Involved Products and Versions
All products and versions
Networking
As shown in Figure 1-1, a VRRP group is configured on SwitchA and SwitchB. SwitchA is the VRRP master device and SwitchB is the VRRP backup device. The network segment where the PC resides is 10.0.0.0, and the network segment where the gateway SwitchC resides is 10.36.0.0.
To enable communication between the network segments 10.36.0.0 and 10.0.0.0, a user configures ACL-based packet filtering on SwitchB to allow only the traffic from 10.0.0.0 to 10.36.0.0 to pass. In addition, this rule is applied to the outbound direction of VLAN 322.
Figure 1-1 Networking diagram for the failure of a gateway to ping a PC connected to the VRRP backup device
Fault Symptom
SwitchC fails to ping the PC.
Cause Analysis
1. Check the configuration on SwitchC.
The ACL named Vlan322Out and numbered 3022 allows all traffic from network segment 10.0.0.0 to network segment 10.36.0.0 to pass. Therefore, the PC can ping SwitchC. When SwitchC pings the PC, the traffic from network segment 10.36.0.0 to network segment 10.0.0.0 is not allowed to pass.
#
acl name Vlan322Out 3022
rule 10 permit ip source 10.0.0.0 0.15.255.255 destination 10.36.0.0 0.0.255.255
rule 30 permit ip source 10.36.0.0 0.0.255.255 destination 224.0.0.0 0.0.0.255
rule 40 permit ip source 10.38.0.0 0.0.255.255 destination 10.36.0.0 0.0.255.255
rule 50 permit ip source 10.100.5.0 0.0.0.255 destination 10.36.0.0 0.0.255.255
rule 60 permit ip source 10.100.246.0 0.0.0.255 destination 10.36.0.0 0.0.255.255
rule 1000 deny ip
#
acl number 3144
rule 10 deny tcp destination-port eq 5554
rule 15 deny tcp destination-port eq 9995
rule 20 deny tcp destination-port eq 9996
rule 25 deny udp destination-port eq 445
rule 30 deny udp destination-port eq 1434
rule 35 deny ip source 10.0.0.0 0.255.255.255 destination 99.0.0.0 0.255.255.255
rule 40 permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
rule 45 permit ip source 10.36.0.0 0.0.255.255 destination 224.0.0.0 0.0.0.255
rule 1000 deny ip
#
interface GigabitEthernet1/0/7
port link-type access
port default vlan 322
#
traffic-filter vlan 322 inbound acl 3144
traffic-filter vlan 322 outbound acl name Vlan322Out
2. SwitchB, which connects to the PC, is the VRRP backup device, so it forwards the PC's traffic at Layer 2. In this case, the ping succeeds only when the ACL permits traffic in both directions. If the PC were connected to the VRRP master device, permitting traffic in one direction would be enough.
Troubleshooting Procedure
Step 1 Add the following rule to the ACL named Vlan322Out and numbered 3022: rule 20 permit ip source 10.36.0.0 0.0.255.255 destination 10.0.0.0 0.255.255.255. Then SwitchC can ping the PC, and the fault is rectified.
----End
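The following script is an added example, not part of this case or of Huawei's own tooling. It parses the rule lines of the two ACLs above with wildcard-mask semantics (a 1 bit in the wildcard means "don't care"), evaluates a packet against the rules in ascending rule-number order with first match wins, and shows why the ICMP echo request from the gateway segment hits rule 1000 in Vlan322Out until rule 20 from Step 1 is added. The host addresses 10.36.0.1 (SwitchC) and 10.0.0.10 (PC) are constructed, and the "permit when no rule matches" default is an assumption about traffic-filter behaviour rather than something the case states.

```python
"""Evaluate Huawei-style ACL rules (wildcard masks, first match) for the
VRRP backup-device case. Rule text is copied from the case; host addresses
are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: Optional[Tuple[str, str]]  # (base, wildcard) or None = any source
    dst: Optional[Tuple[str, str]]  # (base, wildcard) or None = any destination
    dport: Optional[int]            # destination port, or None = any


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask check: bits set to 1 in the wildcard are ignored,
    bits set to 0 must equal the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny PROTO [source A W] [destination A W]
    [destination-port eq P]' lines; '#' and 'acl ...' lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule":
            continue
        r = Rule(int(tok[1]), tok[2], tok[3], None, None, None)
        i = 4
        while i < len(tok):
            if tok[i] == "source":
                r.src = (tok[i + 1], tok[i + 2]); i += 3
            elif tok[i] == "destination":
                r.dst = (tok[i + 1], tok[i + 2]); i += 3
            elif tok[i] == "destination-port" and tok[i + 1] == "eq":
                r.dport = int(tok[i + 2]); i += 3
            else:
                raise ValueError(f"unsupported keyword in: {line}")
        rules.append(r)
    return sorted(rules, key=lambda r: r.number)  # config order = rule number


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); first matching rule wins."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.src and not wildcard_match(pkt.src, *r.src):
            continue
        if r.dst and not wildcard_match(pkt.dst, *r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.number
    return "permit", None  # assumption: unmatched traffic is not filtered


# ACL text from the case (wrapped lines joined).
VLAN322_OUT = """
rule 10 permit ip source 10.0.0.0 0.15.255.255 destination 10.36.0.0 0.0.255.255
rule 30 permit ip source 10.36.0.0 0.0.255.255 destination 224.0.0.0 0.0.0.255
rule 40 permit ip source 10.38.0.0 0.0.255.255 destination 10.36.0.0 0.0.255.255
rule 50 permit ip source 10.100.5.0 0.0.0.255 destination 10.36.0.0 0.0.255.255
rule 60 permit ip source 10.100.246.0 0.0.0.255 destination 10.36.0.0 0.0.255.255
rule 1000 deny ip
"""
ACL_3144 = """
rule 10 deny tcp destination-port eq 5554
rule 35 deny ip source 10.0.0.0 0.255.255.255 destination 99.0.0.0 0.255.255.255
rule 40 permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
rule 1000 deny ip
"""
# The rule Step 1 of the troubleshooting procedure adds.
FIX_RULE = "rule 20 permit ip source 10.36.0.0 0.0.255.255 destination 10.0.0.0 0.255.255.255\n"

SWITCHC = "10.36.0.1"  # constructed gateway address in 10.36.0.0
PC = "10.0.0.10"       # constructed PC address in 10.0.0.0


def icmp_verdict(acl_text: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Verdict for an ICMP packet src -> dst through one ACL."""
    return evaluate(parse_acl(acl_text), Packet(src, dst, "icmp"))


def both_directions_permitted(acl_text: str, a: str, b: str) -> bool:
    """The case's criterion on the VRRP backup device: the ACL must permit
    the echo request (a -> b) and the echo reply (b -> a)."""
    return (icmp_verdict(acl_text, a, b)[0] == "permit"
            and icmp_verdict(acl_text, b, a)[0] == "permit")


if __name__ == "__main__":
    print("before fix:", icmp_verdict(VLAN322_OUT, SWITCHC, PC))       # ('deny', 1000)
    print("after fix: ", icmp_verdict(VLAN322_OUT + FIX_RULE, SWITCHC, PC))  # ('permit', 20)
```

Running the script shows the asymmetry that explains the fault: PC to SwitchC matches rule 10 of Vlan322Out, SwitchC to PC falls through to rule 1000, and only after rule 20 is inserted do both directions pass, which is the condition the cause analysis names for a host behind the backup device.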