Connectivity between vLans
Feeling kind of silly asking this question - perhaps it's late in the day and I'm missing something simple.
I'm having connectivity issues between two Firewalla based networks (vLans).
Hosts in vLan A cannot ping a host in vLan B
Hosts in vLan B cannot ping a host in vLan A
Hosts in vLan A can ping the gateway IP of vLan B, and vice versa.
I have verified that a host can ping another host in the same vLan - so Windows firewall is ruled out.
I don't have any blocking rules in place and have tried a "network to network" allow rule, but still no luck.
I vaguely recall Firewalla based networks having cross connectivity in the past (default allow) and having to block undesired connections, has this changed perhaps?
Any advice?
-
VLAN networks can always ping the gateway IP; this is because that gateway IP is Firewalla.
Now, since you have NOT configured any rules to block segments A and B, the blocking is very likely being done by the switch itself. (I assume A can go to the internet and B can do the same; if both can't, you have other problems.)
-
Long story short, I lost access to the switch so I had to reset and lose the config. Given I needed to rebuild a portion, I decided to take the opportunity to rebuild the *entire* environment. The physical topology has not changed since it worked last.
There are no ACLs or routing in the switch config, just the tagged ports for the vLan participants (a vm host and the Firewalla box). In fact the config itself is pretty stock/basic other than the few tagged participants.
The logical path from A (100) to B (200) is:
vLan 100 VM -> vLan 100 port group -> vSwitch0 -> vmnic0 -> VM Host ge1 -> Switch port C15 -> Switch port D23 -> Firewalla ge2 -> Switch port D23 -> Switch port C15 -> VM Host ge1 -> vmnic0 -> vSwitch0 -> vLan 200 port group -> vLan 200 VM
vLan 100 hosts can ping the internet and get a DHCP lease from Firewalla for the given network without issue. The same is true for the vLan 200 hosts.
When this worked previously, my network connected to the Firewalla ge1 could see the ge2 hosts and vice-versa until I put a block in place.
Here is a snippet of the run config just for reference purposes.
<snip>
interface C15
name "iHostVMS1 ge1"
exit
<snip>
interface D23
name "Firewalla ge2 (vLans)"
exit
<snip>
vlan 100
tagged C15,D23
no ip address
exit
vlan 200
tagged C15,D23
no ip address
exit
<snip>
-
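One way to rule the switch in or out is to lint the running config for the tagged memberships the path above needs (every VLAN that crosses the Firewalla trunk must be tagged on both the VM host port and the Firewalla port). This is an added example, not code from the thread or from Firewalla/HP; SAMPLE_CONFIG is constructed in the format of the snippet above, with one tag deliberately missing so the check has something to report, and the port names C15/D23 are taken from the post.

```python
import re

# Constructed sample in the format of the ProCurve snippet posted above, with a
# deliberately missing tag on vlan 200 so the check below has something to report.
SAMPLE_CONFIG = """
vlan 100
   tagged C15,D23
   no ip address
   exit
vlan 200
   tagged C15
   no ip address
   exit
"""

def expand_ports(spec):
    """Expand a ProCurve port list such as 'C15,D23' or 'A1-A3' into a set."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"([A-Z]?)(\d+)-([A-Z]?)(\d+)", item)
        if m and m.group(1) == m.group(3):          # same-module range, e.g. A1-A3
            ports.update(f"{m.group(1)}{n}"
                         for n in range(int(m.group(2)), int(m.group(4)) + 1))
        elif item:
            ports.add(item)
    return ports

def parse_vlans(config):
    """Map each VLAN id in the config to the set of ports tagged in it."""
    tagged, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            current = tagged.setdefault(int(m.group(1)), set())
        elif line == "exit":
            current = None
        elif current is not None and line.startswith("tagged "):
            current |= expand_ports(line[len("tagged "):])
    return tagged

def missing_tags(tagged, vlan_ids, trunk_ports):
    """(vlan, port) pairs where a port on the inter-VLAN path is not tagged."""
    return [(v, p) for v in vlan_ids for p in trunk_ports
            if p not in tagged.get(v, set())]

if __name__ == "__main__":
    # Ports on the path in the post: VM host ge1 on C15, Firewalla ge2 on D23.
    print(missing_tags(parse_vlans(SAMPLE_CONFIG), [100, 200], ["C15", "D23"]))
    # → [(200, 'D23')]
```

Run it against `show running-config` output saved to a file; an empty list means the trunk ports carry both VLANs and the switch is not where the traffic is being dropped.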
Hi - thanks for the tip, everything has worked well over the past few years so my troubleshooting skills are a bit rusty ;)
For testing, I attached two physical hosts to native untagged ports and disabled the firewall on one, but I couldn't ping it from the other, so something in the path is indeed blocking ICMP; I just need to track it down. Using the physical hosts will help the troubleshooting efforts.
This is a Procurve 5406zl chassis.
I'll keep plugging away and report back, likely after the weekend at this point.
-
Alright, finally got some time to look at this. I had a pair of unused SPA122 ATAs that I confirmed would respond to ping. I ended up untagging one into each VLAN. That really helped with the troubleshooting.
Long story short, I think the one host in VLAN 100 had a bad deployment image - the way it was behaving, it was as if the subnet was fat-fingered (but it had a DHCP lease, so...)
Since this is a net new build I've blown away that VM and will start again :)
Thanks for your help!