SG500X-24P, IP layer issue ?

ArnaudG
Level 1

Dear Cisco,

 

I'm encountering an issue with a SG500X-24poe switch on a specific vlan.

Firmware 1.4.8.6

Boot 1.4.0.02


I'm logged in with SSH directly to my switch and have a device (IP camera) configured as 172.20.230.101 connected to an access port (VLAN 2253).

My switch has an IP in that VLAN and can ping itself

When I try to ping the camera, it fails.

But the ARP shows the correct ip, port and vlan... 

 

When I switch to another VLAN, the device is pinging normally.

Moreover, I have a mirror setup with the same switch (same config) and device that's working fine.

I have no specific rules like ACLs or anything else.

See the console output below

 

Let me know if you require any other information.

Any clue to help me solve this mystery?

a92-sw-stk-s12-poe#clear arp-cache
a92-sw-stk-s12-poe#show arp
Total number of entries: 1

VLAN Interface IP address HW address status
--------------------- --------------- ------------------- ---------------
vlan 2251 te1/1/1 172.20.0.3 e0:d1:73:fb:e3:74 dynamic

a92-sw-stk-s12-poe#ping 172.20.230.101
Pinging 172.20.230.101 with 18 bytes of data:
PING: no reply from 172.20.230.101
PING: timeout
PING: no reply from 172.20.230.101
PING: timeout
PING: no reply from 172.20.230.101
PING: timeout
PING: no reply from 172.20.230.101
PING: timeout
----172.20.230.101 PING Statistics----
4 packets transmitted, 0 packets received, 100% packet loss
a92-sw-stk-s12-poe#show arp
Total number of entries: 2

VLAN Interface IP address HW address status
--------------------- --------------- ------------------- ---------------
vlan 2251 te1/1/1 172.20.0.3 e0:d1:73:fb:e3:74 dynamic
vlan 2253 gi1/1/19 172.20.230.101 00:1b:a2:00:a2:b5 dynamic

 


Hi again.

Sorry, my last message contained a small mistake: the switch is an SG500X-24PoE, not an SG200.

In any case, the ACL system, and more generally the CLI, on that switch is very different from what you propose.

So far I configured some ACEs this way.

ip access-list extended 110
permit ip 172.20.230.199 0.0.0.0 172.20.230.101 0.0.0.0 log-input
permit ip 172.20.230.101 0.0.0.0 172.20.230.199 0.0.0.0 log-input
permit ip 172.20.0.101 0.0.0.0 172.20.230.101 0.0.0.0 log-input
permit ip 172.20.230.101 0.0.0.0 172.20.0.101 0.0.0.0 log-input
interface ge1/1/19
service-acl input 110

You can see that I enabled logging, but after several pings I cannot see anything popping into the log (I activated debug level in the log).

Is there some equivalent for this switch to "debug ip packet 110 detail"?

For now, after several pings, the "show access-list 110" command only outputs:

a92-sw-stk-s12-poe#show access-lists 110
Extended IP access list 110
    permit  ip host 172.20.230.199 host 172.20.230.101 ace-priority 20 log-input
    permit  ip host 172.20.230.101 host 172.20.230.199 ace-priority 40 log-input
    permit  ip host 172.20.0.101 host 172.20.230.101 ace-priority 60 log-input
    permit  ip host 172.20.230.101 host 172.20.0.101 ace-priority 80 log-input

I must be doing something wrong...

The debug needs to be typed in privileged mode (#), not config mode.

Type these in and let me know what you get:

 

a92-sw-stk-s12-poe#debug ip packet ? 

 

a92-sw-stk-s12-poe#debug ip ? 

Also, do this in config mode and then try pinging again:

 

ip routing
ip route 0.0.0.0 0.0.0.0 172.20.0.3

no ip default-gateway 172.20.0.3

 

Same behavior...

None of these commands gives autocomplete.

debug ?

gives the command

debug-mode

When I enter debug mode and type

menu

I get some command options:

debug             exit              help              lcli
logout            mcli

then

>debug ip
Enter DEBUG Password:

I'm stuck here. Some posts explain that this mode is intended for Cisco engineers only...

Find or get another host on that switch and ensure it's on 2253. Find out its IP address and ping it from the switch. We want to see if you can ping other hosts on 2253. It would be good if you had a PC so you can snap verify its IP and gateway.

Yes, I could do this, but that's a delicate operation. I'll keep you posted.