Solved: VLAN/Gateway issue (VLAN 0)

sigoe · ‎04-17-2010

After noon all,

I’m wondering if anyone could shed some light on a issue I’m currently having?

All this is happening on a stack of 7 Catalyst 3750's

I work in a college and generally I am the go to man for networking, I have a contact who Knows lots more than me and is Cisco certified but even he is a little stumped, I’ll warn you I have only practical knowledge of networks although I am working towards my CCNA, that’s not to say I’m useless but I can following instructions off the Cisco site on achieving what I need (Config and Image up/down loads, switch configuration...) so please forgive me if I get some things in the wrong context!!!!

We use multiple VLANs on our network; all VALNs have their own gateway.

I have been asked to create a new VLAN for a student project, so I looked up the process on the Cisco site and found the following commands:

Switch #vlan database
Switch (vlan) #vlan 65 Name STUnion
Switch (vlan) # Exit
Switch # conf t
Switch (config) # int vlan 65
Switch (config-if) # ip address 172.65.0.254 255.255.0.0
Switch (config-if) # no shutdown

From what I understand this created a VLAN 65, set an IP route of 172.65.0.0/16 and connect this to VLAN 65 and finally set 172.65.0.254 as the default gateway for this VLAN.

I currently have 3 devices (2 IP Cameras & 1 Laptop (hardwired)) connected to VLAN 65, the laptop can ping both cameras and gateway and from the switch I can ping all 3 devices and gateway but when I start adding ACLs to VLAN 65 (incoming only) I cannot get the laptop to ping the gateway for VALN 65 unless I add a ACL rule to allow traffic to 172.65.0.254, and if I type the following to do a layer 2 trace, I get the following back:

Switch #Tractroute MAC IP 172.65.0.254 172.65.0.10
Source and Destination arped on different vlans (source on vlan 0 and destination on vlan 65).

Also I have the following method mismatch

SouthCore-1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      172.18.0.40     YES     NVRAM up                     up
Vlan4                      172.16.0.250    YES    NVRAM up                   up
Vlan12                     172.30.0.254    YES NVRAM up                       up
Vlan21                     172.21.0.254    YES NVRAM up                      up
Vlan22                     172.22.0.254    YES NVRAM up                       up
Vlan65                     172.65.0.254    YES   manual up                       up

I have outputs from the commands
sh int vlan 65
sh ip route

Both indicate either the IP or range respectively are attached to VLAN 65.

Does anyone have any ideas what I may have gotten wrong, from that I understand the laptop should be able to ping the gateway for VLAN 65 without the need of an permit ACL rule.

Thanks Simon

Jon Marshall · ‎04-18-2010

Simon

I’m sure that traffic is being routed even if I removed the “permit ip any host 172.65.0.254”

Yes it will be because the destination IP in a packet going to a remote subnet is not the gateway IP of the vlan so it will not be blocked.

vlan 22 acl is not as restrictive ie.

permit ip 172.22.0.0 0.0.0.255 any

would allow any host on 172.22.0.0 to ping the gateway.

Being able to ping the gateway does not affect routing traffic through the gateway.

Jon

View solution in original post

Jon Marshall · ‎04-17-2010

Simon

Does anyone have any ideas what I may have gotten wrong, from that I understand the laptop should be able to ping the gateway for VLAN 65 without the need of an permit ACL rule.

Just to clarify. Without an acl applied inbound you can ping the gateway. There is an implicit deny ip any any at the end of any acl. So as soon as you apply the acl unless you explcitly permit the traffic to the gateway it will be denied.

Jon

sigoe · ‎04-17-2010

Hi Jon,

Yes thats right without the ACL there are no problems it is just when I add the ACL I lose the ability to ping the gateway, the odd thing is that non of the other VLANs have any enties in their ALC to allow traffic to the gateway, yet they can ping their own gateway without any issues.

Giuseppe Larosa · ‎04-17-2010

Hello Simon,

please add the ACL you has applied inbound to SVI interface vlan 65.

Generally speaking inbound ACLs can deny traffic destined to the device itself.

Outbound ACLs cannot block traffic generated on the device itself.

so if you have applied an ACL inbound to the object SVI vlan65 it is expected behaviour that you cannot ping the SVI if no line allows it, for the implicit deny any that it is at the end of the ACL and for what stated above about inbound ACLs.

about Vlan0: it is not a valid vlan number but it may be used internally on the switch the same happens for vlan 4096, other vlan numbers can be taken for internal use.

Hope to help

Giuseppe

sigoe · ‎04-17-2010

Hi Giuseppe,

So am I wrong thinking that I have an issue??

