11-13-2020 01:02 AM
Hi
I want to replace my SG500-28 with the new SG350X-24P which arrived today.
Everything is working fine except two things.
I run a NMS System on VLAN20 (10.10.0.0/24) which should monitor the Switch which is addressed in VLAN1 (192.168.1.0/24).
I can successfully use snmpwalk from a node in VLAN1 to the Switch but it doesn't work at all from VLAN20.
I want to use the Switch in Layer 2 mode as all VLANs are routed through a firewall which is default GW on both VLANs.
NMS-Server (10.10.0.99) -> FW (in 10.10.0.1) -> FW (out 192.168.1.1) -> SG350X-24P (192.168.1.13).
FW Rules are correct and are working if I address the old SG500 at the address the SG350X has. So this isn't the issue.
SNMP settings are correct too as I can use it successfully from within VLAN1 with community etc. (tested with snmpwalk).
Additionally I tried with Ping which is also only working in VLAN1 and NOT from VLAN20 -> VLAN1.
So for me it looks like the switch doesn't answer to anything whose source address isn't in VLAN1?
What do I need to do to get this absolutely normal scenario working? Any ideas what is wrong with my configuration?
11-13-2020 04:10 AM
Hello vistalba,
Have you enabled routing (Inter-VLAN routing) on the switch (IP Configuration -> IP interface -> IPv4 routing)? Did you check your firewall if it blocks the ping?
Regards,
Martin
11-13-2020 08:28 AM
Have you set a default gateway on the switch? In this case it should be set to the IP address of your firewall on the 192.168.1.0/24 network, or 192.168.1.1.
It's happened to me a few times to forget adding that in!
11-13-2020 11:50 PM
Inter-Routing is enabled (as by default). I also tried disabling this but this doesn't help either. As mentioned in the first post, Firewall is open and working fine. No drops for snmp (udp161) and icmp. It is working fine with the old SG500 with same IP/Subnet as destination.
@StevePetryschuk Where should I do this? If I look IP Configuration -> IPv4 Management and interface -> IPv4 static routes there is a 0.0.0.0/0 entry to the Gateway (FW interface).
11-15-2020 08:16 AM
Some additional info may help to find out the problem:
switch1#sho ip int
IP Address         I/F       I/F Status Type    Directed  Prec Redirect Status
                             admin/oper         Broadcast
------------------ --------- ---------- ------- --------- ---- -------- ------
10.10.0.99/24      vlan 20   UP/UP      Static  disable   No   enable   Valid
192.168.1.13/24    vlan 1    UP/UP      Static  disable   No   enable   Valid

!
interface vlan 1
 name VL01_LAN
 ip address 192.168.1.13 255.255.255.0
 no ip address dhcp
!
interface vlan 20
 name VL20_DMZ
 ip address 10.10.0.99 255.255.255.0
!
Pinging default GW in subnet 10.10.0.0/24:
switch1#ping 10.10.0.1 source 10.10.0.99
Pinging 10.10.0.1 with 18 bytes of data:
18 bytes from 10.10.0.1: icmp_seq=1. time=0 ms
18 bytes from 10.10.0.1: icmp_seq=2. time=0 ms
18 bytes from 10.10.0.1: icmp_seq=3. time=0 ms
18 bytes from 10.10.0.1: icmp_seq=4. time=0 ms
----10.10.0.1 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/0/0
Pinging default GW in subnet 192.168.1.0/24 fails:
switch1#ping 192.168.1.1 source 192.168.1.13
Pinging 192.168.1.1 with 18 bytes of data:
PING: no reply from 192.168.1.1
PING: timeout
PING: no reply from 192.168.1.1
PING: timeout
PING: no reply from 192.168.1.1
PING: timeout
PING: no reply from 192.168.1.1
PING: timeout
----192.168.1.1 PING Statistics----
4 packets transmitted, 0 packets received, 100% packet loss
I can ping another host in VLAN1 from both, interface vlan1 and interface vlan20:
switch1#ping 192.168.1.21 source 10.10.0.99
Pinging 192.168.1.21 with 18 bytes of data:
18 bytes from 192.168.1.21: icmp_seq=1. time=0 ms
18 bytes from 192.168.1.21: icmp_seq=2. time=0 ms
18 bytes from 192.168.1.21: icmp_seq=3. time=0 ms
18 bytes from 192.168.1.21: icmp_seq=4. time=0 ms
----192.168.1.21 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/0/0

switch1#ping 192.168.1.21 source 192.168.1.13
Pinging 192.168.1.21 with 18 bytes of data:
18 bytes from 192.168.1.21: icmp_seq=1. time=0 ms
18 bytes from 192.168.1.21: icmp_seq=2. time=0 ms
18 bytes from 192.168.1.21: icmp_seq=3. time=0 ms
18 bytes from 192.168.1.21: icmp_seq=4. time=10 ms
----192.168.1.21 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/2/10
So I'm not able to reach anything from interface VLAN1 when destination isn't in VLAN1 as default GW is unreachable. But I'm able to reach other hosts on VLAN1.
Interface in VLAN20 I've configured for testing only (and I want to delete this). From this Interface I can ping the gateway and other hosts in same and other subnets too.
I've attached "sh run" (anonymized) so maybe some of you can point out the issue.
11-17-2020 09:43 AM
I believe you have a duplicate IP.
In your first post you said "NMS-Server (10.10.0.99)"
But the config of your switch shows:
interface vlan 20
 name VL20_DMZ
 ip address 10.10.0.99 255.255.255.0
If this is correct, you've configured your switch with the same IP as your NMS server. Removing the IP address configuration for VLAN20 (or setting it to some other IP) should resolve your issue.
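The check that found the problem above can be automated. This is an added example, not part of the thread or of any Cisco tooling: it parses the `interface vlan` stanzas quoted in the thread and flags hosts that are supposed to reach the switch through the firewall but whose address is either owned by the switch itself or sits in a subnet the switch is directly attached to. The function names and the second host address are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the two interface stanzas quoted in the thread.
SAMPLE_CONFIG = """\
interface vlan 1
 name VL01_LAN
 ip address 192.168.1.13 255.255.255.0
 no ip address dhcp
!
interface vlan 20
 name VL20_DMZ
 ip address 10.10.0.99 255.255.255.0
!
"""

def parse_vlan_interfaces(config):
    """Return {vlan_id: IPv4Interface} for each 'interface vlan N' stanza."""
    result, vlan = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface vlan (\d+)", line, re.IGNORECASE)
        if m:
            vlan = int(m.group(1))
            continue
        if line == "!":          # stanza separator ends the current interface
            vlan = None
            continue
        # Static addresses only; 'no ip address dhcp' does not match.
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m and vlan is not None:
            result[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return result

def check_remote_hosts(config, remote_hosts):
    """Flag hosts expected behind the gateway that the switch treats as local."""
    findings = []
    for vlan, iface in sorted(parse_vlan_interfaces(config).items()):
        for name, addr in remote_hosts.items():
            ip = ipaddress.ip_address(addr)
            if ip == iface.ip:
                findings.append((name, vlan, "duplicate-ip"))
            elif ip in iface.network:
                # Replies leave via this interface, not the default gateway.
                findings.append((name, vlan, "directly-connected"))
    return findings

if __name__ == "__main__":
    # 'nms' is from the thread; 'poller-2' is a constructed second host.
    hosts = {"nms": "10.10.0.99", "poller-2": "10.10.0.50"}
    for name, vlan, kind in check_remote_hosts(SAMPLE_CONFIG, hosts):
        print(f"{name}: {kind} on vlan {vlan}")
```
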