Not able to ping another VLAN

Sanjay Goswami
Level 1

Dear All,

This is my network diagram. When I try to ping from my CISCO 4331 router to another VLAN, I am unable to ping. I am using the following commands:

CISCO-4331-ROUTER#ping 192.168.16.1 source 192.168.15.250

or 

CISCO-4331-ROUTER#ping 192.168.15.1 source 192.168.16.250

or 

CISCO-4331-ROUTER#ping 192.168.17.1 source 192.168.16.250

Please suggest what changes I have to make to ping another vlan.

Network MAP.jpg


Troy Jackson
Level 1

Can you post the configuration for the switch?

 

Please remember to rate useful posts, by clicking on the star below.
-Troy J.

Hi Jackson,

interface GigabitEthernet1/0/35
description ****** CISCO-4331 ROUTER ******
switchport trunk allowed vlan 6-8
switchport mode trunk

 

interface GigabitEthernet1/0/2
description *** CONNECTED TO FORTINET INT-1 ***
switchport trunk allowed vlan 6-8
switchport mode trunk

 

* Do you have VLANs 6,7, and 8 created on the switch?

Ans : YES...

MAL-GIGA-SW#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    xxxxxxxxxxxxxxxxxxxx
2    xxxxxxxxxxxxxxxxxxxxxx
3    xxxxxxxxxxxxxxxxxxxxxx
4    xxxxxxxxxxxxxxxxxxxxxx
6    SERVER-VLAN                      active    Gi1/0/8
7    MANAGEMENT-VLAN                  active    Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/21, Gi1/0/22, Gi1/0/25
8    USER-VLAN                        active    Gi1/0/27, Gi1/0/29, Gi1/0/30, Gi1/0/32, Gi1/0/33, Gi1/0/34, Gi1/0/36

 

Regards

Sanjay Goswami

andresfr
Cisco Employee

Hello Sanjay,

 

I hope you're doing well.

 

Some questions regarding this setup:

 

* Are you able to ping Fortinet IP addresses from the Cisco router when not specifying the source of the ICMP echo request in the ping command? Or by sourcing with IP address within the same VLAN as destination IP address.

* Are those interfaces on the Catalyst switch configured as trunk interfaces? Both the one connected to the router and the one connected to the Fortinet device.

* Do you have VLANs 6,7, and 8 created on the switch?

* Is that Fortinet device not filtering ICMP echo requests or allowing ICMP echo request from any source?

 

You can also create Layer 3 VLAN interfaces (VLAN SVIs) on the switch for testing purposes and try pinging the configured IP address for each VLAN from the router or from the Fortinet device.

 

Regards,

 

 

Hi Andres

 

First of all, thanks for your quick response. Please find the required information below.

 

* Are you able to ping Fortinet IP addresses from the Cisco router when not specifying the source of the ICMP echo request in the ping command? Or by sourcing with IP address within the same VLAN as destination IP address.

Ans: YES but in same VLAN not others. 

MAL-HO-4331#ping 192.168.15.1 source 192.168.15.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.15.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.15.250
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

******* THIS IS NOT WORKING (WHICH IS MY ACTUAL ISSUE) *****

MAL-HO-4331#ping 192.168.15.1 source 192.168.16.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.15.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.16.250

 

* Are those interfaces on the Catalyst switch configured as trunk interfaces? Both the one connected to the router and the one connected to the Fortinet device.

Ans: Yes. Both interfaces have been configured as trunks. Here is the configuration:

interface GigabitEthernet1/0/35
description ****** CISCO-4331 ROUTER ******
switchport trunk allowed vlan 6-8
switchport mode trunk

 

interface GigabitEthernet1/0/2
description *** CONNECTED TO FORTINET INT-1 ***
switchport trunk allowed vlan 6-8
switchport mode trunk

 

* Do you have VLANs 6,7, and 8 created on the switch?

Ans : YES...

MAL-GIGA-SW#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    xxxxxxxxxxxxxxxxxxxx
2    xxxxxxxxxxxxxxxxxxxxxx
3    xxxxxxxxxxxxxxxxxxxxxx
4    xxxxxxxxxxxxxxxxxxxxxx
6    SERVER-VLAN                      active    Gi1/0/8
7    MANAGEMENT-VLAN                  active    Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/21, Gi1/0/22, Gi1/0/25
8    USER-VLAN                        active    Gi1/0/27, Gi1/0/29, Gi1/0/30, Gi1/0/32, Gi1/0/33, Gi1/0/34, Gi1/0/36

* Is that Fortinet device not filtering ICMP echo requests or allowing ICMP echo request from any source?

Ans : No Idea.

 

Please feel free to ask for any other clarification.

Regards

Sanjay Goswami

 

Test the following on the router:

 

!Ping router IP address in VLAN 6 from the router itself sourcing from VLAN 7

ping 192.168.15.250 source 192.168.16.250

!Similarly

ping 192.168.15.250 source 192.168.17.250

ping 192.168.16.250 source 192.168.17.250

 

Consider, as suggested previously,  configuring Layer 3 VLAN interfaces (VLAN SVIs) on the switch for testing purposes and try pinging the configured IP address for each VLAN from the router or from the Fortinet device.

 

Comment on your results?

 

Share the configuration of both the router and the switch.

 

Comment on your results.

 

Regards,

Hi Andres,



I appreciate the effort you have put into this issue. Here are the
outputs of the given commands:



MAL-HO-4331#ping 192.168.15.250 source 192.168.16.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.15.250, timeout is 2 seconds:
Packet sent with a source address of 192.168.16.250
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

MAL-HO-4331#ping 192.168.15.250 source 192.168.17.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.15.250, timeout is 2 seconds:
Packet sent with a source address of 192.168.17.250
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

MAL-HO-4331#ping 192.168.16.250 source 192.168.17.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.250, timeout is 2 seconds:
Packet sent with a source address of 192.168.17.250
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms



We do not have L3 Switches in our network. Whatever the VLAN we have
configured, that is configured in Fortinet only.



In that case what do you suggest? Or how can I resolve this issue ?

Hello

Disable any ip routing enabled on the switch.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Dear Sir,



No IP routing has been configured.



MAL-GIGA-SW#show ip route
Default gateway is 192.168.16.1

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
MAL-GIGA-SW#



Regards

Sanjay


nixpengu1n
Level 1

Hello,

 

Couple of questions / considerations:

 

1. Is there any possibility to see Cisco 2900 switch configuration?

2. It could be a good idea to use native VLANs on trunks as well

3. Consider disabling DTP on trunk links, at least between the Cisco 2900 device and the Fortinet device

4. Make sure that the Cisco 2900 and the Fortinet device are using the same STP mode

5. Please provide show interface gi1/0/2 and show spanning-tree vlan for appropriate VLANs on Cisco 2900 switch

 

This will give more information about your setup.

sh run
Building configuration...

Current configuration : 7389 bytes
!
! Last configuration change at 10:02:34 UTC Fri Aug 3 2018
! NVRAM config last updated at 10:02:36 UTC Fri Aug 3 2018
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MAL-GIGA-SW
!
boot-start-marker
boot-end-marker
!

!
cluster enable MAL-CLUSTER 0
!
!
crypto pki trustpoint TP-self-signed-3588563328
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3588563328
revocation-check none
rsakeypair TP-self-signed-3588563328
!
!
crypto pki certificate chain TP-self-signed-3588563328
certificate self-signed 01
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 7,8
switchport mode trunk
!
interface GigabitEthernet1/0/2
description *** CONNECTED TO FORTINET INT-1 ***
switchport trunk allowed vlan 6-8
switchport mode trunk
!
interface GigabitEthernet1/0/3
switchport trunk allowed vlan 6-8
switchport mode trunk
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 6-8
switchport mode trunk
!
interface GigabitEthernet1/0/5
switchport trunk allowed vlan 6-8
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk allowed vlan 6-8
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk allowed vlan 6-8
switchport mode trunk
!
interface GigabitEthernet1/0/8
description ****Backup Server****
switchport access vlan 6
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 7
!
interface GigabitEthernet1/0/10
switchport access vlan 7
!
interface GigabitEthernet1/0/11
switchport access vlan 7
!
interface GigabitEthernet1/0/12
switchport access vlan 7
!
interface GigabitEthernet1/0/13
switchport access vlan 7
!
interface GigabitEthernet1/0/14
switchport access vlan 7
!
interface GigabitEthernet1/0/15
switchport access vlan 7
!
interface GigabitEthernet1/0/16
switchport access vlan 7
!
interface GigabitEthernet1/0/17
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/18
description **** VLAN-2,3,4 to FORTIGATE-PORT-2 **********
switchport trunk allowed vlan 2-4
switchport mode trunk
!
interface GigabitEthernet1/0/19
description ****Trunk Port to POE| VLAN 2,3,4,6,7,8****
switchport trunk allowed vlan 2-4,6-8
switchport mode trunk
!
interface GigabitEthernet1/0/20
description ****** VLAN-3 *******
switchport access vlan 3
!
interface GigabitEthernet1/0/21
description ****** VLAN-7 *******
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/22
description *** MATRIX SIP TRUNK ****
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/23
description **** TRUNK-VLAN-2,3,6,7,8 UPLINK *****
switchport trunk allowed vlan 2-4,6-8
switchport mode trunk
!
interface GigabitEthernet1/0/24
description **** TRUNK-VLAN-2,3,6,7,8 STORE-UPLINK *****
switchport trunk allowed vlan 2,3,6-8
switchport mode trunk
!
interface GigabitEthernet1/0/25
description *** MGMT VLAN ****
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/26
description ***TPLINK Radio***
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/27
switchport access vlan 8
!
interface GigabitEthernet1/0/28
description **** TRUNK-VLAN-1,2,3,4,6,7,8 UPLINK *****
switchport trunk allowed vlan 1-4,6-8
switchport mode trunk
!
interface GigabitEthernet1/0/29
switchport access vlan 8
!
interface GigabitEthernet1/0/30
switchport access vlan 8
!
interface GigabitEthernet1/0/31
switchport access vlan 8
!
interface GigabitEthernet1/0/32
switchport access vlan 8
!
interface GigabitEthernet1/0/33
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet1/0/34
switchport access vlan 8
!
interface GigabitEthernet1/0/35
description ****** CISCO-4331 ROUTER ******
switchport trunk allowed vlan 6-8
switchport mode trunk
!
interface GigabitEthernet1/0/36
switchport access vlan 8
!
interface GigabitEthernet1/0/37
switchport access vlan 8
!
interface GigabitEthernet1/0/38
switchport access vlan 8
!
interface GigabitEthernet1/0/39
switchport access vlan 8
!
interface GigabitEthernet1/0/40
switchport access vlan 8
!
interface GigabitEthernet1/0/41
switchport access vlan 8
!
interface GigabitEthernet1/0/42
switchport access vlan 8
!
interface GigabitEthernet1/0/43
switchport access vlan 8
!
interface GigabitEthernet1/0/44
switchport access vlan 8
!
interface GigabitEthernet1/0/45
switchport access vlan 8
!
interface GigabitEthernet1/0/46
switchport access vlan 8
!
interface GigabitEthernet1/0/47
switchport access vlan 8
!
interface GigabitEthernet1/0/48
switchport access vlan 8
!
interface GigabitEthernet1/0/49
switchport access vlan 8
!
interface GigabitEthernet1/0/50
switchport access vlan 8
!
interface GigabitEthernet1/0/51
switchport trunk allowed vlan 2-4,6-8
switchport mode trunk
!
interface GigabitEthernet1/0/52
switchport trunk allowed vlan 2-4,6-8
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.117 255.255.255.0
!
interface Vlan2
ip address 192.168.9.117 255.255.255.0
!
interface Vlan3
ip address 192.168.10.117 255.255.255.0
!
interface Vlan4
ip address 192.168.12.117 255.255.255.0
!
interface Vlan6
ip address 192.168.15.117 255.255.255.0
!
interface Vlan7
ip address 192.168.16.8 255.255.255.0
!
interface Vlan8
ip address 192.168.17.117 255.255.255.0
!
interface Vlan9
ip address 192.168.20.117 255.255.255.0
!
ip default-gateway 192.168.16.1
ip http server
ip http secure-server
!
!
!
snmp-server community public RO
!
!

!
monitor session 1 source interface Gi1/0/2
monitor session 1 destination interface Gi1/0/31
end

MAL-GIGA-SW#

Hello,

 

OK, based on your configuration you are using PVST mode. Make sure that your Fortinet switch is using the same STP mode, otherwise you may face very strange LAN behavior, including Layer 2 loops. Second, because you are not specifying any native VLAN on the trunk port between the Fortinet and the Cisco 2960 switch, the Cisco switch will use VLAN 1 by default. If the native VLAN is mismatched, the STP tree for all VLANs might not be formed and Layer 2 loops may occur.

 

I would recommend following configuration:

 

1. Configure both switches to use the same STP mode

2. Configure a dummy VLAN (for example 999) to be used as the native VLAN for the trunk port to the Fortinet switch. You may consider using this VLAN as the native VLAN for all trunk ports

3. Disable the DTP protocol, which dynamically negotiates trunk settings, on this trunk interface. This might be an issue when you establish trunk connections to non-Cisco devices. This needs to be done on both ends, for the Cisco and the Fortinet device

 

All in all, your configuration on Cisco 2960 switch will look like this:

 

!
vlan 999
name NATIVE-DYMMY
!
interface GigabitEthernet1/0/2
description *** CONNECTED TO FORTINET INT-1 ***
switchport trunk allowed vlan 6-8
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
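
The trunk recommendations in the reply above (explicit non-default native VLAN, `switchport nonegotiate`) can be checked across every trunk port of a saved configuration. The following is an added example, not code from the thread or from any poster: `audit_trunks` and `expand_vlans` are hypothetical names, the sample config is constructed in the style of the one posted, and it goes one step beyond the reply by also flagging trunks whose allowed list still carries the native VLAN. It assumes numeric VLAN lists (no `all`/`none` keywords).

```python
import re
# Constructed sample in the style of the MAL-GIGA-SW config; Gi1/0/2 is hardened.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 7,8
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport trunk allowed vlan 6-8
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/8
switchport mode access
!
interface GigabitEthernet1/0/28
switchport trunk allowed vlan 1-4,6-8
switchport mode trunk
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-4,6-8' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config):
    """Return {interface: [findings]} for trunk ports lacking the hardening."""
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip() not in ("", "!")]
        if "switchport mode trunk" not in lines:
            continue  # access ports and the empty leading chunk are skipped
        last = lambda prefix: [l.split()[-1] for l in lines if l.startswith(prefix)]
        native = int((last("switchport trunk native vlan") or ["1"])[0])
        allowed = last("switchport trunk allowed vlan")  # absent = all VLANs
        issues = []
        if native == 1:
            issues.append("native VLAN left at default 1")
        if not allowed or native in expand_vlans(allowed[0]):
            issues.append("untagged native VLAN is forwarded on this trunk")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP still enabled (no switchport nonegotiate)")
        if issues:
            findings[lines[0].split()[1]] = issues
    return findings
```

Run against the sample, only Gi1/0/1 and Gi1/0/28 are reported; the hardened Gi1/0/2 and the access port produce no findings.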

 
