6 Replies. Latest reply: Oct 10, 2014 2:28 AM by Adam

    Cannot ping PC client from switch

    clemouk

      This is driving me crazy now, I have a 2900XL switch with a VLAN1 address of 172.16.0.11.

       

      I also have a 2610XM router connected to Fa0/16 which is running a DHCP server on 172.16.0.254. When I connect the PC client to Fa0/1 it obtains an address of 172.16.0.1 from the DHCP server (all good so far).

       

      The problem is I can ping the switch from the PC but not the other way around. I have disabled all firewalls and security settings on the PC (Windows XP) but it just isn't working.

       

      I've also tried connecting a second PC to another switch port and tried from there; the same happens. I can ping the switch but not the PC. Likewise, the two PCs cannot see each other - they are both on the same VLAN.

       

      I am sure that I'm missing something obvious but would appreciate some guidance on this.

       

      Thanks

      Lee

        • 1. Re: Cannot ping PC client from switch
          Scott Morris - CCDE/4xCCIE/2xJNCIE

          Do you have a VACL in place on the switch?

           

          Or any other ACLs?

           

          Do you have an IDS/IDP on your network?

           

          "show arp" on the switch, or "arp -a" on the PC will let you know whether you have a MAC entry or not, and whether it is correct.  Since you can ping from the PC to the switch, I'd venture to say that's not the problem there, but PC to PC may be interesting.

           

          Are you set in a private vlan?  (I don't think the XL-series switches can do that, but I don't have one!)  What about "switchport protected"?

           

          Can you "show run" on the switch?

           

          Scott

          • 2. Re: Cannot ping PC client from switch
            rockstar

            For a layer 2 switch this is normal. You cannot ping a layer 3 address (IP address) from a layer 2 device. Even though the host is directly connected, the L2 switch only knows the MAC address of the client. You have to ping from the router instead. If you need to check to see which MAC address is connected to a switchport you can use the "show mac-address-table" command.

            • 3. Re: Cannot ping PC client from switch
              clemouk

              There are no ACLs configured yet; this was a clean switch when I started, so it only has a basic configuration on it. Both arp and mac-address-table are populated with entries I would expect to see against the correct ports etc.

               

              Ok, I think I understand that a Layer 2 device should not be able to ping a layer 3 address, but then I can ping the router on 172.16.0.254 from the switch??? If I try to ping the PC from the router that also fails, likewise with two PC clients connected on the same switch.

               

              Below is the running-config from the switch:

               

              SwitchA#show running-config
              Building configuration...

              Current configuration:
              !
              version 12.0
              no service pad
              service timestamps debug uptime
              service timestamps log uptime
              no service password-encryption
              !
              hostname SwitchA
              !
              enable password cisco
              !
              username admin privilege 15 password 0 cisco
              !

              !
              ip subnet-zero
              no ip domain-lookup
              !
              !
              !
              interface FastEthernet0/1
              !
              interface FastEthernet0/2
              !
              interface FastEthernet0/3
              !
              interface FastEthernet0/4
              !
              interface FastEthernet0/5

              !
              interface FastEthernet0/6
              !
              interface FastEthernet0/7
              !
              interface FastEthernet0/8
              !
              interface FastEthernet0/9
              !
              interface FastEthernet0/10
              !
              interface FastEthernet0/11
              !
              interface FastEthernet0/12
              !
              interface FastEthernet0/13
              !
              interface FastEthernet0/14
              !
              interface FastEthernet0/15
              !
              interface FastEthernet0/16
              !
              interface FastEthernet0/17
              !
              interface FastEthernet0/18
              !
              interface FastEthernet0/19
              !
              interface FastEthernet0/20
              !
              interface FastEthernet0/21
              !
              interface FastEthernet0/22
              !
              interface FastEthernet0/23
              !
              interface FastEthernet0/24
              !
              interface VLAN1
              ip address 172.16.0.11 255.255.0.0
              no ip directed-broadcast
              no ip route-cache
              !
              ip default-gateway 172.16.0.254
              !
              line con 0
              password cisco
              login
              transport input none
              stopbits 1
              line vty 0 4
              password cisco
              logging synchronous
              login local
              line vty 5 14
              password cisco
              login
              line vty 15
              login
              !
              end

              • 4. Re: Cannot ping PC client from switch
                mr_toad1

                You wouldn't happen to be running McAfee, would you?  I ran into the same issue and McAfee was blocking ICMP messages.

                • 5. Re: Cannot ping PC client from switch
                  clemouk

                  Thanks for everyone's response. Ultimately it looks like it was a combination of AV software and VPN protocols on the PC client adapter. When I stripped everything back to a basic install on the PC, everything worked. Now I can start playing with VLANs, lol. All day to get a ping! Arghh....

                   

                  Edited: In case anybody has a similar problem, I have confirmed that it was the "Check Point SecuRemote" feature on the PC connection that was blocking the requests.

                  • 6. Re: Cannot ping PC client from switch
                    Adam

                    A computer firewall can also block this. I've experienced this on Windows 7 lately.
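
Added example (not part of any post in this thread): the triage the thread converged on, written as a small script. It parses Cisco IOS "show arp" output and combines it with a ping result to separate "no layer 2 reachability" from "host resolved by ARP but not answering echo", the pattern that pointed at host-side filtering here. The sample output, MAC addresses, and the function names `parse_show_arp` and `classify` are constructed for illustration.

```python
import re

# Constructed sample of IOS "show arp" output (MACs are made up, not from the thread).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.0.11             -   0001.4200.0a0b  ARPA   VLAN1
Internet  172.16.0.254            3   0001.4200.0c0d  ARPA   VLAN1
Internet  172.16.0.1              0   0001.4200.0e0f  ARPA   VLAN1
Internet  172.16.0.2              0   Incomplete      ARPA
"""

# One table row: protocol, IP, age, hardware address, encapsulation type.
CISCO_ROW = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\S+)\s+ARPA", re.M)
# IOS prints MACs as three dot-separated groups of four hex digits.
CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def parse_show_arp(text):
    """Return {ip: mac}, with None for unresolved ("Incomplete") entries."""
    table = {}
    for ip, hw in CISCO_ROW.findall(text):
        table[ip] = hw.lower() if CISCO_MAC.match(hw) else None
    return table


def classify(ip, arp_table, echo_replied):
    """Combine the ARP state with the ping outcome for one target."""
    if echo_replied:
        return "reachable"
    if arp_table.get(ip):
        # The host answered ARP, so cabling, VLAN and switching work.
        # An unanswered echo then points at the host itself: firewall,
        # AV, or a VPN client bound to the adapter, as found in this thread.
        return "arp-ok-icmp-filtered"
    # No resolved MAC: look at port, VLAN membership or addressing first.
    return "no-l2-reachability"


if __name__ == "__main__":
    arp = parse_show_arp(SHOW_ARP)
    for target in ("172.16.0.254", "172.16.0.1", "172.16.0.2"):
        # Ping results are supplied by hand here; only the router replied.
        replied = target == "172.16.0.254"
        print(target, classify(target, arp, replied))
```
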