05-04-2011 04:55 AM - edited 03-06-2019 04:53 PM
I have a 3560 configured with a VLAN 60; there are 2 ports in the VLAN.
The VLAN is assigned a public IP, and the first port is wired to a router which goes to the Internet.
I have a desktop connected to the second port.
There are other VLANs as well in the same switch, so the default route goes to another internal router. This also means there is no gateway added specific to VLAN 60. I am still able to ping the VLAN IP and the public IP of the desktop attached to it from the Internet.
But I cannot SSH or HTTP to the desktop IP; only ping works.
Why is it so?
05-04-2011 05:38 AM
Hi Riju,
Make sure you have enabled SSH on the desktop to which you are trying to SSH.
Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.
05-04-2011 05:43 AM
I have enabled SSH, HTTP, Remote Desktop and everything on the desktop, so that is not the problem.
My question is whether the routing will work without a gateway specified in the VLAN/switch.
I am thinking the 3560 is intelligently routing the VLAN to the next router even without a static route.
If that is the case, then why is ping working and no other ports work?
05-04-2011 05:59 AM
Hi,
The ip default-gateway only works when there is no routing, so if ip routing is enabled you need to specify a default gateway with the ip route 0.0.0.0 command.
If ICMP is working then you have IP connectivity, so this is surely not a routing problem.
Are you sure the services are up on the desktop? Isn't there a firewall rule blocking HTTP/SSH?
Regards.
Alain.
05-04-2011 06:04 AM
I have ip routing enabled, but this is for another VLAN in the switch.
I don't want the public VLAN to take that route. Basically I want this VLAN to work as a router.
This VLAN is wired to another public VLAN in another switch, and it goes out from there.
The fact is this route path is working without a static route being there, but only in the case of ping.
What the difference is between ping and SSH (or any other apps) is what I don't understand.
05-04-2011 06:07 AM
And I confirm that there is no firewall on the path. If I attach the desktop to another private VLAN, I can SSH.
05-04-2011 06:09 AM
Hi,
Can you provide a diagram and the config.
Regards.
Alain.
05-04-2011 06:29 AM
Attaching the diagram; the relevant config is pasted below.
!trunk to switch2
interface GigabitEthernet0/1
switchport trunk encapsulation isl
switchport mode trunk
!
interface GigabitEthernet0/2
!trunk to ASA
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 7,12
switchport mode trunk
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/28
switchport access vlan 60
switchport mode access
!
interface GigabitEthernet0/29
switchport access vlan 60
switchport mode access
!
!
interface Vlan1
no ip address
!
interface Vlan7
ip address 10.51.1.8 255.255.255.0
!
!
interface Vlan60
ip address 216.35.15.17 255.255.255.248
ip classless
ip route 0.0.0.0 0.0.0.0 10.51.1.1
access-list 101 permit ip any any
05-04-2011 06:46 AM
Hi,
From where are you doing the pings and ssh/http ?
Regards.
Alain.
05-04-2011 07:00 AM
From internet. You can do it as well
05-04-2011 08:23 AM
Routing for VLAN 60: there is a directly connected SVI on the switch.
This really appears to be an issue with either the SSH and HTTP services not working, or with them being blocked, as mentioned before, either by the desktop or by some ACL on the public switch. Have the SSH and HTTP services on the desktop been tested? I don't see any notes regarding this. I do see where you mention that it should work, but you may want to verify this by attempting an SSH and HTTP connection to the desktop with a test machine connected to the switch in the same VLAN, and then moving that same test machine to another VLAN and making sure the service is running and accessible.
The design looks solid and straightforward enough. I don't see how that could be a problem.
05-04-2011 11:18 PM
Hi,
If the SSH/HTTP connection works locally, I'd check the ASA configuration as the next step.
It's possible the ASA is permitting ICMP but blocking SSH and HTTP coming from the Internet.
BR,
Milan
05-04-2011 02:06 PM
Although you have provided a diagram, config and explanation, your source, destination and path are still not clear.
What I understand is that you are trying to ping from the Internet, and for that you are using VLAN 60, which has two ports assigned on the 3560.
When you say you have not routed this VLAN, what does that mean? If you have a default route on this switch, it will be used by any source reaching this switch.
Your IP addressing also presents a problem if both VLAN 60 and the IP of the outside interface of the ASA are routed on the Internet.
The following is required to understand the full picture:
Full configuration of the 3560 and the other switch?
Your source and destination where ping is successful and SSH is not working? And a traceroute also (while you trace you may find some clue if you are trying to SSH from the Internet) :)
Draw a topology to explain the intended path of routing with all participating devices?
05-05-2011 04:17 AM
OK, I figured it out.
Basically, the problem was that ping would work both ways and nothing else would.
ICMP works on layer 3, which, when traversing through the VLAN in a layer 3 switch, is intelligent enough to find the gateway IP (even though the gateway IP is not specified) through its physical connection and route it that way.
But apps (SSH, HTTP, etc.) on layer 4 and other layers will not do this.
So I can ping, but not SSH or HTTP.
I routed it through a physical router (not a VLAN), gave it a gateway, and all is well.
Thanks guys for all your help.
-Riju
05-05-2011 04:38 AM
Hi,
I don't believe it was a pure routing problem.
The moment you are able to ping, routing is OK.
L4 is NOT involved in routing; there's no difference between SSH, HTTP or ICMP from the routing point of view. All of them are IP packets.
I understand you replaced the ASA with a router and that made SSH/HTTP work?
BR,
Milan
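The point Alain and Milan make (an ICMP echo reply proves the IP path in both directions, so a TCP handshake that then gets no answer points at filtering rather than the routing table) can be turned into a quick check run from the Internet side. The script below is an added example for this thread, not code from any of the posts; it assumes bash (for /dev/tcp), a Linux iputils ping and coreutils timeout, and takes the target host and port as arguments. Three outcomes of the TCP probe are told apart: a completed handshake (open), an RST (closed, so the host is reached but nothing listens), and silence (filtered, which is the symptom described in this thread).

```bash
#!/usr/bin/env bash
# Added diagnostic for the "ping works, SSH/HTTP do not" symptom discussed above.
# Assumptions (not from the thread): bash for /dev/tcp, Linux iputils ping
# (-W in seconds), coreutils timeout. Use IP addresses, not names, so that a
# DNS failure is not mistaken for a refused connection.

# icmp_probe HOST -> 0 if an echo reply came back, 1 otherwise
icmp_probe() {
  ping -c 2 -W 2 "$1" >/dev/null 2>&1
}

# tcp_probe HOST PORT [TIMEOUT] -> 0 open (SYN/ACK), 1 closed (RST), 2 filtered (no answer)
tcp_probe() {
  local host=$1 port=$2 t=${3:-3} rc=0
  timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1 || rc=$?
  case $rc in
    0)   return 0 ;;   # connect() completed: something answers on that port
    124) return 2 ;;   # timeout: SYN dropped on the path or by a host firewall
    *)   return 1 ;;   # bash reports "Connection refused": host sent an RST
  esac
}

# classify_reachability ICMP_RC TCP_RC -> one verdict token on stdout
classify_reachability() {
  local icmp=$1 tcp=$2
  [ "$icmp" -eq 0 ] || icmp=1
  case "$icmp/$tcp" in
    0/0) echo open ;;
    0/1) echo closed ;;
    0/2) echo filtered ;;
    1/0) echo open-icmp-blocked ;;
    1/1) echo closed-icmp-blocked ;;
    *)   echo unreachable ;;
  esac
}

# explain_verdict TOKEN -> what the combination tells you, and where to look next
explain_verdict() {
  case $1 in
    open)   echo "IP path and service both work." ;;
    closed) echo "Host answers with RST: routing is fine, nothing listens on that port." ;;
    filtered)
      echo "Echo replies come back but the TCP SYN gets no answer: the IP path to the host works," \
           "so look for an ACL or stateful firewall on the path (or a return path that differs" \
           "from the inbound one), not at the routing table." ;;
    open-icmp-blocked)   echo "TCP works; only ICMP echo is blocked." ;;
    closed-icmp-blocked) echo "TCP RST came back; ICMP echo is blocked." ;;
    unreachable) echo "No reply of any kind: check routing and the default route first." ;;
  esac
}

# probe_host HOST PORT -> runs both probes and prints the verdict with its explanation
probe_host() {
  local host=$1 port=$2 icmp=0 tcp=0 verdict
  icmp_probe "$host" || icmp=$?
  tcp_probe "$host" "$port" || tcp=$?
  verdict=$(classify_reachability "$icmp" "$tcp")
  printf '%s:%s icmp=%s tcp=%s verdict=%s\n' "$host" "$port" "$icmp" "$tcp" "$verdict"
  explain_verdict "$verdict"
}

# Usage: ./probe.sh <host-ip> <port>   e.g. ./probe.sh 203.0.113.10 22
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 2 ]; then
  probe_host "$1" "$2"
fi
```

Run it from a host outside the network, once against port 22 and once against port 80. A "filtered" verdict with ICMP answered is the thread's symptom and means the next thing to inspect is whatever sits on the path (ACLs, the ASA, and which device actually carries the desktop's return traffic), while "closed" means the host was reached and the service itself is the problem.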