
Cannot ping from 1 device to another device in the same vlan

superclive
Occasional Visitor


Hi Guys,

I have set up a switch config across 4 switches. I need to be able to route between 2 pairs of particular vlans. Having set up the vlans, I enabled routing on the switches and put in ACLs to allow routing between the 2 pairs of vlans, and put a deny any any at the end. But on testing it seems that I cannot ping between 2 devices on the same vlan on the same switch! I can ping the switch interface from both devices but not the other devices. Here is the config from my switch; 2 switches have the same vlan configs, just with the vlan address incremented by 1. Can anyone help me?

HP3500-FIFI-SW1(vlan-2)# sh conf

Startup configuration:

; J8692A Configuration Editor; Created on release #K.12.16

hostname "HP3500-FIFI-SW1"
ip access-list extended "100"
10 permit ip 192.168.163.0 255.255.255.248 192.168.163.40 255.255.255.248
20 permit ip 192.168.163.16 255.255.255.248 192.168.163.56 255.255.255.248
30 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip routing
snmp-server community "public" Unrestricted
snmp-server host 10.242.5.7 "public"
vlan 1
name "DEFAULT_VLAN"
untagged 20-24
ip address dhcp-bootp
no untagged 1-19
exit
vlan 2
name "app-DC"
untagged 1-4
ip address 192.168.163.0 255.255.255.248
exit
vlan 3
name "ISCSI-DC"
untagged 5-8
ip address 192.168.163.8 255.255.255.248
exit
vlan 4
name "PUB-DC"
untagged 9-12
ip address 192.168.163.16 255.255.255.248
exit
vlan 5
name "priv-DC"
untagged 13-16
ip address 192.168.163.24 255.255.255.248
exit
vlan 6
name "Mgmt_Console-DC"
untagged 17-19
ip address 192.168.163.32 255.255.255.248
exit
vlan 7
name "app-CR"
no ip address
exit
vlan 8
name "ISCSI-CR"
no ip address
exit
vlan 9
name "PUB-CR"
no ip address
exit
vlan 10
name "priv-CR"
no ip address
exit
vlan 11
name "Mgmt_Console-CR"
no ip address
exit
3 REPLIES
Matt Hobbs
Honored Contributor

Re: Cannot ping from 1 device to another device in the same vlan

The usual cause of this is that the firewall is enabled on the client machine.

Also I'd recommend you update the firmware.
Ardon
Trusted Contributor

Re: Cannot ping from 1 device to another device in the same vlan

Hi Superclive,

Your ACL is set up incorrectly, as you are permitting IP traffic but that does not include ICMP traffic.

If you configure an Extended ACL you will see the following options:

8212_DOT1(config-ext-nacl)# permit
<0-255> Match a specific protocol, as further specified.
ip-in-ip Match IP packets, as further specified.
ipv6-in-ip Match IPv6 packets, as further specified.
gre Match GRE packets, as further specified.
esp Match ESP packets, as further specified.
ah Match AH packets, as further specified.
ospf Match OSPF packets, as further specified.
pim Match PIM packets, as further specified.
vrrp Match VRRP packets, as further specified.
sctp Match SCTP packets, as further specified.
icmp Match ICMP packets, as further specified.
igmp Match IGMP packets, as further specified.
ip Match all IP packets.
tcp Match TCP packets, as further specified.
udp Match UDP packets, as further specified.
8212_DOT1(config-ext-nacl)# permit icmp
any Match packets from any IP address.
host Match packets from the specified IP address.
IP-ADDR/MASK-LENGTH Match packets from the specified subnet.
8212_DOT1(config-ext-nacl)# permit icmp

So if you want ICMP Traffic to pass through there should be a matching ACE entry in Access List 100.

One other remark on your statement of: 'I enabled routing on the switches and put in ACLs to allow routing between the 2 pairs of vlans and put a deny any any at the end'

ACLs are not needed to enable routing between the VLANs. Enabling IP routing will do that (unrestricted). ACLs allow you to narrow down.
The Deny any any at the end of the ACL is also not needed (it will not harm you either) as every ACL has an implicit deny at the end anyways.

Regards

ProCurve Networking Engineer
someone847
Occasional Visitor

Re: Cannot ping from 1 device to another device in the same vlan

Hi, which VLAN are your hosts in? And, what are the hosts' IP addresses?

Re the other comment to you: access-lists shouldn't matter for local (within VLAN) pinging, and in Cisco terms 'IP' does include ICMP.
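
Added example, not part of any post in this thread and not vendor code: a small Python model of first-match evaluation for ACL "100" as posted, using the `ip Match all IP packets.` meaning from the menu output above and the implicit deny at the end. It compares reading the posted masks as inverse (wildcard) masks against reading them as subnet masks; the wildcard reading is an assumption, based on entry 30 being "deny any any" only under that reading, and the host addresses are constructed.

```python
import ipaddress

# ACL "100" exactly as posted: (seq, action, protocol, src, src_mask, dst, dst_mask)
ACL_100 = [
    (10, "permit", "ip", "192.168.163.0", "255.255.255.248", "192.168.163.40", "255.255.255.248"),
    (20, "permit", "ip", "192.168.163.16", "255.255.255.248", "192.168.163.56", "255.255.255.248"),
    (30, "deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def addr_matches(addr, base, mask, wildcard=True):
    """wildcard=True: 1-bits in the mask are "don't care" (inverse mask, assumed here).
    wildcard=False: 1-bits in the mask must match (subnet-mask reading)."""
    care = ~to_int(mask) & 0xFFFFFFFF if wildcard else to_int(mask)
    return (to_int(addr) & care) == (to_int(base) & care)

def evaluate(acl, proto, src, dst, wildcard=True):
    """Return (seq, action) of the first matching entry, or (None, "deny")
    when nothing matches and the implicit deny applies."""
    for seq, action, ace_proto, s, s_mask, d, d_mask in acl:
        # "ip" matches all IP packets, so it also covers icmp, tcp and udp.
        if ace_proto not in ("ip", proto):
            continue
        if addr_matches(src, s, s_mask, wildcard) and addr_matches(dst, d, d_mask, wildcard):
            return seq, action
    return None, "deny"

if __name__ == "__main__":
    # Constructed test flows: (protocol, source, destination)
    flows = [
        ("icmp", "192.168.163.2", "192.168.163.42"),  # app-DC host to the .40/29 range
        ("icmp", "192.168.163.2", "192.168.163.3"),   # two hosts in the same /29
        ("icmp", "10.1.1.8", "172.16.0.16"),          # unrelated hosts, low 3 bits zero
    ]
    for proto, src, dst in flows:
        as_wildcard = evaluate(ACL_100, proto, src, dst, wildcard=True)
        as_netmask = evaluate(ACL_100, proto, src, dst, wildcard=False)
        print(f"{proto} {src} -> {dst}: wildcard={as_wildcard} netmask={as_netmask}")
```

Under the wildcard reading, entries 10 and 20 match on the low three address bits only, so the intended /29-to-/29 flow hits the explicit deny while unrelated addresses ending in a multiple of 8 are permitted.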