I had a problem a while ago when setting up a VLAN test environment where I couldn`t ping between VLANs. It was down to the firewall on some PCs being on in the end.
However, I`ve now come across a similar situation which I can`t seem to whittle down and it`s not the firewalls this time.
I`ve setup some VLANs as follows:
VLAN1 - Default/Native (172.16.n.n),VLAN30 (172.30.n.n), VLAN40 (172.40.n.n) and VLAN50 (172.50.n.n)
I`ve setup a Cisco 3550 as the VLAN router, I`ve also enabled routing.
I`ve setup some devices on VLAN40 and can ping them from devices on VLAN1 with no problems. However I cant ping devices on VLAN1 from any devices on VLAN40.
I`ve done the following diags to try and find what might be causing this.
1. Checked that the Default Gateway on the devices was the IP address assigned to the router for that vlan (The IP addresses are VLAN1=172.16.8.1/VLAN40=18.104.22.168 etc). All set correctly.
2. From the VLAN40 device I can ping the local VLAN40 router IP 22.214.171.124 and the VLAN1 router interface 172.16.8.1 (and the other VLAN router IP addresses too) but nothing else on the other VLAN1. From this I presume that the Cisco routing is working ok.
3. Running a Tracert from the VLAN40 device hits the 126.96.36.199 VLAN40 interface 1st then stops.
4. From the VLAN40 device I can ping other VLAN40 devices on other switches From the VLAN1 device I can ping VLAN40 devices on other switches so I presume this means that the trunking between switches is ok.
I`m a bit stuck as what to look at next.
Could anyone give me a clue or point me in the right direction please.
Do the hosts in other VLANs can ping each other? 30 to 40, 50 to 30?
It may be a security feature. You may need to create a different Vlan and move the 172.16.n.n subnet, or create a new management VLAN and add the trunk ports between switches to it.
Hope this helps
I have a few questions which may help us to understand the issue better and perhaps to find some answers to this issue.
- Can you confirm that you have tried more than one device in VLAN 40 to more than one device in VLAN 1 with the same results - ping fails?
- You describe configuring a 3550 as the VLAN router. Is that the only layer 3 device in the network?
- You describe VLAN 1 as the native VLAN. That would seem to imply that there is trunking. Is there trunking? Are there other layer 2 switches in the network? Can you give us a better understanding of the topology of this network?
- If you test using extended ping from the 3550, can you ping devices in VLAN 1 if you specify that the source address is the switch address in VLAN 1?
1. Yep, I`ve tried a couple of devices on VLAN40 and neither can ping any VLAN1 devices. However, as Eugen suggested, I`ve tried pinging between the other VLANs 30,40, 50 and this all works as it should. It just seems to be between the "VLANs 30.40, 50" back to VLAN1 that`s not working. From VLAN1 to "VLANs 30,40, 50" pings fine.
2. The only other router/Layer3 device is the internet gateway device which is set as the "Default Route Forwarding IP" on the 3550.
3. The network is a lovely mix of Cisco 3550/2960Ss, 3com 3300/4400s and HP procurves (and a few other flavours of HP and 3com). These have all been setup with the correct VLANs and have trunking setup between them. The section I`m "playing" with at the moment is:
PC (VLAN50)--3com 4400--TRUNK--Cisco2960s--TRUNK--Cisco3550(Routing)--TRUNK--Cisco2960s--TRUNK--3com4226--PC(VLAN1)
However, the network as a whole is a Campus style setup with loads of satelite offices and locations scattered over a large site. It`s currently a "flat" network on 1 IP range with loads of devices. This is one of the reasons I`m VLANing it up into segments.
In a nutshell, everything is currently in VLAN1 by default. Ive set trunking up between switches and have some devices (CCTV cameras) running on VLAN40 at various locations sucessfully. Not sure if I can ping back from the cameras but I can see them and they`re working as expected. I`m now testing some connection with a laptop/PC and have this one-way ping issue.
