[All About Switches] A Gateway Fails to Ping a PC Connected to the VRRP Backup Device

Involved Products and Versions

All products and versions

Networking

As shown in Figure 1-1, a VRRP group is configured on SwitchA and SwitchB. SwitchA is the VRRP master device and SwitchB is the VRRP backup device. The network segment where the PC resides is 10.0.0.0, and the network segment where the gateway SwitchC resides is 10.36.0.0.

To enable communication between the network segments 10.36.0.0 and 10.0.0.0, a user configures ACL-based packet filtering on SwitchB to allow only the traffic from 10.0.0.0 to 10.36.0.0 to pass. In addition, this rule is applied to the outbound direction of VLAN 322.

Figure 1-1 Networking diagram for the failure of a gateway to ping a PC connected to the VRRP backup device

Fault Symptom

SwitchC fails to ping the PC.

Cause Analysis

1.       Check the configuration on SwitchC.

The ACL named Vlan322Out and numbered 3022 allows all traffic from network segment 10.0.0.0 to network segment 10.36.0.0 to pass. Therefore, the PC can ping SwitchC. When SwitchC pings the PC, the traffic from network segment 10.36.0.0 to network segment 10.0.0.0 is not allowed to pass.

#
acl name Vlan322Out 3022 
 rule 10 permit ip source 10.0.0.0 0.15.255.255 destination 10.36.0.0 0.0.255.255  
 rule 30 permit ip source 10.36.0.0 0.0.255.255 destination 224.0.0.0 0.0.0.255 
 rule 40 permit ip source 10.38.0.0 0.0.255.255 destination 10.36.0.0 0.0.255.255 
 rule 50 permit ip source 10.100.5.0 0.0.0.255 destination 10.36.0.0 0.0.255.255 
 rule 60 permit ip source 10.100.246.0 0.0.0.255 destination 10.36.0.0 0.0.255.255 
 rule 1000 deny ip 
#
acl number 3144 
 rule 10 deny tcp destination-port eq 5554 
 rule 15 deny tcp destination-port eq 9995 
 rule 20 deny tcp destination-port eq 9996 
 rule 25 deny udp destination-port eq 445  
 rule 30 deny udp destination-port eq 1434 
 rule 35 deny ip source 10.0.0.0 0.255.255.255 destination 99.0.0.0 0.255.255.255 
 rule 40 permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255 
 rule 45 permit ip source 10.36.0.0 0.0.255.255 destination 224.0.0.0 0.0.0.255 
 rule 1000 deny ip 
#
interface GigabitEthernet1/0/7 
 port link-type access 
 port default vlan 322 
#
traffic-filter vlan 322 inbound acl 3144
traffic-filter vlan 322 outbound acl name Vlan322Out

2.       SwitchB connected to the PC is the VRRP backup device, and therefore Layer 2 forwarding is performed. In this case, the ping is successful only when traffic is allowed to pass in both directions. If the PC is connected to the VRRP master device, you only need to configure unidirectional traffic.

Troubleshooting Procedure

                          Step 1     Add the following rule to the ACL named Vlan322Out and numbered 3022: rule 20 permit ip source 10.36.0.0 0.0.255.255 destination 10.0.0.0 0.255.255.255. Then SwitchC can ping the PC, and the fault is rectified.

----End