Re: Can't seem to ping gateway address
04-15-2010 09:14 AM
VLAN 104 has an address of 172.20.104.0/24
VLAN 106 has an address of 172.20.106.0/24
Host A is on VLAN 104 with an address of 172.20.104.21
Host B is on VLAN 106 with an address of 172.20.104.21
Host A can ping Host B
Host A can ping the gateway for VLAN 106, 172.20.106.1
Host A can NOT ping its own gateway, 172.20.104.1
Host B can ping Host A
Host B can ping the gateway for VLAN 106, 172.20.104.1
Host B can NOT ping its own gateway, 172.20.106.1
If I remove all ACLs, or add an ACL to permit all (permit ip 0.0.0.0/0 0.0.0.0/0), the pings go through fine. Of course, that kind of defeats the purpose of my ACLs.
What gives?
04-16-2010 12:00 AM
Re: Can't seem to ping gateway address
Could you post up one of the ACLs along with the VLAN-specific configuration (i.e. what direction it's applied on the VLAN)?
04-16-2010 07:15 AM
Re: Can't seem to ping gateway address
MC_Core_Switch(config)# show run
Running configuration:
; J9147A Configuration Editor; Created on release #W.14.03
hostname "MC_Core_Switch"
ip access-list extended "100"
20 remark "AI to Profilers"
20 permit ip 172.20.105.0 0.0.0.255 172.20.106.0 0.0.0.255
21 remark "Profilers to AI"
21 permit ip 172.20.106.0 0.0.0.255 172.20.105.0 0.0.0.255
30 remark "AI to Pathfire"
30 permit ip 172.20.105.0 0.0.0.255 172.20.101.0 0.0.0.255
31 remark "Pathfire to AI"
31 permit ip 172.20.101.0 0.0.0.255 172.20.105.0 0.0.0.255
40 remark "HarrisFS to AI"
40 permit ip 172.20.102.51 0.0.0.0 172.20.105.0 0.0.0.255
41 remark "AI to HarrisFS"
41 permit ip 172.20.105.0 0.0.0.255 172.20.102.51 0.0.0.0
50 remark "Creative Services FS to SD Ingest"
50 permit ip 172.20.100.22 0.0.0.0 172.20.102.23 0.0.0.0
51 remark "SD Ingest to Creative Services FS"
51 permit ip 172.20.102.23 0.0.0.0 172.20.100.22 0.0.0.0
60 remark "Creative Services FS to Segmenter 01"
60 permit ip 172.20.100.22 0.0.0.0 172.20.102.31 0.0.0.0
61 remark "Segmenter 01 to Creative Services FS"
61 permit ip 172.20.102.31 0.0.0.0 172.20.100.22 0.0.0.0
70 remark "Creative Services FS to Segmenter 02"
70 permit ip 172.20.100.22 0.0.0.0 172.20.102.32 0.0.0.0
71 remark "Segmenter 02 to Creative Services FS"
71 permit ip 172.20.102.32 0.0.0.0 172.20.100.22 0.0.0.0
80 remark "SD Ingest to Pathfire VLAN"
80 permit ip 172.20.102.23 0.0.0.0 172.20.101.0 0.0.0.255
81 remark "Pathfire VLAN to SD Ingest"
81 permit ip 172.20.101.0 0.0.0.255 172.20.102.23 0.0.0.0
90 remark "Internet and Remote to Pathfire VLAN"
90 permit ip 172.20.1.0 0.0.0.255 172.20.100.0 0.0.0.255
91 remark "Pathfire VLAN to Internet and Remote"
91 permit ip 172.20.100.0 0.0.0.255 172.20.1.0 0.0.0.255
100 remark "Internet and Remote to BCast VLAN"
100 permit ip 172.20.1.0 0.0.0.255 172.20.102.0 0.0.0.255
101 remark "BCast VLAN to Internet and Remote"
101 permit ip 172.20.102.0 0.0.0.255 172.20.1.0 0.0.0.255
exit
module 1 type J9147A
interface 1
ip access-group "100" in
exit
*Output omitted cuz it's long*
interface 48
ip access-group "100" in
exit
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 1
ip address 172.20.1.1 255.255.255.0
tagged 2-48
exit
vlan 100
name "Creative_Services"
untagged 2-8
ip address 172.20.100.1 255.255.255.0
exit
vlan 101
name "Pathfire"
untagged 13-24
ip address 172.20.101.1 255.255.255.0
exit
vlan 102
name "BCast"
untagged 9-10
ip address 172.20.102.1 255.255.255.0
exit
vlan 104
name "AVNET"
untagged 25-36
ip address 172.20.104.1 255.255.255.0
exit
vlan 105
name "Auto_Ingest"
untagged 37-42
ip address 172.20.105.1 255.255.255.0
exit
vlan 106
name "Profilers"
untagged 12
ip address 172.20.106.1 255.255.255.0
exit
vlan 99
name "NETWORK"
untagged 43-48
ip address 172.20.99.1 255.255.255.0
exit
ip route 10.100.1.0 255.255.255.0 vlan 1
ip route 10.100.101.0 255.255.255.0 vlan 101
ip route 10.100.104.0 255.255.255.0 vlan 104
snmp-server community "Engineering" Unrestricted
snmp-server contact "Matt Dryden - IT"
spanning-tree
no autorun
04-17-2010 03:57 AM
Solution
In that case I don't see how any traffic from Host A would be seen at all as I can't see a permit statement for the 172.20.104.0/24 range in your ACL?
As an aside, I'd look at applying your ACL on a VLAN level instead of at a port level, it would mean you have more ACLs but they would be shorter and easier to debug.
04-19-2010 07:51 AM
Re: Can't seem to ping gateway address
> In that case I don't see how any traffic from Host A would be seen at all as I can't see a permit statement for the 172.20.104.0/24 range in your ACL?
> As an aside, I'd look at applying your ACL on a VLAN level instead of at a port level, it would mean you have more ACLs but they would be shorter and easier to debug.
Yeah, it is applied to all ports, 1-48, in an inbound direction. That's how the documentation said to apply the ACL to a port. It looks like the switch only supports filtering inbound traffic, which is why I have an ACE for traffic going both directions.
How do you apply the ACL on a VLAN level? I would rather do that than a port level. I just didn't know how to do it.
04-19-2010 08:10 AM
Re: Can't seem to ping gateway address
So to deal with the config as is, it'll be easiest to start with one example and debug that, so where you have:
> Host A is on VLAN 104 with an address of 172.20.104.21
You don't appear to have a permit entry for the 172.20.104.0 network anywhere.
Add that in and see if it fixes:
> Host A can NOT ping its own gateway, 172.20.104.1
04-19-2010 08:31 AM
Re: Can't seem to ping gateway address
109 permit ip 172.20.104.0 0.0.0.255 172.20.106.0 0.0.0.255
110 permit ip 172.20.106.0 0.0.0.255 172.20.104.0 0.0.0.255
Host A can ping Host B and Host B's Gateway
Host B can ping Host A and Host A's Gateway
Host B cannot ping its own gateway.
Host A cannot ping its own gateway.
(I just noticed I made a mistake in my original post. Host B is on VLAN 106 with an address of 172.20.106.21. The original said the IP was 172.20.104.21. Sorry about that)
04-19-2010 08:34 AM
Re: Can't seem to ping gateway address
permit ip 172.20.104.1/32 172.20.104.0/24
21 permit ip 172.20.104.0/24 172.20.104.1/32
That allows me to ping the gateway from that vlan, but why do I have to do that?
04-19-2010 08:39 AM
Re: Can't seem to ping gateway address
With my previous ACL, I could not ping any machine on the same VLAN. So Host B (172.20.106.21) could not ping Host C (172.20.106.22).
I solved the problem by adding
10 permit ip 172.20.106.0/24 172.20.106.0/24
So is this a general requirement for ACLs, or is there a different way to allow hosts to ping within their own VLAN?
04-20-2010 02:26 AM
Re: Can't seem to ping gateway address
I think that the behaviour is a consequence of VLANs applied at a port level rather than a VLAN level. In other words they filter both switched and routed traffic.
So the answer is yes, you do need those "same VLAN" entries to allow hosts on the same VLAN/subnet to communicate with one another.
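The behaviour worked out in this thread can be reproduced with a small first-match evaluator; this is an added example, not part of any post and not the switch's own logic. It models a port-applied inbound ACL as seeing every packet that enters the port (same-VLAN and gateway-bound traffic included), with an implicit deny at the end. The names `parse_ace` and `evaluate` are hypothetical, and sequence number 11 is constructed for illustration.

```python
import ipaddress

def parse_ace(line):
    """Parse 'SEQ ACTION ip SRC DST'; SRC/DST are 'addr wildcard' or 'addr/len'."""
    tok = line.split()
    seq, action = int(tok[0]), tok[1]
    nets, i = [], 3                      # tok[2] is the protocol keyword "ip"
    while i < len(tok):
        if "/" in tok[i]:                # CIDR form, as in the later posts
            nets.append(ipaddress.ip_network(tok[i], strict=False))
            i += 1
        else:                            # address + wildcard (inverse) mask
            wild = int(ipaddress.ip_address(tok[i + 1]))
            mask = ipaddress.ip_address(0xFFFFFFFF ^ wild)
            nets.append(ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False))
            i += 2
    return seq, action, nets[0], nets[1]

def evaluate(aces, src, dst):
    """First matching ACE wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, s_net, d_net in sorted(map(parse_ace, aces), key=lambda a: a[0]):
        if src in s_net and dst in d_net:
            return action, seq
    return "deny", None

# Entries taken from the thread (a subset of ACL "100" plus 109/110).
ACL = [
    "20 permit ip 172.20.105.0 0.0.0.255 172.20.106.0 0.0.0.255",
    "21 permit ip 172.20.106.0 0.0.0.255 172.20.105.0 0.0.0.255",
    "109 permit ip 172.20.104.0 0.0.0.255 172.20.106.0 0.0.0.255",
    "110 permit ip 172.20.106.0 0.0.0.255 172.20.104.0 0.0.0.255",
]
# Same-VLAN entries: 10 is from the thread, 11 is constructed for VLAN 104.
FIXED = ACL + [
    "10 permit ip 172.20.106.0/24 172.20.106.0/24",
    "11 permit ip 172.20.104.0/24 172.20.104.0/24",
]

if __name__ == "__main__":
    flows = [("172.20.104.21", "172.20.106.21"),   # Host A -> Host B
             ("172.20.104.21", "172.20.104.1"),    # Host A -> own gateway
             ("172.20.106.21", "172.20.106.22")]   # Host B -> Host C
    for src, dst in flows:
        print(src, "->", dst, evaluate(ACL, src, dst), evaluate(FIXED, src, dst))
```

Running candidate flows through a model like this before changing the switch shows which ACE, if any, a packet matches and where the implicit deny applies.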