Unable to ping gw from host but can from switch when vlan ip is removed

Unanswered Question
Aug 27th, 2009

This is the configuration for my current switch:

Interface  IP-Address      OK? Method Status                Protocol
Vlan1      unassigned      YES unset  administratively down down
Vlan110    172.20.110.100  YES manual up                    up
Vlan111    unassigned      YES manual up                    up
Vlan212    unassigned      YES manual up                    up

ip default-gateway 172.20.110.1





I cannot ping the host from the switch. The host sits on vlan 212 with an IP address of 172.20.212.6.

I can reach the gw (firewall) when I ping it. The gw is 172.20.212.1; the source address is 172.20.110.100.

However, when I give vlan 212 an IP, 172.20.212.236, I can ping the host. However, my pings no longer reach the FW.

Does this make sense?


John Blakley Thu, 08/27/2009 - 09:04

It sounds like it's a L2 switch. Is that correct? If so, the address that's assigned to the vlan is only for management purposes for whatever vlan you want it on. You, although I've never really tried it, probably won't be able to ping across vlans because you can't enable routing on a L2 switch, so you'd need something to route for you.


A good test would be to see if a host, not the switch, in Vlan 110 can ping your host in Vlan 212 without changing the address on the switch. You should have a router with subinterfaces configured or a L3 switch with routing enabled that can route that traffic for you.


HTH,

John

nygenxny123 Thu, 08/27/2009 - 09:12

Well, the default gateway for the switch is 172.20.110.1.

Does all traffic from the switch go to there?

So I would have to look at routing at 172.20.110.1?



John Blakley Thu, 08/27/2009 - 09:19

"does all traffic from the switch go to there?"


Your traffic is going to the default gateway when you try to ping something that's not on the same subnet as your management vlan 110.


But, since I don't know what equipment is routing for your vlans, we'll assume it's a router. You'll need a subinterface that's encapsulating vlan 212 with the same subnet as your host in vlan 212 to route for it.



Something like:

int fa0.212
 encapsulation dot1q 212
 ip address 172.20.212.236 255.255.255.0


HTH,

John


nygenxny123 Thu, 08/27/2009 - 09:53
This just got interesting.

The gateway for the host is 212.1, which is a FW interface.

The gateway for the 3120 switch is 110.1. That is an 1150 CSS LB.

There is a static route on the LB for the 212 network which points to another interface on the FW, 172.20.2.1.

John Blakley Thu, 08/27/2009 - 09:58

Hmmm...can you draw up a topology of what you're working with?

Jon Marshall Thu, 08/27/2009 - 10:14
Richard


Need to see if the firewall has any rules on its interfaces allowing/blocking ICMP.


Obviously when you put an address on the switch in vlan 212 it will be able to ping the host because the CSS and the firewall are completely bypassed.


But with the switch in vlan 110 when you ping the firewall 212.1 it has to go via the CSS. It still works because the CSS has a route to 212.x network.


We also know it is not a firewall issue on the client PC because you can ping it direct when the switch is in vlan 212.


So it would suggest that there may be something happening on the firewall that blocks the return traffic.


What is the firewall and do you have a copy of its config?


Jon

nygenxny123 Thu, 08/27/2009 - 10:51
That's interesting.

Every interface on the FW has an any any permit ICMP statement.

When I ping the FW from the host switch, I see a log event on the FW:

6 Aug 27 2009 16:17:28 172.20.110.4 172.20.212.1 Built ICMP connection for faddr 172.20.110.4/87 gaddr 172.20.212.1/0 laddr 172.20.212.1/0

and the Teardown log.

But I see nothing when looking at the switch.

Also, when the host tries to ping the GW (which is the fw interface), it gets host unreachable.

Jon Marshall Thu, 08/27/2009 - 11:12
Are you sure the IP address and subnet mask on the host are from the same subnet as the FW interface?

Can you ping the host from the firewall?


Jon

nygenxny123 Thu, 08/27/2009 - 11:36
Yeah.

Host: IP 172.20.212.6/24 and I have 172.20.212.1 for gw.

FW: GigabitEthernet0/2.212 172.20.212.1 255.255.255.0



Jon Marshall Thu, 08/27/2009 - 11:50
"yeah" - is this yeah you can ping the host from the firewall, or yeah the subnets/masks are fine?


Jon

nygenxny123 Thu, 08/27/2009 - 11:59
Oops.

I cannot hit the host from the FW, and vice versa.

But all subnets and masks seem fine.

I can, however, ping other vlan interfaces on the same switch from the FW, such as address 172.20.110.4, so there is a "physical" path there.



Jon Marshall Thu, 08/27/2009 - 12:04
Can you post the config of the switch that is connected to the FW and specify which port is connected to the FW?

And can you post the firewall config as well?


Jon

nygenxny123 Thu, 08/27/2009 - 12:47
Jon,

I think I noticed something.

g0/2 is connected to a switch with existing hosts on the 212 subnet. It has a subinterface of 0/2.212 with the IP 172.20.212.1 configured (the gateway for the host we are trying to get to work).

However, this new host is connected to a switch that's connected to a switch which hangs off the FW port g0/0. And on this there are only subinterfaces 0/0.151 and 0/0.152, with the IP 172.20.2.1 255.255.255.248 configured on the 0.151 subinterface (which happens to be the next hop the CSS was sending traffic to) and 172.20.2.9 /248 on the .152 subinterface.

Will this even work?
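The layout in the post above can be checked mechanically: the host's gateway must be an address the firewall owns on a subinterface that carries the host's VLAN on the physical port the host's frames actually arrive on, otherwise the host's ARP for the gateway is never answered and it reports "host unreachable". The following is an added example, not code from the thread or from Cisco; the interface names and addresses come from the posts, the host's attachment to g0/0 is the OP's own observation, and the 255.255.255.248 masks are written as /29.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubIf:
    port: str   # physical firewall port the dot1Q subinterface hangs off
    vlan: int   # dot1Q tag carried on that port
    addr: str   # interface address in CIDR form


@dataclass(frozen=True)
class Host:
    port: str      # firewall port the host's switched path ends on
    vlan: int      # VLAN the host's frames are tagged with
    addr: str      # host address in CIDR form
    gateway: str   # configured default gateway


# Firewall subinterfaces as described in the thread (255.255.255.248 == /29).
FW_SUBIFS = [
    SubIf("g0/2", 212, "172.20.212.1/24"),  # GigabitEthernet0/2.212
    SubIf("g0/0", 151, "172.20.2.1/29"),    # 0/0.151, the CSS next hop
    SubIf("g0/0", 152, "172.20.2.9/29"),    # 0/0.152
]


def gateway_reachable(host, subifs):
    """Return (ok, reason): can the host resolve and reach its gateway at L2?"""
    gw = ipaddress.ip_address(host.gateway)
    host_net = ipaddress.ip_interface(host.addr).network
    if gw not in host_net:
        return False, f"gateway {gw} is outside the host's subnet {host_net}"
    owners = [s for s in subifs if ipaddress.ip_interface(s.addr).ip == gw]
    if not owners:
        return False, f"no firewall subinterface owns {gw}"
    for s in owners:
        if s.port == host.port and s.vlan == host.vlan:
            return True, f"{gw} is on {s.port}.{s.vlan}, same port and VLAN as the host"
    s = owners[0]
    return False, (f"{gw} lives on {s.port}.{s.vlan} but the host's VLAN {host.vlan} "
                   f"arrives on {host.port}, which has no VLAN {host.vlan} subinterface")


if __name__ == "__main__":
    new_host = Host("g0/0", 212, "172.20.212.6/24", "172.20.212.1")
    print(gateway_reachable(new_host, FW_SUBIFS))   # (False, ...) as the OP sees
    moved = Host("g0/2", 212, "172.20.212.6/24", "172.20.212.1")
    print(gateway_reachable(moved, FW_SUBIFS))      # (True, ...) once on the right port
```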



suryakant.chavan Thu, 08/27/2009 - 09:09
From your configuration it is a layer 2 switch.

1> cannot ping the host from the switch

The host sits on vlan 212 with an ip address of 172.20.212.6

In this case the switch takes the vlan 110 IP as the source, and the source IP and the destination (the host) are in different subnets, so routing is required, that is, inter-vlan communication.