I’m sure that traffic is being routed even if I removed the “permit ip any host 172.65.0.254” line from the ACL I can ping/access the IP cameras on VLAN 65 from the 172.21.0.0 range and I can also ping the DNS and proxy from the VLAN 65 at that are in the 172.22.0.0 range, what is confusing is that I cannot get a full response from the gateway without adding an ACL rule, if I remove the rule, then ping the gateway a odd response

ping 172.65.0.254

Reply from 172.65.0.254 destination net unreachable

I think my main question is why do I have to add a ACL rule to be able to ping the gateway on VLAN 65 when no others VLAN have a corresponding ACL rule for their VLAN??

VLAN 65 ACL

ip access-list extended st3-STUnion
permit ip any host 172.65.0.254
permit udp any host 172.22.0.1 eq domain
permit tcp any host 172.22.0.1 eq domain
permit tcp any host 172.22.0.11 eq www
permit tcp any host 172.22.0.11 eq 8080
permit tcp any host 172.22.0.11 eq 443
permit ip any 172.21.0.0 0.0.255.255
deny ip any any

Non of the other VLANs have an issue pinging their own gateway for a host on the same vlan/IP rage, I can ping the gateway of 172.22.0.0 without having a ACL rule to allow access. VLAN 22 is the most restrictive, to be honest ACL are one of those things I sort of understand, I know the permit I have added to VLAN 65 to allow access to the gateway is wide open but this is only a workaround.

VLAN 22 ACL

ip access-list extended st3-curic22
permit ip 172.22.0.0 0.0.0.255 172.18.0.0 0.0.0.255 log
deny ip any 172.18.0.0 0.0.0.255 log
permit ip 172.22.0.0 0.0.0.255 172.21.0.0 0.0.0.255 log
permit ip 172.22.0.0 0.0.0.255 any
permit tcp 172.22.7.0 0.0.0.255 host 172.21.0.3 eq www
permit tcp 172.22.7.0 0.0.0.255 host 172.21.0.5 eq www
permit tcp 172.22.7.0 0.0.0.255 host 172.21.0.3 eq 8000
permit tcp 172.22.7.0 0.0.0.255 host 172.21.0.5 eq 8000
permit tcp 172.22.0.0 0.0.255.255 host 172.21.0.5 eq www
permit tcp 172.22.0.0 0.0.255.255 host 172.21.0.5 eq 8000
permit ip 172.22.8.0 0.0.0.255 host 172.21.0.4
permit tcp 172.22.9.0 0.0.0.255 host 172.21.0.3
permit tcp 172.22.9.0 0.0.0.255 host 172.22.0.5
permit tcp 172.22.0.0 0.0.255.255 any eq 443 log
permit udp 172.22.22.0 0.0.0.255 any eq domain
permit tcp 172.22.22.0 0.0.0.255 any eq domain
permit tcp 172.22.22.0 0.0.0.255 any eq www
permit tcp 172.22.22.0 0.0.0.255 any eq 443
permit udp 172.22.22.0 0.0.0.255 any range 27000 27020
permit tcp 172.22.22.0 0.0.0.255 any range 27020 27050
deny ip any any log

Thanks Simon

Jon Marshall · ‎04-18-2010

Simon

I’m sure that traffic is being routed even if I removed the “permit ip any host 172.65.0.254”

Yes it will be because the destination IP in a packet going to a remote subnet is not the gateway IP of the vlan so it will not be blocked.

vlan 22 acl is not as restrictive ie.

permit ip 172.22.0.0 0.0.0.255 any

would allow any host on 172.22.0.0 to ping the gateway.

Being able to ping the gateway does not affect routing traffic through the gateway.

Jon

sigoe · ‎04-18-2010

Hi Jon thanks for that.

“Being able to ping the gateway does not affect routing traffic through the gateway”.

I was unaware that this was the case and assumed that I had an issue, I look at the VLAN 22 ACL and passed over that rule as to allow access for all to see server range (172.22.0.0/24) it completely by passed me as the gateway is in that range.

When it comes to ACLs I generally work on a monkey see, monkey do process, I guess a fresh set of eye is always the best plan. I have just looked at the other ACLs and each has a 172.X.0.0/24 rule.

This where my practical knowledge breaks down a little and this is more than likely a simple but stupid question:

1. As long as the IP Cameras/Laptop have the gateway set to 172.65.0.254, it will all work fine??

2. I take it this means I don’t need the ACL rule in VALN 65 “permit ip any host 172.65.0.254” so it can be removed??

Again I would like to thank you for your help

Simon

Jon Marshall · ‎04-18-2010

Simon

1) As long as the IP Cameras/Laptop have the gateway set to 172.65.0.254, it will all work fine??

2) I take it this means I don’t need the ACL rule in VALN 65 “permit ip any host 172.65.0.254” so it can be removed??

1) Correct

2) as long as you don't want clients on vlan 65 to be able to ping the default-gateway you don't need that line in your acl.

Jon