moaz
Contributor

VMs in different port groups (VLANs) cannot ping each other

Dear All,

I have a single ESXi host. All port groups are connected to a single vSwitch0, and vSwitch0 is connected to a single physical NIC, vmnic0.

I have multiple VM port groups, and each VM port group has its own VLAN. I have 3 VMs, each connected to its own VM port group. My VMkernel port group is within my management VLAN. I can ping my ESXi's management IP as well as each of the above-mentioned VMs from outside.

I can also ping the outside world (for example my laptop, or the IP assigned to each VLAN on the physical switches) from each VM, for the VLANs allowed by the ACLs configured on the physical switch.

But VM-to-VM ping is not successful; even the VM which is allowed to reach the management VLAN is not able to ping the ESXi management IP, although the same VM can reach the IP assigned to the management VLAN on the physical switch.

The host is connected to a physical switch trunk port; this switch connects to an L3 switch (where the ACLs are configured), which then connects to a Checkpoint firewall...

One thing I noticed is that when we try to ping our firewall from these machines, the ping is unsuccessful, and the firewall is also not able to notice/detect any kind of traffic...

Any suggestions?


Accepted Solutions
daphnissov
Immortal

Not much to say other than you have a firewall/routing issue upstream in your environment. This isn't something ESXi is blocking for you as there are no policies applied to virtual machine port groups. I'd look at your routing tables on your L3 device and see if you have a bad route somewhere.

3 Replies

Hi there,

To help me understand a little bit better:

You can ping from your VMs to outside IPs in the same VLAN.

You can ping from outside to VMs in the same VLAN.

You can ping the management network.

Your VMs in different VLANs cannot ping each other.

VMs cannot ping management (another VLAN).

If I understood correctly, it looks like a routing problem.

I would try the same:

  • Ping DG from the VMs
  • Traceroute from one VM to another in different VLANs
  • Check ACLs are in place

If it's a routing problem, it will show up with the traceroute.

-------------------------------------------------------------------
Triple VCIX (CMA-NV-DCV) | vExpert | MCSE | CCNA
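A small model of the situation discussed in this thread, added here as an illustration and not part of any reply: VMs on separate VLAN port groups behind one vSwitch, with every inter-VLAN hop routed by an upstream L3 switch that applies per-VLAN inbound ACLs. It shows why a ping can fail even when the echo request is allowed: the echo reply crosses the ACL of the destination VLAN on the way back, and a pinged SVI on the switch itself answers without passing that ACL. All VLAN numbers, addresses and ACL entries are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR this rule matches
    dst: str     # destination CIDR this rule matches

# Constructed VLANs (one per VM port group plus the management VLAN) and
# the L3 switch's own SVI address in each; not the original poster's values.
VLANS = {10: "10.0.10.0/24", 20: "10.0.20.0/24", 30: "10.0.30.0/24"}
SVI = {10: "10.0.10.1", 20: "10.0.20.1", 30: "10.0.30.1"}

# Inbound ACL per VLAN interface on the L3 switch; first match wins, implicit deny.
ACLS = {
    10: [Rule("permit", "10.0.10.0/24", "10.0.30.0/24")],  # VLAN 10 may reach mgmt
    20: [Rule("permit", "10.0.20.0/24", "0.0.0.0/0")],
    30: [Rule("permit", "10.0.30.0/24", "10.0.20.0/24")],  # mgmt may answer VLAN 20 only
}

def vlan_of(ip: str) -> int:
    addr = ip_address(ip)
    for vid, cidr in VLANS.items():
        if addr in ip_network(cidr):
            return vid
    raise ValueError(f"{ip} is not in a known VLAN")

def permitted(src: str, dst: str) -> bool:
    """One direction of a flow, as the inbound ACL of the source VLAN sees it."""
    if vlan_of(src) == vlan_of(dst):
        return True   # same VLAN: switched at L2, never reaches the router ACL
    a, b = ip_address(src), ip_address(dst)
    for rule in ACLS.get(vlan_of(src), []):
        if a in ip_network(rule.src) and b in ip_network(rule.dst):
            return rule.action == "permit"
    return False      # implicit deny at the end of every ACL

def ping_path(src: str, dst: str) -> dict:
    """Echo request src->dst plus echo reply dst->src; both must be permitted."""
    request = permitted(src, dst)
    # Assumption: replies the switch generates itself (pinging its SVI) are not
    # filtered by the VLAN's inbound ACL, which only sees transit traffic.
    reply = True if dst in SVI.values() else permitted(dst, src)
    return {"request": request, "reply": reply, "ok": request and reply}

if __name__ == "__main__":
    for dst in ("10.0.30.5", "10.0.30.1", "10.0.20.5"):  # ESXi vmk, mgmt SVI, VM in VLAN 20
        print("10.0.10.5 ->", dst, ping_path("10.0.10.5", dst))
```

Running it reproduces the symptom from the original post: the VLAN 10 VM reaches the management SVI but not the ESXi management address, because the management VLAN's ACL drops the echo reply.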
moaz
Contributor

Thanks!

Got it resolved after adjusting the ACLs.
