IP forwarding issue

  • Problem
  • Updated 3 years ago
  • Solved
We have a Summit X460 configured with 3 VLANs. ipforwarding is disabled on all VLANs, but we're still able to ping from one VLAN to another. Please see the screenshot below.


We also have a PC directly connected to the server VLAN, and it can still reach the other VLANs even though ipforwarding is disabled. Below is the screenshot.



Below are the IP routes from the switch.



Is this correct? I am expecting that if ipforwarding is disabled, the VLANs will not communicate with each other, like layer 2.


Thanks
Marlon


Posted 3 years ago


Patrick Voss, Alum

Can you ping the server's IP address from the client?

Marlon

Hi Patrick,
Thanks. Yes.

Lane, Mike, Employee

Your input is almost complete; please show your PC's routing and ARP tables to demonstrate that the PC is actually using this switch as its gateway. I see you have successfully pinged an address for a VLAN that has no active ports in it. I expect this can only happen if there is another switch on your broadcast domain that is forwarding. You can also provide a "show ipstats" to prove that this switch was actually forwarding. - Mike

Marlon

Hi Mike,

Thanks. Actually, I enabled loopback mode on the VLAN that has no active ports; that's why I successfully reached that VLAN. Below are the screenshots of the PC routing table and ARP table.




Below are the ipstats of the switch.

X460-24p.1 # sh ipstats
IP Global Statistics
InReceives =        451 InUnicast  =        129 InBcast    =         78
                        InMcast    =        244
InHdrErr   =          0 Bad vers   =          0 Bad chksum =          0
                        Short pkt  =          0 Short hdr  =          0
                        Bad hdrlen =          0 Bad length =          0
InDelivers =        163 InDiscards =          0 Bad Proto  =          0
OutRequest =         91 OutDiscard =          0 OutNoRoute =          0
Forwards   =          0 ForwardOK  =          0 Fwd Err    =          0
NoFwding   =        121 Redirects  =          0 No route   =          0
Bad TTL    =          0 Bad MC TTL =          0
Bad IPdest =        121 Blackhole  =          0 Output err =          0
MartianSrc =          0
FragCreate =          0 FragOKs    =          0 FragFails  =          0

Global ICMP Statistics
OutResp    =          8 OutError   =          0 InBadcode  =          0
InTooshort =          0 Bad chksum =          0 In Badlen  =          0
echo reply                      In =          0        Out =          8
destination unreachable         In =          0        Out =          0
 - protocol unreachable         In =          0        Out =          0
redirect                        In =          0        Out =          0
echo                            In =          8        Out =          0
router advertisement            In =          0        Out =          0
time exceeded                   In =          0        Out =          0

Global IGMP Statistics
Out Query  =         37 Out Report =          0 Out Leave  =          0
In Query   =          0 In Report  =         46 In Leave   =         16
In Error   =          0

Router Interface finance
     inet 172.21.201.246 netmask 255.255.255.0 broadcast 172.21.201.255
     Stats:  IN         OUT
             22          22 packets
            704         704 octets
             22          22 Mcast pkts
              0           0 Bcast pkts
              0           0 errors
              0           0 discards
              0             unknown protos

Router Interface IT
     inet 172.21.200.246 netmask 255.255.255.0 broadcast 172.21.200.255
     Stats:  IN         OUT
             17          17 packets
            544         544 octets
             17          17 Mcast pkts
              0           0 Bcast pkts
              0           0 errors
              0           0 discards
              0             unknown protos

Router Interface server
     inet 172.18.1.246 netmask 255.255.255.0 broadcast 172.18.1.255
     Stats:  IN         OUT
            413          52 packets
          25786        1888 octets
            205          44 Mcast pkts
             78           0 Bcast pkts
              0           0 errors
            122           0 discards
              0             unknown protos

Matthew Helm, Employee

Without ipforwarding enabled, a switch will receive a packet on a VLAN interface and will respond if the packet is directed to an IP address assigned to one of its VLAN interfaces where that VLAN is enabled and up (either in loopback mode or has active port(s)). It will not forward that packet to another IP address on that subnet/VLAN even if present in the switch's IP ARP table. It will only forward if IP forwarding is enabled on both the receiving VLAN and enabled on the VLAN where the destination IP address is located.
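Added example, not part of the original thread or of any Extreme tooling: a small Python check that reads the "show ipstats" counters posted above and tells apart "the switch routed between VLANs" from "the switch only answered pings to its own VLAN interfaces", which is the distinction Matthew describes. The function names are hypothetical, and the reading of each counter is assumed from its name.

```python
import re

# Excerpt of the "show ipstats" output posted earlier in this thread.
SAMPLE = """\
IP Global Statistics
InReceives =        451 InUnicast  =        129 InBcast    =         78
InDelivers =        163 InDiscards =          0 Bad Proto  =          0
OutRequest =         91 OutDiscard =          0 OutNoRoute =          0
Forwards   =          0 ForwardOK  =          0 Fwd Err    =          0
NoFwding   =        121 Redirects  =          0 No route   =          0
Bad IPdest =        121 Blackhole  =          0 Output err =          0

Global ICMP Statistics
OutResp    =          8 OutError   =          0 InBadcode  =          0
echo reply                      In =          0        Out =          8
echo                            In =          8        Out =          0
"""

# "Name = value" pairs; names may contain spaces ("Bad IPdest", "Fwd Err").
COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*=\s*(\d+)")
# ICMP rows use a different layout: "<type>   In = n   Out = m".
ICMP_ROW = re.compile(r"^(echo reply|echo)\s+In =\s*(\d+)\s+Out =\s*(\d+)", re.M)


def parse_ipstats(text):
    """Return (ip_counters, icmp_rows) parsed from 'show ipstats' text."""
    after_header = text.partition("IP Global Statistics")[2]
    # The IP section ends at the first blank line.
    section = re.split(r"\n\s*\n", after_header, maxsplit=1)[0]
    ip = {name: int(value) for name, value in COUNTER.findall(section)}
    icmp = {t: (int(i), int(o)) for t, i, o in ICMP_ROW.findall(text)}
    return ip, icmp


def assess(text):
    """Classify the counters: routed traffic vs. locally answered pings."""
    ip, icmp = parse_ipstats(text)
    forwards = ip.get("Forwards", 0) + ip.get("ForwardOK", 0)
    echo_in = icmp.get("echo", (0, 0))[0]
    reply_out = icmp.get("echo reply", (0, 0))[1]
    if forwards > 0:
        verdict = "routing"          # packets crossed between VLANs
    elif echo_in > 0 and echo_in == reply_out:
        verdict = "local-only"       # every echo was answered by the switch itself
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "forwards": forwards,
            "no_fwding": ip.get("NoFwding", 0)}
```

On the posted counters this yields "local-only": zero forwarded packets, and eight echo requests in matched by eight echo replies out.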

JeremyClarkson

Marlon, can you confirm please?

Marlon

Hi Jeremy,

I can still ping the other VLAN even though ipforwarding is disabled globally and per VLAN. Thanks.

JeremyClarkson

But can you ping clients on the VLAN or just the VLAN interface?

Marlon

Just the VLAN interface.

Drew C., Community Manager

Hi Marlon, do you still need assistance with this? It may be best to open a case with GTAC if this hasn't been resolved yet.

Grosjean, Stephane, Employee

In my opinion, Matthew gave the answer on that topic.

Drew C., Community Manager

I think so too, but I wanted to try to be sure. Lots of loose ends around here that I'm trying to tie up :)