The following results state which ping fails and which did not using extended ping from the C4K_Sec:

1) Src=172.20.5.3 ==> Des= 172.25.5.2 (Fail)

2) Src=172.20.5.3 ==> Des= 172.25.5.1 (HSRP add.) (Fail)

3) Src=172.20.5.3 ==> Des= 172.25.4.2 (Fail)

4) Src=172.20.5.3 ==> Des= 172.25.4.1 (HSRP add) (Fail)

(i.e from interface vlan 3 as Src and any address of interface vlan 2 on the C4K_Pri as a destination address it fail)

5) Src=172.25.5.3 ==> Des= 172.25.5.2 (OK)

6) Src=172.25.5.3 ==> Des= 172.25.5.1 (OK)

7) Src=172.25.4.3 ==> Des= 172.25.4.2 (OK)

8) Src=172.25.4.3 ==> Des= 172.25.4.1 (OK)

Also when I issue extended ping from the C4K_Pri the following results I got:

1) Src=172.20.5.2 ==> Des= 172.25.5.2 (Fail)

2) Src=172.20.5.2 ==> Des= 172.25.5.1 (Fail)

3) Src=172.20.5.2 ==> Des= 172.25.4.2 (Fail)

4) Src=172.20.5.2 ==> Des= 172.25.4.1 (Fail)

5) Src=172.25.4.2 ==> Des= 172.25.5.2 (Fail)

6) Src=172.25.4.2 ==> Des= 172.25.5.1 (Fail)

also I tried a workstation with IP 172.20.5.10 it failed to ping any IP on interf vlan2 on the C4K_Pri (where the ACL is applied.

I apreciate your help, Thanks

Does anyone have an explanation to the above behavior?

Regards

you need to permit 172.20.5.0 0.0.0.255 in the access-list 101..

I'd suggest putting the 'log-input' keyword in the last line of the access list so that you can see, from the interface's perspective, what's getting dropped. This could shed some light on the situation.

I have put the the "log-input" command at the "deny any any" at the end of the access list, and it shows that the access list drops any packet come from the 172.20.5.0

omohamed is correct, you need to allow the 172.20.5 network in your access list. It is an inbount access-list that you placed on the primary switch only allowing the 172.25.5.X and 172.25.4.X networks into the VLAN 2 switch. You need to add an additional line to allow the 172.20.5 network. as such...

access-list 101 premit ip 172.20.5.0 0.0.0.255 any

Hope this helps...

I dont know if you are psting the list in as you showed us but the first two permit statements are spelled wrong. Those are also the statements needed to make the vlans2 work.

Thanks for the reply I applied what you said and it worked fine.

but I wonder why it works? since the access list is in the inbound direction and it permits a subnet that is not sourced from the attached interface (i.e it permites 172.20.5.0/24 as the source address although this subnet does not sourced from interface Vlan 2 where the access list is applied !!!)

can anyone explain it to me?

Thanks and best Regards

Ashraf

Question about your HSRP setup. I see you're using standby group 3 for two different VLAN's/interfaces.. am I wrong in saying you can only use one standby group (standby group 3 for example) on only ONE interface (only once?) Lemme know..

- Matt

Hi Matthew,

U can only use one standby group on one interface..

You can use only one standby group per VLAN, i.e you can span the same standby group on the whole switch if it has multiple VLANs configured, provided that the standby group used once per VLAN.