Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1021
Views
0
Helpful
6
Replies

WS-C4948E Unable to ping connected hosts

Scott Appel
Level 1
Level 1

‎12-14-2022 12:15 PM

We connected a WS-C4948E downstream from a Palo Alto 3220 FW. The FW and the switch are communicating fine. I can even access the switch remotely/externally via SSH. (Past the FW into the switch)

Note: It's probably important for me to mention that I had to configure the 4948E switch interface Gi1/1 as Layer 3 via 'no switchport' and 'ip address 10.190.28.124 255.255.255.0' to get it working properly with the Palo Alto. 

So, my problem in a nutshell is this: the hosts I'm connecting (10.190.28.x) to the 4948E switch are not pingable. I cannot ping a connected host from the switch, and vice versa, I cannot ping the switch (10.190.28.124) from the connected host. All the while, the interfaces show a status of 'connected'. 

I have to be missing something simple. Does anyone have an idea what I'm missing?

 

Labels:
0 Helpful
6 Replies 6

Reza Sharifi
Hall of Fame
Hall of Fame

‎12-14-2022 12:38 PM

 Gi1/1 as Layer 3 via 'no switchport' and 'ip address 10.190.28.124 255.255.255.0' to get it working properly with the Palo Alto. 

So, the connection between the switch and the firewall is via a routed port. Now, in order for the hosts to connect to the rest of the network, they need to be in a separate subnet and also VLAN.

So, on the switch for example:

vlan 10

description user vlan

exit

interface vlan 10

ip address 10.10.10.1 255.255.255.0

no sh

exit

and now add each host to vlan 10 and test again.

HTH

 

0 Helpful

Scott Appel
Level 1
Level 1
In response to Reza Sharifi

‎12-15-2022 08:40 AM

I applied your suggestion and, granted, it does work but I can't utilize that design. I waste the entire 10.190.28.0/24 subnet for a single link to the FW. The plan is to swing existing 10.190.28.x hosts to the 4948E switch so I took the wrong first step. I am stepping back to start from scratch again and figure out how to connect to the Palo Alto FW without wasting the entire 10.190.28.x/24 subnet.

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to Scott Appel

‎12-15-2022 08:54 AM - edited ‎12-15-2022 08:56 AM

For connectivity between the PA and the 4948, all you need is a /30.

So, I suggest you use the entire /24 (10.190.28.0/24) for the hosts and simply use a different subnet (a /30) for the link between the PA and the router. If you don't need the entire /24 for the hosts, you can always break it down and use a /25 for hosts and the other /25 for the uplink, but you waste a lot of IPs since you only need 2 for the uplink. Overall, if you use a different subnet for the uplink, it is much cleaner.

 

10.190.28.0/24

10.190.29.0/30

or

10.190.28.0/25

10.190.28.128/25

HTH

 

 

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to Reza Sharifi

‎12-15-2022 09:05 AM

There is also a third solution, which is to use a /29 for the uplink and the /24 for hosts:

10.190.28.0/24 (hosts)

10.190.29.0/29 (uplink)

This design gives you the most flexibility in a case in the future you need to add a second PA to the mix.

HTH

0 Helpful

Scott Appel
Level 1
Level 1
In response to Reza Sharifi

‎12-16-2022 06:54 AM

Reza,

Thank you for assisting in this situation. Your responses are correct and accurate, but I had to circle back and start from scratch. I didn't want to waste any subnets. And, when I first started working with and utilizing this 4948 that was provided, it wasn't responding the same way as Cisco 9k that we utilized to make other downstream connections from the Palo Alto.

In the end, I was able to configure the 4948 the same as the 9k(s) in that I created an 'interface vlan 28', 'ip address 10.190.28.124 255.255.255.0'. Then I configured Gi1/1 as 'switchport access vlan 28'. Super simple configuration.

That process was able to utilize the entire VLAN28 that same way as the 9k(s), nothing wasted. Strange thing is that setup didn't work for me on the 4948 first time around. Not sure why, I must have mis-configured or just plain missed something. Either way, I circled back, started at square one and was able to keep the design and configuration consistent. I wanted to use another 9k for this link but that was not what was provided to me. It all worked out in the end, but I started going in the wrong direction.

Thank you Reza. I think there is a lesson here in that sometimes one has to circle back to square one and start over again. Something could have been missed or some small, overlooked mistake can send you down a rabbit hole.

 

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to Scott Appel

‎12-16-2022 09:03 AM

Scott,

Glad to know you figure it out, and it is all working as expected.

HTH

0 Helpful
Customers Also Viewed These Support Documents