
USG9520 Configured with VLANIF 1 Cannot Ping the Directly Connected Device

Publication Date: 2019-07-03

Issue Description

The USG9520 configured with VLANIF 1 cannot ping the directly connected device.


The firewall version is as follows:

VRP (R) Software, Version 5.160 (USG9520 V500R001C30SPC100)


The configuration on the firewall is as follows:


interface Vlanif1
 ip address X.X.1.27 255.255.255.0
 alias vlan1
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage telnet permit

firewall zone trust
 set priority 85
 add interface Vlanif1

security-policy
 default action permit

interface GigabitEthernet1/0/0
 portswitch
 description TO-CE12800-XG7/0/2
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 1 to 4094

Handling Process

The firewall configuration shows that ping is permitted for access management on VLANIF 1 and that VLANIF 1 is in the trust zone. The default security-policy action is permit, so traffic between all zones is allowed.


Ping the IP address of the peer switch from the firewall. No packet is received within the timeout period.


ping X.X.1.28
  PING X.X.1.28: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- X.X.1.28 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss


Check the ARP entries on the firewall. The firewall does not have the dynamic ARP entry with the address of the peer switch.


display arp interface vlan 1
2016-10-12 13:37:41.100
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
X.X.1.27     XXXX-XXXX-5302            I -         Vlanif1
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1    Remote:0


However, the peer switch can learn the ARP entry of the firewall address.


<HUAWEI>display arp interface vlan 1
ARP Entry Types: D - Dynamic, S - Static, I - Interface
EXP: Expire-time

IP ADDRESS      MAC ADDRESS    EXP(M) TYPE/VLAN INTERFACE       VPN-INSTANCE
------------------------------------------------------------------------------
X.X.1.28     XXXX-1e4a-1f03        I         Vlanif1
X.X.1.1      XXXX-eb07-6900   20   D/1       Eth-Trunk3
X.X.1.27     XXXX-1e4a-5302   20   D/1       10GE7/0/2
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0    Interface:1


The peer switch cannot ping the firewall.


<HUAWEI>ping X.X.1.27
  PING X.X.1.27: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out

  --- X.X.1.27 ping statistics ---
    4 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss


The configuration of the interface connecting the switch to the firewall is as follows:


  port link-type trunk
  port trunk allow-pass vlan 2 to 4094


The preceding information shows that the switch configuration is correct, VLAN transparent transmission works, and the switch learns ARP entries normally. The firewall configuration also appears correct, so why can the firewall not learn the ARP entry?


Check the configuration of the interface connecting the firewall to the switch:


 port link-type trunk
 port trunk allow-pass vlan 1 to 4094


The suspected cause is that no PVID (default VLAN) is configured on the firewall trunk interface. The switch sends its ping packets in its PVID VLAN 1, which leaves the switch untagged; with no default VLAN, the firewall trunk interface cannot classify the untagged frames, so the ping fails. However, on this firewall model and version, neither port trunk pvid vlan 1 nor port default vlan 1 can be configured on a trunk interface.


Change the interface mode to hybrid, which supports the configuration of port default vlan and port trunk allow-vlan.


port link-type hybrid
port default vlan 1
port trunk allow-vlan 1 to 4094


After the preceding configuration, the switch and firewall can ping each other and learn ARP entries.

Root Cause

In USG9520 V5, a Layer 2 trunk interface connects the firewall to a switch, but no default VLAN (PVID VLAN) is configured. As a result, the ping packets from the peer switch cannot be tagged with VLAN 1 (the peer's PVID VLAN ID is 1 and the tag is stripped when the packets are sent). Therefore, the two devices cannot ping each other.

Solution

There are two solutions:


1. Change the PVID VLAN ID of the interconnected interface on the switch to another VLAN ID (an unused VLAN ID is recommended), so that the VLAN 1 packets it sends carry the VLAN tag and are accepted on the firewall trunk interface.


2. Change the firewall interface mode to hybrid and run the port default vlan command to configure the default VLAN:


 port link-type hybrid
 port default vlan 1
 port trunk allow-vlan 1 to 4094
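The following is an added example, not code from the Huawei article: a minimal Python model of 802.1Q handling on the switch-to-firewall link. It reproduces the symptom in the Handling Process (the switch learns the firewall's ARP entry, the firewall never learns the switch's) and checks both solutions. The port model, the `L2Port`/`scenario` names and the assumption that VLAN 1 is allowed on the switch trunk by default are simplifications for illustration, not full Huawei CLI semantics.

```python
# Added example (not from the Huawei article): a simplified model of 802.1Q
# tagging between a switch trunk port and the firewall's Layer 2 port. It is
# an assumption for illustration, not a full reproduction of Huawei semantics.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class L2Port:
    link_type: str                              # "trunk" or "hybrid"
    allow: set = field(default_factory=set)     # VLANs allowed on the port
    pvid: Optional[int] = None                  # default VLAN; None = not set

    def egress(self, vlan):
        """Frame sent for traffic in `vlan`: the PVID VLAN leaves untagged,
        any other allowed VLAN keeps its tag; None means the port drops it."""
        if vlan not in self.allow:
            return None
        return {"tag": None if vlan == self.pvid else vlan}

    def ingress(self, frame):
        """VLAN a received frame is classified into, or None if discarded.
        An untagged frame belongs to the PVID; with no PVID it has no VLAN."""
        if frame is None:
            return None
        vlan = frame["tag"] if frame["tag"] is not None else self.pvid
        return vlan if vlan is not None and vlan in self.allow else None

def reaches(src, dst, vlan=1):
    """True if a frame in `vlan` sent by port `src` is accepted by `dst`."""
    return dst.ingress(src.egress(vlan)) == vlan

def scenario(fw_link_type, fw_pvid, switch_pvid=1):
    """Model the article's link: switch trunk with allow-pass vlan 2 to 4094
    plus VLAN 1 (assumed allowed by default), PVID 1 unless moved (fix 1);
    firewall port allowing vlan 1 to 4094, PVID only if port default vlan is set."""
    switch = L2Port("trunk", set(range(1, 4095)), switch_pvid)
    fw = L2Port(fw_link_type, set(range(1, 4095)), fw_pvid)
    return {"switch_to_fw": reaches(switch, fw),   # switch's untagged VLAN 1 ping
            "fw_to_switch": reaches(fw, switch)}   # firewall's tagged VLAN 1 ARP

if __name__ == "__main__":
    # Broken state from the article: firewall trunk with no default VLAN.
    print("broken:", scenario("trunk", None))
    # Solution 1: move the switch PVID to an unused VLAN so VLAN 1 is tagged.
    print("fix 1 :", scenario("trunk", None, switch_pvid=4094))
    # Solution 2: firewall hybrid port with port default vlan 1.
    print("fix 2 :", scenario("hybrid", 1))
```

In the broken scenario only the firewall-to-switch direction succeeds, which is exactly why the switch holds a dynamic ARP entry for X.X.1.27 while the firewall's table shows Dynamic:0.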

Suggestions

Generally, when a device interface is used as a Layer 2 interface, VLAN 1 serves both for transparent transmission and as the default VLAN. Because that is so common, it is easy to overlook the case where the interface has no default VLAN configured at all.
