PING TO ACE VLAN INTERFACES

Answered Question
Oct 16th, 2008

Hi,

I am not able to ping the VLAN interfaces defined on the ACE devices unless I am directly connected to the subnet.

I tried options such as defining an access-list and a service-policy. I can ping the servers behind the ACE but I cannot ping the ACE VLAN interface.

I captured the traffic on the ACE. I cannot see any traffic on the interfaces if I ping the VLAN IP address. I can see the traffic if I am pinging the host behind the ACE.

Is there any option available to enable ICMP on the interfaces?

Syed Iftekhar Ahmed Thu, 10/16/2008 - 11:43

In order to ping the VLAN interface you just need a management policy applied to the VLAN interface.

The class-maps used in the management policy define the source addresses from which these management accesses are allowed.

If you can ping the interfaces from locally connected subnets but not from the remote subnets then there could be two reasons:

1. Some routing issue

2. Source IPs in the management class-maps are not defined.

Following is an example of a typical management policy:

#Allow telnet & SSH from these ip addresses
#Allow ICMP from any source
class-map type management match-any MGMT-CLASS
  10 match protocol telnet
  20 match protocol ssh
  30 match protocol icmp any
policy-map type management first-match MGMT-POLICY
  class MGMT-CLASS
    permit
interface vlan 10
  ip address x.x.x.x 255.255.255.0
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 20
  ip address y.y.y.y 255.255.255.0
  service-policy input MGMT-POLICY
  no shutdown

Syed Iftekhar Ahmed
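As an added example (not part of this thread and not Cisco's code), the following Python script audits an ACE-style running-config the way one would check the reply above: it parses the management class-maps, the management policy-maps and each `interface vlan`, then reports which management policy is applied per SVI and from which sources ICMP is admitted. The sample config is constructed, modelled on the snippet above with documentation-range placeholder addresses; the `source-address` form of `match protocol` is assumed from the ACE CLI.

```python
import re

# Constructed sample, modelled on the snippet in the post above; the addresses
# are documentation-range placeholders, not a real deployment.
SAMPLE_CONFIG = """\
class-map type management match-any MGMT-CLASS
  10 match protocol telnet source-address 10.0.0.0 255.255.255.0
  20 match protocol ssh source-address 10.0.0.0 255.255.255.0
  30 match protocol icmp any
policy-map type management first-match MGMT-POLICY
  class MGMT-CLASS
    permit
interface vlan 10
  ip address 192.0.2.1 255.255.255.0
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 20
  ip address 198.51.100.1 255.255.255.0
  no shutdown
"""


def parse_blocks(config):
    """Group lines into (header, [children]) by indentation: a line with no
    leading space opens a block, indented lines belong to the last open block."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def management_classes(blocks):
    """class-map name -> {protocol: source spec} for 'type management' class-maps."""
    classes = {}
    for header, body in blocks:
        m = re.match(r"class-map type management match-\w+ (\S+)$", header)
        if not m:
            continue
        rules = {}
        for line in body:
            r = re.match(r"(?:\d+ )?match protocol (\S+) (.+)$", line)
            if r:
                rules[r.group(1)] = r.group(2)
        classes[m.group(1)] = rules
    return classes


def management_policies(blocks):
    """policy-map name -> class names that are followed by 'permit'."""
    policies = {}
    for header, body in blocks:
        m = re.match(r"policy-map type management first-match (\S+)$", header)
        if not m:
            continue
        permitted, current = [], None
        for line in body:
            c = re.match(r"class (\S+)$", line)
            if c:
                current = c.group(1)
            elif line == "permit" and current:
                permitted.append(current)
        policies[m.group(1)] = permitted
    return policies


def audit_interfaces(config):
    """For each 'interface vlan N' return the management policy applied (or None)
    and the ICMP source specs its permitted class-maps admit."""
    blocks = parse_blocks(config)
    classes = management_classes(blocks)
    policies = management_policies(blocks)
    report = {}
    for header, body in blocks:
        m = re.match(r"interface vlan (\d+)$", header)
        if not m:
            continue
        applied = [line.split()[-1] for line in body
                   if line.startswith("service-policy input ")]
        # Only management policies count; a load-balancing policy does not open the SVI.
        mgmt = [p for p in applied if p in policies]
        icmp_from = [classes.get(c, {}).get("icmp")
                     for p in mgmt for c in policies[p]]
        report[f"vlan {m.group(1)}"] = {
            "policy": mgmt[0] if mgmt else None,
            "icmp_from": [s for s in icmp_from if s],
        }
    return report


def svis_without_icmp(config):
    """VLAN interfaces that no management policy opens for ICMP at all."""
    return sorted(v for v, r in audit_interfaces(config).items() if not r["icmp_from"])


if __name__ == "__main__":
    for vlan, result in audit_interfaces(SAMPLE_CONFIG).items():
        print(vlan, result)
    print("no ICMP:", svis_without_icmp(SAMPLE_CONFIG))
```

On the sample, vlan 10 reports MGMT-POLICY with ICMP from `any`, and vlan 20 is flagged because no management policy is applied to it. Two caveats: `any` as the ICMP source is the broadest setting, so narrowing it to the management subnets is the usual follow-up; and the audit only shows what the policy admits, not the by-design behaviour discussed further down this thread, where an SVI answers only from the VLAN on its own side of the ACE.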

rajesh.perumalla Thu, 10/16/2008 - 15:41

Thanks for your reply.

I don't think this is a routing issue.

I think the ACE is not forwarding any traffic destined to its local interfaces.

I can't telnet/SSH to ACE interfaces if I need to reach them via a different ACE interface.

I can ping the servers which are behind the ACE devices.

SubnetA----Layer3 sw--(SubnetB)-----ACE------SubnetC.

Defined two VLANs in the ACE:

Subnet B (VLAN21) - acting as ACE frontend.

Subnet C (VLAN31) - acting as ACE backend (this will be the gateway for the servers).

ROUTING

In the ACE, the default route will be the interface 21 IP address defined on the Layer 3 switch.

A static route is defined on the Layer 3 switch pointing to VLAN21 ip address defined on the ACE for the subnet C.

I can ping the servers behind the ACE (Subnet C) but not the IP address defined on the ACE for the interface vlan 31,

and also

I can ping the host in subnet A from the servers but not the IP address defined on the ACE for the interface vlan 21.

Subnet B: network behind the ACE with the ACE as gateway.

Correct Answer
Syed Iftekhar Ahmed Thu, 10/16/2008 - 21:15

The ACE does not allow pings from an interface on a VLAN on one side of the ACE through the module to an interface on a different VLAN on the other side of the module.

For example, a host on VLAN 21 can ping the ACE's VLAN 21 interface IP address

but cannot ping IP addresses configured on VLAN 31 on the ACE.

Simply put, it's by design that you cannot ping an interface on the opposite side from the one on which the ICMP request is received.

HTH

Syed Iftekhar Ahmed

rhgtyink Sat, 03/12/2011 - 09:30

Sorry for dragging up an old thread but we recently bought 4710s and are running into the same issue.

If you had used a "normal" router you would be able to ping the server-side VLAN interface and VRRP IP from a completely different subnet that happens to be routed through the client-side VLAN.

Having out-of-the-box security is good, but not giving the user control to determine if they wish to allow it is bad in my opinion :-(

Where can we file an enhancement request to get this feature user configurable?

I'd like to monitor the server-side VLAN + VRRP IP for availability from my management stations just like we could with the previous CSS11503s in a redundant interface setup.

Kind Regards,

Ronny
