vlan routing on 2, 6513 with SUP720 and MSFC

Unanswered Question
Jun 10th, 2008

2 core 6513 switches linked with TenGig trunk ports, with the same VLANs on both (can ping across on the same VLAN, no problem).

OK, I set up a VLAN 172 on both switches, which already have a bunch of VLANs.

I have 2 hosts on vlan 172 with addresses of 172.16.0.3 and .4

The gateway is .1 which is the vlan interface of SW1 and SW2 with HSRP.

Both hosts can ping each other and the gateway.

I also have a DNS server residing on VLAN 104 with IP 10.98.4.22. Its gateway is also .1, but the gateway is actually a firewall.

The firewall does not know about VLAN 172

The hosts on VLAN 172 cannot ping any other hosts on any vlans.

I thought that with the switch doing VLAN routing, they would know that 10.98.4.0 is physically connected, as it shows up in the routing table of the switches...

sh ip route on SW1 and SW2 shows:

    10.0.0.0/23 is subnetted, 5 subnets
    C 10.98.8.0 is directly connected, Vlan108
    C 10.98.0.0 is directly connected, Vlan1
    C 10.98.2.0 is directly connected, Vlan102
    C 10.98.4.0 is directly connected, Vlan104
    C 10.98.6.0 is directly connected, Vlan106

I'm kinda confused a bit... I'm using Ethereal and I'm trying to see if I find the issue.

My intuition says that the ping packets are getting to 10.98.4.20, although the response is getting lost coming back to 172.16.0.3 because the 10.98.4.20 host is sending it to the firewall, which has no idea where 172 is or how to get there... But I need to see this in Ethereal, just not sure how to do this.

Edison Ortiz Tue, 06/10/2008 - 07:11

What device is holding Vlan 172?

Per your show ip route output on SW1 and SW2, neither device shows this subnet as 'connected'.

I'm a little confused about your network design based on the explanation given in your post. Can you elaborate?

__

Edison.

pipsadmin Tue, 06/10/2008 - 07:31

Here is the complete sh ip route:

    10.0.0.0/23 is subnetted, 5 subnets
    C 10.98.8.0 is directly connected, Vlan108
    C 10.98.0.0 is directly connected, Vlan1
    C 10.98.2.0 is directly connected, Vlan102
    C 10.98.4.0 is directly connected, Vlan104
    C 10.98.6.0 is directly connected, Vlan106
    S* 0.0.0.0/0 [1/0] via 10.98.4.1
    C 192.168.0.0/21 is directly connected, Vlan100

SW1 has all VLANs (same IP route as SW2) and SW2 has all the same VLANs as SW1.

The 2 switches are connected together via a TenG trunk port allowing all vlans to cross from one side to another...

All the VLANs except for VLAN 172 have a gateway of .1, but the gateway is actually a firewall with physical ports (.1) into each VLAN, as it's doing the VLAN routing.

I'm starting to migrate the VLAN routing onto the core switch instead.

So I added another VLAN (172) onto both SW1 and SW2. I have a host connected to each of SW1 and SW2 on VLAN 172.

They can ping each other and their gateway (in this case the VLAN interface of both SW1 and SW2 running HSRP), yet they cannot ping 10.98.4.20, even though the MSFC knows about this network as per the sh ip route.

See attached for a diagram

Edison Ortiz Tue, 06/10/2008 - 07:42

Got it.

I thought the L3 device was the switch as you mentioned in the original post "inter-vlan routing".

I'm not sure about the firewall 'routing' capabilities, but general routing requires the FW to have reachability to the 10.98.4.0/24 subnet.

Can you ping from the FW to the 10.98.4.0/24 while sourcing from the 172.x.x.1 interface in the FW ?

Can you ping from the 10.98.4.0/24 subnet to the 172.x.x.1 interface at the FW?

It would be a lot simpler if you just point to the SVIs (Switch Virtual Interfaces) at the switches and have the hosts in the 172 subnet use it as the gateway.

However, I'm still wondering if you've created that portion of the config. It shows in the diagram but not in the ip route.

Did you create the following on SW1?

    interface vlan 172
     no shutdown
     ip address 172.16.0.11 255.255.255.0

Make sure it's not in shutdown state (default).

HTH,

__

Edison.

Please rate helpful posts

pipsadmin Tue, 06/10/2008 - 08:05

The firewall does not know about the 172 VLAN or network. So pinging 172 from the firewall won't work because of this.

Vlan 172 on SW1:

    interface Vlan172
     description Vlan Interface for QA2 on SW1
     ip address 172.16.0.11 255.255.240.0
     standby 172 ip 172.16.0.1
     standby 172 priority 90
     standby 172 preempt
    end

Vlan 172 on SW2:

    interface Vlan172
     description Vlan Interface for QA2 on SW2
     ip address 172.16.0.12 255.255.240.0
     standby 172 ip 172.16.0.1
     standby 172 priority 80
     standby 172 preempt
    end

Not sure what you mean by the below:

It would be a lot simpler if you just point to the SVIs (Switch Virtual Interfaces) at the switches and have the hosts in the 172 subnet use it as the gateway.

But HSRP is running on both VLAN interfaces, which makes up the .1 gateway... Is this what you mean?

pipsadmin Tue, 06/10/2008 - 09:25

What I find very puzzling is that if I monitor the port that 10.98.4.20 is connected to on SW1, and I ping 10.98.4.20 from 172.16.0.4, I can see 10.98.4.20 receiving the ICMP and replying, yet 172.16.0.4 does not get the reply... the reply goes to la la land....

See capture

Edison Ortiz Tue, 06/10/2008 - 09:31

You seem to be contradicting yourself in your posts.

In your original post you said:

The gateway is .1 which is the vlan interface of SW1 and SW2 with HSRP.

Then on your second post you said:

All the VLANs except for VLAN 172 have a gateway of .1, but the gateway is actually a firewall with physical ports (.1) into each VLAN, as it's doing the VLAN routing.

Now in this reply, you have the config with .1 being the HSRP address. Not even the diagram indicated that - now you understand why I can't help you?

Based on what you just posted, the Switches should have Vlan 172 in their routing table and based on the output you've posted, they don't.

Can you verify both interfaces in SW1 and SW2 are in up/up state?

pipsadmin Tue, 06/10/2008 - 10:36

Sorry, I omitted too many lines when copying the sh ip route:

This is SW1 "sh ip route" (I am omitting the external networks for security reasons)

    172.16.0.0/20 is subnetted, 1 subnets
    C 172.16.0.0 is directly connected, Vlan172
    10.0.0.0/23 is subnetted, 5 subnets
    C 10.98.8.0 is directly connected, Vlan108
    C 10.98.0.0 is directly connected, Vlan1
    C 10.98.2.0 is directly connected, Vlan102
    C 10.98.4.0 is directly connected, Vlan104
    C 10.98.6.0 is directly connected, Vlan106
    S* 0.0.0.0/0 [1/0] via 10.98.4.1
    C 192.168.0.0/21 is directly connected, Vlan100

This is SW2 "sh ip route" (I am omitting the external networks for security reasons)

    172.16.0.0/20 is subnetted, 1 subnets
    C 172.16.0.0 is directly connected, Vlan172
    10.0.0.0/23 is subnetted, 5 subnets
    C 10.98.8.0 is directly connected, Vlan108
    C 10.98.0.0 is directly connected, Vlan1
    C 10.98.2.0 is directly connected, Vlan102
    C 10.98.4.0 is directly connected, Vlan104
    C 10.98.6.0 is directly connected, Vlan106
    S* 0.0.0.0/0 [1/0] via 10.98.4.1
    C 192.168.0.0/21 is directly connected, Vlan100

All VLANs except for VLAN172 have a gateway of .1 on their respective VLAN, and that .1 is the firewall interface.

VLAN172 has a gateway of .1 also, but in its case the .1 is the HSRP address of both SVI interfaces from SW1 and SW2.

Is that clearer?

Edison Ortiz Tue, 06/10/2008 - 10:49

You need to have all hosts on their respective Vlan point to the switch, not the Firewall.

Configure HSRP on those Vlans similar to Vlan 172. That's the appropriate design.

The hosts in other Vlans point to the FW as the gateway and they don't have a route to 172. If the FW doesn't know about 172 (as you stated) the packet will die.

__

Edison.

Please rate helpful posts

pipsadmin Tue, 06/10/2008 - 10:56

OK,

I can't point all hosts on all other VLANs to the switch HSRP gateway on their respective VLANs, as this is a migration I am doing; I wanted to do one VLAN at a time, and am trying to find a solution.

Looks like the only solution is to put in a static route in the firewall to point to 172 via an SVI interface or an interim network hooked up between the firewall and the switch......

I wanted to try to do this in a step-by-step fashion, but it looks like I don't have any other choice ...

pipsadmin Thu, 06/12/2008 - 06:20

OK, here is my config, and please let me know if I'm on the right track...

FIREWALL IP 10.98.201.1/29

Firewall will have a static route to 172.16.0.0/16 via 10.98.201.2, which is the HSRP IP of SW1-2.

SW1:

    interface G3/5
     description PIPSFW1
     ip address 10.98.201.3 255.255.255.248
     standby 201 ip 10.98.201.2
     standby 201 priority 90
     standby 201 preempt

SW2:

    interface G3/5
     description PIPSFW1
     ip address 10.98.201.4 255.255.255.248
     standby 201 ip 10.98.201.2
     standby 201 priority 80
     standby 201 preempt

Since SW1 and SW2 are interconnected via a TenG trunk port allowing all VLANs, where does the 201 VLAN come into play, or don't I need one?!? This is the part where I'm confused, as I cannot put an L3 port of SW1 or SW2 in a VLAN?!?

pipsadmin Fri, 06/13/2008 - 10:40

OK,

this does not work and I have to find a solution FAST !

When on VLAN 10.98.4.0/23 (10.98.5.250), which is gateway'ed to the firewall, ex 10.98.4.1, if you ping a device on 172.16.0.0/20, which is gateway'ed via an interim network 10.98.201.0/29, the frames go to the firewall (4.1), then follow the static route in the firewall to 10.98.201.2 (the interim network) to 172.16.0.4. The ICMP gets to the device via this path, but the reply leaves 172.16.0.4, hits the VLAN interface (which is part of the HSRP) 172.16.0.11 or 12, then goes directly to the Vlan 104 host 10.98.5.250 without passing through the interim network...

I think the reason is that the network 10.98.4.0 is directly connected (VLAN interface) to the switch, so it does not go via the interim network 10.98.201.0, as this would be a longer path....

Is there a way to make the packets from 172.16.0.0/20 always go to 10.98.201.1 and not the vlan interface on 192.16.0.11 or 12 ?

The gateway on 172.16.0.0/20 is 172.16.0.1 (HSRP from the 2 vlan interface 172.16.0.11 and 12).
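One way to force the VLAN 172 replies back through the firewall for as long as the firewall stays the gateway of the other VLANs is policy-based routing on the Vlan172 SVI, applied on both SW1 and SW2. This is an added example, not config from the thread or from either poster; the ACL and route-map names are my own, the wildcard masks are assumptions that cover the 10.98.x.0/23 and 192.168.0.0/21 VLANs shown in the sh ip route above, and 10.98.201.1 is the firewall's interim-network address from the previous post.

```cisco
! Added example (not from the thread): policy-route traffic that enters the
! Vlan172 SVI and is destined for VLANs still gatewayed by the firewall,
! so the firewall sees both directions of each flow instead of only the
! request. Apply on SW1 and SW2; HSRP decides which one carries the traffic.
!
! Destinations still behind the firewall. Wildcard masks are assumptions:
! 10.98.0.0 0.0.15.255 covers 10.98.0.0/23 .. 10.98.8.0/23,
! 192.168.0.0 0.0.7.255 is the Vlan100 subnet 192.168.0.0/21.
ip access-list extended QA2-TO-FW-VLANS
 remark VLAN 172 -> VLANs whose .1 gateway is still the firewall
 permit ip 172.16.0.0 0.0.15.255 10.98.0.0 0.0.15.255
 permit ip 172.16.0.0 0.0.15.255 192.168.0.0 0.0.7.255
!
! Matching packets are sent to the firewall's interim address rather than
! to the directly connected SVI that normal longest-prefix routing picks.
! Everything else (including 172 -> Internet via S* 0.0.0.0/0) is unaffected.
route-map QA2-VIA-FW permit 10
 match ip address QA2-TO-FW-VLANS
 set ip next-hop 10.98.201.1
!
interface Vlan172
 ip policy route-map QA2-VIA-FW
```

Delete a VLAN's prefix from the ACL at the moment that VLAN's hosts are repointed to the switch HSRP gateway, and check that packets are actually being policy-routed with show route-map QA2-VIA-FW (it reports the match counters).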
