VLANs layer 3 switch question

I have 2 PCs connected to a layer 3 switch. First PC in vlan 5 and second PC in vlan 10. The default gateway for these PCs are the vlan interfaces on the layer 3 switch. I did not configure any inter vlan routing, I don't even have ip routing enabled on the layer 3 switch. My question is this. I can ping from PC vlan 5 to its default gateway on the switch, but I can also ping the default gateway of the other VLAN (10). I cannot ping the PC in vlan 10, obviously. Why am I able to ping from PC5 the default gateway of a totally different vlan? I thought I needed routing to do that. I'm really confused. As I said, i don't have ip routing enabled on the switch.

Find more posts tagged with

Comments

networkfuzz

Can you paste the running-config here?

Harry Roles

If IP routing is OFF on the switch, then it behaves like a normal host which means you won't be able to get pass your local network from any of the PCs. If routing was ON, then the switch would move the frame between the SVIs and the ping would succeed.

Harry Roles

I just noticed you said you can do it - are you sure there is no "ip default-gateway" command in place and "no ip routing" shows up in the config? If you say "no" to both, it may be a bug on your virtual switch.

diffie

This was simple enough to lab and I had never really thought about this nor tried it until now.

I duplicated your topology and achieved the same results on a 3560, ip routing was disabled and a default gateway had not been set.

Switch#show ip route
Default gateway is not set

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty

Playing with this, ended up being a reminder of what the purpose of a SVI is, to assign an entire VLAN on a switch to a logical Layer 3 IP address, to assist with the routing of traffic in and out of a VLAN.

Since it’s layer 3, and references every device/port within the VLAN, some additional processing would be needed to determine which specific device the traffic is intended for and if it’s allowed. (i.e. routing/encapsulation/decapsulation). When the Host first pings the other SVI default gateway, the switch send the traffic to it's own default gateway. From there, the switch recognizes it knows how to get to the other subnet since a SVI is assigned to it, so it responds back.

How I’m thinking about this now is, a ping to the gateway address is a knock on the front door, no determination is being made to allow the traffic thru the door. The door was merely found, which on the other side are devices in that subnet. Only when the traffic actually go thru the door are IDs (VLANs) checked.

In this scenerio, our ping is actually only asking if the door exists.

jboogie81

My understanding is that an SVI is just a logical vlan interface and does not mean it is a member of the vlan int #. Which is why the switch can ping all its svi's no matter what vlan you intended them to be for. The traffic is not getting blocked until it hits the switchport facing the vlan 10 PC.

diffie

Putting aside the VLAN membership issue, what I found additionally surprising is the fact that the Switch has no problems with the fact the Gateway is in a different subnet.

As a test, I created another SVI, 192.168.1.1, and both PC's could ping that. They could also ping a routed ports IP address.

It does make sense that the switch knows how to get to any logical interface, since the destinations are itself.