MLS SVIs enforce correct subnet mask, 2620 doesn't?

Answered Question
May 22nd, 2008

A customer network had a 2620 router trunked to a 2950 switch with some hosts in VLAN 2 and some with no access port assignment. Hosts on the native VLAN were able to access (per user reports) a server on VLAN 2 until we replaced the 2620 with a 3750 MLS. I put the untagged ports in VLAN 3, set up SVIs for VLAN 2 and 3, and trunked to the 2950. The subnets were consecutive /27s that could form a /26. During troubleshooting, I found the customer had given the VLAN 2 server the /26 mask. The server could talk to other VLAN 2 hosts, ping its SVI gateway and Internet hosts, but not the VLAN 3 SVI or hosts. VLAN 3 hosts could ping any VLAN 2 host except the server. Once the mask on the VLAN 2 server was corrected, all worked as expected. Thoughts? How did the mask affect inter-VLAN routing on an MLS but not a router?

Richard Burts Thu, 05/22/2008 - 09:07

Steve

From your description of the symptoms I would guess that there was a difference between the 2620 and the 3750 regarding proxy ARP. Perhaps it was a config change that did not seem significant, or perhaps it is a different default behavior in the IOS.

Before we talk about proxy ARP, let us be clear that when the server had the /26 mask it considered the hosts in VLAN 2 and 3 to all be local devices and would ARP for the addresses of any of them.

If the server does ARP for an address in VLAN 2 then the destination host receives the ARP and responds, and the server can reach it. And for any destination outside of VLAN 2 and 3 the server just forwards to its default gateway. So this explains how the server was able to reach hosts in VLAN 2 and hosts outside. But when the server wanted to reach hosts in VLAN 3 it would still ARP for them (since it believes that they are local). If the 2620 had proxy ARP enabled then the 2620 would respond to the ARP request, and when the server sent it the packet the 2620 would forward it to the host in VLAN 3. But if the server sends the ARP and the 3750 does not have proxy ARP enabled then the 3750 will not respond. The ARP never reaches the destination host since it is in a different VLAN and the ARP broadcast is not forwarded between VLANs.

If you do "show ip interface vlan 2" I believe that you will find that proxy ARP is not enabled. If you were to do that on the 2620 I believe that you would find that proxy ARP was enabled.

HTH

Rick

Stephen Berk Thu, 05/22/2008 - 09:57

I looked at the proxy ARP configs and it was disabled in both configs ("no ip proxy-arp" on the SVI for the 3750, on the physical interface for the 2620). The server should have ARP'd for a hardware address since it thought it was on the same subnet, the 2620 FE 0/1.2 must have replied with its MAC address, and then passed future packets to the processor or ASICs for routing. The 3750 "seems" to be refusing to route (but still switches L2 VLAN traffic, as VLAN 2 hosts could talk to the server, even when trunked to different switches) between hosts with masks that don't match its SVI mask.

Richard Burts Thu, 05/22/2008 - 10:48

Steve

You are specific that the physical interface FE0/1 was configured with no ip proxy-arp but not specific about the subinterface for VLAN 2. Does that mean that the subinterface was not configured with no ip proxy-arp? If it is not turned off then by default it is enabled. And that fits my theory of the issue, since with proxy ARP enabled the router subinterface would have received the ARP request, would have responded with its own MAC, and would have forwarded any packets sent to it.

You comment: "The 3750 "seems" to be refusing to route" and I am not sure about that. Any device in VLAN 2 should be able to communicate with the server since they are all in the same broadcast domain, and can therefore ARP for each other and talk directly to each other. There is no routing in that. I believe that the original post indicates that the server can talk to devices in remote networks, so the 3750 is certainly routing for that. And the failure of the server to communicate with VLAN 3 is not a failure to route but is a failure of the server to send the packets to its default gateway.

HTH

Rick

Stephen Berk Thu, 05/22/2008 - 10:58

Proxy ARP was not turned off on the 2620 subinterfaces, just the master/physical interface. That's a good lead, I'll pull a 2620 out of storage and see if I can disable proxy ARP on the subinterfaces.

Once the 3750 replaced the 2620, the server (with an incorrect mask) on VLAN 2 couldn't talk to anyone on VLAN 3, but other hosts (with correct masks) on VLAN 2 could talk to VLAN 3. The behavior suggested that the 3750 was looking at the mask of the server in determining whether it would switch packets between subnets.

Thanks for the info on the possible proxy ARP problem, I'm going to check it out now!

Correct Answer
Richard Burts Thu, 05/22/2008 - 11:06

Steve

The 3750 is not looking at the mask used on the server. The real issue is on the server and how it determines how it chooses to communicate with addresses in VLAN 3. Since it considers the addresses to be "local" it will ARP for them (for any address that is not local the server will forward to its default gateway). If the server ARPs for them and receives no response (because proxy ARP is disabled) then it cannot communicate with them.

Consider that the only decision the 3750 has made in this was the decision whether to respond when it receives an ARP request for an address in VLAN 3. If it had responded (proxy ARP enabled) then the server can communicate with VLAN 3. But when the 3750 does not respond to that ARP (proxy ARP disabled) then the server cannot communicate with VLAN 3.

You certainly should be able to configure no ip proxy-arp on the subinterfaces of the 2620. Any IP interface or subinterface is capable of proxy ARP. It is enabled by default. And you can configure any of those interfaces to disable it, on an interface-by-interface basis. So disabling proxy ARP on the physical interface has no effect on its subinterfaces. If you want it disabled on the subinterface then you must configure it on the subinterface.

HTH

Rick

Stephen Berk Thu, 05/22/2008 - 11:17

The light bulb just went off. :)

My understanding of ARP was incorrect. I didn't realize proxy ARP was required for the router to respond in that manner. It must have been enabled on the subinterfaces and wasn't on the SVIs, hence the problem. Thank you, sir!

Richard Burts Thu, 05/22/2008 - 11:41

Steve

I just love it when I can help the light bulb go off.

Yes, ARP is designed as a "local" function. You should ARP for local destinations and use the default gateway for remote destinations. And you should respond to ARP when the address being asked for is on the local subnet.

The question comes up of what to do if the router/L3 switch gets an ARP request for an address that is remote. Should the router respond (should it be a proxy for the remote device) or not respond? If proxy ARP is disabled then the router does not respond, the rule that ARP is for local communication is enforced, and communication does not happen. If proxy ARP is enabled then the router does respond, we bend the rule a little bit that ARP is for local communication, and communication is facilitated.

HTH

Rick
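The decision logic Rick describes above (the host picks "ARP" or "default gateway" from its own mask; the router answers a foreign-subnet ARP only when proxy ARP is on) can be simulated end to end. The following is an added example, not code from the original thread or from Cisco. It uses constructed RFC 5737 documentation addresses (192.0.2.0/27 for VLAN 2, 192.0.2.32/27 for VLAN 3, the two /27s that form a /26, gateways .1 and .33, a server at .10, hosts at .20 and .40, an "Internet" host at 198.51.100.5); the host and router names are assumptions for the illustration. It reproduces every symptom in the original post, including the one that looked like the 3750 "refusing to route": VLAN 3 hosts reach the gateway fine, but the server's replies never leave its VLAN because it ARPs for them.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ip: str
    prefixlen: int   # the mask the host is configured with (may be wrong)
    gateway: str
    vlan: str        # the L2 broadcast domain the host actually sits in


@dataclass
class L3Interface:
    vlan: str        # broadcast domain served (SVI or dot1Q subinterface)
    ip: str
    prefixlen: int
    proxy_arp: bool  # IOS default is enabled; "no ip proxy-arp" turns it off


def _net(ip, prefixlen):
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


class Router:
    """Models only the one decision that matters here: answer an ARP or not."""

    def __init__(self, interfaces):
        self.by_vlan = {i.vlan: i for i in interfaces}

    def answers_arp(self, vlan, target):
        """Does the router reply to an ARP request for `target` heard on `vlan`?"""
        ifc = self.by_vlan[vlan]
        target = ipaddress.ip_address(target)
        if target == ipaddress.ip_address(ifc.ip):
            return True                      # asking for our own address
        if target in _net(ifc.ip, ifc.prefixlen):
            return False                     # on-link host answers for itself
        if not ifc.proxy_arp:
            return False                     # the 3750 SVI case: stay silent
        # Proxy ARP: reply with our MAC when the target is routable via another interface
        return any(target in _net(o.ip, o.prefixlen)
                   for o in self.by_vlan.values() if o is not ifc)


def next_hop(host, dst_ip):
    """Host-side ARP decision, driven purely by the host's own (possibly wrong) mask."""
    return "arp" if ipaddress.ip_address(dst_ip) in _net(host.ip, host.prefixlen) else "gateway"


def can_send(src, dst_ip, router, hosts):
    """Can src obtain a usable next-hop MAC for packets to dst_ip?"""
    if next_hop(src, dst_ip) == "gateway":
        return True   # gateway is on-link; routing itself is not in question
    # The ARP broadcast stays inside src's VLAN. A host there with that address replies.
    if any(h.vlan == src.vlan and h.ip == dst_ip for h in hosts):
        return True
    return router.answers_arp(src.vlan, dst_ip)


def ping(a, b, router, hosts):
    """A ping needs a usable path in both directions."""
    return can_send(a, b.ip, router, hosts) and can_send(b, a.ip, router, hosts)


# Constructed topology: two consecutive /27s that together form one /26.
VLAN2_GW, VLAN3_GW = "192.0.2.1", "192.0.2.33"


def build_router(proxy_arp):
    return Router([L3Interface("vlan2", VLAN2_GW, 27, proxy_arp),
                   L3Interface("vlan3", VLAN3_GW, 27, proxy_arp)])


C2620 = build_router(proxy_arp=True)    # subinterfaces left at the IOS default
C3750 = build_router(proxy_arp=False)   # "no ip proxy-arp" on each SVI


def scenario(server_prefixlen, router):
    """Return the reachability matrix for a server configured with the given mask."""
    server = Host("server", "192.0.2.10", server_prefixlen, VLAN2_GW, "vlan2")
    v2host = Host("v2host", "192.0.2.20", 27, VLAN2_GW, "vlan2")
    v3host = Host("v3host", "192.0.2.40", 27, VLAN3_GW, "vlan3")
    hosts = [server, v2host, v3host]
    return {
        "server->v2host": ping(server, v2host, router, hosts),
        "server->v3host": ping(server, v3host, router, hosts),
        "server->vlan3_svi": can_send(server, VLAN3_GW, router, hosts),
        "server->internet": can_send(server, "198.51.100.5", router, hosts),
        "v3host->v2host": ping(v3host, v2host, router, hosts),
        "v3host->server": ping(v3host, server, router, hosts),
    }


if __name__ == "__main__":
    for label, mask, rtr in (("2620, /26 server", 26, C2620),
                             ("3750, /26 server", 26, C3750),
                             ("3750, /27 server", 27, C3750)):
        print(label, scenario(mask, rtr))
```

With the /26 server behind the 3750 the matrix shows exactly the thread's symptoms: VLAN 2 peers, the Internet and its own gateway reachable, VLAN 3 and its SVI not, and VLAN 3 hosts unable to ping the server although they can ping every other VLAN 2 host. Swapping in the proxy-ARP-enabled 2620 model, or correcting the mask to /27, makes everything reachable. On the real boxes the equivalent checks are the ones named in the thread: "show ip interface vlan 2" reports whether proxy ARP is enabled on the SVI, and "no ip proxy-arp" must be entered under the dot1Q subinterface (FastEthernet0/1.2 here) rather than the physical FastEthernet0/1, since the physical interface's setting does not propagate to its subinterfaces. Note that leaving proxy ARP on is what masked the misconfigured host in the first place; the 3750's default silence is the behavior that exposed it.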
