Switching

I have an EX2200 48T running version 12.3R6.6.  I'm trying to set up RVI to route between VLANs, but it's not working properly. The VLANs in question are listed below:

DHCP Unit 3 10.10.3.253/24
Test Unit 5 10.10.4.253/24
Test2 Unit 6 10.10.6.253/24

Interfaces ge-0/0/5 and ge-0/0/30 are trunked to access all three of these VLANs.

The EX2200 is running DHCP on these three networks (10.10.3.0/24, 10.10.4.0/24, and 10.10.6.0/24), with the range .1 - .250 for each, and .253 is set as the default gateway.

Laptop A on the DHCP VLAN has address 10.10.3.1.
Laptop B on the Test VLAN has address 10.10.4.1.

Laptop A can ping its own gateway (10.10.3.253) and the gateway for the Test VLAN (10.10.4.253), but it cannot ping Laptop B.

The same is true for Laptop B.  It can ping its own gateway and the gateway for other VLANs, but it cannot ping anything else on a different VLAN.

I tried to follow this technote:
http://www.juniper.net/techpubs/en_US/junos12.3/topics/task/configuration/bridging-routed-vlan-interfaces-ex-series-cli.html

The issue is very similar to the behavior described in the 7th message of this post:
http://forums.juniper.net/t5/Ethernet-Switching/EX2200-Inter-Vlan-Routing/m-p/99182/highlight/true#M4361

I created Test2 on 10.10.6.253/24 from scratch to see if I made a mistake in the earlier config, but it behaves in exactly the same way.

The relevant parts of the config are attached.  What am I doing incorrectly?

NOTE: This system is in production, so I can't take drastic steps, like rebooting or upgrading/reverting versions.

Attachment(s)

config to post.txt   2 KB 1 version

You do not need those /24 static routes.  These are local routes the switch is aware of.  I suggest you copy config for ge-0/0/28 and use it to config some other physical interface, say ge-0/0/29, and also change VLAN member to either DHCP or Test 2.  You should now be able to ping between these subnets (.4 to either .3 or .6).

When you try to ping from .5/Test (BTW much easier to manage/keep track if you match unit number to vlan number) to either DHCP or Test 2 what is physically connected to ge-0/0/5 or ge-0/0/30, another PC?  This will NEVER work unless the PC can strip Dot1Q headers.  To test PC to PC pings you need them on access ports, not trunk ports.  Of the trunk ports would generally be another switch, and then that switch needs proper VLAN configuration, etc.

Also, when you ping anything that is 10.10.x.253 you are ping the same place.  That would be switch CPU/RE.  Ping gateways on L3 switches, means very little, except to prove local gateway is up.  Id CPU/RE is busy, pings could be either delayed or potentially dropped.

This is all very basic stuff, and it all works, 100% for sure.  If not working you are doing something wrong, generally with very basic stuff.

I set ge-0/0/5 and ge-0/0/30 back to access ports and removed the /24 static routes.  DHCP VLAN is on ge-0/0/5, and Test2 is on ge-0/0/30. 

One PC is one 10.10.3.1 (DHCP VLAN), and another is on 10.10.6.1 (Test2 VLAN), but they still cannot ping each other.

The updated config is attached. 

Attachment(s)

updated config.txt   3 KB 1 version

I took your config with some minor modifications, and dumped it directly into an EX2200 switch, with a single trunk link connecting to my laptop with 3x VLANS (10,20,30) configured. As you can see, I can ping fine from each set of hosts, with the traceroute confirming my path to/from each.

VLAN10 received 10.10.10.1 via DHCP

VLAN20 received 10.10.20.1 via DHCP

This doesn't prove reverse routing (the return route will be directly connected), but does show unidirectional test in each direction through the router.

laptop$ traceroute -s 10.10.10.1 10.10.20.1
traceroute to 10.10.20.1 (10.10.20.1) from 10.10.10.1, 64 hops max, 52 byte packets
1 10.10.10.253 (10.10.10.253) 9.597 ms 2.356 ms 3.416 ms
2 10.10.20.1 (10.10.20.1) 0.406 ms 0.386 ms 0.323 ms

