trouble with linux VM host communicating with firewall

Unanswered Question
Sep 23rd, 2010

Hi

I was troubleshooting one issue. We have a blade chassis which is connected to ESX servers. ESX is hosting all the VMs.

We have configured trunk ports connecting to each VM. Blades are at the access layer with private VLANs configured.

a) ESX has all the VMs configured on it.

b) ESX is configured with secondary VLANs associated with the VMs.

c) ESX hosts are connected to blades which are configured with private VLANs.

d) Blade switches are connected to the upstream switch at aggregation with trunks carrying private VLAN information.

e) Aggregation switches are connected to distribution switches, and distribution has the firewall service module installed.

The distribution switch has the firewall vlan-group command with both primary and secondary.

for ex. firewall vlan-group 1 vlan x,y

According to my understanding we should only allow the primary VLAN (x) to the firewall, since that port will be acting as a promiscuous port.

My question is: I have two hosts in private VLAN x/y. One is a physical host which is connected to a normal access switch. My other host is a VM which is hosted on ESX.

The physical host can communicate with its default gateway and with the outside network as well.

The VM is not able to ping the default gateway. Their default gateway is configured on the firewall with VLAN x associated with it.

ESX does not have any configuration issue. It is configured correctly with VLAN y for that VM. The VM is also configured with the correct IP address, correct subnet mask and correct default gateway.

All the switches are configured correctly with private VLANs; that VLAN information is carried by all the intermediate trunks.

I have checked the TCP/IP stack on the VM using a loopback ping test and a self IP address ping; it is working perfectly.

IP address for the physical host connected to the access switch at the access layer:

172.30.64.5
subnet mask 255.255.255.128
gateway 172.30.64.126   (This is able to ping the default gateway and communicate with the outside network)
(This is in private VLAN x/y)

IP address for the VM which is connected to the blade at the access layer:

172.30.64.6
subnet mask 255.255.255.128
gateway 172.30.64.126
(This is in private VLAN x/y)

Not able to ping the default gateway...

Please help me out here.

Sanjay

Diego Armando C... Thu, 09/23/2010 - 14:01

If the problem is that your 172.30.64.6 cannot ping the default gateway, then I think the problem could be in the switches. Maybe a problem with the MACs. Are you using a multicast MAC or something similar in the ESX?

Could you include a diagram, because it's a little difficult to get an idea of your current topology.

sanjayraut Mon, 09/27/2010 - 05:41

Hi

This was the scenario:

ESX server (VM in question was hosted on this)
|
|
Blade switch
|
|
Distribution Switch with MSFC and FWSM

The issue got solved. We were getting the MAC address on the blade switch; however, there was no ARP entry on the firewall. The firewall was configured with the necessary ICMP rules to allow the ping to the interface (default gateway for the VM).

The ESX guy rechecked the private VLAN configuration and he fixed it. Now the VM is reachable over the network.

However, my question is still there:

How is a packet which originated from the VM and traversed all the way (via trunks using 802.1Q trunking) till the MSFC handed over to the FWSM?

How will the MSFC / FWSM decide it needs to be handed over to VLAN 32?

Because even if VLAN 33 (which was isolated) was accidentally pushed to the FWSM, it did not actually make any impact.

My understanding is that in this case we have trunks configured starting from ESX till the MSFC (distribution switch), and the MSFC/switch is connected to the FWSM via the backplane through an EtherChannel (using the 802.1Q trunking protocol); that means we have end-to-end trunks, so when will the VLAN information within the 802.1Q tag be stripped off?

Please advise.
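To make the open question concrete, here is an added toy model (not from the thread and not Cisco code) of how a PVLAN-aware switch treats the 802.1Q tag along a trunked path: the secondary tag (33) rides every intermediate trunk unchanged and is rewritten to the primary (32) only where the frame egresses toward the promiscuous member, which is how the FWSM ends up seeing the VM in VLAN 32. Port names, the isolated/community VLAN numbers and the hop list are constructed for the example.

```python
"""Toy model of private-VLAN forwarding across 802.1Q trunks (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology loosely following the thread: primary VLAN 32, isolated
# secondary 33 for the ESX VM and the physical host, a community secondary 34
# for contrast, and the FWSM reached through the primary as promiscuous member.
PRIMARY = 32
SECONDARY_TYPE = {33: "isolated", 34: "community"}
PORTS = {                      # port -> (role, VLAN the port sources frames in)
    "vm-on-esx": ("host", 33),
    "phys-host": ("host", 33),
    "app-a":     ("host", 34),
    "app-b":     ("host", 34),
    "fwsm":      ("promiscuous", PRIMARY),
}
# Intermediate trunks between the VM and the distribution switch (constructed).
TRUNK_HOPS = ("esx-to-blade", "blade-to-aggregation", "aggregation-to-distribution")


@dataclass(frozen=True)
class Frame:
    src_port: str
    vlan: int          # 802.1Q tag the frame carries when it enters the fabric


def egress_vlan(frame: Frame, dst_port: str) -> Optional[int]:
    """Tag the frame leaves dst_port with, or None when PVLAN rules block it."""
    src_role, src_vlan = PORTS[frame.src_port]
    dst_role, dst_vlan = PORTS[dst_port]
    if frame.vlan != src_vlan or frame.src_port == dst_port:
        return None                # a host port only sources its secondary VLAN
    if src_role == "host" and dst_role == "promiscuous":
        return PRIMARY             # secondary -> primary rewrite: FWSM sees VLAN 32
    if src_role == "promiscuous" and dst_role == "host":
        return dst_vlan            # primary -> the receiver's own secondary
    if src_role == "promiscuous" and dst_role == "promiscuous":
        return PRIMARY
    # host -> host is allowed only inside one community secondary VLAN
    if src_vlan == dst_vlan and SECONDARY_TYPE[src_vlan] == "community":
        return src_vlan
    return None                    # isolated hosts never reach each other


def trunk_tags(frame: Frame, dst_port: str) -> List[int]:
    """Tag seen on each intermediate trunk, then the tag at the destination port."""
    final = egress_vlan(frame, dst_port)
    if final is None:
        return []
    # Trunks carry the secondary VLAN unchanged (they must allow both x and y);
    # the tag is never stripped end to end, only rewritten at the promiscuous side.
    return [frame.vlan] * len(TRUNK_HOPS) + [final]
```

Run `trunk_tags(Frame("vm-on-esx", 33), "fwsm")` to see the VM's ping travel as VLAN 33 over every trunk and arrive at the FWSM as VLAN 32, while the reverse direction is re-tagged to 33 before it reaches the VM.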
