Asked by ndalmolin_13
Can't ping my default gateway (a vlan on a Cisco switch)

Hello Cisco Experts,
I have a strange problem that I can’t seem to find a solution for.  I have configured a vlan on a switch.  I have assigned the vlan (vlan 21) an IP address of 10.110.124.254.  I have assigned a single port to that vlan.  I have connected a PC into the port assigned to vlan 21 and given the PC the following configuration:
      IP: 10.110.124.254
      SM: 255.255.255.0
      DG: 10.110.124.254
For some reason, I cannot ping 10.110.124.254 from the PC.

Below is the vlan config from the switch:

Vlan21 is up, line protocol is up
  Internet address is 10.110.124.254/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound  access list is BADGE-SERVER
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: Access List, MCI Check
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled

Below is the config for the port:

interface GigabitEthernet2/13
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast

SW1#show ip interface gigabitEthernet 2/13
GigabitEthernet2/13 is up, line protocol is up
  Inbound  access list is not set
  Outgoing access list is not set

Any ideas?

As always, your help is much appreciated.

Nick
ASKER CERTIFIED SOLUTION by gt2847c (solution text only available to members)
As gt2847c indicated above:
Most likely it is this access-list:
  Inbound  access list is BADGE-SERVER

Remove this access-list completely from under the interface vlan 21, and try without it. It will work.
ndalmolin_13 (ASKER):
I think all you guys hit the nail on the head with the access list.  Below is the configuration for the access list:

Extended IP access list BADGE-SERVER
    10 permit tcp host 10.110.124.21 host 10.1.100.177 eq 8080
    20 deny ip any any log-input (83746 matches)

Please tell me if I'm reading line 10 correctly:

Permit host 10.110.124.21 (which is the PC) to communicate with host 10.1.100.177 (a proxy server) over port 8080.

Is that correct?
That's it.  And line 20 is why you can't ping the gateway (or anything else for that matter)...
How would I remove this access list?  Would I just do the following:
sw1# config t
sw(config)# interface vlan 21
sw(config-if)# no extended ip access list BADGE-SERVER
Should be more like:

sw1# config t
sw1(config)# int vlan21
sw1(config-if)# no ip access-group in
sw1(config-if)# end
sw1# 

Don't forget to save it if you want it to survive a reload.
Or just modify the access-list as follows:

no ip access-list extended BADGE-SERVER
ip access-list extended BADGE-SERVER
permit ip host 10.110.124.21 any
deny ip any any

This will allow only this IP to communicate outside of this VLAN (that's if you're intentionally denying the rest of the PCs access out of that VLAN).
If that's your policy, I'd suggest you put another access-list outbound on the interface vlan 21 as follows:

ip access-list extended BADGE-SERVER-OUT
permit ip any host 10.110.124.21
deny ip any any
First of all, my apologies for not getting back to this sooner.

If I do the following steps, is this just removing the access list from the Vlan and not deleting it from the switch?
sw#  config t
sw(config)# int Vlan 21
sw(config-if)# no IP access-group in
sw(config-if)# end

What is happening overall is there is one PC connected to this Vlan that needs access to the Internet.  I want this to go through our proxy.  With the way things are set up now, I know traffic is hitting the proxy as I have used nap to verify this.  However the PC can't get to the Internet.

Wait a second, I wonder if I put the IP of the proxy in as the gateway on the PC if traffic will start flowing to the Internet as expected?  I will try this when I get in.  If not, I want to save the access rule so that it can be reapplied later.
On the first portion, correct, that simply removes the access-list from the interface.  The access-list is still defined if you want to put it back on later.

As the proxy server address (as indicated by your access-list) is not on the same subnet with the PC itself, you won't be able to set the proxy address as the gateway.  The next hop address for any route (including the default gateway) has to be on the same subnet as the NIC.  Even if the proxy address were on the same subnet, this would not fix your problem unless the proxy server also happened to be a router.

When you set the proxy address on the PC, did you use a name or the IP address?  If you were using the name, along with the access-list you specified, your PC would not have been able to resolve the name as DNS was blocked by the access-list.  See if removing the access-list from the interface fixes the problem.  If it does, and you want to continue to use the access-list method to lock down the PC, you'll need to figure out what other resources you need to permit in order for it to work.
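To make the diagnosis in this thread concrete (line 20 blocking the ping to the gateway, and the access-list also blocking DNS), here is an added Python simulation of IOS first-match extended ACL evaluation; it is not code from this thread or from Cisco. It runs the BADGE-SERVER list exactly as posted and the replacement list suggested above; the DNS server address 10.1.100.53 is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


# The access-list as shown in the thread (sequence numbers and the
# "log-input (N matches)" suffix are tolerated by the parser below).
BADGE_SERVER = [
    "10 permit tcp host 10.110.124.21 host 10.1.100.177 eq 8080",
    "20 deny ip any any log-input (83746 matches)",
]

# The replacement list proposed in the thread.
FIXED_ACL = [
    "permit ip host 10.110.124.21 any",
    "deny ip any any",
]


def _match_addr(spec: str, addr: str) -> bool:
    # "any" matches everything; "host A.B.C.D" matches exactly one address.
    if spec == "any":
        return True
    return ipaddress.ip_address(spec.split()[1]) == ipaddress.ip_address(addr)


def evaluate(acl: List[str], pkt: Packet) -> str:
    """Return "permit" or "deny" using IOS first-match semantics, including
    the implicit 'deny ip any any' at the end of every access-list."""
    for line in acl:
        tok = line.split()
        if tok[0].isdigit():          # strip a leading sequence number
            tok = tok[1:]
        action, proto, i = tok[0], tok[1], 2
        src = "any" if tok[i] == "any" else f"host {tok[i + 1]}"
        i += 1 if tok[i] == "any" else 2
        dst = "any" if tok[i] == "any" else f"host {tok[i + 1]}"
        i += 1 if tok[i] == "any" else 2
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_match_addr(src, pkt.src) and _match_addr(dst, pkt.dst)):
            continue
        if port is not None and pkt.dport != port:
            continue
        return action
    return "deny"                     # implicit deny ip any any
```

With BADGE-SERVER applied inbound on Vlan21, an ICMP echo from the PC to 10.110.124.254 and a UDP/53 lookup both fall through to line 20, while only the TCP/8080 session to the proxy is permitted.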
Thank you for all of your help.