
traceroutes failing across 3550 switch

Kevin Melton
Level 2

I have a 3550 switch which is in the egress path towards the Internet at my client site. I have only one VLAN configured with an IP address on the switch, and all traffic goes through this Gateway in and out of the network.

When I run a traceroute from inside the network, I get to the client Gateway (1st Hop), but then never get a 2nd IP entry of 172.16.1.7 in line 2 of my traceroutes.

Is there something on the switch that I may need to configure? IP traffic other than ICMP is fine. The switch will answer back to a ping....

Thx

16 Replies

j98me2
Level 1

What do you have after the switch? It could be your firewall not responding to the ICMP traffic.

I can get to google.com but I cannot tracert to google.com or anything else outside my network. My ASA drops the ICMP traffic.

Peter010101
Level 1

"When I run a traceroute from inside the network, I get to the client Gateway (1st Hop), but then never get a 2nd IP entry of 172.16.1.7 in line 2 of my traceroutes. "

I am not sure what you mean here.

Do you have a route to 172.16.1.7? Does the other end have a route back to you?

Here is a sample:

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.

The 172.16.1.7 address should be the 2nd line in the traceroute. He is the next IP hop on the way out. The appropriate routes are in place...see below:

C:\Documents and Settings\kevin.BOARSHEADINN.000>ping 172.16.1.7

Pinging 172.16.1.7 with 32 bytes of data:

Reply from 172.16.1.7: bytes=32 time=1ms TTL=255

Reply from 172.16.1.7: bytes=32 time<1ms TTL=255

Reply from 172.16.1.7: bytes=32 time<1ms TTL=255

Reply from 172.16.1.7: bytes=32 time<1ms TTL=255

Ping statistics for 172.16.1.7:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Documents and Settings\kevin.BOARSHEADINN.000>

Thanks

If the 172.16.1.7 interface and 192.168.5.1 live on the same device, you should only get the nearest interface responding back to you...

They are not the same device. The 192.168.5.1 is the GW on our Core switch. The 172.16.1.7 is another switch and the next hop out on the way to the Internet...

Traceroute to 172.16.1.7 and show us the output of that.

C:\Documents and Settings\kevin.BOARSHEADINN.000>tracert 172.16.1.7

Tracing route to 172.16.1.7 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]

2 1 ms <1 ms <1 ms 172.16.1.7

Trace complete.

C:\Documents and Settings\kevin.BOARSHEADINN.000>

Is 172.16.1.7 a L3 switch?

If it's not a Layer 3 switch, it will not show up on the traceroute, because it's not part of the routing path.

I think I just answered my question.

You have this topology:

L3Switch ---- layer 2 switch ---- Internet gateway

Only the L3switch and Internet gateway will respond to the traceroute (ICMP is L3), because the other switch is a layer two pathway. Only routers will respond to the traceroute.

I would assume you have ICMP blocked somewhere at your internet gateway.

ICMP is not blocked anywhere. I can ping all the way out the entire path. It is just traceroute that fails at the 2nd hop, not pings..

But it is part of the routing path. I sent you a trace route indicating that...

It is an L3 switch. We have a VLAN 3 configured on it. It has an IP address of 172.16.1.7. All the devices in that network (which is the way in and out towards the Internet) plug into a VLAN 3 port and use 172.16.1.7 as their gateway.

It looks like you are blocking some ICMP. The traceroute you sent only shows one response.

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.
