Join Log in
Score:0
avatar Server

Issues with VLANs on Linux. Can ping hosts in other VLAN

cn flag
jsplat_

When I configure an ip address on a vlan interface from another vlan subnet, I can reach that other vlan subnet. But it should not be reachable.

For example:

  • On the switch, the port is configured as tagged with vlan id 500 only
  • On the Linux box the interface eth0.500 with ip address 192.168.10.30/24 can ping hosts in subnet 192.168.10.0/24, but those hosts are in vlan 3000

I can't figure out what I'm doing wrong. Can you help me troubleshoot this, please?

There is an error on the Linux box:

kernel: received packet on eth0.3000 with own address as source address (addr: f4:03:43:ba:ca:c1 vlan:0)

STP is disabled on both the switch and the Linux box.

What I've tried:

  • rp_filter=1 - no effect
  • arp_ignore=1 or 2 - no effect
  • arp_filter=1 - no effect

It doesn't matter if it's a normal interface or bond or bridge, the behavior is the same.

There is no errors on the Switch.

No default route is set both on the switch and the Linux box.

In Wireshark when capturing traffic on eth0 there is a vlan tag = 500 on the packets.

Thank you!

EDIT 1: Routing table on Linux box:

192.168.10.0/24 dev eth0.500 proto kernel scope link src 192.168.10.30

EDIT 2: Diagram diag1

EDIT 3: tracepath and ping

tracepath 192.168.10.31
1?: [LOCALHOST]  pmtu 1500
1:  ??? 0.714ms !H
1:  ??? 0.516ms !H
    Resume: pmtu 1500

ping -c 2 192.168.10.31
PING 192.168.10.31 (192.168.10.31) 56(84) bytes of data.
64 bytes from 192.168.10.31: icmp_seq=1 ttl=64 time=0.230 ms
64 bytes from 192.168.10.31: icmp_seq=2 ttl=64 time=0.197 ms

--- 192.168.10.31 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1059ms

rtt min/avg/max/mdev = 0.197/0.213/0.230/0.016 ms

EDIT 4: ip addresses

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f4:03:43:ba:ca:c1 brd ff:ff:ff:ff:ff:ff
3: eth0.500@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f4:03:43:ba:ca:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.30/24 scope global eth0.500@eth0
       valid_lft forever preferred_lft forever
4: eth0.3000@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f4:03:43:ba:ca:c1 brd ff:ff:ff:ff:ff:ff
204
0 + 0
in flag
Gerald Schneider
Are the packages routed somewhere else?
0
Reply
eKKiM avatar
lr flag
eKKiM
Can you add the routing table?
0
Reply
cn flag
jsplat_
Default route not set on Linux box, and no additional routes as well. The Switch is Mellanox SN2010M, on this switch routing is enabled, but only management interface in use, even no ip addresses on VLAN interfaces. Can it be Cisco ASA with same-security-traffic permit intra-interface enabled?
0
Reply
cn flag
jsplat_
@eKKiM added at the end of post
0
Reply
eKKiM avatar
lr flag
eKKiM
Do the other hosts in 192.168.10.0/24 in vlan 3000 show up in your ARP table? Maybe a small diagram with the hosts, switch and Cisco ASA could be helpfull too!
0
Reply
vidarlo avatar
ar flag
vidarlo
`eth0.500 with ip address 192.168.10.30/24 can ping hosts in subnet 192.168.10.0/24` - 10.0/24 ***is*** the ***same*** subnet as 10.0/24. What does `tracepath` show?
0
Reply
cn flag
jsplat_
@eKKiM diagram at the end of post, in arp table i can see other hosts if i ping or ssh into them.
0
Reply
cn flag
jsplat_
@vidarlo the problem is that i can reach other hosts in different vlan with same subnet, so i can configure ip address from subnet in vlan 3000 on interface with vlan 500 and reach subnet in vlan 3000. tracepath at the end.
1
Reply
eKKiM avatar
lr flag
eKKiM
Do you have anything configured on eth0.3000? Eventually add the output of ip addr? I also have a feeling there could be other routes on the routing table for the other NICs?
0
Reply
cn flag
jsplat_
@eKKiM ip addrs in last edit. Routing table in the edit 1, there is no other routes.
0
Reply
eKKiM avatar
lr flag
eKKiM
Can you ping the host using the following command?: ping -c 2 192.168.10.31 -I eth0.500 Also if you remove vlan 3000 from the host can you still reach the other machines? Also lets move to chat to avoid spamming the comments: https://chat.stackexchange.com/rooms/131659/issues-with-vlans-on-linux-can-ping-hosts-in-other-vlan
0
Reply
cn flag
jsplat_
@eKKiM i can reach other hosts with or without eth0.3000 interface on the host with your command. Can't answer you in the chat because of low reputation, sorry.
0
Reply
cn flag
jsplat_
@eKKiM Is the MAC address in the ARP table the remote machine MAC or some router/switch MAC? Yes, MAC address of the host is present in arp table on remote machine
0
Reply
cn flag
jsplat_
@eKKiM Do you bridge the VLAN's on the switch? What do you mean? VLAN mapping or Q-in-Q? No, i'm not using any of this.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.