## ping forcing source address from VLAN10 to destination in VLAN20
laptop$ ping -S 10.10.10.1 10.10.20.1
PING 10.10.20.1 (10.10.20.1) from 10.10.10.1: 56 data bytes
64 bytes from 10.10.20.1: icmp_seq=0 ttl=63 time=0.278 ms
64 bytes from 10.10.20.1: icmp_seq=1 ttl=63 time=0.337 ms
^C
--- 10.10.20.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.278/0.307/0.337/0.030 ms

laptop$ ifconfig | egrep -A 8 -e "vlan" | egrep "inet\s|vlan:|^vlan"
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
vlan: 10 parent interface: en3
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.10.20.1 netmask 0xffffff00 broadcast 10.10.20.255
vlan: 20 parent interface: en3
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.10.30.1 netmask 0xffff0000 broadcast 10.10.30.255
vlan: 30 parent interface: en3

I'd suggest checking the end-systems to see if there's a conflicting interface or route causing the response to be sent somewhere else.  You can confim the correct interfaces are configured, and that there aren't routes for networks on the reply path configured locally, or somewhere else. 

LINUX/OSX

ifconfig

netstat -rn

Windows

ipconfig

route print

Attachment(s)

dhcp-test-config.txt   3 KB 1 version

Hi barnesry-jnet,

What modifications did you make?  Were you using one host to ping another, or were you pinging the hosts from your laptop on the trunk port?

ColonelSarge,

host to host pings via switch (inter-vlan route). You can run a diff of my config vs yours to get the exact details, but basically vlan numbering, etc. Confirmed the pings were routing correctly source->dest, but the response would likely have been direct (as the vlans co-exist on my laptop - not separate isolated VMs which would have been a more comprehensive test). I did test from both directions though specifying source addresses.

laptop vlan10 -------\

                               trunk ---------- switch

laptop vlan20 - -----/ 

RVI still is not working.  When I run tracert for an IP on another VLAN, I get results like this:

C:\>tracert 10.10.6.1

Tracing route to 10.10.6.1 over a maximum of 30 hops

  1     8 ms    10 ms     1 ms  10.10.3.253
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

In this case, I'm trying to go from VLAN 3 (10.10.3.0 255.255.255.0 with the EX2200 as default gateway on 10.10.3.253) to VLAN 6 (10.10.6.0 255.255.255.0 with EX2200 as gateway on 10.10.6.253). 

The same thing happens if I run tracert from VLAN 6 to VLAN 3 or VLAN 5.  The packets get to the EX2200 and then time out.  The laptops on each VLAN can ping the switch, so they definitely have connectivity.  The packets get to the default gateway and then don't go anywhere, because RVI isn't working.

Can someone please tell me what I need to change in my config (posted above) to get RVI to work?

I've investigated some more, and all evidence indicates that the routing table config is correct.  The problem seems to be that the EX2200 switch cannot ping the clients that are connected to it, even though the clients can ping the switch.

The clients were getting addresses from DHCP on the EX2200.  As an experiment, I set a desktop to a static IP on 10.10.5.1 on vlan.5.  That desktop on 10.10.5.1 can ping the switch on 10.10.5.253, but the switch cannot ping 10.10.5.1.  The desktop does appear in the switch's arp table.

Does anybody know why the switch cannot ping physical clients that are directly connected?

show arp
MAC Address       Address         Name                      Interface           Flags
3c:97:0e:2f:4e:a4 10.10.3.1       10.10.3.1                 vlan.3              none
44:37:e6:0b:59:3d 10.10.5.1       10.10.5.1                 vlan.5              none

ping 10.10.5.1
PING 10.10.5.1 (10.10.5.1): 56 data bytes
^C
--- 10.10.5.1 ping statistics ---
15 packets transmitted, 0 packets received, 100% packet loss

2 dumb questions:

1) what are the client OS's?

2) if connect 2 clients on the same VLAN, can they ping each other?

Relating to Q1, if WIn7/8 is the answer, by default ping (reply) is blocked in local firewall rules...this one drove me crazy years ago...still gets me sometimes when I bring up a new Win7 client...also true for W2K8/W2K8-R2.

hth...Jeff

Thanks, Jeff.  This fixed it!