4. I`ve done some extended ping tests and the results are:
Router VLAN1 interface to VLAN1 devices - OK
Router VLAN50 interface to VLAN50 devices - OK
Router VLAN1 interface to VLAN50 interface - OK
Router VLAN50 interface to VLAN1 interface - OK
Router VLAN1 interface to VLAN50 devices - OK
Router VLAN50 interface to VLAN1 devices - Not Pinging.
From this I gather that the 3550 routing is working within itself but somethings not ok with the trunking for VLAN1 possibly?
I`ve just done a quick couple of tests and it looks like devices on VLAN40 can ping devices on VLAN50 and visa vera as well as devices on their own VLAN. These are the same devices that couldnt ping from VLAN40 or VLAN50 to VLAN1 but could from VLAN1 to VLAN40 and VLAN50 (I just changed their IP addresses and VLAN assignments around).
What sort of security feature are you thinking of? I`ve switched off any firewalls and antivirus.
Changing the VLAN1 IPs would be a major upheaval as this currently has all devices on prior to implementing my new VLAN assignments.
The ports between switches should be in native vlan. I see that you have non-Cisco switches. The switches have Vlan 1 by default on. Cisco switches does not tagg frames in native vlan. I don't know about 3com but HP taggs its native vlan.
The way I see you to solve this problem is to create a native vlan ( vlan 55 or other unique number) and add only the trunk ports between switches to it. This way you can leave the hosts that are in vlan 1 there.
I hope it make sense
I think I can see what you`re suggesting. I`ll have a play with that this week.
You`re right about the HP kit. 3com is the same with tagging (I think 3com was bought by HP the other year). It would be nice to have a common Cisco platform but finances won`t allow a massive spend like that. Whenever a new bit of kit is required I ty and go for a Cisco is I can.
However, have a look at the extended ping results I`ve done for Richard.
The VLAN50 tp VLAN1 pings that didn`t work were done from the Cisco 3550 switch itself to another Cisco 3550 switch with no HP/3com kit inbetween. Would that effect the results you`d expect to see?
Good to hear that is working now.
If your traffic for Vlan 1 goes through HP switch, then HP switch will tagg the frame with the tagg value it has configured. The Cisco switch does not tagg the Vlan 1. When Cisco switch get the frame for Vlan 1 with tagg on it, will discard it. Thats why it works between 2 Cisco switches.
As a side note, 172.40.x.x and 172.50.x.x are not private IP address ranges. The private address range 172.16.0.0/12 only goes from 172.16.0.0 to 172.31.0.0. You should check if any access lists are disallowing IP's not within this private range.
The ranges I`ve created are /16 (255.255.0.0) to give me a nice scope to "logic"ally" group stuff. Would this still be the case?
The IP addresses I`m pinging are 172.16.8.1, 172.16.8.2, 172.16.3.206 on VLAN1 and 188.8.131.52 184.108.40.206 on VLAN50
I assume that 3550 is the only device that performs the intervlan routing. can you pleas confirm if you can ping all the vlan1 devices from this L3 switch?
if true, can you pls check the arp table of 3550? It should have an entry of the vlan 1 device that you are trying to reach.
I`ve had a bit of progress on this issue this morning.......
I`ve been running through the testing I did on Thursday/Friday and I`ve moved on a step.
I`d not made any changes to the configurations today but wanted to confirm the result I was getting, and strangely, I can now ping devices on VLAN1 from devices on VLAN 30,40, 50 and visa versa. Most weird. It wasn`t working like this on Friday. I can also ping the VLAN1 devices from the VLAN30.40.50 interfaces on the router/3550.
Anyway, I still can`t ping other switches (which have been trunked and have IP addresses on VLAN1) from the other VLANs 30,40,50. This isn`t a problem as these only need to be accessible for management and can be done through VLAN1 anyway.
I think I`m at the point where I can carry on so many thanks for your help everyone.
