svi not able to ping

faamin011
Level 1

int vlan 24
 ip address 10.10.10.1 255.255.255.0
!
int vlan 23
 ip address 10.23.23.1 255.255.255.248
 ip access-group acl in
!
! extended ACL: protocol keyword is required, "permit ip ..." as quoted in the replies
ip access-list extended acl
 permit ip 10.23.23.0 0.0.0.7 10.10.10.0 0.0.0.255

I am unable to ping 10.23.23.1 from the switch as well as from a PC which is part of Vlan23.

Switch1#ping 10.23.23.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.23.1, timeout is 2 seconds:
Packet sent with a source address of 10.23.23.1

U.U.U
Success rate is 0 percent (0/5)
Switch1#

2 Accepted Solutions

Hello Fahad,

the ACL is applied inbound on the SVI and it is made of only one line

ip access-list extended acl

permit ip 10.23.23.0 0.0.0.7 10.10.10.0 0.0.0.255

When attempting to ping the SVI, the ICMP echo request packets have a source in 10.23.23.0/29 and a destination of 10.23.23.1.

These packets do not match the only statement of the ACL.

As a result, the packet is dropped by the implicit deny any that is at the end of each access-list.

When pinging another host in subnet 10.23.23.0/29, the packet is not processed by the SVI but is sent directly to the destination, because they are in the same IP subnet.

If you add the line

permit ip 10.23.23.0 0.0.0.7 host 10.23.23.1

you will be able to ping the SVI.

Hope to help

Giuseppe

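To make the two explanations above concrete, here is an added model (example code, not from the thread or from IOS itself) of how an extended ACL applied inbound on the SVI is evaluated: top-down, first match wins, implicit deny at the end, and host-to-host traffic inside the SVI's own /29 never reaching the ACL at all. The PC addresses used below are constructed sample values.

```python
import ipaddress
# Added example, not from the thread: a model of IOS extended-ACL evaluation
# (top-down, first match wins, implicit "deny ip any any" at the end).

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """'permit ip 10.23.23.0 0.0.0.7 host 10.23.23.1' ->
    (action, proto, src, src_wc, dst, dst_wc)."""
    tok = line.split()
    def take(rest):  # one address spec: any / host X / base wildcard
        if rest[0] == "any":
            return "0.0.0.0", "255.255.255.255", rest[1:]
        if rest[0] == "host":
            return rest[1], "0.0.0.0", rest[2:]
        return rest[0], rest[1], rest[2:]
    src, src_wc, rest = take(tok[2:])
    dst, dst_wc, _ = take(rest)
    return tok[0], tok[1], src, src_wc, dst, dst_wc

def evaluate(acl, proto, src, dst):
    """Return the first matching ACE's action, or the implicit deny."""
    for action, ace_proto, s, s_wc, d, d_wc in map(parse_ace, acl):
        if ace_proto in ("ip", proto) and wildcard_match(src, s, s_wc) \
                and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

SVI_ADDR, SVI_SUBNET = "10.23.23.1", "10.23.23.0/29"
ORIGINAL_ACL = ["permit ip 10.23.23.0 0.0.0.7 10.10.10.0 0.0.0.255"]
FIXED_ACL = ORIGINAL_ACL + ["permit ip 10.23.23.0 0.0.0.7 host 10.23.23.1"]

def ping_from_vlan23(acl, src, dst):
    """Outcome of an ICMP echo sent by a VLAN 23 host. Host-to-host traffic
    inside the SVI's own subnet is bridged within the VLAN and never hits the
    inbound ACL; packets for the SVI itself or for another subnet are checked."""
    net = ipaddress.IPv4Network(SVI_SUBNET)
    if dst != SVI_ADDR and ipaddress.IPv4Address(dst) in net:
        return "switched"          # never reaches the SVI ACL
    return evaluate(acl, "icmp", src, dst)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for dst in ("10.23.23.6", "10.10.10.20", SVI_ADDR):
            print(name, "10.23.23.5 ->", dst, ping_from_vlan23(acl, "10.23.23.5", dst))
```

The original ACL permits the echo to the server farm, the same-subnet echo is switched without consulting the ACL, and the echo to the SVI falls through to the implicit deny until the host line (or a permit icmp any any) is added.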

Hi Fahad,

1- The access-list has permitted vlan 23 to ping vlan 24, hence there is no issue and the packets go fine.

2- I don't see any access-list entry which allows ping to vlan 23. As you have the ACL applied in the inbound direction of the interface, any traffic that hits vlan 23 is checked to see whether it is allowed or not; as we have not allowed it in the ACL, it gets dropped due to the implicit deny. And when it sees the traffic for vlan 24, it gets pinged, as the vlan 24 network is allowed under the ACL.

Here are the suggestions:

A) configure permit icmp any any, or

B) permit ip 10.23.23.0 0.0.0.7 host 10.23.23.1

HTH.

Regards

Inayath

* Plz rate if this is helpful.


6 Replies

InayathUlla Sharieff
Cisco Employee

Hi Fahad,

This is because of the access list which you have applied. Could you please let us know what the purpose of this ACL is?

As you know, by default the implicit deny comes into the picture.

To make this work, just apply:

ip access-list extended acl

permit ip 10.23.23.0 0.0.0.7 10.10.10.0 0.0.0.255

permit icmp any any  <<<< This needs to be there to get the ICMP going, else it will be denied by default.

It works as expected after this. Hope this helps.

Thanks

Inayath

Plz rate if helpful.

Giuseppe Larosa
Hall of Fame

Hello Fahad,

InayathUlla is right: the ICMP U code means administratively forbidden by another device, so you need to review the ACL applied inbound on the SVI.

Hope to help

Giuseppe

If you want your pings to go fine, then permit icmp under the access-list:

Eg:

ip access-list extended acl

permit ip 10.23.23.0 0.0.0.7 10.10.10.0 0.0.0.255

permit icmp any any  <<<< This needs to be there to get the ICMP going, else it will be denied by default.

HTH.

Regards

Inayath.

*Plz rate if helpful.

Basically the topology is like this:

vlan 23 users should be able to communicate with vlan24 (Server Farm) and vice versa; other traffic is denied implicitly.

After applying this inbound ACL, I noticed that users of vlan 23 are able to communicate with or access other users of vlan 23, but vlan 23 users are not able to ping 10.23.23.1 (the SVI interface).

Also, I am unable to ping the SVI from the switch. I know icmp any any will allow ping and the problem is resolved.

But I want to know why vlan23 users are unable to ping 10.23.23.1 when they are able to ping the whole subnet.

If I remove the ACL, ping is OK.
