Castlewood
Not able to ping DMZ port on Firewall from the switch.
On the firewall, the DMZ2 port connects to the ColoC3750X switch on Gi2/0/21, while the LAN port connects to the Winston-3750sw switch on Gi1/0/1, as shown in the attached diagram and the config files. There is a trunk connection between the two switches.
The big, big issue is: from the ColoC3750X switch, we are NOT able to ping the DMZ2 port IP 10.10.2.1. (But from Winston-3750sw, we are able to ping both 10.10.2.1 and 10.10.2.2.)
Can you please figure out what I missed?
Thanks.
Cannot-ping-FW.jpg
coloc3750x-confg
winston-3750sw-confg
ASKER
vlan102 should be up. See the result:
ColoC3750X#sh interface vlan 102
Vlan102 is up, line protocol is up
Hardware is EtherSVI, address is 4403.a749.b345 (bia 4403.a749.b345)
Internet address is 10.10.2.2/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:57, output 00:12:56, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
16993 packets input, 2604456 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
675 packets output, 45418 bytes, 0 underruns
0 output errors, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
ASKER
As earlier mentioned, the other switch (Winston-3750sw) is able to ping the DMZ interface without a problem.
Here is the result of sh ip arp (10.10.2.1 is the DMZ interface IP). Is everything OK?
ColoC3750X#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.2.2 - 4403.a749.b345 ARPA Vlan102
Internet 10.2.6.14 - 4403.a749.b343 ARPA Vlan60
Internet 10.2.4.14 - 4403.a749.b341 ARPA Vlan40
Internet 10.10.2.1 36 001e.c9b2.788b ARPA Vlan102
Internet 10.2.5.14 - 4403.a749.b342 ARPA Vlan50
Internet 10.2.0.1 73 0022.91b8.5bc8 ARPA Vlan100
Internet 10.2.5.20 184 0cc4.7a53.9ec9 ARPA Vlan50
Internet 10.2.5.18 1 0cc4.7a1f.30ec ARPA Vlan50
Internet 10.0.6.57 2 0022.91b8.5bc8 ARPA Vlan100
Internet 10.10.2.141 138 0015.5d02.f609 ARPA Vlan102
Internet 10.2.0.199 - 4403.a749.b344 ARPA Vlan100
I do not see an ARP entry for 10.10.2.1. When you do the ping, did you try sourcing it from VLAN102? You shouldn't have to, but it's worth a try.
As for why the other switch can ping the IP address: by the diagram it is going through the firewall to do so, not via the other switch, since VLAN 102 is not carried on the trunk and it doesn't have an interface in that VLAN.
On the ColoC3750X, can you also do a
show vlan
and
sho arp dyn int g2/0/21
Thanks
ASKER
"I do not see an ARP entry for 10.10.2.1"? Didn't you see it listed? The fourth from the top. Isn't it for 10.10.2.1?
How do I ping while sourcing from VLAN102?
Here is the result of sh vlan:
ColoC3750X#sh vlan
VLAN Name Status Ports
---- -------------------------- ------ --------- -------------------------- -----
1 default active
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi2/0/20, Gi2/0/22
40 VLAN0040 active Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi2/0/15, Gi2/0/16, Gi2/0/17, Gi2/0/18, Gi2/0/19
50 VLAN0050 active Gi1/0/1, Gi1/0/2, Gi2/0/1, Gi2/0/2
60 VLAN0060 active Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi2/0/5, Gi2/0/6, Gi2/0/7, Gi2/0/8, Gi2/0/9, Gi2/0/10, Gi2/0/11
Gi2/0/12, Gi2/0/13, Gi2/0/14
100 VLAN0100 active
101 VLAN0101 active
102 Vlan102 active Gi1/0/3, Gi1/0/4, Gi2/0/3, Gi2/0/4, Gi2/0/21
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
40 enet 100040 1500 - - - - - 0 0
50 enet 100050 1500 - - - - - 0 0
60 enet 100060 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
101 enet 100101 1500 - - - - - 0 0
102 enet 100102 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
"sho arp dyn int g2/0/21" is not a valid command.
#1 You are correct, I am blind.
#2 ping x.x.x.x source vlan 102
#3 Sorry again, thinking too fast. It is sho mac add dyna int g2/0/21
Also, any particular reason for this?

hostname ColoC3750X
!
interface Vlan40
 ip address 10.2.4.14 255.255.255.0
!
interface Vlan50
 ip address 10.2.5.14 255.255.255.0
!
interface Vlan60
 ip address 10.2.6.14 255.255.255.0
!
interface Vlan100
 ip address 10.2.0.199 255.255.255.0

hostname Winston-3750sw
!
interface Vlan40
 ip address 10.2.4.1 255.255.255.0
!
interface Vlan50
 ip address 10.2.5.1 255.255.255.0
!
interface Vlan60
 ip address 10.2.6.1 255.255.255.0
!
interface Vlan100
 ip address 10.2.0.1 255.255.255.0

I mean, other than wasting a few IP addresses? If hosts are not configured to use both SVIs as default gateway (to distribute traffic load between switches or whatever), it just creates confusion.
ASKER
The DMZ2 interface on the firewall was newly created, so it had no rules at all. As a result, no incoming traffic was allowed. That is why.
Thank you guys.
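The thread's resolution illustrates a general triage rule: if the switch holds a dynamic ARP entry for the firewall's interface on the expected SVI, and the firewall-facing port sits in that VLAN, then layer 2 is working and a failed ping points at a layer 3 filter (here, a new DMZ interface with no policy permitting inbound traffic). The following is an added example, not code from the thread or from any Cisco tool; it parses trimmed copies of the `show ip arp` and `show vlan` output posted above (embedded below as constructed samples) and applies that rule. The verdict labels (`FW_POLICY`, `L2_NO_ARP`, etc.) and the `triage` function are my own naming, not anything the switch reports.

```python
import re

# Constructed sample: rows trimmed from the ColoC3750X "show ip arp" output
# quoted in the thread. "-" in the age column marks the switch's own SVIs.
SHOW_IP_ARP = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.2.2 - 4403.a749.b345 ARPA Vlan102
Internet 10.2.6.14 - 4403.a749.b343 ARPA Vlan60
Internet 10.10.2.1 36 001e.c9b2.788b ARPA Vlan102
Internet 10.2.0.1 73 0022.91b8.5bc8 ARPA Vlan100
Internet 10.10.2.141 138 0015.5d02.f609 ARPA Vlan102
"""

# Constructed sample: the VLAN 102 membership row from "show vlan".
SHOW_VLAN = """\
VLAN Name Status Ports
102 Vlan102 active Gi1/0/3, Gi1/0/4, Gi2/0/3, Gi2/0/4, Gi2/0/21
"""

ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+(-|\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)"
)
VLAN_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_arp(text):
    """Map IP -> {mac, iface, local, age} from IOS 'show ip arp' text."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        ip, age, mac, iface = m.groups()
        entries[ip] = {
            "mac": mac,
            "iface": iface,
            "local": age == "-",              # the switch's own SVI address
            "age": None if age == "-" else int(age),
        }
    return entries


def parse_vlan_ports(text):
    """Map VLAN id -> list of access ports from the first 'show vlan' table."""
    ports = {}
    for line in text.splitlines():
        m = VLAN_RE.match(line.strip())
        if not m or not m.group(3).startswith("act"):
            continue  # header, separator, or non-active VLAN
        vid = int(m.group(1))
        ports[vid] = [p.strip() for p in m.group(4).split(",") if p.strip()]
    return ports


def triage(target_ip, svi_vlan, fw_port, arp, vlan_ports, ping_ok):
    """Classify a failed ping from an SVI to a directly attached firewall interface.

    Verdict labels are this example's own:
      OK           ping works, nothing to do
      L2_VLAN      firewall-facing port is not in the SVI's VLAN
      L2_NO_ARP    no ARP entry: the firewall never answered on this segment
      L3_WRONG_VLAN the address was learned on a different SVI
      FW_POLICY    ARP resolved on the right VLAN, so L2 is fine and the
                   firewall itself is dropping the ICMP (interface policy)
    """
    if ping_ok:
        return "OK"
    if fw_port not in vlan_ports.get(svi_vlan, []):
        return "L2_VLAN"
    entry = arp.get(target_ip)
    if entry is None:
        return "L2_NO_ARP"
    if entry["iface"] != f"Vlan{svi_vlan}":
        return "L3_WRONG_VLAN"
    # A dynamic ARP reply proves the firewall's stack answers on this VLAN;
    # it says nothing about what its data plane permits. A freshly created
    # interface with no rules, as in the thread, lands here.
    return "FW_POLICY"


if __name__ == "__main__":
    arp = parse_arp(SHOW_IP_ARP)
    vlans = parse_vlan_ports(SHOW_VLAN)
    print(triage("10.10.2.1", 102, "Gi2/0/21", arp, vlans, ping_ok=False))
```

The check deliberately stops at "firewall policy" rather than guessing which rule is missing: the switch output cannot show that, only the firewall's own interface policy can.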
Maybe you didn't create the VLAN in the VLAN database and the interface is down?