Here are several comments:
- I am glad to hear that it is now working. If it did not work on Friday, you made no config changes, and now it does work then I wonder if the issue might have been an ARP entry or a switch MAC address table entry that was not correct and that aged out over the weekend and now is correct.
- I am not sure that you understood the comment from Glenn about private addresses. He is referring to the fact that 172.16.0.0/20 (172.16.0.0 through 172.31.255.255) are private (reserved) addresses. So when you use 220.127.116.11 and 18.104.22.168 you are actually using addresses that are assigned in the public Internet and are not using private addresses.
Using public addresses in a private network would not necessarily cause a problem, but you need to be very careful that you do not advertise those networks into the Internet and that you do not send traffic into the Internet that has these as source addresses. Since my understanding of your post is that this is just a test environment (and probably has no connection to the Internet) then it does not matter much. But it would be more of a Best Practice if the addresses that you use were in the reserved range.
i have a cisco 3750 series switch and i created vlan on that and connect devices to it i cannt ping connected devices to my switch following is the configuration of my switch.
Current configuration : 4885 bytes
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
aaa session-id common
switch 2 provision ws-c3750g-24ps
system mtu routing 1500
no ip domain-lookup
ip domain-name easyconnect.af
ip name-server 22.214.171.124
ip name-server 126.96.36.199
ip name-server 188.8.131.52
crypto pki trustpoint TP-self-signed-1664115328
crypto pki certificate chain TP-self-signed-1664115328
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363634 31313533 3238301E 170D3933 30333031 30303032
33345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36363431
31353332 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DBBD 79022692 E37E77E7 A626ED02 FFA8E173 3AF88E69 330CDEDC BF932F2A
7B201C70 DB7E0732 B2F7DB21 49F4BBCC AAF92D1A B07FE889 7BF94581 BC1A5EFA
2B04FA16 4C6CA2FC 3BDD8AD7 938432E2 D8849351 9B1001AC F1B9559E 8F9DB417
FC41D453 67B61A2B E83D4D72 C9EF6278 0D2C6C48 E8D70870 83AD033E 9B5334B3
18EF0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17536865 72506F6F 722E6561 7379636F 6E6E6563 742E6166
301F0603 551D2304 18301680 14E702B9 C18C2260 09F6F6FC B76637F9 C93BE480
D8301D06 03551D0E 04160414 E702B9C1 8C226009 F6F6FCB7 6637F9C9 3BE480D8
300D0609 2A864886 F70D0101 04050003 8181007D F08D5FA0 C1BA9762 5DB98858
9E3E085A 6B6B8F66 DBABF4E1 93554D54 8F4BE168 2B88F23B A0E7031F F459662F
33FA6D81 953D7B1C FD378060 0EC9A8B9 1A3FFE3F 8494DDF3 A64BD56E D1390063
CACE9041 1C24205F 001FC2E3 A63C7C52 7049D35E 3F4F1114 83DF7BD3 6344F6E2
1C82397C EC6F3BAF DC3A6615 75F97CAA 63C39D
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
ip address X.X.X.X X.X.X.X
power inline never
switchport access vlan 2
switchport mode access
switchport access vlan 3
switchport mode access
switchport access vlan 4
switchport mode access
switchport access vlan 5
switchport mode access
switchport access vlan 6
switchport mode access
following is the ip information
no ip address
ip address 192.168.60.1 255.255.255.252
ip address 192.168.60.5 255.255.255.252
ip address 192.168.60.9 255.255.255.252
ip address 192.168.60.13 255.255.255.252
ip address 192.168.60.61 255.255.255.252
You have given us only a very limited part of the configuration of the switch and no information about the devices connected to it . So it is difficult to determine what the problem is. I suggest that we focus on one device connected to the switch. If we solve the issue for that device it may well show us the solution for all of the problem. So please pick one of the devices, tell us what the device is, and specify what is its IP address, its mask, and its default gateway.
Also please post the output of show interface status and of show arp from the switch.