Unable to ping gw from host but can from switch when vlan ip is removed

Unanswered Question
Aug 27th, 2009

This is the configuration for my current switch:

Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES unset  administratively down down
Vlan110                172.20.110.100  YES manual up                    up
Vlan111                unassigned      YES manual up                    up
Vlan212                unassigned      YES manual up                    up

ip default-gateway 172.20.110.1

I cannot ping the host from the switch.

The host sits on vlan 212 with an ip address of 172.20.212.6.

I can reach the gw (firewall) when I ping it. The gw is 172.20.212.1. Source address of 172.20.110.100.

However, when I give vlan 212 an IP, 172.20.212.236, I can ping the host. However my pings no longer reach the FW.

Does this make sense?

John Blakley Thu, 08/27/2009 - 09:04

It sounds like it's a L2 switch. Is that correct? If so, the address that's assigned to the vlan is only for management purposes for whatever vlan you want it on. You, although I've never really tried it, probably won't be able to ping across vlans because you can't enable routing on a L2 switch, so you'd need something to route for you.

A good test would be to see if a host, not the switch, in Vlan 110 can ping your host in Vlan 212 without changing the address on the switch. You should have a router with subinterfaces configured or a L3 switch with routing enabled that can route that traffic for you.

HTH,

John

nygenxny123 Thu, 08/27/2009 - 09:12

Well, the default gateway for the switch is:

Default gateway is 172.20.110.1

Does all traffic from the switch go to there?

So I would have to look at routing at 172.20.110.1?

John Blakley Thu, 08/27/2009 - 09:19

"does all traffic from the switch go to there?"

Your traffic is going to the default gateway when you try to ping something that's not on the same subnet as your management vlan 110.

But, since I don't know what equipment is routing for your vlans, we'll assume it's a router. You'll need a subinterface that's encapsulating vlan 212 with the same subnet as your host in vlan 212 to route for it.

Something like:

int fa0.212
 encapsulation dot1q 212
 ip address 172.20.212.236 255.255.255.0

HTH,

John

nygenxny123 Thu, 08/27/2009 - 09:53

This just got interesting.

The gateway for the host is 212.1, which is a FW interface.

The gateway for the 3120 switch is 110.1. That is an 1150 CSS LB.

There is a static route on the LB for the 212 network which points to another interface on the FW, 172.20.2.1.

Jon Marshall Thu, 08/27/2009 - 10:14

Richard,

Need to see if the firewall has any rules on its interfaces allowing/blocking ICMP.

Obviously when you put an address on the switch in vlan 212 it will be able to ping the host because the CSS and the firewall are completely bypassed.

But with the switch in vlan 110, when you ping the firewall 212.1 it has to go via the CSS. It still works because the CSS has a route to the 212.x network.

We also know it is not a firewall issue on the client PC because you can ping it direct when the switch is in vlan 212.

So it would suggest that there may be something happening on the firewall that blocks the return traffic.

What is the firewall and do you have a copy of its config?

Jon

nygenxny123 Thu, 08/27/2009 - 10:51

That's interesting.

Every interface on the FW has an any any permit ICMP statement.

When I ping the FW from the host switch, I see a log event on the FW:

6 Aug 27 2009 16:17:28 172.20.110.4 172.20.212.1 Built ICMP connection for faddr 172.20.110.4/87 gaddr 172.20.212.1/0 laddr 172.20.212.1/0

and the Teardown log.

But I see nothing when looking at the switch.

Also, when the host tries to ping the GW (which is the fw interface) it gets host unreachable.

Jon Marshall Thu, 08/27/2009 - 11:12

Are you sure the IP address and subnet mask on the host are from the same subnet as the FW interface?

Can you ping the host from the firewall ?

Jon

nygenxny123 Thu, 08/27/2009 - 11:36

Yeah.

Host: IP 172.20.212.6/24 and I have 172.20.212.1 for gw.

FW: GigabitEthernet0/2.212 172.20.212.1 255.255.255.0

Jon Marshall Thu, 08/27/2009 - 11:50

"yeah" - is this yeah you can ping the host from the firewall or yeah the subnet/masks are fine.

Jon

nygenxny123 Thu, 08/27/2009 - 11:59

Oops.

I cannot hit the host from the FW, and vice versa.

But all subnets and masks seem fine.

I can, however, ping other vlan interfaces on the same switch from the FW, such as address 172.20.110.4, so there is a "physical" path there.

Jon Marshall Thu, 08/27/2009 - 12:04

Can you post config of switch that is connected to FW and specify which port is connected to the FW.

And can you post firewall config as well.

Jon

nygenxny123 Thu, 08/27/2009 - 12:47

Jon,

I think I noticed something.

g0/2 is connected to a switch with existing hosts on the 212 subnet. It has a subinterface of 0/2.212 with the IP of 172.20.212.1 conf (the gateway for the host we are trying to get to work).

However, this new host is connected to a switch that's connected to a switch which hangs off the FW port g0/0. And on this there are only subinterfaces 0/0.151 and 0/0.152, with the IP 172.20.2.1 255.255.255.248 configured on the 0.151 subinterface (which happens to be the next hop the CSS was sending traffic to) and 172.20.2.9 /248 on the .152 subinterface.

Will this even work?

suryakant.chavan Thu, 08/27/2009 - 09:09

From your configuration it is a layer 2 switch.

1> Cannot ping the host from the switch.

The host sits on vlan 212 with an ip address of 172.20.212.6.

In this case the switch takes the vlan 110 ip as source, and the source ip and the destination (that is, the host) are in different subnets, so routing is required, that is, inter-vlan communication.
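As an added example (not posted by anyone in the thread), a small Python model of the topology the posters describe: the FW subinterfaces, the CSS static route, and a check of which FW subinterface, if any, would answer a frame arriving with a given dot1q tag on a given port. Port and VLAN assignments are taken from the last post; the CSS's own address on the 172.20.2.0/29 link is not given in the thread, so the model never needs it.

```python
import ipaddress

# Constructed model of the thread's topology: FW subinterfaces and the CSS static
# route are the posted ones; which FW port each switch hangs off is as the last
# post describes it. Names (g0/0.151 etc.) are the poster's.
FW_SUBIFS = {                                  # (port, dot1q tag) -> (name, address)
    ("g0/2", 212): ("g0/2.212", "172.20.212.1/24"),
    ("g0/0", 151): ("g0/0.151", "172.20.2.1/29"),
    ("g0/0", 152): ("g0/0.152", "172.20.2.9/29"),
}
FW_ADDRS = {str(ipaddress.ip_interface(a).ip) for _, a in FW_SUBIFS.values()}

# CSS (the switch's default gateway): connected subnet plus the static route mentioned.
CSS_ROUTES = {
    ipaddress.ip_network("172.20.110.0/24"): None,
    ipaddress.ip_network("172.20.212.0/24"): ipaddress.ip_address("172.20.2.1"),
}

def lpm(routes, dst):
    """Longest-prefix match: (network, next_hop) or None if no route covers dst."""
    dst = ipaddress.ip_address(dst)
    cands = [n for n in routes if dst in n]
    if not cands:
        return None
    net = max(cands, key=lambda n: n.prefixlen)
    return net, routes[net]

def fw_ingress(port, vlan, src):
    """Subinterface that would answer a frame tagged `vlan` on `port` from `src`,
    or None: no subinterface for that tag, or src outside its subnet, means the
    FW never ARP-replies and the host sees 'host unreachable'."""
    sub = FW_SUBIFS.get((port, vlan))
    if sub and ipaddress.ip_address(src) in ipaddress.ip_interface(sub[1]).network:
        return sub[0]
    return None

def switch_ping(src, dst, gw="172.20.110.1"):
    """Path of a ping sourced from the L2 switch's management SVI in VLAN 110.
    The switch only ever hands off-subnet traffic to its default gateway."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network("172.20.110.0/24"):
        return ["same subnet: direct ARP"]
    hops = [f"default gateway {gw} (CSS)"]
    route = lpm(CSS_ROUTES, dst)
    if route is None:
        return hops + ["CSS: no route"]
    hops.append(f"CSS: {route[0]} via {route[1]}")
    if dst in FW_ADDRS:
        hops.append("FW: destination is a local address, ICMP reply built")
    return hops
```

Running `fw_ingress("g0/0", 212, "172.20.212.6")` returns None, while the same host behind g0/2 would land on g0/2.212; `switch_ping("172.20.110.100", "172.20.212.1")` reaches the FW through the CSS route to 172.20.2.1, which is why the management ping works while the host's does not.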
