08-27-2009 08:44 AM - edited 03-04-2019 05:52 AM
This is the configuration for my current switch:
Interface   IP-Address      OK? Method Status                Protocol
Vlan1       unassigned      YES unset  administratively down down
Vlan110     172.20.110.100  YES manual up                    up
Vlan111     unassigned      YES manual up                    up
Vlan212     unassigned      YES manual up                    up
ip default-gateway 172.20.110.1
I cannot ping the host from the switch.
The host sits on VLAN 212 with an IP address of 172.20.212.6.
I can reach the GW (firewall) when I ping it. The GW is 172.20.212.1.
Source address of 172.20.110.100.
However, when I give VLAN 212 an IP of 172.20.212.236,
I can ping the host.
However, my pings no longer reach the FW.
Does this make sense?
08-27-2009 09:04 AM
It sounds like it's an L2 switch. Is that correct? If so, the address that's assigned to the VLAN is only for management purposes for whatever VLAN you want it on. You, although I've never really tried it, probably won't be able to ping across VLANs because you can't enable routing on an L2 switch, so you'd need something to route for you.
A good test would be to see if a host, not the switch, in Vlan 110 can ping your host in Vlan 212 without changing the address on the switch. You should have a router with subinterfaces configured or a L3 switch with routing enabled that can route that traffic for you.
HTH,
John
08-27-2009 09:12 AM
Well, the default gateway for the switch is:
Default gateway is 172.20.110.1
Does all traffic from the switch go to there?
So I would have to look at routing at 172.20.110.1?
08-27-2009 09:19 AM
"does all traffic from the switch go to there?"
Your traffic is going to the default gateway when you try to ping something that's not on the same subnet as your management VLAN 110.
But, since I don't know what equipment is routing for your vlans, we'll assume it's a router. You'll need a subinterface that's encapsulating vlan 212 with the same subnet as your host in vlan 212 to route for it.
Something like:
int fa0.212
encapsulation dot1q 212
ip address 172.20.212.236 255.255.255.0
HTH,
John
08-27-2009 09:53 AM
This just got interesting.
The gateway for the host is 212.1,
which is a FW interface.
The gateway for the 3120 switch
is 110.1. That is an 1150 CSS LB.
There is a static route on the LB
for the 212 network which points to another interface on the FW,
172.20.2.1.
08-27-2009 09:58 AM
Hmmm...can you draw up a topology of what you're working with?
08-27-2009 10:14 AM
Richard
Need to see if the firewall has any rules on its interfaces allowing/blocking ICMP.
Obviously when you put an address on the switch in vlan 212 it will be able to ping the host because the CSS and the firewall are completely bypassed.
But with the switch in vlan 110 when you ping the firewall 212.1 it has to go via the CSS. It still works because the CSS has a route to 212.x network.
We also know it is not a firewall issue on the client PC because you can ping it direct when the switch is in vlan 212.
So it would suggest that there may be something happening on the firewall that blocks the return traffic.
What is the firewall, and do you have a copy of its config?
Jon
08-27-2009 10:51 AM
That's interesting.
Every interface on the FW has an "any any" permit ICMP statement.
When I ping the FW from the host switch, I see a log event on the FW:
6 Aug 27 2009 16:17:28 172.20.110.4 172.20.212.1 Built ICMP connection for faddr 172.20.110.4/87 gaddr 172.20.212.1/0 laddr 172.20.212.1/0
and the Teardown log.
But I see nothing when looking at the switch.
Also, when the host tries to ping the GW (which is the FW interface),
it gets host unreachable.
08-27-2009 11:12 AM
Are you sure the IP address and subnet mask on the host are from the same subnet as the FW interface?
Can you ping the host from the firewall ?
Jon
08-27-2009 11:36 AM
Yeah.
Host:
IP 172.20.212.6/24 and I have 172.20.212.1 for GW.
FW:
GigabitEthernet0/2.212 172.20.212.1 255.255.255.0
08-27-2009 11:50 AM
"yeah" - is this yeah you can ping the host from the firewall or yeah the subnet/masks are fine.
Jon
08-27-2009 11:59 AM
Oops.
I cannot hit the host from the FW,
and vice versa.
But all subnets and masks seem fine.
I can, however, ping other VLAN interfaces on the same switch from the FW, such as address 172.20.110.4,
so there is a "physical" path there.
08-27-2009 12:04 PM
Can you post config of switch that is connected to FW and specify which port is connected to the FW.
And can you post firewall config as well.
Jon
08-27-2009 12:47 PM
Jon,
I think I noticed something.
g0/2 is connected to a switch
with existing hosts on the 212 subnet.
It has a subinterface of 0/2.212
with the IP 172.20.212.1 configured
(the gateway for the host we are trying to get to work).
However, this new host is connected
to a switch that's connected to a switch which hangs off the FW port g0/0.
And on this there are only
subinterfaces 0/0.151 and 0/0.152,
with the IP 172.20.2.1 255.255.255.248 configured on the 0/0.151 subinterface
(which happens to be the next hop the
CSS was sending traffic to)
and
172.20.2.9 /248 on the 0/0.152 subinterface.
Will this even work?
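The mismatch Richard describes (the host's gateway 172.20.212.1 lives on g0/2.212, while the host's VLAN 212 frames reach the firewall on g0/0, which only carries .151 and .152) can be checked mechanically. The script below is an added illustration and is not code from any poster in this thread; the interface names and addresses are the ones quoted above, while the config text, the host placement and the check logic are constructed here.

```python
"""Added example, not from any post in this thread: check whether the
firewall sub-interface that owns a host's gateway address sits on the
physical port and VLAN the host's tagged frames actually arrive on.
Interface names and addresses are those quoted in the thread; the config
text, the host placement and the check logic are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the sub-interfaces listed in the thread (the ".248" mask written out).
FW_CONFIG = """\
interface GigabitEthernet0/0.151
 encapsulation dot1Q 151
 ip address 172.20.2.1 255.255.255.248
!
interface GigabitEthernet0/0.152
 encapsulation dot1Q 152
 ip address 172.20.2.9 255.255.255.248
!
interface GigabitEthernet0/2.212
 encapsulation dot1Q 212
 ip address 172.20.212.1 255.255.255.0
!
"""


@dataclass(frozen=True)
class SubIf:
    name: str                           # e.g. GigabitEthernet0/2.212
    port: str                           # physical port the tag must arrive on
    vlan: int                           # dot1Q tag
    address: ipaddress.IPv4Interface    # address/mask on the sub-interface


def parse_subinterfaces(config: str) -> List[SubIf]:
    """Collect every 'interface X.N' stanza that has both a dot1Q tag and an address."""
    stanzas, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"name": line.split()[1]}
            stanzas.append(current)
        elif current is None:
            continue
        elif line.lower().startswith("encapsulation dot1q "):
            current["vlan"] = int(line.split()[2])
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            current["addr"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return [SubIf(s["name"], s["name"].rsplit(".", 1)[0], s["vlan"], s["addr"])
            for s in stanzas if "vlan" in s and "addr" in s]


def owner_of(subifs: List[SubIf], ip: str) -> Optional[SubIf]:
    """The sub-interface configured with exactly this address, if any."""
    target = ipaddress.IPv4Address(ip)
    return next((s for s in subifs if s.address.ip == target), None)


def serving(subifs: List[SubIf], port: str, vlan: int, host_ip: str) -> Optional[SubIf]:
    """The sub-interface that would answer an ARP from host_ip on this port+VLAN, if any."""
    host = ipaddress.IPv4Address(host_ip)
    return next((s for s in subifs
                 if s.port == port and s.vlan == vlan and host in s.address.network), None)


def diagnose(subifs: List[SubIf], host_port: str, host_vlan: int,
             host_ip: str, gateway_ip: str) -> Tuple[bool, str]:
    """True only when the gateway's sub-interface is on the port/VLAN the host reaches."""
    gw = owner_of(subifs, gateway_ip)
    if gw is None:
        return False, f"{gateway_ip} is not configured on any sub-interface"
    here = serving(subifs, host_port, host_vlan, host_ip)
    if here == gw:
        return True, f"{gateway_ip} answers on {host_port} VLAN {host_vlan}"
    if here is None:
        return False, (f"{gateway_ip} lives on {gw.port} VLAN {gw.vlan}, but the host's frames "
                       f"arrive on {host_port} VLAN {host_vlan}, where no sub-interface serves "
                       f"{gw.address.network}: the host's ARP for its gateway is never answered")
    return False, f"{host_port} VLAN {host_vlan} is served by {here.name}, not {gw.name}"


if __name__ == "__main__":
    fw = parse_subinterfaces(FW_CONFIG)
    # Host placement as described in the thread: VLAN 212 behind the switches on g0/0.
    print(diagnose(fw, "GigabitEthernet0/0", 212, "172.20.212.6", "172.20.212.1"))
    # The same host behind the switch on g0/2, where the .212 sub-interface lives.
    print(diagnose(fw, "GigabitEthernet0/2", 212, "172.20.212.6", "172.20.212.1"))
```

Run as a script, the first call reports the failure mode the thread ends on (the host's ARP for 172.20.212.1 arrives on g0/0 VLAN 212, where nothing serves 172.20.212.0/24), and the second shows the same host succeeding when it is behind g0/2. The firewall's own "Built ICMP connection" log for the switch's ping is consistent with this: the switch's traffic arrives via the CSS on g0/0.151, which does have a sub-interface, while the host's traffic never gets an answer at layer 2.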
08-27-2009 09:09 AM
From your configuration it is a layer 2 switch.
1> Cannot ping the host from the switch:
The host sits on VLAN 212 with an IP address of 172.20.212.6.
In this case the switch takes the VLAN 110 IP as source, and the source IP and the destination (the host) are in different subnets, so routing is required, i.e. inter-VLAN communication.
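The source-address behaviour described in the first post and in this reply (the switch sourcing from VLAN 110 and handing everything off-subnet to 172.20.110.1, then ARPing directly once VLAN 212 gets an address) can be modelled from the quoted `show ip interface brief` output. The script below is an added illustration, not code from any poster in this thread; the /24 prefix length is an assumption, since that command does not print masks.

```python
"""Added example, not from any post in this thread: a small model of how a
layer-2 switch's management IP stack chooses a source address and next hop.
The addresses come from the 'show ip interface brief' output quoted at the
top of the thread; the /24 prefix length is an assumption, because that
command does not print masks."""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed copy of the output quoted in the first post.
SHOW_IP_INT_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES unset administratively down down
Vlan110 172.20.110.100 YES manual up up
Vlan111 unassigned YES manual up up
Vlan212 unassigned YES manual up up
"""
DEFAULT_GATEWAY = "172.20.110.1"     # the 'ip default-gateway' line from the post
ASSUMED_PREFIXLEN = 24               # assumption: masks are not in the brief output

Svis = Dict[str, ipaddress.IPv4Interface]


def parse_brief(output: str, prefixlen: int = ASSUMED_PREFIXLEN) -> Svis:
    """Return {SVI name: address} for interfaces that have an address and are up/up."""
    svis: Svis = {}
    for line in output.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        name, addr, status, protocol = fields[0], fields[1], fields[-2], fields[-1]
        if addr == "unassigned" or status != "up" or protocol != "up":
            continue
        svis[name] = ipaddress.IPv4Interface(f"{addr}/{prefixlen}")
    return svis


def egress(svis: Svis, default_gateway: str, destination: str) -> Optional[Tuple[str, str, str]]:
    """Decide how the switch's own IP stack sends to `destination`.

    Returns (source_ip, next_hop, svi) or None when there is no usable path.
    With ip routing disabled the switch never forwards between SVIs: a
    destination on a connected subnet is ARPed for directly on that VLAN;
    anything else goes to the single ip default-gateway, sourced from the
    SVI whose subnet contains that gateway."""
    dst = ipaddress.IPv4Address(destination)
    for svi, iface in svis.items():
        if dst in iface.network:
            return str(iface.ip), str(dst), svi
    gw = ipaddress.IPv4Address(default_gateway)
    for svi, iface in svis.items():
        if gw in iface.network:
            return str(iface.ip), str(gw), svi
    return None


def scenarios() -> Dict[str, Optional[Tuple[str, str, str]]]:
    """The two states the original poster described: before and after giving Vlan212 an IP."""
    before = parse_brief(SHOW_IP_INT_BRIEF)
    after = dict(before)
    after["Vlan212"] = ipaddress.IPv4Interface("172.20.212.236/24")
    return {
        "before_host": egress(before, DEFAULT_GATEWAY, "172.20.212.6"),
        "before_fw": egress(before, DEFAULT_GATEWAY, "172.20.212.1"),
        "after_host": egress(after, DEFAULT_GATEWAY, "172.20.212.6"),
        "after_fw": egress(after, DEFAULT_GATEWAY, "172.20.212.1"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:12s} -> {result}")
```

Before the change, both pings leave sourced from 172.20.110.100 towards 172.20.110.1 (the CSS), which is why the firewall logs them arriving from the 110 side. After Vlan212 gets 172.20.212.236, both 172.20.212.6 and 172.20.212.1 are treated as directly connected and ARPed for on VLAN 212, so the ping to the firewall no longer transits the CSS at all; if 172.20.212.1 is not reachable on that VLAN segment, that is exactly the "pings no longer reach the FW" symptom.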