:56

My guess is (again, I'm guessing), the OP created another subnet and wanted this subnet to traverse the PIX for internet/outside connectivity.


That subnet wasn't working and he posted his question here but forgot to introduce the PIX into the equation until he was pressed to provide more information.


For the PIX to serve a subnet other than its own, a route add must be entered and once the OP did, everything worked as designed.


Again, I guess we should let the OP answer your inquiries as I'm just replying to you out of courtesy.


My goal was identifying the inter-vlan configuration was properly done in the switch. Since he brought up another device into the equation (PIX), I had him test against that. My goal on that reply was never intended to fix his workstation issues, but it did. It's unknown up to this point how he was testing but it now works...


Gotta run, have a 2pm, adios ..



sundar.palaniappan Wed, 04/16/2008 - 10:09

""For the PIX to serve a subnet other than its own, a route add must be entered and once the OP did, everything worked as designed.""


Even if your guess is correct, in a PIX you need more than just adding a route to forward traffic between interfaces. You would need an access rule + nat configuration if nat control is enabled etc..


You don't have to respond to this but just highlighting something PIX needs in addition to the route.


However, I agree with you the OP would have to provide more information to really know what the underlying problem was.


HTH


Sundar

sundar.palaniappan Wed, 04/16/2008 - 09:42

Glad to hear your issue is resolved :-)


Are you saying you had to add a route on the PC for the other VLAN? If the PC's default gateway was pointing to the switch's VLAN interface IP then you shouldn't require a specific route in the PC.


The default route, aka gateway of last resort, in the switch is pointing to the PIX. I have seen problems on a few occasions, with a setup similar to yours, when a LAN host sends traffic to its gateway (router) and that router uses another router or firewall in the same LAN segment as its gateway: the router would send an ICMP redirect packet to the PC. The PC could then accept that packet and start sending future communications to that remote network via the redirected gateway. We don't know if your issue was caused by the ICMP redirect or some route misconfiguration in the PC itself.

lamav Wed, 04/16/2008 - 09:48

sundar:


Are you saying you had to add a route on the PC for the other VLAN. If the PC's default gateway was pointing to the switch's VLAN interface IP then you shouldn't require a specific route in the PC.


He added a route on the PIX, not the PC. But he shouldn't have had to do that either.


Scroll up and see my comments to Edison.


Victor


sundar.palaniappan Wed, 04/16/2008 - 09:56

Victor,


Our posts crossed each other. I responded to your query about adding a route to the PIX. By default, PIX doesn't route traffic out the same interface it received the traffic on.


HTH


Sundar

Richard Burts Wed, 04/16/2008 - 08:43

Gilbert


The config that you posted seems reasonably straightforward. I do not see any serious issue (other than that the static route ip route 192.168.7.0 255.255.255.0 192.168.6.1 is incorrect: since 192.168.7.0 is a connected subnet on VLAN 3, you cannot route it to a VLAN 2 address).


I know that you have said that the PCs are configured with correct gateways. But if the switch can successfully ping the PC with a standard ping but can not ping the PC with extended ping (which is what I believe you are describing) then it sure sounds like there is a problem with the gateway on the PC. Or perhaps that the PC is configured with a route that points somewhere else.


It would be really helpful if you would post the output of ipconfig and of route print from the PCs.


HTH


Rick
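The two configuration faults raised in this thread (a static route that points a directly connected subnet at another next hop, and hosts whose default gateway is not the SVI address of their own subnet) are easy to catch mechanically. The Python below is an added example and not code from the thread or from Cisco; SWITCH_CONFIG reproduces the relevant lines of the config the OP posted, the 192.168.6.10 host entry is what the OP later described, and the 192.168.7.10 server entry is an assumption for contrast. The check on `ip default-gateway` rests on general IOS behaviour (that command is only consulted when IP routing is disabled), which the thread itself does not state.

```python
"""Audit the posted 6509 config and host gateway settings.

Added example, not from the thread. SWITCH_CONFIG reproduces the relevant
lines of the config the OP posted; HOSTS holds the 192.168.6.10 workstation
as the OP later described it plus an assumed 192.168.7.10 server for contrast.
"""
import ipaddress
import re

SWITCH_CONFIG = """\
interface Vlan2
 description Data
 ip address 192.168.6.4 255.255.255.0
!
interface Vlan3
 description Servers
 ip address 192.168.7.1 255.255.255.0
!
ip default-gateway 192.168.6.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 192.168.7.0 255.255.255.0 192.168.6.1
"""

HOSTS = {                            # host address -> configured default gateway
    "192.168.6.10": "192.168.6.1",   # from the OP's later post
    "192.168.7.10": "192.168.7.1",   # assumed server in Vlan3
}


def parse_svis(cfg):
    """Return {interface name: IPv4Interface} for every interface with an address."""
    svis, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and current:
            svis[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return svis


def parse_static_routes(cfg):
    """Return [(IPv4Network, IPv4Address next hop)] from 'ip route' lines."""
    routes = []
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M):
        routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
                       ipaddress.ip_address(m.group(3))))
    return routes


def audit(cfg, hosts):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    findings = []
    svis = parse_svis(cfg)
    connected = {iv.network: name for name, iv in svis.items()}
    routes = parse_static_routes(cfg)
    # Rick's point: a static for a subnet that is directly connected on an SVI
    # can never be used (the connected route wins) and signals confusion.
    for net, nh in routes:
        if net in connected:
            findings.append(
                f"static route {net} via {nh} points a subnet that is directly "
                f"connected on {connected[net]} at another next hop; the connected "
                f"route wins, remove the static")
    # ip default-gateway only applies when IP routing is disabled (general IOS
    # behaviour, not stated in the thread); on a routing switch it is dead config.
    if re.search(r"^ip default-gateway ", cfg, re.M) and routes:
        findings.append("ip default-gateway is ignored while ip routing is enabled; "
                        "the 0.0.0.0/0 static route is what the switch actually uses")
    # Jon's and Edison's point: each host's gateway must be the SVI of its subnet.
    for host, gw in hosts.items():
        h = ipaddress.ip_address(host)
        for name, iv in svis.items():
            if h in iv.network and ipaddress.ip_address(gw) != iv.ip:
                findings.append(f"host {host} uses gateway {gw}; for inter-VLAN routing "
                                f"on the 6509 it should be {iv.ip} ({name})")
    return findings


if __name__ == "__main__":
    for f in audit(SWITCH_CONFIG, HOSTS):
        print("-", f)
```

Run against the posted config it reports three findings: the bogus 192.168.7.0/24 static, the unused `ip default-gateway`, and the 6.10 workstation pointing at the PIX instead of 192.168.6.4. Feed it the `ipconfig /all` gateways of other workstations to find every host that still needs changing.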

lamav Wed, 04/16/2008 - 08:54

Hi:


Check the workstations, as recommended.


I am also wondering if proxy arp should be disabled on the FW's interface (192.168.6.1).


As far as I can remember, proxy arp is enabled by default on the PIX, so you would need to apply the sysopt noproxyarp command to the interface to disable proxy arp.


If that is indeed the problem, when you do an arp -a on a workstation in vlan 2 (192.168.6.0/24 subnet), you will see the MAC address for the FW's interface bound to IP addresses on the 192.168.6.0/24 subnet, instead of the router's vlan 2 interface.


HTH


Victor

sundar.palaniappan Wed, 04/16/2008 - 09:54

Guys,


Unless I am missing something in the post, since it's quite a long thread, this should work without having to add a static route to the PC.


OP indicated he has the following 2 VLANs in his switch. His PCs on both VLANs are using these addresses as their default gateway. Real simple - this should have worked under normal circumstances without additional configuration in the PC or PIX.


int vlan 2

ip address 192.168.6.4


int vlan 3

ip address 192.168.7.1



HTH


Sundar

sundar.palaniappan Wed, 04/16/2008 - 10:08

""For the PIX to serve a subnet other than its own, a route add must be entered and once the OP did, everything worked as designed.""


Even if your guess is correct, in a PIX you need more than just adding a route to forward traffic between interfaces. You would need an access rule + nat configuration if nat control is enabled etc..


However, I agree with you the OP would have to provide more information to really know what the underlying problem was.


HTH


Sundar

lamav Wed, 04/16/2008 - 10:10

Sundar:


Just to set things straight, since there was so much back and forth going on...


1.) I think I can speak for Edison (since I already clarified it with him) when I say that he only recommended adding the route to the 7.0 subnet on the PIX, not the PC, so that a suggested PING test between the switch and the PIX would work. It wasn't to address the inter-vlan routing issue between vlans 2 and 3.


2.) Upon adding the static route to the 7.0 subnet on the PIX, inter-vlan routing started working.


3.) I think we all agree that that should NOT have fixed the inter-vlan routing problem, and that if it did, it's because it is acting as a band-aid. I think we all agree that the traffic should have stayed local to the L3 switch and the PIX should have had nothing to do with routing between 2 vlans that are configured locally on the switch.


To that, I say that the FW was receiving traffic bound for the 7.0 subnet from hosts on the 6.0 subnet -- and I think that the reason for that is that proxy arp on the PIX interface is enabled.


If it is, the PIX will respond to all ARP requests that are broadcast on the 6.0 subnet for destinations on the 7.0 subnet, making hosts on the 6.0 subnet think that they should forward their traffic to the PIX. However, without a route to the 7.0 subnet, the PIX was dropping the traffic -- that is, until the OP added the static route to the PIX for the 7.0 subnet.


Anyway, I hate rehashing entire conversations, but this problem is a real good one "for the books," so IMHO, it's worth understanding exactly what is wrong and what fixed the problem.


Thanks


Victor

sundar.palaniappan Wed, 04/16/2008 - 10:25

Victor,


""To that, I say that the FW was receiving traffic from hosts on the 6.0 subnet and I think that the reason for that is that proxy arp on the PIX interface is enabled. If it is enabled, but doesn't have to be for some other operational reason, it should be disabled.""


I thought about it too. But if, when the PC ARPed for the gateway (switch) address, the PIX had responded (proxy ARP), then the OP wouldn't have been able to ping the PC from the switch itself. It's only when traffic was sourced from a remote network that the pings were failing. Hence, it looks like, for whatever reason (IP redirects, proxy ARP, etc.), the PC was sending the traffic to the PIX to get to the 7.0 network instead of sending it to the switch.


I responded a few times, probably too many, about the PIX and a static route alone wouldn't have addressed the issues if the PIX had been routing the traffic between the VLANs.


I totally agree with you we don't have all the facts to make an accurate determination as to what caused the problem to begin with.


:-)


HTH


Sundar



I think the PIX is handling the layer 3 routing for that subnet 192.168.6.x and the switch is handling layer 3 routing for the 192.168.7.x subnet.


The workstations in the 6.x subnet are configured like this:

192.168.6.10

255.255.255.0

192.168.6.1 <--default gateway


I did notice that on the PIX there's a route for the 6.x subnet pointing to 192.168.6.1

Edison Ortiz Wed, 04/16/2008 - 12:43

They should point to 6.4 (The L3 switch).



lamav Wed, 04/16/2008 - 13:37

The workstations in the 6.x subnet are configured like this:


192.168.6.10

255.255.255.0

192.168.6.1 <--default gateway


Yo, G:


You gotta be kidding, dude...


Not for nothing, but the first thing everyone asked you to do (like 10 times) was to make sure that users on the 6.0 subnet had their default gateways pointing to the 6.4 address on the switch, and you swore up and down that they were...


We've been chasing our tails for nothing.

sorry about that. But I never said they were pointing to 6.4, I just said that the config looked correct.


I have 200+ workstations that are pointing to 6.1 and it's a 24x7 operation so I can't just change it on all the workstations to 6.4.


By the way, if I was to point the workstations to 6.4, would the switch do the layer 3 routing? (by merely pointing the workstations to the L3 switch?)


Edison Ortiz Thu, 04/17/2008 - 07:02

Currently, you are experiencing asymmetrical routing.


When a workstation from the 6.x subnet wants to reach a workstation in the 7.x subnet, it goes to the PIX and from the PIX to the L3 switch then its final destination.


When that workstation in the 7.x subnet responds back, it goes to the L3 switch then its final destination.


My recommendation is to resolve this issue by either changing the default gateway on the 6.x subnet devices or swapping the IP addresses between the PIX and the L3 switch.


It would've helped if you had mentioned the PIX was in the picture and that the 6.x subnet was using that device as its default gateway.


I'm also surprised the PIX is honoring ICMP redirects.


By the way, if I was to point the workstations to 6.4, would the switch do the layer 3 routing? (by merely pointing the workstations to the L3 switch?)




Yes.



HTH,


__


Edison.
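To make the asymmetric path Edison describes concrete, here is a small hop-by-hop forwarding model. It is an added example, not code from the thread or from any Cisco product. The host, PIX and 6509 SVI addresses come from the posts; the server 192.168.7.10, the PIX route 192.168.7.0/24 via 192.168.6.4 (the route Edison suggested adding) and the two behaviour flags are assumptions. It traces a packet from the 6.x workstation to the 7.x server with the gateway set to the PIX and then to the switch, and also models the two behaviours Sundar raised: a router that would forward a packet back out the interface it arrived on may instead send an ICMP redirect, after which the host installs a host route and bypasses the PIX, or, if it refuses to hairpin at all, simply drops the packet.

```python
"""Hop-by-hop forwarding model for the topology discussed in the thread.

Added example, not from the original posts. Addresses for the host, PIX and
6509 SVIs are taken from the thread; the server 192.168.7.10, the PIX route
192.168.7.0/24 via 192.168.6.4 and the hairpin/redirect flags are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    interfaces: dict                            # ifname -> "addr/prefix"
    routes: list = field(default_factory=list)  # (prefix, next_hop) pairs
    hairpin: bool = True                        # forward back out the ingress interface?
    sends_redirects: bool = True                # send ICMP redirect when hairpinning?

    def owns(self, ip):
        ip = ipaddress.ip_address(ip)
        return any(ipaddress.ip_interface(a).ip == ip for a in self.interfaces.values())

    def iface_for(self, ip):
        """Name of the interface whose subnet contains ip (None if not local)."""
        ip = ipaddress.ip_address(ip)
        for name, addr in self.interfaces.items():
            if ip in ipaddress.ip_interface(addr).network:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match over connected subnets and static routes.
        Returns (network, next_hop); next_hop None means directly connected.
        On a tie the connected route wins, as it does on a real router."""
        dst = ipaddress.ip_address(dst)
        candidates = [(ipaddress.ip_interface(a).network, None) for a in self.interfaces.values()]
        candidates += [(ipaddress.ip_network(p), nh) for p, nh in self.routes]
        matches = [c for c in candidates if dst in c[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda c: (c[0].prefixlen, c[1] is None))


def trace(nodes, src, dst, max_hops=8):
    """Return the node names a packet from src traverses towards dst.
    A hop that would forward back out its ingress interface either drops the
    packet (hairpin=False) or, if it sends redirects, installs a host route on
    the originating node so that later packets go to the next hop directly."""
    by_ip = {str(ipaddress.ip_interface(a).ip): n
             for n in nodes.values() for a in n.interfaces.values()}
    origin = cur = nodes[src]
    path, in_iface = [src], None
    for _ in range(max_hops):
        if cur.owns(dst):
            return path
        _, nh = cur.lookup(dst)
        gateway = dst if nh is None else nh
        if in_iface is not None and cur.iface_for(gateway) == in_iface:
            if not cur.hairpin:
                return path + ["DROP"]
            if cur.sends_redirects and nh is not None:
                origin.routes.insert(0, (f"{dst}/32", nh))   # ICMP redirect accepted
        cur = by_ip[gateway]
        path.append(cur.name)
        in_iface = cur.iface_for(gateway)
    raise RuntimeError("hop limit exceeded")


def build(host_gateway):
    """Topology from the thread; host_gateway is what the 6.x workstation uses."""
    nodes = [
        Node("host-6.10", {"eth0": "192.168.6.10/24"}, [("0.0.0.0/0", host_gateway)]),
        Node("server-7.10", {"eth0": "192.168.7.10/24"}, [("0.0.0.0/0", "192.168.7.1")]),
        Node("6509", {"Vlan2": "192.168.6.4/24", "Vlan3": "192.168.7.1/24"},
             [("0.0.0.0/0", "192.168.6.1")]),
        Node("PIX", {"inside": "192.168.6.1/24"}, [("192.168.7.0/24", "192.168.6.4")]),
    ]
    return {n.name: n for n in nodes}


def demo():
    """Run the scenarios the thread argues about and return their paths."""
    out = {}
    n = build("192.168.6.1")                 # gateway = PIX, as the OP had it
    out["pix_gw_forward"] = trace(n, "host-6.10", "192.168.7.10")
    out["pix_gw_return"] = trace(n, "server-7.10", "192.168.6.10")
    out["pix_gw_after_redirect"] = trace(n, "host-6.10", "192.168.7.10")
    n = build("192.168.6.4")                 # gateway = 6509 SVI, as recommended
    out["switch_gw_forward"] = trace(n, "host-6.10", "192.168.7.10")
    out["switch_gw_return"] = trace(n, "server-7.10", "192.168.6.10")
    n = build("192.168.6.1")
    n["PIX"].hairpin = False                 # Sundar: PIX won't route out the ingress interface
    out["pix_no_hairpin"] = trace(n, "host-6.10", "192.168.7.10")
    return out


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:24s} {' -> '.join(path)}")
```

With the gateway on the PIX the forward path is host, PIX, 6509, server while the reply comes straight back through the 6509, which is the asymmetry Edison describes; with the gateway on the SVI both directions stay on the switch. The redirect and no-hairpin cases show why the symptom can look different depending on what the firewall does with a packet it would have to send back out the inside interface.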
