10-16-2008 04:05 AM
Hi,
I am not able to ping the VLAN interfaces defined on the ACE devices unless directly connected to the subnet.
I tried options - defining access-list, service-policy. I can ping the servers behind the ACE but I can't ping the ACE VLAN interface.
I captured the traffic on the ACE. I can't see any traffic on the interfaces if I ping the VLAN IP address. I can see the traffic if I am pinging the host behind the ACE.
Is there any option available to enable ICMP on the interfaces?
10-16-2008 09:15 PM
The ACE does not allow pings from an interface on a VLAN on one side of the ACE through the module to an interface on a different VLAN on the other side of the module.
For example, a host on VLAN 21 can ping the ACE's VLAN 21 interface IP address but cannot ping IP addresses configured on VLAN 31 on the ACE.
Simply put, it's by design that you cannot ping an interface on the opposite side from the one the ICMP request is received on.
HTH
Syed Iftekhar Ahmed
10-16-2008 11:43 AM
In order to ping the VLAN interface you just need a management policy applied to the VLAN interface.
Class-maps used in the management policy define the source addresses from where these management accesses are allowed.
If you can ping the interfaces from locally connected subnets but not from the remote subnets then there could be 2 reasons.
1. Some routing issues
2. Source IPs in management class-maps are not defined.
Following is an example of a typical management policy:
#Allow telnet & SSH from these ip addresses
#Allow ICMP from any source
class-map type management match-any MGMT-CLASS
  10 match protocol telnet
  20 match protocol ssh
  30 match protocol icmp any

policy-map type management first-match MGMT-POLICY
  class MGMT-CLASS
    permit

interface vlan 10
  ip address x.x.x.x 255.255.255.0
  service-policy input MGMT-POLICY
  no shutdown

interface vlan 20
  ip address y.y.y.y 255.255.255.0
  service-policy input MGMT-POLICY
  no shutdown
Syed Iftekhar Ahmed
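An added example, not part of the original post: a small Python audit that reads a configuration in the syntax shown above and reports, per VLAN interface, which management protocols the interface accepts and from which sources, so an "icmp any" entry or an interface with no management policy is easy to spot. The sample configuration, its documentation-range addresses and the function name audit are constructed for illustration; the "source-address" form is assumed from ACE's management class-map syntax.

```python
import re

# Constructed sample in the syntax of the post; addresses are documentation ranges.
SAMPLE = """\
class-map type management match-any MGMT-CLASS
  10 match protocol telnet source-address 192.0.2.0 255.255.255.0
  20 match protocol ssh source-address 192.0.2.0 255.255.255.0
  30 match protocol icmp any
policy-map type management first-match MGMT-POLICY
  class MGMT-CLASS
    permit
interface vlan 10
  ip address 198.51.100.1 255.255.255.0
  service-policy input MGMT-POLICY
interface vlan 20
  ip address 203.0.113.1 255.255.255.0
"""

def audit(config):
    """Return {vlan: {protocol: [sources]}} of management traffic each VLAN interface accepts."""
    classes, policies, ifaces = {}, {}, {}
    kind = name = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"(class-map|policy-map) type management \S+ (\S+)", line):
            kind, name, cls = m.group(1), m.group(2), None
            (classes if kind == "class-map" else policies)[name] = []
        elif m := re.match(r"interface vlan (\d+)", line):
            kind, name = "iface", int(m.group(1))
            ifaces[name] = []
        elif re.match(r"(class-map|policy-map|interface) ", line):
            kind = None  # some other section (e.g. a load-balancing policy): ignore its lines
        elif kind == "class-map" and (m := re.match(r"(?:\d+ )?match protocol (\S+)\s*(.*)", line)):
            classes[name].append((m.group(1), m.group(2).replace("source-address ", "") or "unspecified"))
        elif kind == "policy-map" and (m := re.match(r"class (\S+)", line)):
            cls = m.group(1)
        elif kind == "policy-map" and line == "permit" and cls:
            policies[name].append(cls)
        elif kind == "iface" and (m := re.match(r"service-policy input (\S+)", line)):
            ifaces[name].append(m.group(1))
    report = {}
    for vlan, pols in ifaces.items():
        report[vlan] = {}
        for c in (c for p in pols for c in policies.get(p, [])):
            for proto, src in classes.get(c, []):
                report[vlan].setdefault(proto, []).append(src)
    return report

if __name__ == "__main__":
    for vlan, allowed in audit(SAMPLE).items():
        print(f"vlan {vlan}:", allowed or "no management policy applied")
```

An empty result for a VLAN means no management policy is bound to it; "any" as a source marks a protocol that is open to every address that can reach the interface.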
10-16-2008 03:41 PM
Thanks for your reply.
I don't think this is a routing issue.
I think the ACE is not forwarding any traffic destined to its local interfaces.
I can't telnet/ssh to ACE interfaces if they need to reach them via different ACE interfaces.
I can ping the servers which are behind the ACE devices.
SubnetA----Layer3 sw--(SubnetB)-----ACE------SubnetC
Defined two VLANs in the ACE -
Subnet B(VLAN21) - Acting as ACE frontend.
Subnet C(VLAN31) - Acting as ACE Backend.(This will be gateway for the servers)
ROUTING
In Ace - the default route will be the interface 21 ip address defined on the Layer 3 switch.
A static route is defined on the Layer 3 switch pointing to VLAN21 ip address defined on the ACE for the subnet C.
I can ping the servers behind the ACE(Subnet C) but not the ip address defined on the ACE for the interface vlan 31.
and also
I can ping the host in subnet A from the servers but not the ip address defined on the ACE for the interface vlan 21.
Subnet B : Network behind the ACE with Gateway as ACE.
03-12-2011 09:30 AM
Sorry for dragging up an old thread but we recently bought 4710's and are running into the same issue.
If you would have used a "normal" router you would be able to ping the server-side VLAN interface and VRRP IP from a completely different subnet that happens to be routed through the client-side VLAN.
Having out-of-the-box security is good, but not giving user control to determine if they wish to allow it is bad in my opinion :-(
Where can we file an enhancement request to get this feature user configurable?
I'd like to monitor the server-side vlan + vrrp ip for availability from my management stations just like we could with the previous CSS11503's in redundant interface setup.
Kind Regards,
Ronny