no ip proxy-arp/no ip redirects/no ip unreachables

Answered Question
Sep 25th, 2008

Hi,

I am facing one issue. First let me explain my scenario.

We have two core switches and 7 access switches. Access switches are connected with core switch 1 and core switch 2 through trunk link. In core switches HSRP is configured to provide redundancy.

I have attached sample configuration of core switch and one access switch.

The issue is that if I configure the three commands mentioned below under interface VLAN, some switches become inaccessible from others. In the core switches and access switches, under interface VLAN I have configured the no ip proxy-arp, no ip redirects and no ip unreachables commands. After some time, access switch 3 (all hosts and the switch IP) becomes inaccessible from other hosts, but the users under this access switch are able to access all other switches and hosts. If I remove the no ip proxy-arp command under VLAN 10 of core switch 1 then switch 3 is accessible again, but after some time the same thing happens with other access switches.

Core 1

interface Vlan10
 description *****Management*****
 ip address 10.138.74.130 255.255.255.192
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 standby 10 ip 10.138.74.129
 standby 10 priority 110
 standby 10 preempt

Access switch 3

interface Vlan10
 ip address 10.138.74.134 255.255.255.192
 no ip proxy-arp
 no ip redirects
 no ip unreachables

Regards,

som

Correct Answer by andrew.butterworth about 8 years 3 months ago

You haven't got a default gateway configured on the access switch. From any device on VLAN 10 you should be able to directly access the switch, however a host on a different VLAN would not be able to access it.

Add the following to the access switch configuration:

ip default-gateway 10.138.74.129

Without this the access switch will ARP for hosts not on the same subnet and the Core will respond (assuming proxy-arp is enabled).

HTH

Andy

somnath21 Fri, 09/26/2008 - 02:36

Thank you very much!!!

In access switches VLAN 10 is configured like that ...

Acc Sw1

int vlan 10
 ip address 10.138.74.132 255.255.255.192

Acc Sw 2

int vlan 10
 ip address 10.138.74.133 255.255.255.192

Now my question is: in all access switches do I have to give the same gateway, i.e. 10.138.74.129 (the VLAN 10 IP in the core switch)?

andrew.butterworth Fri, 09/26/2008 - 03:17

Your Layer-2 access switches only have a single SVI for management, they need to have a default-gateway configured that is part of the same VLAN. In this case the default-gateway is the HSRP address configured on VLAN 10. If you have an access switch with an SVI in VLAN 20 (for example) then it would need a default-gateway in VLAN 20.

I hope this makes sense?

Andy

Please rate helpful posts

ranjtech74 Tue, 04/09/2013 - 20:16

Hello

This is an old discussion but I'm hoping someone will see my message in this?

Anyway, I have a similar issue, except my network is a LOT more simple.

I just have One (1) 3560 L-3 switch at the border with simple IP peering with my ISP

This is the config of the physical port to which the ISP is connected:

interface GigabitEthernet0/19
 description Edge L-3 to ISP
 no switchport
 ip address xxx.xxx.x6.66 255.255.255.252
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip multicast boundary 30
 no ip mroute-cache

Note: The address of the ISP Interface is .65

The public address space allocated to us is /27 subnet and it's configured in an SVI as follows:

interface Vlan100
 description Ext VLAN
 ip address xxx.xxx.x8.65 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip multicast boundary 30
 no ip split-horizon
 no ip mroute-cache
 ntp disable

Now, the only way that I am able to ping the IP of VLAN100 from the Internet is if I remove the "ip proxy-arp" on the Gi0/19 interface connected to my ISP.

If I add that back in, I'm only able to ping the IP of my Gi0/19 interface (.6.66) but not that of VLAN100 (.8.65).

I tried adding "ip default-gateway" command as such: ip default-gateway xxx.xxx.6.65 (ISP gateway) but that does NOT work for me as suggested in this discussion.

I want to follow the best-practice and remove "proxy arp" from my Internet facing Interface but without it, I can't get it to work.

Do I need to turn on "ip redirects"? But isn't that also against "best practices"? And if that's the only way, then which interface is it supposed to be turned on at?

Thanks so much

aeg
