Cisco Router – Can’t Ping the Management IP of Switch


My topology is:

Topology

I am logged in to R1. I can ping 10.0.0.2 on R2 and 198.51.100.1 on R2, but I can't ping the management IP of sw2 (198.51.100.2). What am I doing wrong?

R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0cc1.8f5a.c102  ARPA   GigabitEthernet0/2
Internet  10.0.0.2               11   0cc1.8fc5.c701  ARPA   GigabitEthernet0/2
Internet  10.0.0.5                -   0cc1.8f5a.c101  ARPA   GigabitEthernet0/1
Internet  10.0.0.6               11   0cc1.8f0b.af00  ARPA   GigabitEthernet0/1
Internet  192.0.2.1               -   0cc1.8f5a.c100  ARPA   GigabitEthernet0/0
Internet  192.0.2.2              11   0cc1.8fe9.8001  ARPA   GigabitEthernet0/0

R1#sh ip route
Gateway of last resort is not set
         10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.0.0/30 is directly connected, GigabitEthernet0/2
L        10.0.0.1/32 is directly connected, GigabitEthernet0/2
C        10.0.0.4/30 is directly connected, GigabitEthernet0/1
L        10.0.0.5/32 is directly connected, GigabitEthernet0/1
      192.0.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.0.2.0/24 is directly connected, GigabitEthernet0/0
L        192.0.2.1/32 is directly connected, GigabitEthernet0/0
S     198.51.100.0/24 [1/0] via 10.0.0.2

R1#ping 198.51.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/13/16 ms
R1#ping 198.51.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Update: I can ping a host connected through sw2, but not sw2 itself

Well, I tried adding a Virtual PC through sw2 and assigning it an IP address of 198.51.100.5/24 with a gateway of 198.51.100.1. It turns out I can ping it from R1 and vice versa, but R1 still can't ping the management IP of sw2. Can we not ping the management IP of a switch from outside the subnet?

R1#ping 198.51.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/21/37 ms
R1#ping 198.51.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Here are the running configs for each device:

R1:

R1#sh run | s net0/2
interface GigabitEthernet0/2
 description Connected to R2
 ip address 10.0.0.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
R1#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.0.2.1       YES manual up                    up
GigabitEthernet0/1         10.0.0.5        YES manual up                    up
GigabitEthernet0/2         10.0.0.1        YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down

R2:

R2#ping 198.51.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/23 ms
R2#sh run | s net0/0
interface GigabitEthernet0/0
 description Connected to sw2
 ip address 198.51.100.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
R2#sh run | s net0/1
interface GigabitEthernet0/1
 description Connected to R1
 ip address 10.0.0.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
R2#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         198.51.100.1    YES manual up                    up
GigabitEthernet0/1         10.0.0.2        YES manual up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down

R2#sh ip route
Gateway of last resort is not set
         10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/30 is directly connected, GigabitEthernet0/1
L        10.0.0.2/32 is directly connected, GigabitEthernet0/1
      198.51.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        198.51.100.0/24 is directly connected, GigabitEthernet0/0
L        198.51.100.1/32 is directly connected, GigabitEthernet0/0

sw2:

sw2#sh run | s net0/0
interface GigabitEthernet0/0
 description Connected to R2
 media-type rj45
 negotiation auto
sw2#sh run | s vlan
vlan internal allocation policy ascending
sw2#sh run | s Vlan
interface Vlan1
 ip address 198.51.100.2 255.255.255.0
sw2#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  administratively down down
GigabitEthernet0/2     unassigned      YES unset  administratively down down
GigabitEthernet0/3     unassigned      YES unset  administratively down down
Vlan1                  198.51.100.2    YES manual up                    up

Best Answer

Can we ping the management IP address of a switch from outside the subnet?

We certainly can.

It looks like you need a route on the switch. It must have a route which includes 10.0.0.0/30 such as a default route. It also needs no blocking ACLs.

Sometimes you have to think of a managed switch as two devices:

  • A layer 2 communications device which forwards frames (yours works, as you can exchange packets between R1 and a PC on SW2 with address 198.51.100.5/24 and a default route to R2).
  • A layer 3 management device plugged into one of the VLANs of the layer 2 device. This is a host you communicate with to configure the behaviour of the switch. This host needs an IP address, IP routes, ACLs, usernames, passwords so that it can be controlled from various places on the network by the correct people (and only the correct places and people!)

Imagine an unmanaged switch with a reset button:

  • The switch has no IP address or configuration
  • But you could put a network-enabled robot next to it and SSH to the robot when you want to reset the switch

Like every host, the robot needs an IP address. It also needs routes if you want to connect to it from off the local LAN.

A managed switch is a switch with a very capable network-enabled robot, normally controlled by SSH or HTTP.

It is in fact common to have a separate "robot" like this: network-controlled power distribution, for remotely power-cycling equipment, is very common in racks you can't visit easily. It's also common to have a "terminal server" connected to many console ports by RS-232. In the old days a Cisco 2511, nowadays something from perhaps Lantronix, at the top of a rack, connected to the console port of all the routers and switches in the rack.

Because you want these robots/management interfaces to be accessible only by authorised people, it's common to put all kinds of ACLs in the way. In a production network, it's very common to be able to exchange packets with management interfaces only from very few places. But almost the whole point of a managed switch is so that a network team can manage switches from outside the subnet.
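The fix the answer describes, written out as an added example (it is not part of the original question or answer). It assumes sw2 is an IOS layer 2 switch with `ip routing` disabled (the default for a switch like this one, where only `interface Vlan1` carries an address), that the only place management traffic should come from is the 10.0.0.0/30 link to R1, and it uses a made-up ACL name `MGMT-HOSTS` and the default `line vty 0 4` range.

```cisco
! Added example, not from the original post. Assumes sw2 is a layer 2 IOS
! switch with "ip routing" disabled; ACL name MGMT-HOSTS is hypothetical.
!
! 1. The missing piece: sw2's management host has no route back to
!    10.0.0.0/30, so its echo replies to R1 (10.0.0.1) are dropped.
sw2(config)# ip default-gateway 198.51.100.1
!
!    If "ip routing" were enabled on the switch, "ip default-gateway" is
!    ignored and a default route is needed instead:
!    sw2(config)# ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! 2. Verify on the switch and re-run the ping that previously timed out.
sw2# show ip route
R1# ping 198.51.100.2
!
! 3. Restrict who may manage the switch. A vty access-class only filters
!    SSH/Telnet sessions; it does not affect ICMP, so the ping above still
!    works. To filter pings too, apply an extended ACL to interface Vlan1
!    with "ip access-group ... in".
sw2(config)# ip access-list standard MGMT-HOSTS
sw2(config-std-nacl)# permit 10.0.0.0 0.0.0.3
sw2(config-std-nacl)# deny any log
sw2(config-std-nacl)# exit
sw2(config)# line vty 0 4
sw2(config-line)# access-class MGMT-HOSTS in
sw2(config-line)# transport input ssh
```

With `ip routing` disabled, a layer 2 switch reports the gateway at the top of `show ip route` rather than as an `S*` route entry, which is the quickest way to confirm the change took. The `permit 10.0.0.0 0.0.0.3` line matches R1's 10.0.0.1 source address; the `deny any log` entry records any other host that tries, which is useful when hunting for unauthorised management attempts.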
