Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
666
Views
0
Helpful
5
Replies

Can I use 'extended ping' to simulate client ping? basic ACL testing

news2010a
Level 3
Level 3

‎09-09-2009 12:50 PM - edited ‎03-06-2019 07:39 AM

Imagine I am trying to test ACLs and validate whether a given IP

could communicate with a target server.

My goal in this case below is to ping target server=10.66.206.5 as if I was

a client IP=10.66.217.131.

Isn't possible to do this with extended ping? I don't understand why it does

not work. I am doing this from the layer 3 switch where routing takes place for the respective VLANs both server and clients are member of. Both servers and clients are connected to layer 2 switches which are connected to layer 3 3750 distribution switches.

3750layer3#ping

Protocol [ip]: 10.66.206.5

% Unknown protocol - "10.66.206.5", type "ping ?" for help

3750layer3#ping

Protocol [ip]:

Target IP address: 10.66.206.5

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 10.66.217.131 <=== *** Not sure why it returns invalid source. This is actual IP from a client.

% Invalid source

Source address or interface:

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎09-09-2009 12:53 PM

Marlon

The source address or interface used in extended ping must belong to the actual router/switch you are running the ping on.

So unless 10.66.217.131 is assigned to an interface on the switch it will report that it is not a valid address.

Jon

0 Helpful

news2010a
Level 3
Level 3
In response to Jon Marshall

‎09-09-2009 01:42 PM

Darn. So I guess if I add a secondary IP address under the respective vlan interface, that could be a way to test it then.

Thanks.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to news2010a

‎09-09-2009 01:44 PM

Marlon

Know it sounds a bit obvious but why not just use the client.

Or alternatively add a temporary entry into your acl for the switch interface address that 10.66.217.131 connects to and then test.

Jon

0 Helpful

news2010a
Level 3
Level 3
In response to Jon Marshall

‎09-09-2009 02:20 PM

I would use the client, but in this particular case there is no one on site so I want to make sure it is accurate before we have people trying the solution.

Sure, instead of adding the secondary IP address, I can definitely use the existing IP on the SVI.

Thankls!

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to news2010a

‎09-09-2009 02:33 PM

Marlon

No problem. Glad to have helped.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card