
This is a Packet Tracer lab from Keith Barker's website with minor modifications. It is intended to show how we can give the network 10.10.0.0/24 access to the Web Server 23.1.2.2/24 using NAT.

The MLSs and Routers have OSPF enabled.

Two VLANs are configured: VLAN10 (10.10.0.0 /24) and VLAN20 (10.20.0.0).

The Edge Router advertises its default route after applying:

default-information originate.

The Running Configurations of MLSs and Routers are attached along with routing tables.

The thing:

While I was preparing to configure NAT on the Edge Router, I pinged the web server 23.1.2.2 from PC1 10.10.0.10 and traced the ICMP packet in the simulation mode to make sure that the packet would get to the Web server and would not be able to get back to PC1 as no Gateway was configured on the Web server and no NAT is configured on the Edge Router.

I tried this many times.

Here is what happens step by step:

The ICMP packet goes from PC1 to access1 switch and from there to the MLS2 which sends it to the edge switch.

Here, I expect that the edge switch will pass the ICMP packet to the edge router, but it doesn't and it sends it to the MLS1 instead. ??!!!!

From there, MLS1 broadcasts the ICMP packet back to both the access1 switch, which drops the packet, and the edge switch, which this time passes the packet to the edge router.

My question is: Why doesn't the edge switch pass the packet to the edge router the first time it gets it from MLS2? Am I missing something?

I did a lot of searching, reading, and labbing to get the answer, with no luck.

I believe that understanding such details well is crucial for a well-established Network Engineer. I hope I will find the answer here, and thanks in advance to all the contributors.

And here is the lab file for those who like to see it live by themselves.


Edge Router Running Config:

edge-router#sh run
Building configuration...

Current configuration : 1060 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname edge-router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX15241ZV6-
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 23.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.20.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 40.25.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.0.0.0 0.255.255.255 area 0
 network 40.25.0.0 0.0.0.255 area 0
 default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 23.1.2.254 
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 privilege level 15
!
line aux 0
!
line vty 0 4
 login
!
!
!
end


edge-router#
edge-router#

Edge Router Routing Table:

edge-router#sh ip route

Gateway of last resort is 23.1.2.254 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       10.10.0.0/24 [110/11] via 10.20.0.11, 00:29:10, GigabitEthernet0/1
                     [110/11] via 10.20.0.22, 00:29:10, GigabitEthernet0/1
C       10.20.0.0/24 is directly connected, GigabitEthernet0/1
L       10.20.0.1/32 is directly connected, GigabitEthernet0/1
     23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       23.1.2.0/24 is directly connected, GigabitEthernet0/0
L       23.1.2.1/32 is directly connected, GigabitEthernet0/0
     40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       40.25.0.0/24 is directly connected, GigabitEthernet0/2
L       40.25.0.1/32 is directly connected, GigabitEthernet0/2
S*   0.0.0.0/0 [1/0] via 23.1.2.254

edge-router#

Running configuration of MLS2:

MLS2#sh run
Building configuration...

Current configuration : 1752 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname MLS2
!
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
!
!
!
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 mac-address 0000.0cb0.0601
 ip address 10.10.0.22 255.255.255.0
 standby 1 ip 10.10.0.3
!
interface Vlan20
 mac-address 0000.0cb0.0602
 ip address 10.20.0.22 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 privilege level 15
!
line aux 0
!
line vty 0 4
 login
!
!
!
!
end


MLS2#

Routing Table of MLS2:

MLS2#sh ip route

Gateway of last resort is 10.20.0.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.10.0.0 is directly connected, Vlan10
C       10.20.0.0 is directly connected, Vlan20
     40.0.0.0/24 is subnetted, 1 subnets
O       40.25.0.0 [110/11] via 10.20.0.1, 00:29:05, Vlan20
O*E2 0.0.0.0/0 [110/1] via 10.20.0.1, 00:29:05, Vlan20

MLS2#

MLS1 Running Configuration:

MLS1#sh run
Building configuration...

Current configuration : 1795 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname MLS1
!
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
!
!
!
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 mac-address 0007.ec77.3601
 ip address 10.10.0.11 255.255.255.0
 standby 1 ip 10.10.0.3
 standby 1 priority 105
 standby 1 preempt
!
interface Vlan20
 mac-address 0007.ec77.3602
 ip address 10.20.0.11 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 privilege level 15
!
line aux 0
!
line vty 0 4
 login
!
!
!
!
end


MLS1#

MLS1 Routing Table:

MLS1#sh ip route

Gateway of last resort is 10.20.0.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.10.0.0 is directly connected, Vlan10
C       10.20.0.0 is directly connected, Vlan20
     40.0.0.0/24 is subnetted, 1 subnets
O       40.25.0.0 [110/11] via 10.20.0.1, 00:29:15, Vlan20
O*E2 0.0.0.0/0 [110/1] via 10.20.0.1, 00:29:15, Vlan20

MLS1#

1 Answer

We're missing a bunch of output here, but here is a working theory:

PC1 (which is in VLAN 10) has a default gateway of 10.10.0.11 (MLS1). Due to Per-VLAN Spanning Tree Protocol (PVSTP+) blocking the Gig0/1 port on the access switch and the Gig0/2 port of MLS1, this results in MLS2 forwarding the packet from PC1 to the edge switch. The edge switch then forwards the frame to MLS1 through the trunk link (on its Fa0/1 port). Note that, so far, only the frame's destination MAC address has been used to make forwarding decisions. The frame is still in VLAN 10.

After MLS1 receives the frame for 23.1.2.2, it looks into its routing table and realizes that the next hop to reach 23.1.2.2 is 10.20.0.1 (which happens to be in VLAN 20, but this is irrelevant at this point). This is the first time any router/switch examined the destination IP address.

MLS1 sends a new frame with a destination MAC address of whatever the MAC address of Gig0/1 of the edge router is. Since neither MLS1 nor the edge switch knows the whereabouts of the router's MAC address, they flood the frame out all their ports.

From your description, this seems like a non-issue. MLS1 is acting as a Router-on-a-Stick, as it is supposed to. It is routing between VLAN 10 and VLAN 20. The flow of frames as you describe is typical of unknown unicast traffic flow.

And you got a downvote because your question is out of scope for this sub-Stack Exchange.
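The answer's point is that a switch forwards on destination MAC only, learns from source MACs, and floods a unicast frame whose destination it has not learned yet. The following model, added here and not part of the question or answer, replays the edge switch's view of the VLAN 20 frame MLS1 builds for the edge router: the first copy is flooded, the router's reply teaches the switch the port, and the next copy goes out a single port. The MLS1 Vlan20 MAC is taken from the posted config; the port names other than Fa0/1 and the router MAC are constructed for the simulation.

```python
# Added example: per-VLAN MAC learning and unknown-unicast flooding, as a
# minimal transparent-bridge model. Not code from the question or the answer.

class LearningSwitch:
    """Learns (vlan, src_mac) -> ingress port; floods unknown unicast/broadcast."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.mac_table = {}  # (vlan, mac) -> port

    def forward(self, in_port, vlan, src_mac, dst_mac):
        """Return the egress port list for one frame, learning the source first."""
        # Every frame teaches the switch where its *sender* lives; it still
        # knows nothing about a destination it has never heard from.
        self.mac_table[(vlan, src_mac)] = in_port
        out = self.mac_table.get((vlan, dst_mac))
        if out is None or dst_mac == "ffff.ffff.ffff":
            # Unknown unicast or broadcast: flood out every port except ingress.
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def edge_switch_scenario():
    """Replay the edge switch handling MLS1's routed frame toward the router."""
    # Fa0/1 is the trunk to MLS1 (from the answer); Gi0/1 (to the edge router)
    # and Gi0/2 (to MLS2) are constructed port names for this model.
    sw = LearningSwitch("edge-switch", ["Fa0/1", "Gi0/1", "Gi0/2"])
    mls1_vlan20 = "0007.ec77.3602"   # MLS1 Vlan20 SVI MAC from the posted config
    router_gi01 = "aaaa.bbbb.0001"   # constructed stand-in for edge router Gig0/1

    # 1) MLS1 -> router: the router's MAC was never seen in VLAN 20, so the
    #    frame is flooded to both remaining ports (this is the "extra" copy
    #    the question observes).
    first = sw.forward("Fa0/1", 20, mls1_vlan20, router_gi01)
    # 2) The router answers (ARP reply / ICMP) on Gi0/1; the switch learns it.
    reply = sw.forward("Gi0/1", 20, router_gi01, mls1_vlan20)
    # 3) The next MLS1 -> router frame is a known unicast: one egress port.
    second = sw.forward("Fa0/1", 20, mls1_vlan20, router_gi01)
    return first, reply, second


def vlan_tables_are_separate():
    """A MAC learned in VLAN 20 does not answer a lookup in VLAN 10."""
    sw = LearningSwitch("edge-switch", ["Fa0/1", "Gi0/1", "Gi0/2"])
    sw.forward("Gi0/1", 20, "aaaa.bbbb.0001", "ffff.ffff.ffff")
    # Same destination MAC, different VLAN: still unknown, still flooded.
    return sw.forward("Fa0/1", 10, "0007.ec77.3601", "aaaa.bbbb.0001")
```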

  • The default gateway on PC1 is 10.10.0.3, but I got your point and it is consistent with what I found out.
    – Shadi
    Commented Apr 8 at 9:42
  • It seems that I have to delete this question. Before I do, I would appreciate it if you tell me why it is off-topic.
    – Shadi
    Commented Apr 10 at 20:05
  • I am not a moderator, but my understanding is that this question is about education, not about an enterprise network. You are running this in Packet Tracer, which is educational software, and not on actual equipment, and you are learning/practicing using Keith Barker's educational exercises. At What Topics can I ask about here?, you can see that this question is off topic. And it does not meet the On-Topic criteria.
    Commented Apr 11 at 19:46
