Can't seem to ping gateway address

SOLVED
mortalwombat
Advisor

Can't seem to ping gateway address

I have a ProCurve 2910al-48G. I have several VLANS set up, and have enabled routing between them. I have then set up an ACL to control traffic between them. The problem is, none of the systems can ping their gateway for some reason. For example:

VLAN 104 has an address of 172.20.104.0/24
VLAN 106 has an address of 172.20.106.0/24

Host A is on VLAN 104 with an address of 172.20.104.21
Host B is on VLAN 106 with an address of 172.20.104.21

Host A can ping Host B
Host A can ping the gateway for VLAN 106, 172.20.106.1
Host A can NOT ping its own gateway, 172.20.104.1

Host B can ping Host A
Host B can ping the gateway for VLAN 106, 172.20.104.1
Host B can NOT ping its own gateway, 172.20.106.1

If I remove all ACLs, or add an ACL to permit all (permit ip 0.0.0.0/0 0.0.0.0/0), the pings go through fine. Of course, that kind-of defeats the purpose of my ACLs.

What gives?
10 REPLIES
Mohammed Faiz
Honored Contributor

Re: Can't seem to ping gateway address

Hi,

Could you post one of the ACLs along with the VLAN-specific configuration (i.e. what direction it's applied on the VLAN)?
mortalwombat
Advisor

Re: Can't seem to ping gateway address

My Running config:

MC_Core_Switch(config)# show run

Running configuration:

; J9147A Configuration Editor; Created on release #W.14.03

hostname "MC_Core_Switch"

ip access-list extended "100"
20 remark "AI to Profilers"
20 permit ip 172.20.105.0 0.0.0.255 172.20.106.0 0.0.0.255
21 remark "Profilers to AI"
21 permit ip 172.20.106.0 0.0.0.255 172.20.105.0 0.0.0.255
30 remark "AI to Pathfire"
30 permit ip 172.20.105.0 0.0.0.255 172.20.101.0 0.0.0.255
31 remark "Pathfire to AI"
31 permit ip 172.20.101.0 0.0.0.255 172.20.105.0 0.0.0.255
40 remark "HarrisFS to AI"
40 permit ip 172.20.102.51 0.0.0.0 172.20.105.0 0.0.0.255
41 remark "AI to HarrisFS"
41 permit ip 172.20.105.0 0.0.0.255 172.20.102.51 0.0.0.0
50 remark "Creative Services FS to SD Ingest"
50 permit ip 172.20.100.22 0.0.0.0 172.20.102.23 0.0.0.0
51 remark "SD Ingest to Creative Services FS"
51 permit ip 172.20.102.23 0.0.0.0 172.20.100.22 0.0.0.0
60 remark "Creative Services FS to Segmenter 01"
60 permit ip 172.20.100.22 0.0.0.0 172.20.102.31 0.0.0.0
61 remark "Segmenter 01 to Creative Services FS"
61 permit ip 172.20.102.31 0.0.0.0 172.20.100.22 0.0.0.0
70 remark "Creative Services FS to Segmenter 02"
70 permit ip 172.20.100.22 0.0.0.0 172.20.102.32 0.0.0.0
71 remark "Segmenter 02 to Creative Services FS"
71 permit ip 172.20.102.32 0.0.0.0 172.20.100.22 0.0.0.0
80 remark "SD Ingest to Pathfire VLAN"
80 permit ip 172.20.102.23 0.0.0.0 172.20.101.0 0.0.0.255
81 remark "Pathfire VLAN to SD Ingest"
81 permit ip 172.20.101.0 0.0.0.255 172.20.102.23 0.0.0.0
90 remark "Internet and Remote to Pathfire VLAN"
90 permit ip 172.20.1.0 0.0.0.255 172.20.100.0 0.0.0.255
91 remark "Pathfire VLAN to Internet and Remote"
91 permit ip 172.20.100.0 0.0.0.255 172.20.1.0 0.0.0.255
100 remark "Internet and Remote to BCast VLAN"
100 permit ip 172.20.1.0 0.0.0.255 172.20.102.0 0.0.0.255
101 remark "BCast VLAN to Internet and Remote"
101 permit ip 172.20.102.0 0.0.0.255 172.20.1.0 0.0.0.255
exit
module 1 type J9147A
interface 1
ip access-group "100" in
exit

*Output omitted because it's long*

interface 48
ip access-group "100" in
exit
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 1
ip address 172.20.1.1 255.255.255.0
tagged 2-48
exit
vlan 100
name "Creative_Services"
untagged 2-8
ip address 172.20.100.1 255.255.255.0
exit
vlan 101
name "Pathfire"
untagged 13-24
ip address 172.20.101.1 255.255.255.0
exit
vlan 102
name "BCast"
untagged 9-10
ip address 172.20.102.1 255.255.255.0
exit
vlan 104
name "AVNET"
untagged 25-36
ip address 172.20.104.1 255.255.255.0
exit
vlan 105
name "Auto_Ingest"
untagged 37-42
ip address 172.20.105.1 255.255.255.0
exit
vlan 106
name "Profilers"
untagged 12
ip address 172.20.106.1 255.255.255.0
exit
vlan 99
name "NETWORK"
untagged 43-48
ip address 172.20.99.1 255.255.255.0
exit
ip route 10.100.1.0 255.255.255.0 vlan 1
ip route 10.100.101.0 255.255.255.0 vlan 101
ip route 10.100.104.0 255.255.255.0 vlan 104
snmp-server community "Engineering" Unrestricted
snmp-server contact "Matt Dryden - IT"
spanning-tree
no autorun
Mohammed Faiz
Honored Contributor
Solution

Re: Can't seem to ping gateway address

Ok, that's interesting. So I'm assuming from the missing part of the config that the ACL is applied to ports 1-48 in the "inbound" direction?
In that case I don't see how any traffic from Host A would be seen at all as I can't see a permit statement for the 172.20.104.0/24 range in your ACL?
As an aside, I'd look at applying your ACL on a VLAN level instead of at a port level, it would mean you have more ACLs but they would be shorter and easier to debug.
mortalwombat
Advisor

Re: Can't seem to ping gateway address

> Ok, that's interesting. So I'm assuming from the missing part of the config that the ACL is applied to ports 1-48 in the "inbound" direction?
> In that case I don't see how any traffic from Host A would be seen at all as I can't see a permit statement for the 172.20.104.0/24 range in your ACL?
> As an aside, I'd look at applying your ACL on a VLAN level instead of at a port level, it would mean you have more ACLs but they would be shorter and easier to debug.

Yeah, It is applied to all ports, 1-48, in an inbound direction. That's how the documentation said to apply the ACL to a port. It looks like the switch only supports filtering inbound traffic, which is why I have an ACE for traffic going both directions.

How do you apply the ACL on a VLAN level? I would rather do that than a port level. I just didn't know how to do it.
Mohammed Faiz
Honored Contributor

Re: Can't seem to ping gateway address

Ah, ok it seems applying ACLs at a VLAN level is only available on the 3500/5400 and above family of switches. That's a shame.

So, dealing with the config as is,
it'll be easiest to start with one example and debug that, so where you have:

> Host A is on VLAN 104 with an address of 172.20.104.21

You don't appear to have a permit entry for the 172.20.104.0 network anywhere.

Add that in see if it fixes:

> Host A can NOT ping its own gateway, 172.20.104.1
mortalwombat
Advisor

Re: Can't seem to ping gateway address

OK. I added:

109 permit ip 172.20.104.0 0.0.0.255 172.20.106.0 0.0.0.255
110 permit ip 172.20.106.0 0.0.0.255 172.20.104.0 0.0.0.255

Host A can ping Host B and Host B's Gateway
Host B can ping Host A and Host A's Gateway

Host B can not ping its own gateway.
Host A can not ping its own gateway.

(I just noticed I made a mistake in my original post. Host B is on VLAN 106 with an address of 172.20.106.21. The original said the IP was 172.20.104.21. Sorry about that)
mortalwombat
Advisor

Re: Can't seem to ping gateway address

I just found that I can add a permit from the VLAN to its own gateway.

permit ip 172.20.104.1/32 172.20.104.0/24
21 permit ip 172.20.104.0/24 172.20.104.1/32

That allows me to ping the gateway from that vlan, but why do I have to do that?
mortalwombat
Advisor

Re: Can't seem to ping gateway address

OK, more info that I just found:

With my previous ACL, I could not ping any machine on the same VLAN. So Host B (172.20.106.21) could not ping Host C (172.20.106.22).

I solved the problem by adding
10 permit ip 172.20.106.0/24 172.20.106.0/24

So is this a general requirement for ACLs, or is there a different way to allow hosts to ping within their own VLAN?
Mohammed Faiz
Honored Contributor

Re: Can't seem to ping gateway address

Are you sure the restriction was limited to ICMP? (I suspect that if you remove that '106.0/24 to 106.0/24 permit' statement and try to browse to a network share between two hosts on that subnet it won't work either.)

I think that the behaviour is a consequence of VLANs applied at a port level rather than a VLAN level. In other words they filter both switched and routed traffic.
So the answer is yes, you do need those "same VLAN" entries to allow hosts on the same VLAN/subnet to communicate with one another.
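The behaviour mortalwombat hit (a permit to the VLAN's own gateway was needed, and later a permit from the subnet to itself) and Mohammed's explanation of it both follow from how a port ACL is evaluated: every packet entering the port, switched or routed, is matched against the ACEs in sequence order, the first match decides, and anything unmatched hits the implicit deny at the end. The following Python model is an added example written for this thread; it is not code from the original posts or from HP. It parses ACE lines in the two address forms seen above (address plus wildcard mask, and CIDR), replays the flows discussed (Host A, Host B, Host C and the two gateways) against a constructed subset of ACL "100" with and without the "same VLAN" entries, and shows which ACE (if any) matched. Two assumptions are built in and labelled in comments: an ACE typed without a sequence number is appended after the highest existing one in steps of 10, and an echo reply sent by the switch's own VLAN address is not subject to an inbound port ACL because it originates inside the switch rather than entering a port.

```python
"""Model of an HP ProCurve-style extended IPv4 ACL applied inbound on every
access port: ACEs are tried in sequence order, first match wins, and anything
unmatched hits the implicit deny at the end. Added example for this thread,
not code from the original posts or from HP."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IPv4Net = ipaddress.IPv4Network
ACE_RE = re.compile(r"^(?:(\d+)\s+)?(permit|deny)\s+ip\s+(.+)$")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst)


def parse_addr(tokens: List[str]) -> Tuple[IPv4Net, int]:
    """Parse one address spec, returning (network, tokens consumed).
    Accepts 'any', 'a.b.c.d/len' and 'a.b.c.d w.x.y.z' (wildcard mask),
    the address forms that appear in the thread."""
    tok = tokens[0]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False), 1
    addr, wild = tokens[0], tokens[1]
    if wild == "0.0.0.0":
        # An all-zero wildcard means "this exact host"; ipaddress would read
        # "0.0.0.0" as a /0 netmask instead, so handle it explicitly.
        return ipaddress.ip_network(addr + "/32"), 2
    # ipaddress accepts a dotted mask whose first octet is 0 as a host mask,
    # which is exactly the wildcard-mask convention used in the ACL.
    return ipaddress.ip_network(addr + "/" + wild, strict=False), 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'seq permit|deny ip SRC DST' lines; remark lines are skipped.
    An ACE written without a sequence number is appended after the highest
    existing one in steps of 10 (assumption mirroring the switch's default)."""
    aces: List[Ace] = []
    last_seq = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or re.match(r"^(?:\d+\s+)?remark\b", line):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unsupported ACE: %r" % line)
        seq = int(m.group(1)) if m.group(1) else last_seq + 10
        tokens = m.group(3).split()
        src, used = parse_addr(tokens)
        dst, _ = parse_addr(tokens[used:])
        aces.append(Ace(seq, m.group(2), src, dst))
        last_seq = max(last_seq, seq)
    return sorted(aces, key=lambda a: a.seq)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); no match means the implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action, ace.seq
    return "deny", None


def ping_ok(acl: List[Ace], src: str, dst: str, switch_ips: Set[str]) -> bool:
    """The echo request enters on src's port and is filtered there. The reply
    enters on dst's port and is filtered there too, unless dst is one of the
    switch's own VLAN addresses: that reply originates inside the switch and
    (assumption) never crosses an inbound port ACL."""
    if evaluate(acl, src, dst)[0] != "permit":
        return False
    if dst in switch_ips:
        return True
    return evaluate(acl, dst, src)[0] == "permit"


# Constructed subset of the posted ACL "100", plus the 109/110 entries the OP added.
ACL_AFTER_109_110 = """
20 remark "AI to Profilers"
20 permit ip 172.20.105.0 0.0.0.255 172.20.106.0 0.0.0.255
21 permit ip 172.20.106.0 0.0.0.255 172.20.105.0 0.0.0.255
40 permit ip 172.20.102.51 0.0.0.0 172.20.105.0 0.0.0.255
109 permit ip 172.20.104.0 0.0.0.255 172.20.106.0 0.0.0.255
110 permit ip 172.20.106.0 0.0.0.255 172.20.104.0 0.0.0.255
"""
# Same ACL with one "same VLAN" permit per subnet, which also covers the gateway.
ACL_WITH_SAME_VLAN = ACL_AFTER_109_110 + """
10 permit ip 172.20.104.0/24 172.20.104.0/24
11 permit ip 172.20.106.0/24 172.20.106.0/24
"""
GATEWAYS = {"172.20.104.1", "172.20.106.1"}
HOST_A, HOST_B, HOST_C = "172.20.104.21", "172.20.106.21", "172.20.106.22"

if __name__ == "__main__":
    for name, text in (("after 109/110", ACL_AFTER_109_110),
                       ("with same-VLAN permits", ACL_WITH_SAME_VLAN)):
        acl = parse_acl(text)
        print("ACL", name)
        for s, d in ((HOST_A, "172.20.104.1"), (HOST_A, "172.20.106.1"),
                     (HOST_A, HOST_B), (HOST_B, "172.20.106.1"), (HOST_B, HOST_C)):
            print("  %s -> %-14s match=%-16s ping=%s"
                  % (s, d, evaluate(acl, s, d), ping_ok(acl, s, d, GATEWAYS)))
```

Run as a script it prints, for each ACL, the matching ACE and whether a ping would succeed for every flow in the thread. With only the 109/110 entries, Host A reaches Host B and the VLAN 106 gateway (both sides of the exchange match 109 or 110), but Host A to 172.20.104.1 and Host B to Host C fall through to the implicit deny, which is exactly what mortalwombat observed. Adding the subnet-to-itself permits makes both work, and because 172.20.104.1 lies inside 172.20.104.0/24 the separate gateway entries become redundant. The same evaluator can be pointed at the full ACL and the real port-to-VLAN mapping to check a restructured rule set before it is applied to the switch.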
mortalwombat
Advisor

Re: Can't seem to ping gateway address

I have not yet tested anything other than ICMP, but I am confident it applies to all IP traffic. Every ACL I have created is an IP ACL, so it should filter any and all IP traffic.

I have also found that applying this many ACLs to this many ports is a mistake. It very quickly limits the number of ACEs you can create since each ACE is calculated once per port.

I am going to have to restructure my ACLs pretty drastically so they will only be applied to the needed ports. Hopefully this will save some resources on the switch as well. I will post the final running config once that is finished, in case anyone else has a similar problem in the future.